Bug 1395240 - Selinux block glance api on overcloud
Summary: Selinux block glance api on overcloud
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-selinux
Version: 10.0 (Newton)
Hardware: Unspecified
OS: Linux
Target Milestone: rc
Target Release: 11.0 (Ocata)
Assignee: Lon Hohberger
QA Contact: Avi Avraham
Depends On:
Blocks: 1293435 1646932
Reported: 2016-11-15 13:56 UTC by Avi Avraham
Modified: 2020-06-11 13:05 UTC (History)

Fixed In Version: openstack-selinux-0.8.5-1.el7ost
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2017-05-17 19:46:30 UTC
Target Upstream Version:
tshefi: automate_bug+

Attachments
first go at selinux policy changes for glance/oslo.privsep (364 bytes, text/plain)
2016-11-17 17:10 UTC, Eric Harney

System: Red Hat Product Errata
ID: RHEA-2017:1245
Priority: normal
Status: SHIPPED_LIVE
Summary: Red Hat OpenStack Platform 11.0 Bug Fix and Enhancement Advisory
Last Updated: 2017-05-17 23:01:50 UTC

Description Avi Avraham 2016-11-15 13:56:09 UTC
Description of problem:
While running Glance on the overcloud with the Cinder backend configuration, the glance commands fail because SELinux blocks the glance-api process.

sealert output:
SELinux is preventing /usr/bin/python2.7 from create access on the sock_file privsep.sock.
*****  Plugin catchall (100. confidence) suggests   **************************
If you believe that python2.7 should be allowed create access on the privsep.sock sock_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
allow this access for now by executing:
# ausearch -c 'glance-api' --raw | audit2allow -M my-glanceapi
# semodule -i my-glanceapi.pp
Additional Information:
Source Context                system_u:system_r:glance_api_t:s0
Target Context                system_u:object_r:glance_tmp_t:s0
Target Objects                privsep.sock [ sock_file ]
Source                        glance-api
Source Path                   /usr/bin/python2.7
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           python-2.7.5-48.el7.x86_64
Target RPM Packages          
Policy RPM                    selinux-policy-3.13.1-102.el7.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     controller-0.localdomain
Platform                      Linux controller-0.localdomain
                              3.10.0-513.el7.x86_64 #1 SMP Wed Oct 12 09:41:28
                              EDT 2016 x86_64 x86_64
Alert Count                   1
First Seen                    2016-11-15 12:27:02 UTC
Last Seen                     2016-11-15 12:27:02 UTC
Local ID                      32bbd164-bc85-43a9-a94e-3c3a7a8b6db8
Raw Audit Messages
type=AVC msg=audit(1479212822.497:463): avc:  denied  { create } for  pid=4322 comm="glance-api" name="privsep.sock" scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:glance_tmp_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1479212822.497:463): arch=x86_64 syscall=bind success=yes exit=0 a0=a a1=7ffdcbe57080 a2=1d a3=706d742f706d742f items=0 ppid=2272 pid=4322 auid=4294967295 uid=161 gid=161 euid=161 suid=161 fsuid=161 egid=161 sgid=161 fsgid=161 tty=(none) ses=4294967295 comm=glance-api exe=/usr/bin/python2.7 subj=system_u:system_r:glance_api_t:s0 key=(null)

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Install RHOS10 with Cinder as the Glance backend
2. Run the following command: openstack image create --name image1

Actual results:
Error 503, permission denied

Expected results:
The command passes successfully.

Additional info:

Comment 2 Cyril Roelandt 2016-11-16 14:05:40 UTC
I do not think that Glance knows about SELinux. Shouldn't this be a triple-o bug?

Comment 3 Avi Avraham 2016-11-17 11:13:40 UTC
Moved to the SELinux team.

Comment 4 Eric Harney 2016-11-17 17:10:14 UTC
Created attachment 1221609 [details]
first go at selinux policy changes for glance/oslo.privsep

I've assembled this policy while testing the cinder driver for glance.

This enables Glance to load oslo.privsep: a privsep.sock file is created at /tmp/<random>/privsep.sock, which is used to communicate between the original glance-api process and the privileged child process.

The execute permission is required for the sudo exec of the child privsep process.
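
As an added example (not code from this bug report, from the attachment, or from the openstack-selinux package), the script below parses the AVC and SYSCALL audit records quoted in the description, pairs them by audit serial, derives the allow rule that audit2allow would emit for the denial, and flags the oslo.privsep socket pattern Eric describes. The function names and the AvcDenial record are my own; the input lines are the two raw audit messages from the report. The `enforced` field is worth checking before treating a denial as the cause of a failure: here the SYSCALL record says `success=yes`, which is consistent with the "Enforcing Mode Permissive" line in the sealert output, so the bind was logged but not blocked at the time the alert was captured.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Raw audit messages exactly as quoted in the bug's sealert output.
AVC_LINE = (
    'type=AVC msg=audit(1479212822.497:463): avc:  denied  { create } for  pid=4322 '
    'comm="glance-api" name="privsep.sock" scontext=system_u:system_r:glance_api_t:s0 '
    'tcontext=system_u:object_r:glance_tmp_t:s0 tclass=sock_file'
)
SYSCALL_LINE = (
    'type=SYSCALL msg=audit(1479212822.497:463): arch=x86_64 syscall=bind success=yes '
    'exit=0 a0=a a1=7ffdcbe57080 a2=1d a3=706d742f706d742f items=0 ppid=2272 pid=4322 '
    'auid=4294967295 uid=161 gid=161 euid=161 suid=161 fsuid=161 egid=161 sgid=161 '
    'fsgid=161 tty=(none) ses=4294967295 comm=glance-api exe=/usr/bin/python2.7 '
    'subj=system_u:system_r:glance_api_t:s0 key=(null)'
)

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)$'
)
SERIAL_RE = re.compile(r'msg=audit\([\d.]+:(?P<serial>\d+)\)')
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


@dataclass
class AvcDenial:
    serial: str
    perms: List[str]
    scontext_type: str   # SELinux type of the source domain, e.g. glance_api_t
    tcontext_type: str   # SELinux type of the target object, e.g. glance_tmp_t
    tclass: str          # object class, e.g. sock_file
    comm: str
    name: Optional[str]
    enforced: Optional[bool]  # False when the paired SYSCALL record says success=yes


def parse_kv(text: str) -> Dict[str, str]:
    """Split 'k=v k2="quoted v"' audit fields into a dict, dropping the quotes."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(2))
            for m in KV_RE.finditer(text)}


def context_type(ctx: str) -> str:
    """user:role:type:level -> type."""
    return ctx.split(':')[2]


def parse_audit(lines: List[str]) -> List[AvcDenial]:
    """Collect AVC denials, using SYSCALL records with the same serial to
    learn whether the kernel actually blocked the operation."""
    success_by_serial: Dict[str, bool] = {}
    for line in lines:
        if line.startswith('type=SYSCALL'):
            m = SERIAL_RE.search(line)
            if m:
                success_by_serial[m.group('serial')] = parse_kv(line).get('success') == 'yes'
    denials = []
    for line in lines:
        m = AVC_RE.match(line)
        if not m or m.group('result') != 'denied':
            continue
        f = parse_kv(m.group('fields'))
        serial = m.group('serial')
        succeeded = success_by_serial.get(serial)
        denials.append(AvcDenial(
            serial=serial,
            perms=m.group('perms').split(),
            scontext_type=context_type(f['scontext']),
            tcontext_type=context_type(f['tcontext']),
            tclass=f['tclass'],
            comm=f.get('comm', ''),
            name=f.get('name'),
            enforced=None if succeeded is None else not succeeded,
        ))
    return denials


def to_allow_rule(d: AvcDenial) -> str:
    """Render the TE allow rule audit2allow would generate for this denial."""
    perms = d.perms[0] if len(d.perms) == 1 else '{ ' + ' '.join(sorted(d.perms)) + ' }'
    return f'allow {d.scontext_type} {d.tcontext_type}:{d.tclass} {perms};'


def is_privsep_socket(d: AvcDenial) -> bool:
    """True for the oslo.privsep Unix-socket pattern discussed in this bug."""
    return d.tclass == 'sock_file' and d.name == 'privsep.sock'


if __name__ == '__main__':
    for d in parse_audit([AVC_LINE, SYSCALL_LINE]):
        print(to_allow_rule(d), '| enforced:', d.enforced, '| privsep:', is_privsep_socket(d))
```

Running it on the two records from the report yields `allow glance_api_t glance_tmp_t:sock_file create;`, which is the narrow rule for the single logged permission; the sudo exec permission Eric mentions would only appear in the output if the corresponding AVC record were fed in as well.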

Comment 12 Avi Avraham 2017-04-20 12:10:33 UTC
Verified the RPM install:
# rpm -q openstack-selinux
# openstack-selinux-0.8.5-8.el7ost.noarch

Cannot verify full functionality, since other components that depend on this configuration are not released in the current version.

Comment 13 errata-xmlrpc 2017-05-17 19:46:30 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

