Bug 1466444
| Summary: | selinux prevents NFS share from being used as gnocchi backend | | |
|---|---|---|---|
| Product: | Red Hat OpenStack | Reporter: | Luca Miccini <lmiccini> |
| Component: | openstack-selinux | Assignee: | Lon Hohberger <lhh> |
| Status: | CLOSED ERRATA | QA Contact: | Aharon Canan <acanan> |
| Severity: | high | Priority: | high |
| Version: | 10.0 (Newton) | CC: | ipilcher, jjoyce, lmiccini, marjones, mburns, mgrepl, oblaut, rhallise, slinaber, srevivo |
| Target Milestone: | z7 | Keywords: | Rebase, Triaged, ZStream |
| Target Release: | 10.0 (Newton) | Hardware: | All |
| OS: | Linux | Type: | Bug |
| Fixed In Version: | openstack-selinux-0.8.11-1.el7ost | Doc Type: | If docs needed, set a value |
| Last Closed: | 2018-02-27 16:43:33 UTC | | |

Description
Luca Miccini
2017-06-29 15:40:04 UTC

Please provide the full audit.log from a run in permissive. audit2allow does not always choose the right way to handle something like this for all cases.

Created attachment 1293221
audit.log

Are we sure the NFS share for gnocchi should be var_lib_t instead of http_var_lib_t? I think it would work with the mount context as httpd_var_lib_t with no policy changes. With the context as noted, the above policy module would work assuming no other AVCs.

adding needinfo for Lon's question

(In reply to Lon Hohberger from comment #3)
> Are we sure the NFS share for gnocchi should be var_lib_t instead of
> http_var_lib_t? I think it would work with the mount context as
> httpd_var_lib_t with no policy changes.

Hi Lon, IIRC I've tried it and it didn't work because of some other component affected by the different context. Sorry if I can't be more precise as I don't have access to that environment anymore. I can try to set something up again once I am back from PTO.

*** Bug 1493275 has been marked as a duplicate of this bug. ***

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0365