tripleo

nova-api fails to start when SELinux is in enforcing mode

Bug #1344452 reported by Richard Su on 2014-07-18

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	tripleo	Fix Released	High	Richard Su

Bug Description

nova-api logs report

Jul 18 22:30:52 localhost nova-api[3431]: 2014-07-18 22:30:52.144 3431 TRACE nova File "/opt/stack/venvs/nova/lib/python2.7/site-packages/nova/openstack/common/processutils.py", line 200, in execute
Jul 18 22:30:52 localhost nova-api[3431]: 2014-07-18 22:30:52.144 3431 TRACE nova cmd=' '.join(cmd))
Jul 18 22:30:52 localhost nova-api[3431]: 2014-07-18 22:30:52.144 3431 TRACE nova ProcessExecutionError: Unexpected error while running command.
Jul 18 22:30:52 localhost nova-api[3431]: 2014-07-18 22:30:52.144 3431 TRACE nova Command: sudo nova-rootwrap /etc/nova/rootwrap.conf iptables-save -c
Jul 18 22:30:52 localhost nova-api[3431]: 2014-07-18 22:30:52.144 3431 TRACE nova Exit code: 97
Jul 18 22:30:52 localhost nova-api[3431]: 2014-07-18 22:30:52.144 3431 TRACE nova Stdout: ''
Jul 18 22:30:52 localhost nova-api[3431]: 2014-07-18 22:30:52.144 3431 TRACE nova Stderr: '/usr/local/bin/nova-rootwrap: Incorrect configuration file: /etc/nova/rootwrap.conf\n'
Jul 18 22:30:52 localhost nova-api[3431]: 2014-07-18 22:30:52.144 3431 TRACE nova
Jul 18 22:30:52 localhost systemd[1]: nova-api.service: main process exited, code=exited, status=1/FAILURE
Jul 18 22:30:52 localhost systemd[1]: Unit nova-api.service entered failed state.

/var/log/audit/audit.log shows

type=AVC msg=audit(1405722652.112:335): avc: denied { dac_override } for pid=3812 comm="nova-rootwrap" capability=1 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:system_r:nova_api_t:s0 tclass=capability
type=AVC msg=audit(1405722652.112:335): avc: denied { dac_read_search } for pid=3812 comm="nova-rootwrap" capability=2 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:system_r:nova_api_t:s0 tclass=capability

Tags:

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-07-18: Fix proposed to tripleo-image-elements (master)

Fix proposed to branch: master
Review: https://review.openstack.org/108172

Changed in tripleo:
assignee:	nobody → Richard Su (rwsu)
status:	New → In Progress

Richard Su (rwsu) on 2014-07-23

Changed in tripleo:
importance:	Undecided → High

Revision history for this message

Richard Su (rwsu) wrote on 2014-07-31:

Filed https://bugzilla.redhat.com/show_bug.cgi?id=1125458

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-08-12: Fix merged to tripleo-image-elements (master)

Reviewed: https://review.openstack.org/108172
Committed: https://git.openstack.org/cgit/openstack/tripleo-image-elements/commit/?id=b179aa121c600801220b9181d9a2676a19f5acb9
Submitter: Jenkins
Branch: master

commit b179aa121c600801220b9181d9a2676a19f5acb9
Author: Richard Su <email address hidden>
Date: Fri Jul 18 14:54:16 2014 -0700

Fix /etc/nova permissions

    nova-api does not start when SELinux is in enforcing mode.
    A dac_override error is logged. Changing the permissions to
    root.nova fixes the issue.

Bug: 1344452
Change-Id: I023c6394a6e4d9c8ee661a8403171b4975124943

Changed in tripleo:
status:	In Progress → Fix Committed

James Slagle (james-slagle) on 2014-08-15

Changed in tripleo:
status:	Fix Committed → Fix Released

Charles Crouch (ccrouch) on 2014-08-27

tags:

added: selinux

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

redhat-bugs #1125458
[CLOSED NOTABUG] Edit

Bug watches keep track of this bug in other bug trackers.