Bug 826674 - [abrt] openstack-glance-2012.1-4.fc17: client.py:549:_do_request:ServerError: The request returned 500 Internal Server Error
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
17
x86_64 Unspecified
unspecified Severity unspecified
Assigned To: Miroslav Grepl
Ben Levenson
abrt_hash:34cb03fcfec31b3543efbc5ea91...
Reported: 2012-05-30 14:16 EDT by David Busby
Modified: 2012-06-16 20:05 EDT
Doc Type: Bug Fix
Last Closed: 2012-06-16 20:05:02 EDT
Attachments
File: backtrace (8.99 KB, text/plain)
2012-05-30 14:16 EDT, David Busby
Description David Busby 2012-05-30 14:16:36 EDT
libreport version: 2.0.10
abrt_version:   2.0.10
cmdline:        /usr/bin/python /usr/bin/glance --debug index
executable:     /usr/bin/glance
kernel:         3.3.7-1.fc16.x86_64
time:           Wed 30 May 2012 07:09:12 PM BST
uid:            1000
username:       david

backtrace:      Text file, 9207 bytes

comment:
:working through the http://fedoraproject.org/wiki/Getting_started_with_OpenStack_on_Fedora_17 page, glance seems to have issues communicating back with keystone
:
:glance/registry.log
:---
:2012-05-30 19:09:11 11131    ERROR [keystone.middleware.auth_token] HTTP connection exception: [Errno 13] EACCES
:2012-05-30 19:09:11 11131 CRITICAL [keystone.middleware.auth_token] Unable to obtain admin token: Unable to communicate with keystone
:---
Comment 1 David Busby 2012-05-30 14:16:43 EDT
Created attachment 587796
File: backtrace
Comment 2 David Busby 2012-05-30 14:50:06 EDT
I've been doing some further investigation and I can say this is due to SELinux,

$> sudo setenforce 0
$> glance index
$>

---
    type=AVC msg=audit(1338399689.454:257): avc: denied { read } for pid=7917 comm="sh" name="passwd" dev="dm-2" ino=163629 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
    type=AVC msg=audit(1338399689.461:258): avc: denied { read } for pid=7920 comm="sh" name="passwd" dev="dm-2" ino=163629 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
    type=AVC msg=audit(1338399689.493:259): avc: denied { execute } for pid=7926 comm="glance-registry" name="bash" dev="dm-2" ino=268049 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
    type=AVC msg=audit(1338399689.494:260): avc: denied { execute } for pid=7928 comm="glance-registry" name="bash" dev="dm-2" ino=268049 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
    type=AVC msg=audit(1338399689.496:261): avc: denied { execute } for pid=7929 comm="glance-registry" name="bash" dev="dm-2" ino=268049 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
    type=AVC msg=audit(1338399689.498:262): avc: denied { execute } for pid=7930 comm="glance-registry" name="bash" dev="dm-2" ino=268049 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
    type=AVC msg=audit(1338400844.863:552): avc: denied { read } for pid=10772 comm="sh" name="passwd" dev="dm-2" ino=163629 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
    type=AVC msg=audit(1338400844.869:553): avc: denied { read } for pid=10774 comm="sh" name="passwd" dev="dm-2" ino=163629 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
    type=AVC msg=audit(1338400844.996:554): avc: denied { execute } for pid=10784 comm="glance-registry" name="bash" dev="dm-2" ino=268049 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
    type=AVC msg=audit(1338400844.998:555): avc: denied { execute } for pid=10785 comm="glance-registry" name="bash" dev="dm-2" ino=268049 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
    type=AVC msg=audit(1338400845.001:556): avc: denied { execute } for pid=10786 comm="glance-registry" name="bash" dev="dm-2" ino=268049 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
    type=AVC msg=audit(1338400845.005:557): avc: denied { execute } for pid=10788 comm="glance-registry" name="bash" dev="dm-2" ino=268049 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
    type=AVC msg=audit(1338400852.211:558): avc: denied { name_connect } for pid=10771 comm="glance-registry" dest=35357 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket
    type=AVC msg=audit(1338400946.881:610): avc: denied { read } for pid=11132 comm="sh" name="passwd" dev="dm-2" ino=163629 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
    type=AVC msg=audit(1338400946.887:611): avc: denied { read } for pid=11135 comm="sh" name="passwd" dev="dm-2" ino=163629 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
    type=AVC msg=audit(1338400947.013:612): avc: denied { execute } for pid=11145 comm="glance-registry" name="bash" dev="dm-2" ino=268049 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
    type=AVC msg=audit(1338400947.020:613): avc: denied { execute } for pid=11146 comm="glance-registry" name="bash" dev="dm-2" ino=268049 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
    type=AVC msg=audit(1338400947.022:614): avc: denied { execute } for pid=11149 comm="glance-registry" name="bash" dev="dm-2" ino=268049 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
    type=AVC msg=audit(1338400947.024:615): avc: denied { execute } for pid=11150 comm="glance-registry" name="bash" dev="dm-2" ino=268049 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
    type=AVC msg=audit(1338400963.049:616): avc: denied { name_connect } for pid=11131 comm="glance-registry" dest=35357 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket
    type=AVC msg=audit(1338401351.939:625): avc: denied { name_connect } for pid=11131 comm="glance-registry" dest=35357 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket
    type=AVC msg=audit(1338402425.722:633): avc: denied { name_connect } for pid=11131 comm="glance-registry" dest=35357 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket
    type=AVC msg=audit(1338402829.487:634): avc: denied { name_connect } for pid=11131 comm="glance-registry" dest=35357 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket
    type=AVC msg=audit(1338402880.130:635): avc: denied { name_connect } for pid=11131 comm="glance-registry" dest=35357 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket
    type=AVC msg=audit(1338403413.798:647): avc: denied { name_connect } for pid=11131 comm="glance-registry" dest=35357 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket
    type=AVC msg=audit(1338403483.311:664): avc: denied { name_connect } for pid=11131 comm="glance-registry" dest=35357 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket
    type=AVC msg=audit(1338403496.166:670): avc: denied { name_connect } for pid=11131 comm="glance-registry" dest=35357 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket
    type=AVC msg=audit(1338403565.434:676): avc: denied { name_connect } for pid=11131 comm="glance-registry" dest=35357 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket
---

Will run it through audit2allow to generate policies and update this ticket with the result shortly.
Comment 3 David Busby 2012-05-30 15:12:19 EDT
---
grep glance /var/log/audit/audit.log | grep denied | audit2allow 
WARNING: Policy would be downgraded from version 27 to 26.


#============= glance_api_t ==============
allow glance_api_t passwd_file_t:file read;

#============= glance_registry_t ==============
allow glance_registry_t ephemeral_port_t:tcp_socket name_connect;
allow glance_registry_t shell_exec_t:file execute;


 grep glance /var/log/audit/audit.log | grep denied | audit2allow -M openstack-glance
WARNING: Policy would be downgraded from version 27 to 26.
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i openstack-glance.pp


semodule -i openstack-glance.pp
---

This resolves the immediate issue; however, I do not know enough about SELinux at this time to interpret the warning message about the downgrade. I can, however, confirm that going through this process allows glance index to function.
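
An added example (not part of the original comments, and not audit2allow's own code): it groups the AVC denials from comment 2 into the same allow rules audit2allow printed in comment 3, keeping the denial count and the file name or destination port behind each rule so the rule can be reviewed before a module is loaded. The function names are made up for this sketch, and the sample is five records copied from comment 2.

```python
import re
from collections import defaultdict

# Sample input: five of the AVC records quoted in comment 2, copied unchanged.
SAMPLE = """\
type=AVC msg=audit(1338399689.454:257): avc: denied { read } for pid=7917 comm="sh" name="passwd" dev="dm-2" ino=163629 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=AVC msg=audit(1338399689.461:258): avc: denied { read } for pid=7920 comm="sh" name="passwd" dev="dm-2" ino=163629 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=AVC msg=audit(1338399689.493:259): avc: denied { execute } for pid=7926 comm="glance-registry" name="bash" dev="dm-2" ino=268049 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1338400852.211:558): avc: denied { name_connect } for pid=10771 comm="glance-registry" dest=35357 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1338400963.049:616): avc: denied { name_connect } for pid=11131 comm="glance-registry" dest=35357 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*?)\s*"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def selinux_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]


def summarize(log_text):
    """Group denials by (source type, target type, class, permission)."""
    summary = defaultdict(lambda: {"count": 0, "objects": set()})
    for m in AVC_RE.finditer(log_text):
        fields = {k: q or u for k, q, u in FIELD_RE.findall(m["fields"])}
        # The object actually touched: a file name or a destination port.
        obj = fields.get("name") or fields.get("dest") or "?"
        for perm in m["perms"].split():
            key = (selinux_type(m["scon"]), selinux_type(m["tcon"]), m["tclass"], perm)
            summary[key]["count"] += 1
            summary[key]["objects"].add(obj)
    return dict(summary)


def to_rules(summary):
    """Render one allow rule per permission, with the evidence behind it."""
    return [
        f"allow {s} {t}:{c} {p};  # {v['count']} denial(s), objects: {sorted(v['objects'])}"
        for (s, t, c, p), v in sorted(summary.items())
    ]


if __name__ == "__main__":
    print("\n".join(to_rules(summarize(SAMPLE))))
```

In the sample every name_connect denial is for port 35357, while the generated rule covers every port labelled ephemeral_port_t.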
Comment 4 Daniel Walsh 2012-06-04 11:44:09 EDT
Fixed in selinux-policy-3.10.0-129.fc17
Comment 5 Fedora Update System 2012-06-11 17:03:13 EDT
selinux-policy-3.10.0-130.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-130.fc17
Comment 6 Fedora Update System 2012-06-15 20:00:07 EDT
Package selinux-policy-3.10.0-130.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-130.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-9520/selinux-policy-3.10.0-130.fc17
then log in and leave karma (feedback).
Comment 7 Fedora Update System 2012-06-16 20:05:02 EDT
selinux-policy-3.10.0-130.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
