Bug 1268124
| Summary: | Nova rootwrap-daemon requires a selinux exception | ||
|---|---|---|---|
| Product: | [Community] RDO | Reporter: | David Moreau Simard <dmsimard> |
| Component: | openstack-selinux | Assignee: | Lon Hohberger <lhh> |
| Status: | CLOSED EOL | QA Contact: | Ofer Blaut <oblaut> |
| Severity: | high | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | trunk | CC: | apevec, dmsimard, lhh, srevivo |
| Target Milestone: | --- | ||
| Target Release: | Kilo | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2016-05-19 15:51:16 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
David Moreau Simard
2015-10-01 21:20:58 UTC
There are probably more AVCs to add, run permissive and collect them all. This is the only rule needed it seems:
# grep nova-rootwrap-d /var/log/audit/audit.log | audit2allow
#============= nova_api_t ==============
allow nova_api_t nova_api_tmp_t:sock_file { create unlink getattr setattr write };
Adding that as follows allows nova-api to start and I've
confirmed that commands are now executed through the rootwrap daemon
# grep nova-rootwrap-d /var/log/audit/audit.log | audit2allow -M nova-rootwrap-d
# semodule -i nova-rootwrap-d.pp
p.s. I added the 'write' in manually to the above as that was reported as a subsequent denial only after the initial functions were allowed.
This bug is against a Version which has reached End of Life. If it's still present in supported release (http://releases.openstack.org), please update Version and reopen. |