Bug 1280101
Summary: | rhel-osp-director: 8.0 - selinux errors on controllers.
---|---
Product: | Red Hat OpenStack
Reporter: | Alexander Chuzhoy <sasha>
Component: | openstack-selinux
Assignee: | Ryan Hallisey <rhallise>
Status: | CLOSED ERRATA
QA Contact: | Alexander Chuzhoy <sasha>
Severity: | high
Priority: | high
Version: | 7.0 (Kilo)
CC: | jschluet, kbasil, lhh, mburns, mgrepl, rhel-osp-director-maint, yeylon
Target Milestone: | beta
Keywords: | Triaged
Target Release: | 8.0 (Liberty)
Hardware: | Unspecified
OS: | Unspecified
Fixed In Version: | openstack-selinux-0.6.45-1.el7ost
Doc Type: | Bug Fix
Last Closed: | 2016-04-07 21:11:29 UTC
Type: | Bug

Description
Alexander Chuzhoy
2015-11-10 23:01:38 UTC
Created attachment 1092498: /var/log/messages
Created attachment 1092499: /var/log/audit/audit.log

I still see the default_t issue again. This is caused because a dir is being created in the '/' directory that does not have the correct label. 'default_t' is assigned to a directory in '/' that hasn't had its label restored or assigned. The fix for this is after you create '/<my_dir>' run $ restorecon -Rv /<my_dir>.

type=AVC msg=audit(1447195524.746:1877): avc: denied { execmem } for pid=12896 comm="nova-api" scontext=system_u:system_r:nova_t:s0 tcontext=system_u:system_r:nova_t:s0 tclass=process

This AVC is problematic. The type nova_t only exists on rhel7.

Added in some optional policy for nova_t. Hopefully this should solve the issue or at least reveal what else could be causing the issue.

Verified:
Environment: openstack-selinux-0.6.48-1.el7ost.noarch
With the new subject in mind, verified that there are no avc messages on controllers in /var/log/audit/audit.log.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHEA-2016-0603.html
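An added example (not part of the bug report or of openstack-selinux): a small Python triage of AVC denials like the one quoted above, separating targets labeled default_t, where the restorecon fix from the comments applies, from process permissions such as execmem, which this report addressed through policy. The second sample line, its path and process names, and the hint strings are constructed for illustration.

```python
import re

# Line 1 is the denial quoted in this report. Line 2 is a constructed
# default_t denial (hypothetical path and process). Line 3 is a non-AVC record.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1447195524.746:1877): avc: denied { execmem } for pid=12896 comm="nova-api" scontext=system_u:system_r:nova_t:s0 tcontext=system_u:system_r:nova_t:s0 tclass=process
type=AVC msg=audit(1447195530.101:1901): avc:  denied  { read open } for  pid=2211 comm="httpd" name="my_dir" dev="vda1" ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir
type=SYSCALL msg=audit(1447195530.101:1901): arch=c000003e syscall=2 success=no exit=-13
"""

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+"
    r"\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc_denials(text):
    """Return one dict per AVC denial line; other audit records are skipped."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
        rec["perms"] = m.group("perms").split()
        # An SELinux context is user:role:type:level; the type is field 3.
        rec["source_type"] = rec["scontext"].split(":")[2]
        rec["target_type"] = rec["tcontext"].split(":")[2]
        denials.append(rec)
    return denials


def triage(denials):
    """Attach a follow-up hint to each denial, following this report."""
    findings = []
    for d in denials:
        if d["target_type"] == "default_t":
            hint = "relabel: run restorecon -Rv on the newly created directory"
        elif d["tclass"] == "process" and "execmem" in d["perms"]:
            hint = "policy: process permission, relabeling does not apply"
        else:
            hint = "review: check policy for this source/target pair"
        findings.append((d["comm"], d["source_type"], d["target_type"], hint))
    return findings


if __name__ == "__main__":
    for finding in triage(parse_avc_denials(SAMPLE_AUDIT_LOG)):
        print(finding)
```

An empty result from `parse_avc_denials` over a controller's audit log corresponds to the "no avc messages" check used to verify the fix.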