Bug 1170223

Summary: Need selinux policy for OpenStack Keystone running in Apache with mod_wsgi
Product: [Fedora] Fedora Reporter: Rich Megginson <rmeggins>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: urgent Docs Contact:
Priority: urgent    
Version: 21CC: apevec, dominick.grift, dwalsh, ebenes, extras-qa, lvrabec, markmc, mgrepl, mmagr, mmalik, nfritz, nkinder, plautrba, rmeggins, ukalifon, yeylon
Target Milestone: ---Keywords: Reopened, Tracking
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: selinux-policy-3.13.1-105.19.fc21 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 1170218
: 1170224 (view as bug list) Environment:
Last Closed: 2015-07-14 15:50:19 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1111274, 1122764, 1122767, 1138424, 1170218, 1180230    
Bug Blocks: 1123117, 1126594, 1154615, 1170224, 1170225, 1170370, 1170372    
Description Flags
audit.log httpd related messages
audit2allow -a -w output
audit2allow -a -R output none

Comment 1 Rich Megginson 2015-04-07 14:26:45 UTC
I am reopening this bug.  There are still httpd related AVCs with Keystone on F21.

Comment 2 Rich Megginson 2015-04-07 14:27:29 UTC
Created attachment 1011795 [details]
audit.log httpd related messages

Comment 3 Rich Megginson 2015-04-07 14:28:03 UTC
Created attachment 1011796 [details]
audit2allow -a -w output

Comment 4 Rich Megginson 2015-04-07 14:28:30 UTC
Created attachment 1011797 [details]
audit2allow -a -R output

Comment 5 Rich Megginson 2015-04-07 14:29:14 UTC
We need this fixed ASAP as it is causing a lot of problems for people trying to deploy OpenStack on F21.

Comment 6 Lukas Vrabec 🐦 2015-04-08 15:39:17 UTC
Do you have some reproducer?

Comment 8 Rich Megginson 2015-04-23 14:18:53 UTC
Failed again: https://bugzilla.redhat.com/show_bug.cgi?id=1207098#c20

Comment 9 Miroslav Grepl 2015-05-12 08:24:17 UTC
commit f6fdaaaba8065f3f727f1360bd505cd78b154c21
Author: Miroslav Grepl <mgrepl@redhat.com>
Date:   Tue May 12 10:21:03 2015 +0200

    Allow cinder-backup to dbus chat with systemd-logind. BZ(1207098)

commit d7d35ca3d310bb042e7d51565edb1d1b9e162436
Author: Miroslav Grepl <mgrepl@redhat.com>
Date:   Tue May 12 10:14:26 2015 +0200

    Update httpd_use_openstack boolean to allow httpd to bind commplex_main_port and read keystone log files.

Comment 10 Fedora Update System 2015-06-24 12:28:52 UTC
selinux-policy-3.13.1-105.18.fc21 has been submitted as an update for Fedora 21.

Comment 11 Fedora Update System 2015-06-25 08:22:31 UTC
Package selinux-policy-3.13.1-105.18.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.13.1-105.18.fc21'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).

Comment 12 Fedora Update System 2015-06-30 07:31:20 UTC
selinux-policy-3.13.1-105.19.fc21 has been submitted as an update for Fedora 21.

Comment 13 Fedora Update System 2015-07-14 15:50:19 UTC
selinux-policy-3.13.1-105.19.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.