Bug 1128957
Summary: | SELinux blocks nova-api from using tmp | |
---|---|---|---
Product: | [Fedora] Fedora | Reporter: | Richard Su <rwsu>
Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl>
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa>
Severity: | unspecified | Docs Contact: |
Priority: | unspecified | |
Version: | 20 | CC: | dominick.grift, dwalsh, lvrabec, mgrepl
Target Milestone: | --- | Keywords: | Reopened
Target Release: | --- | |
Hardware: | Unspecified | |
OS: | Unspecified | |
Whiteboard: | | |
Fixed In Version: | selinux-policy-3.12.1-180.fc20 | Doc Type: | Bug Fix
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2014-09-10 22:42:46 UTC | Type: | Bug
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Attachments: | | |
1ef02b3df5392fd9502d9479d79e6349f1fa9fb2 fixes this in git.

cce9b39b71202349c898ec0b4b24d54ef766daa7 Actually is a better fix.

commit 6b6791acb84b509d82bdf02893ced001746ab69d
Author: Dan Walsh <dwalsh>
Date:   Tue Aug 12 08:11:05 2014 -0400

    Lets label content created by nova domains as tmp_t content.

https://github.com/selinux-policy/selinux-policy/commit/6b6791acb84b509d82bdf02893ced001746ab69d

selinux-policy-3.12.1-180.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-180.fc20

Package selinux-policy-3.12.1-180.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.

Update it with:

```
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-180.fc20'
```

as soon as you are able to. Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-9454/selinux-policy-3.12.1-180.fc20
then log in and leave karma (feedback).
Created attachment 929011 [details]
audit.log using selinux-policy-targeted-3.12.1-180.fc20.noarch

With
selinux-policy-3.12.1-180.fc20.noarch
selinux-policy-targeted-3.12.1-180.fc20.noarch

I am still seeing a similar set of errors with accessing tmpfs

```
audit.log:type=AVC msg=audit(1408592858.319:51726): avc: denied { getattr } for pid=25352 comm="nova-api" name="/" dev="tmpfs" ino=7612 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem
audit.log:type=AVC msg=audit(1408592858.323:51727): avc: denied { write } for pid=25352 comm="nova-api" name="/" dev="tmpfs" ino=7612 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
audit.log:type=AVC msg=audit(1408592858.323:51727): avc: denied { add_name } for pid=25352 comm="nova-api" name="sem.wUY5iY" scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
audit.log:type=AVC msg=audit(1408592858.323:51727): avc: denied { create } for pid=25352 comm="nova-api" name="sem.wUY5iY" scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file
audit.log:type=AVC msg=audit(1408592858.323:51727): avc: denied { read write open } for pid=25352 comm="nova-api" path="/dev/shm/sem.wUY5iY" dev="tmpfs" ino=701151 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file
audit.log:type=AVC msg=audit(1408592858.324:51728): avc: denied { link } for pid=25352 comm="nova-api" name="sem.wUY5iY" dev="tmpfs" ino=701151 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file
audit.log:type=AVC msg=audit(1408592858.324:51729): avc: denied { getattr } for pid=25352 comm="nova-api" path="/dev/shm/sem.wUY5iY" dev="tmpfs" ino=701151 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file
audit.log:type=AVC msg=audit(1408592858.324:51730): avc: denied { remove_name } for pid=25352 comm="nova-api" name="sem.wUY5iY" dev="tmpfs" ino=701151 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
audit.log:type=AVC msg=audit(1408592858.324:51730): avc: denied { unlink } for pid=25352 comm="nova-api" name="sem.wUY5iY" dev="tmpfs" ino=701151 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file
```
commit 9940830be7992b1c2560bd103951ad5d6ff52941
Author: Miroslav Grepl <mgrepl>
Date:   Thu Aug 21 09:08:41 2014 +0200

    Call the proper interface fs_tmpfs_filetrans() in nova_domain_template().

```diff
diff --git a/nova.if b/nova.if
index 2d705a8..ce897e2 100644
--- a/nova.if
+++ b/nova.if
@@ -49,7 +49,7 @@ template(`nova_domain_template',`
 manage_files_pattern(nova_$1_t, nova_$1_tmp_t, nova_$1_tmp_t)
 manage_lnk_files_pattern(nova_$1_t, nova_$1_tmp_t, nova_$1_tmp_t)
 files_tmp_filetrans(nova_$1_t, nova_$1_tmp_t, { lnk_file file dir })
-files_tmpfs_filetrans(nova_$1_t, nova_$1_tmp_t, { lnk_file file dir })
+fs_tmpfs_filetrans(nova_$1_t, nova_$1_tmp_t, { lnk_file file dir })
```

selinux-policy-3.12.1-180.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.

With
selinux-policy-3.12.1-181.fc20.noarch
selinux-policy-targeted-3.12.1-181.fc20.noarch

Seeing

```
type=AVC msg=audit(1408661444.531:56625): avc: denied { getattr } for pid=30258 comm="nova-api" name="/" dev="tmpfs" ino=7612 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem
```

```
[root@overcloud-controller0-lnix4hcttlx2 audit]# find / -inum 7612
/sys/devices/pci0000:00/0000:00:03.0/ata2/power/runtime_suspended_time
/dev/shm
/opt/stack/venvs/openstack/lib/python2.7/site-packages/keystoneclient/tests/v2_0/test_extensions.pyc
```

Do I wait for -182?

The version numbers in comments #3 and #5 are confusing. I'm guessing the majority of the problem got fixed in -181.

Fixed in -182.
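Review bot: the hunk only swaps the name-transition call (files_tmpfs_filetrans to fs_tmpfs_filetrans), so it leaves the `getattr` denial on tclass=filesystem (name="/" dev="tmpfs") untouched, which the -180 report already contains and the -181 follow-up in this thread still shows: a filetrans interface labels what the nova domain creates under /dev/shm, it grants nothing on the tmpfs filesystem object itself, so the template also needs a filesystem getattr permission on tmpfs_t (fs_getattr_tmpfs(nova_$1_t) in refpolicy terms) next to the transition. Separately, the header announces seven old and seven new lines but only five lines follow the @@ line, so the trailing context was evidently lost when the patch was pasted; quoting the full hunk would let reviewers confirm nothing else in the template changed.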
Created attachment 925889 [details]
audit.log

Description of problem:
When SELinux is in enforcing mode, nova-api fails on certain tmpfs operations on /dev/shm

```
type=AVC msg=audit(1404764447.847:287): avc: denied { search } for pid=3445 comm="nova-api" name="/" dev="tmpfs" ino=7206 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=AVC msg=audit(1404764803.222:887): avc: denied { write } for pid=4548 comm="nova-api" name="/" dev="tmpfs" ino=7206 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=AVC msg=audit(1404764956.108:1138): avc: denied { read write open } for pid=4980 comm="nova-api" path="/dev/shm/sem.evCqpX" dev="tmpfs" ino=79253 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file
type=AVC msg=audit(1404765012.601:1239): avc: denied { link } for pid=5138 comm="nova-api" name="sem.V0iPmT" dev="tmpfs" ino=85190 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file
type=AVC msg=audit(1404765012.601:1240): avc: denied { remove_name } for pid=5138 comm="nova-api" name="sem.V0iPmT" dev="tmpfs" ino=85190 scontext=sys
type=AVC msg=audit(1404765106.415:1388): avc: denied { getattr } for pid=5354 comm="nova-api" path="/dev/shm/sem.S2pF2e" dev="tmpfs" ino=94592 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file
type=AVC msg=audit(1404765106.415:1389): avc: denied { unlink } for pid=5354 comm="nova-api" name="sem.S2pF2e" dev="tmpfs" ino=94592 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file
```

Version-Release number of selected component (if applicable):
selinux-policy-3.12.1-179.fc20.noarch
selinux-policy-targeted-3.12.1-179.fc20.noarch
upstream nova

How reproducible:
always

Steps to Reproduce:
1. Deploy tripleo overcloud

Actual results:
nova-api fails to start

Expected results:
nova-api starts

Additional info:
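The AVC records pasted in this bug (the original description and the -180 and -181 follow-ups) are the kind of input a policy maintainer triages by hand; the following Python is an added example, not code from the bug report or the selinux-policy project, that parses records in that shape, unions the denied permissions per (source type, target type, object class) the way audit2allow summarizes them, and subtracts whatever a candidate policy change would grant, so the leftover (here the filesystem getattr on tmpfs_t, which a filetrans rule cannot cover) is visible before a build is pushed. The sample records are constructed from this thread's denials, and the permission set passed as `granted` in any caller is an assumption about a change under review, not the real expansion of fs_tmpfs_filetrans().

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the AVC records pasted in this bug report;
# the last record is deliberately truncated like the 'scontext=sys' line there.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1408661444.531:56625): avc: denied { getattr } for pid=30258 comm="nova-api" name="/" dev="tmpfs" ino=7612 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem
type=AVC msg=audit(1408592858.323:51727): avc: denied { write } for pid=25352 comm="nova-api" name="/" dev="tmpfs" ino=7612 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=AVC msg=audit(1408592858.323:51727): avc: denied { add_name } for pid=25352 comm="nova-api" name="sem.wUY5iY" scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=AVC msg=audit(1408592858.323:51727): avc: denied { read write open } for pid=25352 comm="nova-api" path="/dev/shm/sem.wUY5iY" dev="tmpfs" ino=701151 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file
type=AVC msg=audit(1404765012.601:1240): avc: denied { remove_name } for pid=5138 comm="nova-api" name="sem.V0iPmT" dev="tmpfs" ino=85190 scontext=sys
"""
AVC_PERMS = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')
KEY_VALUE = re.compile(r'(\w+)=(\S+)')

def parse_avc(line):
    """(perms, source_type, target_type, tclass), or None if the line is not an
    AVC record or was truncated before both contexts are complete."""
    m = AVC_PERMS.search(line)
    if m is None:
        return None
    fields = dict(KEY_VALUE.findall(line))
    try:  # context layout is user:role:TYPE:level
        stype, ttype = (fields[k].split(':')[2] for k in ('scontext', 'tcontext'))
        tclass = fields['tclass']
    except (KeyError, IndexError):
        return None
    return frozenset(m.group(1).split()), stype, ttype, tclass

def summarize(lines):
    """Union the denied permissions per (source, target, class) triple."""
    needed = defaultdict(set)
    for rec in filter(None, map(parse_avc, lines)):
        perms, stype, ttype, tclass = rec
        needed[(stype, ttype, tclass)] |= perms
    return {key: frozenset(perms) for key, perms in needed.items()}

def remaining(summary, granted):
    """Denials a candidate change would leave: summary minus what it grants
    (`granted` uses the same (source, target, class) -> perms layout)."""
    return {key: perms - granted.get(key, frozenset())
            for key, perms in summary.items()
            if perms - granted.get(key, frozenset())}

def allow_rules(summary):
    """Render a summary as audit2allow-style allow rules, sorted for diffing."""
    return sorted(f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
                  for (s, t, c), p in summary.items())
```

Feeding the real audit.log attached here through `summarize(open(path))` and then `remaining()` with the permissions a proposed interface actually grants is the quick way to see whether a filesystem-class denial survives the change.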