978568 – Horizon needs setsebool for httpd, missing from packstack puppet modules

Bug 978568 - Horizon needs setsebool for httpd, missing from packstack puppet modules

Summary: Horizon needs setsebool for httpd, missing from packstack puppet modules

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat OpenStack
Classification:	Red Hat
Component:	openstack-foreman-installer
Sub Component:
Version:	3.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	high
Target Milestone:	async
Target Release:	3.0
Assignee:	Jordan OMara
QA Contact:	Nir Magnezi
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2013-06-26 20:04 UTC by Jordan OMara
Modified:	2014-11-09 22:56 UTC (History)
CC List:	6 users (show)
Fixed In Version:	ruby193-openstack-foreman-installer-0.0.18-2.el6ost
Doc Type:	Bug Fix
Doc Text:	When deploying the Dashboard (Horizon) Foreman was not importing all required Puppet modules. As a result an SELinux boolean required to allow the web server (httpd) to run with SELinux set to enforcing mode was not set correctly. The additional Puppet modules are now included and httpd is able to run when SELinux is set to enforcing mode on new deployments performed using Foreman.
Clone Of:
Environment:
Last Closed:	2013-07-10 15:42:17 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2013:1020	0	normal	SHIPPED_LIVE	Red Hat OpenStack 3.0 bug fix advisory	2013-07-10 19:40:46 UTC

Description Jordan OMara 2013-06-26 20:04:51 UTC

Foreman imports packstack-puppet-modules RPM, which do not actually contain all of the puppet code necessary to finish setting up horizon. Namely, it is missing a setsebool that allows httpd to run in ENFORCING mode

Fix: add the necessary changes to the foreman installer for proper ENFORCING mode on horizon host

Comment 2 Nir Magnezi 2013-07-07 09:44:24 UTC

(In reply to Jordan OMara from comment #0)
> Foreman imports packstack-puppet-modules RPM, which do not actually contain
> all of the puppet code necessary to finish setting up horizon. Namely, it is
> missing a setsebool that allows httpd to run in ENFORCING mode
> 
> Fix: add the necessary changes to the foreman installer for proper ENFORCING
> mode on horizon host

I'm missing some info regarding this fix.
1. Where is this boolean located? (What was added exactly? a file? a line in a file? a package?) 
2. Can you provide a URL for the fix commit?

Comment 3 Jordan OMara 2013-07-09 13:06:37 UTC

Verified : 
ruby193-openstack-foreman-installer-0.0.18-2.el6ost.x86_64

[root@virtlab-cloud-13 ~]# getsebool httpd_can_network_connect
httpd_can_network_connect --> on

&& horizon works in ENFORCING mode after policy installation


@nir : 
upstream commit: https://github.com/jsomara/astapor/commit/1de29090a96387a5291c6fef40c248cf321c7a39 
uses puppet to manually flip the selinux bool

Comment 5 errata-xmlrpc 2013-07-10 15:42:17 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1020.html

Note You need to log in before you can comment on or make changes to this bug.