+++ This bug was initially created as a clone of Bug #1671514 +++
+++ This bug was initially created as a clone of Bug #1489863 +++

Since nis_enabled is not automatically enabled, some deployments with custom ports are not working.

~~~
type=AVC msg=audit(1548880833.900:153941): avc: denied { name_connect } for pid=4841 comm="glance-registry" dest=13357 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket

Was caused by:
The boolean nis_enabled was set incorrectly.
Description:
Allow nis to enabled
Allow access by executing:
# setsebool -P nis_enabled 1
~~~

Steps to reproduce:
- Deploy 10z9 with custom keystone port
- Spawn a stack

Actual result:
Glance registry fails with this traceback [1]

Workaround:
setsebool -P nis_enabled on

[1]
~~~
2019-01-31 11:16:07.334 4883 WARNING keystoneauth.identity.generic.base [-] Discovering versions from the identity service failed when creating the password plugin. Attempting to determine version from URL.
2019-01-31 11:16:07.336 4883 INFO eventlet.wsgi.server [-] Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/eventlet/wsgi.py", line 481, in handle_one_response
    result = self.application(self.environ, start_response)
  File "/usr/lib/python2.7/site-packages/webob/dec.py", line 130, in __call__
    resp = self.call_func(req, *args, **self.kwargs)
  File "/usr/lib/python2.7/site-packages/webob/dec.py", line 195, in call_func
    return self.func(req, *args, **kwargs)
  File "/usr/lib/python2.7/site-packages/oslo_middleware/base.py", line 126, in __call__
    response = req.get_response(self.application)
  File "/usr/lib/python2.7/site-packages/webob/request.py", line 1299, in send
    application, catch_exc_info=False)
  File "/usr/lib/python2.7/site-packages/webob/request.py", line 1263, in call_application
    app_iter = application(self.environ, start_response)
  File "/usr/lib/python2.7/site-packages/webob/dec.py", line 130, in __call__
    resp = self.call_func(req, *args, **self.kwargs)
  File "/usr/lib/python2.7/site-packages/webob/dec.py", line 195, in call_func
    return self.func(req, *args, **kwargs)
  File "/usr/lib/python2.7/site-packages/osprofiler/web.py", line 108, in __call__
    return request.get_response(self.application)
  File "/usr/lib/python2.7/site-packages/webob/request.py", line 1299, in send
    application, catch_exc_info=False)
  File "/usr/lib/python2.7/site-packages/webob/request.py", line 1263, in call_application
    app_iter = application(self.environ, start_response)
  File "/usr/lib/python2.7/site-packages/webob/dec.py", line 130, in __call__
    resp = self.call_func(req, *args, **self.kwargs)
  File "/usr/lib/python2.7/site-packages/webob/dec.py", line 195, in call_func
    return self.func(req, *args, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystonemiddleware/auth_token/__init__.py", line 320, in __call__
    response = self.process_request(req)
  File "/usr/lib/python2.7/site-packages/keystonemiddleware/auth_token/__init__.py", line 552, in process_request
    resp = super(AuthProtocol, self).process_request(request)
  File "/usr/lib/python2.7/site-packages/keystonemiddleware/auth_token/__init__.py", line 348, in process_request
    data, user_auth_ref = self._do_fetch_token(request.user_token)
  File "/usr/lib/python2.7/site-packages/keystonemiddleware/auth_token/__init__.py", line 388, in _do_fetch_token
    data = self.fetch_token(token)
  File "/usr/lib/python2.7/site-packages/keystonemiddleware/auth_token/__init__.py", line 684, in fetch_token
    data = self._identity_server.verify_token(token)
  File "/usr/lib/python2.7/site-packages/keystonemiddleware/auth_token/_identity.py", line 214, in verify_token
    auth_ref = self._request_strategy.verify_token(user_token)
  File "/usr/lib/python2.7/site-packages/keystonemiddleware/auth_token/_identity.py", line 166, in _request_strategy
    strategy_class = self._get_strategy_class()
  File "/usr/lib/python2.7/site-packages/keystonemiddleware/auth_token/_identity.py", line 188, in _get_strategy_class
    if self._adapter.get_endpoint(version=klass.AUTH_VERSION):
  File "/usr/lib/python2.7/site-packages/keystoneauth1/adapter.py", line 146, in get_endpoint
    return self.session.get_endpoint(auth or self.auth, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneauth1/session.py", line 795, in get_endpoint
    return auth.get_endpoint(self, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneauth1/identity/base.py", line 212, in get_endpoint
    service_catalog = self.get_access(session).service_catalog
  File "/usr/lib/python2.7/site-packages/keystoneauth1/identity/base.py", line 136, in get_access
    self.auth_ref = self.get_auth_ref(session)
  File "/usr/lib/python2.7/site-packages/keystoneauth1/identity/generic/base.py", line 179, in get_auth_ref
    self._plugin = self._do_create_plugin(session)
  File "/usr/lib/python2.7/site-packages/keystoneauth1/identity/generic/base.py", line 174, in _do_create_plugin
    raise exceptions.DiscoveryFailure('Could not determine a suitable URL '
DiscoveryFailure: Could not determine a suitable URL for the plugin
~~~

--- Additional comment from David Vallee Delisle on 2019-02-06 13:16:29 UTC ---

They have: openstack-selinux-0.8.14-13.el7ost.noarch

[1] If that can help, here's the infringed policy. This is a very specific use case where they use port 13357 for keystone because they followed our recommendation [2]

~~~
# sepolicy network -a /usr/bin/glance-registry
glance_registry_t: tcp name_connect
	111 (portmap_port_t) -- Allowed True [ nis_enabled=1 ]
	11211 (memcache_port_t)
	113 (auth_port_t) -- Allowed True [ daemons_use_tcp_wrapper=0 || nis_enabled=1 ]
	389, 636, 3268, 3269, 7389 (ldap_port_t) -- Allowed True [ nis_enabled=1 || authlogin_nsswitch_use_ldap=0 ]
	4444, 1186, 3306, 63132-63164 (mysqld_port_t)
	32768-61000 (ephemeral_port_t)
	32768-61000 (ephemeral_port_t)
	35357 (keystone_port_t)
	5000 (commplex_main_port_t)
	53 (dns_port_t)
	80, 81, 443, 488, 8008, 8009, 8443, 9000 (http_port_t)
	88, 750, 4444 (kerberos_port_t) -- Allowed True [ nis_enabled=1 || kerberos_enabled=1 ]
	8955 (dnssec_port_t)
	9080 (ocsp_port_t) -- Allowed True [ kerberos_enabled=1 ]
	all ports < 1024 (reserved_port_type) -- Allowed True [ nis_enabled=1 ]
	all ports with out defined types (port_t) -- Allowed True [ nis_enabled=1 ]
glance_registry_t: tcp name_bind
	32768-61000 (ephemeral_port_t) -- Allowed True [ nis_enabled=1 ]
	9191 (glance_registry_port_t)
	all ports with out defined types (port_t) -- Allowed True [ nis_enabled=1 ]
glance_registry_t: udp name_bind
	32768-61000 (ephemeral_port_t) -- Allowed True [ nis_enabled=1 ]
	all ports with out defined types (port_t) -- Allowed True [ nis_enabled=1 ]
~~~

--- Additional comment from Julie Pichon on 2019-02-08 10:41:13 UTC ---

Thank you for the reply and additional information. After investigating further, it looks like the issue that caused the booleans to not get picked up in some contexts was resolved, so re-enabling this one for now should be ok.
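The sepolicy listing above shows why the nis_enabled workaround is broader than the problem: the boolean opens every unreserved and untyped port to glance_registry_t, while the same domain may already name_connect to keystone_port_t (35357) with no boolean at all. The narrower remediation for a custom Keystone port is therefore to give that port the keystone type rather than to flip the boolean. The script below is an added example, not part of the bug report or of openstack-selinux: it parses an AVC record (the sample is constructed to match the denial quoted in the report) and prints the port-labelling command only when the denied port carries a generic type. The target type (keystone_port_t) is passed in as a parameter, since the AVC alone cannot say which service listens on the port; the semanage command it prints assumes policycoreutils-python is installed.

```shell
#!/bin/sh
# Added example (not from the bug report): derive the least-privilege fix for
# a name_connect denial from the AVC record itself.

# Constructed sample, shaped like the denial in the report.
SAMPLE_AVC='type=AVC msg=audit(1548880833.900:153941): avc: denied { name_connect } for pid=4841 comm="glance-registry" dest=13357 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket'

# avc_field RECORD KEY: the value of "KEY=..." in the record, quotes stripped.
# The leading whitespace in the pattern keeps "scontext" from matching "tcontext".
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p" | tr -d '"'
}

# avc_source_domain RECORD: the process domain, e.g. glance_registry_t
avc_source_domain() {
    avc_field "$1" scontext | cut -d: -f3
}

# avc_port_type RECORD: the SELinux type of the destination port, e.g. unreserved_port_t
avc_port_type() {
    avc_field "$1" tcontext | cut -d: -f3
}

# remediation RECORD TARGET_TYPE: print the command that grants exactly this
# access. A port with a generic type (unreserved_port_t or port_t) can be
# relabelled with the service's own type, which the domain is already allowed
# to reach. A port that already carries a service-specific type would need a
# policy change, not a relabel, so nothing is suggested and status 1 is returned.
remediation() {
    port=$(avc_field "$1" dest)
    proto=$(avc_field "$1" tclass | sed 's/_socket$//')
    ptype=$(avc_port_type "$1")
    case "$ptype" in
        unreserved_port_t|port_t)
            printf 'semanage port -a -t %s -p %s %s\n' "$2" "$proto" "$port"
            ;;
        *)
            printf 'port %s/%s already typed %s: policy change needed, not a relabel\n' \
                "$proto" "$port" "$ptype" >&2
            return 1
            ;;
    esac
}

# Stand-alone usage: the targeted alternative to "setsebool -P nis_enabled on"
remediation "$SAMPLE_AVC" keystone_port_t
```

Run on the sample record this prints `semanage port -a -t keystone_port_t -p tcp 13357`; after applying such a relabel, `sepolicy network -a /usr/bin/glance-registry` lists the custom port under keystone_port_t, and the boolean can stay off. `semanage port -l` shows whether the port is already claimed by another type, in which case `-m` (modify) rather than `-a` applies.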
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:0564