Bug 1325623
| Field | Value |
|---|---|
| Summary | SELinux is preventing httpd from open access on the file /var/log/cinder/cinder-api.log |
| Product | Red Hat OpenStack |
| Component | openstack-selinux |
| Version | 9.0 (Mitaka) |
| Status | CLOSED ERRATA |
| Severity | unspecified |
| Priority | unspecified |
| Target Milestone | ga |
| Target Release | 9.0 (Mitaka) |
| Hardware | Unspecified |
| OS | Unspecified |
| Reporter | Emilien Macchi <emacchi> |
| Assignee | Ryan Hallisey <rhallise> |
| QA Contact | Udi Shkalim <ushkalim> |
| CC | dnavale, eharney, hguemar, lhh, mgrepl, oblaut, srevivo |
| Fixed In Version | openstack-selinux-0.7.2-1.el7ost |
| Doc Type | Bug Fix |
| Doc Text | Previously, running the Block Storage API in WSGI with Apache and SELinux in the 'enforce' mode resulted in an AVC, as SELinux prevented the '/usr/sbin/httpd' from access to the '/var/log/cinder/cinder-api.log' file. With this update, 'httpd' is allowed access to the Block Storage API log file. As a result, the Block Storage API in WSGI runs without AVCs. |
| Type | Bug |
| Last Closed | 2016-08-11 12:15:59 UTC |

Description
Emilien Macchi
2016-04-10 03:12:39 UTC
Just need acks and I'll build openstack-selinux-0.6.59

I still have an AVC with 0.6.59:

```
type=AVC msg=audit(1460418573.405:3254): avc: denied { write } for pid=2191 comm="httpd" name="cinder" dev="vda1" ino=117531620 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cinder_log_t:s0 tclass=dir
type=SYSCALL msg=audit(1460418573.405:3254): arch=c000003e syscall=2 success=no exit=-13 a0=7f814a5f8530 a1=441 a2=1b6 a3=24 items=0 ppid=2176 pid=2191 auid=4294967295 uid=165 gid=165 euid=165 suid=165 fsuid=165 egid=165 sgid=165 fsgid=165 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
```

```
SELinux is preventing /usr/sbin/httpd from write access on the directory cinder.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that httpd should be allowed write access on the cinder directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep httpd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                system_u:object_r:cinder_log_t:s0
Target Objects                cinder [ dir ]
Source                        httpd
Source Path                   /usr/sbin/httpd
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           httpd-2.4.6-40.el7.centos.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-60.el7_2.3.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     jenkins
Platform                      Linux jenkins 3.10.0-327.4.5.el7.x86_64 #1 SMP Mon Jan 25 22:07:14 UTC 2016 x86_64 x86_64
Alert Count                   1
First Seen                    2016-04-11 23:50:46 UTC
Last Seen                     2016-04-11 23:50:46 UTC
Local ID                      c6a6dc1b-96d6-4162-b2eb-4c53ea713210

Raw Audit Messages
type=AVC msg=audit(1460418646.779:3276): avc: denied { write } for pid=2209 comm="httpd" name="cinder" dev="vda1" ino=117531620 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cinder_log_t:s0 tclass=dir
type=SYSCALL msg=audit(1460418646.779:3276): arch=x86_64 syscall=open success=no exit=EACCES a0=7f81380113c0 a1=441 a2=1b6 a3=24 items=0 ppid=2176 pid=2209 auid=4294967295 uid=165 gid=165 euid=165 suid=165 fsuid=165 egid=165 sgid=165 fsgid=165 tty=(none) ses=4294967295 comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null)

Hash: httpd,httpd_t,cinder_log_t,dir,write
```

Created attachment 1146169 [details]
Fix httpd write in cinder log directory

Should fix the last issue

Created attachment 1146172 [details]
Fix httpd write in cinder log directory

Update patch

The fix works fine, Puppet OpenStack CI is currently gating on this package to deploy Cinder in WSGI app with apache: https://github.com/openstack/puppet-openstack-integration/blob/master/manifests/cinder.pp#L69

Based on comment 8 - verified.
openstack-selinux-0.7.3-3.el7ost.noarch

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-1597.html
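As an added example (not code from the bug report or from the openstack-selinux package), a small Python triage helper that parses the AVC records quoted in the comments above, groups denials by source type, target type and object class, and renders the `allow` rule that a local module built with `audit2allow -M` would contain, so the exact scope can be reviewed before anything is installed. The two `dir write` records are copied from the page; the third `file open` record is constructed here to mirror the denial named in the bug summary.

```python
import re
from collections import defaultdict

# Sample audit.log excerpt: the first three records are quoted from the bug
# comments; the last AVC record is CONSTRUCTED to mirror the file-open denial
# from the bug summary (its timestamp, serial and inode are invented).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1460418573.405:3254): avc: denied { write } for pid=2191 comm="httpd" name="cinder" dev="vda1" ino=117531620 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cinder_log_t:s0 tclass=dir
type=SYSCALL msg=audit(1460418573.405:3254): arch=c000003e syscall=2 success=no exit=-13 a0=7f814a5f8530 a1=441 a2=1b6 a3=24 items=0 ppid=2176 pid=2191 auid=4294967295 uid=165 gid=165 euid=165 suid=165 fsuid=165 egid=165 sgid=165 fsgid=165 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1460418646.779:3276): avc: denied { write } for pid=2209 comm="httpd" name="cinder" dev="vda1" ino=117531620 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cinder_log_t:s0 tclass=dir
type=AVC msg=audit(1460418700.000:3300): avc: denied { open } for pid=2209 comm="httpd" path="/var/log/cinder/cinder-api.log" dev="vda1" ino=117531621 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cinder_log_t:s0 tclass=file
"""

# Only AVC records carry a denial; SYSCALL records are skipped by the regex.
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def selinux_type(context):
    """Return the type field (third component) of an SELinux context string."""
    return context.split(":")[2]


def parse_denials(text):
    """Yield (source_type, target_type, tclass, perms) for each AVC denial line."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        yield (selinux_type(m["scontext"]), selinux_type(m["tcontext"]),
               m["tclass"], frozenset(m["perms"].split()))


def allow_rules(text):
    """Merge denials per (source, target, class) and render one TE allow rule each."""
    perms_by_key = defaultdict(set)
    for src, tgt, cls, perms in parse_denials(text):
        perms_by_key[(src, tgt, cls)] |= perms
    return ["allow %s %s:%s { %s };" % (src, tgt, cls, " ".join(sorted(perms)))
            for (src, tgt, cls), perms in sorted(perms_by_key.items())]


if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_AUDIT_LOG):
        print(rule)
```

Seeing the rules side by side makes the point of the bug visible: the `dir write` denial is a separate access vector from the `file open` one in the summary, which is why a first policy build can still leave a residual AVC.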