Bug 1203910

Summary: Keystone requires keystone_t self:process signal;
Product: [Community] RDO
Reporter: daniel
Component: openstack-selinux
Assignee: Lon Hohberger <lhh>
Status: CLOSED EOL
QA Contact: Ofer Blaut <oblaut>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: Juno
CC: srevivo
Target Milestone: ---
Target Release: Kilo
Hardware: All
OS: All
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-05-19 16:03:22 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description daniel 2015-03-19 23:28:28 UTC
Description of problem:
OpenStack keystone needs the following policy:

#============= keystone_t ==============
allow keystone_t self:process signal;

or else it will throw an error on startup. Certain LDAP-related functionality does not work without that policy too.

Version-Release number of selected component (if applicable):
Name        : openstack-selinux
Version     : 0.5.19
Release     : 2.el7ost
From repo   : openstack-juno

Name        : openstack-keystone
Version     : 2014.2.2
Release     : 1.el7
From repo   : openstack-juno

How reproducible:
Start openstack-keystone

Actual results:
/var/log/keystone/keystone.log will contain:
2015-03-19 19:26:12.606 17546 CRITICAL keystone [-] OSError: [Errno 13] Permission denied
2015-03-19 19:26:12.606 17546 TRACE keystone Traceback (most recent call last):
2015-03-19 19:26:12.606 17546 TRACE keystone   File "/usr/bin/keystone-all", line 164, in <module>
2015-03-19 19:26:12.606 17546 TRACE keystone     serve(*servers)
2015-03-19 19:26:12.606 17546 TRACE keystone   File "/usr/bin/keystone-all", line 104, in serve
2015-03-19 19:26:12.606 17546 TRACE keystone     launcher.wait()
2015-03-19 19:26:12.606 17546 TRACE keystone   File "/usr/lib/python2.7/site-packages/keystone/openstack/common/service.py", line 410, in wait
2015-03-19 19:26:12.606 17546 TRACE keystone     self.stop()
2015-03-19 19:26:12.606 17546 TRACE keystone   File "/usr/lib/python2.7/site-packages/keystone/openstack/common/service.py", line 417, in stop
2015-03-19 19:26:12.606 17546 TRACE keystone     os.kill(pid, signal.SIGTERM)
2015-03-19 19:26:12.606 17546 TRACE keystone OSError: [Errno 13] Permission denied
2015-03-19 19:26:12.606 17546 TRACE keystone 

Expected results:
No such error should appear.

Additional info:

# audit2allow -a

#============= keystone_t ==============
allow keystone_t self:process signal;

#============= nova_api_t ==============
allow nova_api_t gconf_home_t:dir search;
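
The traceback shows where the denial comes from: the keystone-all launcher calls os.kill(pid, signal.SIGTERM) on its own worker processes, and parent and workers all run in the keystone_t domain, so SELinux checks the signal permission of the process class against self (SIGTERM maps to signal; SIGKILL and SIGSTOP are the separate sigkill and sigstop permissions). The second rule that audit2allow -a printed (nova_api_t searching gconf_home_t) is unrelated to Keystone and should not be allowed merely because it appeared in the same output. The script below is an added example and is not code from the bug report or from openstack-selinux: it scopes the audit query to the failing process, turns each AVC record into the allow rule audit2allow would print, and writes a complete .te module that can be read before it is built. The module name keystone_signal is an assumption, and the two AVC records embedded for offline use are constructed to match the shape auditd writes for this denial (pids, inode and timestamps are made up; the second record adds a read permission to exercise the multi-permission form).

```shell
#!/bin/sh
# Added example for bug 1203910; not part of the report or of openstack-selinux.
# Build a reviewed local SELinux module for the keystone_t self:process signal
# denial instead of loading raw `audit2allow -a` output.
#
# Assumptions: module name keystone_signal; the two AVC records below are
# constructed (pids, inode, timestamps made up) to match auditd's raw format.

SAMPLE_AVC='type=AVC msg=audit(1426807572.606:1234): avc:  denied  { signal } for  pid=17546 comm="keystone-all" scontext=system_u:system_r:keystone_t:s0 tcontext=system_u:system_r:keystone_t:s0 tclass=process'
# Constructed record for the unrelated nova_api_t denial; "read" is added to
# the report's "search" so the braced multi-permission form is exercised.
SAMPLE_AVC_DIR='type=AVC msg=audit(1426807572.610:1235): avc:  denied  { read search } for  pid=17601 comm="nova-api" name=".gconf" dev="dm-0" ino=4242 scontext=system_u:system_r:nova_api_t:s0 tcontext=unconfined_u:object_r:gconf_home_t:s0 tclass=dir'

# avc_to_rule RECORD: print the allow rule one AVC record implies (what
# audit2allow prints for it). Four fields matter: the type in scontext, the
# type in tcontext, tclass and the permission set. A target of the same type
# as the source is written as "self", as in the bug's rule.
avc_to_rule() {
    rec=$1
    src=$(printf '%s\n' "$rec" | sed -n 's/.*scontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p')
    tgt=$(printf '%s\n' "$rec" | sed -n 's/.*tcontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p')
    cls=$(printf '%s\n' "$rec" | sed -n 's/.*tclass=\([^ ]*\).*/\1/p')
    perms=$(printf '%s\n' "$rec" | sed -n 's/.*denied *{\([^}]*\)}.*/\1/p' | tr -s ' ' | sed -e 's/^ //' -e 's/ $//')
    if [ "$src" = "$tgt" ]; then
        tgt=self
    fi
    case $perms in
        *' '*) perms="{ $perms }" ;;   # several permissions need braces
    esac
    printf 'allow %s %s:%s %s;\n' "$src" "$tgt" "$cls" "$perms"
}

# te_module NAME: read raw audit records on stdin (ausearch -r output) and
# write a complete .te source for checkmodule. The require{} block must
# declare every type and every class/permission the rules reference.
te_module() {
    name=$1
    rules=$(while IFS= read -r rec; do
        case $rec in *'avc:  denied'*) avc_to_rule "$rec" ;; esac
    done | sort -u)
    if [ -z "$rules" ]; then
        echo "te_module: no AVC denials on stdin" >&2
        return 1
    fi
    # types: the source type, plus the target type unless it is "self"
    types=$(printf '%s\n' "$rules" | awk '{ print $2; split($3, t, ":"); if (t[1] != "self") print t[1] }' | sort -u)
    # classes: "class <tclass> <perms>;" per rule
    classes=$(printf '%s\n' "$rules" | sed 's/;$//' | awk '{ split($3, t, ":"); p = $4; for (i = 5; i <= NF; i++) p = p " " $i; print "class " t[2] " " p ";" }' | sort -u)
    printf 'module %s 1.0;\n\nrequire {\n' "$name"
    printf '%s\n' "$types" | sed 's/^/    type /' | sed 's/$/;/'
    printf '%s\n' "$classes" | sed 's/^/    /'
    printf '}\n\n# generated from AVC records; review every rule before loading\n%s\n' "$rules"
}

# build_and_load NAME FILE.te: compile, package and insert the module, then
# confirm the rule is in the loaded policy. Needs policycoreutils, setools
# and root; only run when the script is invoked with "install".
build_and_load() {
    name=$1
    te=$2
    checkmodule -M -m -o "$name.mod" "$te"
    semodule_package -o "$name.pp" -m "$name.mod"
    semodule -i "$name.pp"
    sesearch -A -s keystone_t -t keystone_t -c process -p signal
}

# "gen" limits the query to keystone-all's own denials (-c is the comm
# filter), so the nova_api_t record never enters this module.
case ${1:-} in
    gen)     ausearch -m avc -c keystone-all -r | te_module keystone_signal > keystone_signal.te ;;
    install) build_and_load keystone_signal keystone_signal.te ;;
esac
```

Run it as `sh keystone_signal.sh gen` on the affected host, read keystone_signal.te, then `sh keystone_signal.sh install`. Two caveats: the module grants only signal, so if the launcher ever escalated to SIGKILL that would need sigkill in the same class; and a denial that turns out to be harmless noise (the gconf_home_t search is a candidate) is better silenced with a dontaudit rule than allowed.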

Comment 1 Chandan Kumar 2016-05-19 16:03:22 UTC
This bug is against a Version which has reached End of Life.
If it's still present in supported release (http://releases.openstack.org), please update Version and reopen.