Bug 1268124
| Summary: | Nova rootwrap-daemon requires a selinux exception | | |
|---|---|---|---|
| Product: | [Community] RDO | Reporter: | David Moreau Simard <dmsimard> |
| Component: | openstack-selinux | Assignee: | Lon Hohberger <lhh> |
| Status: | CLOSED EOL | QA Contact: | Ofer Blaut <oblaut> |
| Severity: | high | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | trunk | CC: | apevec, dmsimard, lhh, srevivo |
| Target Milestone: | --- | | |
| Target Release: | Kilo | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2016-05-19 15:51:16 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
David Moreau Simard
2015-10-01 21:20:58 UTC
There are probably more AVCs to add; run permissive and collect them all. This is the only rule needed, it seems:

```
# grep nova-rootwrap-d /var/log/audit/audit.log | audit2allow
#============= nova_api_t ==============
allow nova_api_t nova_api_tmp_t:sock_file { create unlink getattr setattr write };
```

Adding that as follows allows nova-api to start, and I've confirmed that commands are now executed through the rootwrap daemon:

```
# grep nova-rootwrap-d /var/log/audit/audit.log | audit2allow -M nova-rootwrap-d
# semodule -i nova-rootwrap-d.pp
```

p.s. I added the 'write' in manually to the above, as that was reported as a subsequent denial only after the initial functions were allowed.

This bug is against a Version which has reached End of Life. If it's still present in a supported release (http://releases.openstack.org), please update Version and reopen.
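The comment above relies on `audit2allow` to turn AVC denials into an allow rule, and notes that the `write` permission only showed up as a later denial once the first ones were allowed. The following script is an added example, not part of the bug report or of openstack-selinux; it is a simplified re-implementation of the part of `audit2allow` that matters here: it parses the AVC lines for one `comm`, unions the permissions over every denial that shares the same source type, target type and object class, and prints the resulting `.te` rule. The audit log lines are constructed to resemble the nova-rootwrap-d denials the report describes (timestamps, pids and the extra `httpd` record are invented), and `permissive=1` on them reflects the reporter's advice to collect denials in permissive mode so that none are hidden behind the first refusal.

```python
import re
from collections import defaultdict

# Constructed sample audit.log content (not from the bug report). The first four
# records imitate the nova-rootwrap-d denials described above; the httpd record and
# the SYSCALL record are there to show that unrelated lines are filtered out.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1443734458.101:201): avc:  denied  { create } for  pid=4311 comm="nova-rootwrap-d" name="rootwrap.sock" scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:nova_api_tmp_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1443734458.102:202): avc:  denied  { setattr } for  pid=4311 comm="nova-rootwrap-d" name="rootwrap.sock" scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:nova_api_tmp_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1443734458.103:203): avc:  denied  { getattr unlink } for  pid=4311 comm="nova-rootwrap-d" name="rootwrap.sock" scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:nova_api_tmp_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1443734520.004:210): avc:  denied  { write } for  pid=4311 comm="nova-rootwrap-d" name="rootwrap.sock" scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:nova_api_tmp_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1443734530.000:211): avc:  denied  { read } for  pid=999 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1443734458.101:201): arch=c000003e syscall=49 success=yes exit=0
"""

# Matches the fields of an AVC denial record in the kernel's audit format.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+).*?'
    r'tcontext=(?P<tcontext>\S+).*?'
    r'tclass=(?P<tclass>\S+)'
)


def context_type(ctx):
    """Return the type field (third colon-separated field) of an SELinux context."""
    return ctx.split(":")[2]


def parse_avc_denials(log_text, comm=None):
    """Yield (source_type, target_type, tclass, perms) for each AVC denial.

    If comm is given, only records from that command name are returned, which is
    what the 'grep nova-rootwrap-d' in the report achieves.
    """
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, PATH and other non-AVC records
        if comm is not None and m.group("comm") != comm:
            continue
        yield (context_type(m.group("scontext")),
               context_type(m.group("tcontext")),
               m.group("tclass"),
               set(m.group("perms").split()))


def merge_denials(log_text, comm=None):
    """Union the permissions of all denials sharing (source, target, class).

    This is why the late 'write' denial ends up in the same rule as the earlier
    create/unlink/getattr/setattr ones instead of needing a hand edit.
    """
    merged = defaultdict(set)
    for src, tgt, tclass, perms in parse_avc_denials(log_text, comm):
        merged[(src, tgt, tclass)] |= perms
    return dict(merged)


def allow_rules(merged):
    """Render merged denials as allow rules in the .te syntax audit2allow emits."""
    return ["allow %s %s:%s { %s };" % (src, tgt, tclass, " ".join(sorted(perms)))
            for (src, tgt, tclass), perms in sorted(merged.items())]


if __name__ == "__main__":
    for rule in allow_rules(merge_denials(SAMPLE_AUDIT_LOG, comm="nova-rootwrap-d")):
        print(rule)
```

Run against a real `/var/log/audit/audit.log`, the script reproduces the grep-and-merge step only; building and loading the module is still `audit2allow -M` plus `semodule -i` as in the report. Filtering on `comm` matters: without it, the unrelated `httpd` denial in the sample would become a second allow rule, and in a real log a module built from every denial on the box would grant far more than the rootwrap daemon needs.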