Bug 1144139

Summary: Juno: openstack selinux issues
Product: [Community] RDO Reporter: wes hayutin <whayutin>
Component: openstack-selinuxAssignee: Lon Hohberger <lhh>
Status: CLOSED CURRENTRELEASE QA Contact: Ofer Blaut <oblaut>
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: apevec, lars, ltoscano, mmagr, yeylon
Target Milestone: Milestone3   
Target Release: Juno   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-10-28 11:20:04 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
install and run logs none

Description wes hayutin 2014-09-18 18:44:36 UTC 
Created attachment 939011 [details]
install and run logs

Description of problem:

Selinux issues found in a basic juno packstack install

"type=AVC msg=audit(1411064503.680:4943): avc:  denied  { create } for  pid=12850 comm=\"glance-api\" scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:system_r:glance_api_t:s0 tclass=unix_dgram_socket", 

"type=AVC msg=audit(1411064503.680:4944): avc:  denied  { connect } for  pid=12850 comm=\"glance-api\" scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:system_r:glance_api_t:s0 tclass=unix_dgram_socket", 

"type=AVC msg=audit(1411064527.439:5190): avc:  denied  { getattr } for  pid=13479 comm=\"nova-api\" name=\"/\" dev=\"tmpfs\" ino=6156 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem", 

"type=AVC msg=audit(1411064527.439:5191): avc:  denied  { write } for  pid=13479 comm=\"nova-api\" name=\"/\" dev=\"tmpfs\" ino=6156 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir", 

"type=AVC msg=audit(1411064527.439:5191): avc:  denied  { add_name } for  pid=13479 comm=\"nova-api\" name=\"sem.s8Uhnq\" scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir", 

"type=AVC msg=audit(1411064527.439:5191): avc:  denied  { create } for  pid=13479 comm=\"nova-api\" name=\"sem.s8Uhnq\" scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file", 

"type=AVC msg=audit(1411064527.439:5191): avc:  denied  { read write open } for  pid=13479 comm=\"nova-api\" path=\"/dev/shm/sem.s8Uhnq\" dev=\"tmpfs\" ino=93547 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file", 

"type=AVC msg=audit(1411064527.439:5192): avc:  denied  { link } for  pid=13479 comm=\"nova-api\" name=\"sem.s8Uhnq\" dev=\"tmpfs\" ino=93547 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file", 

"type=AVC msg=audit(1411064527.439:5193): avc:  denied  { getattr } for  pid=13479 comm=\"nova-api\" path=\"/dev/shm/sem.s8Uhnq\" dev=\"tmpfs\" ino=93547 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file", 

"type=AVC msg=audit(1411064527.439:5194): avc:  denied  { remove_name } for  pid=13479 comm=\"nova-api\" name=\"sem.s8Uhnq\" dev=\"tmpfs\" ino=93547 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir", 

"type=AVC msg=audit(1411064527.439:5194): avc:  denied  { unlink } for  pid=13479 comm=\"nova-api\" name=\"sem.s8Uhnq\" dev=\"tmpfs\" ino=93547 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file"
Comment 1 wes hayutin 2014-10-02 14:54:28 UTC 
*** Bug 1148474 has been marked as a duplicate of this bug. ***
Comment 2 wes hayutin 2014-10-02 14:54:59 UTC 
*** Bug 1139771 has been marked as a duplicate of this bug. ***
Comment 3 Alan Pevec 2014-10-28 11:20:04 UTC 
openstack-selinux in RDO EL7 was updated to openstack-selinux-0.5.19-2
and RDO Fedora includes patched selinux-policy-3.13.1-91rdo
* Fri Oct 24 2014 Lon Hohberger <lhh> 3.13.1-91rdo.1
- Import fixes from openstack-selinux