Bug 1475378

Summary: SELinux policy blocks Cinder backend for Glance
Product: Red Hat OpenStack Reporter: Eric Harney <eharney>
Component: openstack-selinuxAssignee: Lon Hohberger <lhh>
Status: CLOSED ERRATA QA Contact: Mike Abrams <mabrams>
Severity: high Docs Contact:
Priority: high    
Version: 12.0 (Pike)CC: cyril, eharney, mburns, mgrepl, pgrist, rhallise, srevivo, tshefi, tvignaud
Target Milestone: gaKeywords: Triaged
Target Release: 12.0 (Pike)   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: openstack-selinux-0.8.8-0.20170804200925.ad96ed3.el7ost Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-12-13 21:44:48 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1293435, 1646932    
Attachments:
Description Flags
audit.log in permissive mode none

Description Eric Harney 2017-07-26 14:18:19 UTC 
Created attachment 1304822 [details]
audit.log in permissive mode

Description of problem:
SELinux policy needs additions to support the Cinder backend for Glance

Version-Release number of selected component (if applicable):
OSP12


Steps to Reproduce:
1. Configure Cinder backend for Glance
2. Attempt to upload an image from a file to Glance


Actual results:
Fails w/ HTTP 500


Additional info:
The Cinder backend for Glance uses os-brick and oslo.privsep to connect to volumes, which is different from other Glance backends.

A previous attempt to address this same case is here:
https://bugzilla.redhat.com/show_bug.cgi?id=1395240

Note: it is not possible to test this out of the box on OSP12 today because some configuration changes in the Glance packages that have not yet landedg.  (These were configured by hand on the test machine used to generate the audit log here.)
Comment 1 Lon Hohberger 2017-08-04 19:03:23 UTC 
https://github.com/redhat-openstack/openstack-selinux/commit/5002b373a03c3910cc7a5fbd94468e8e3b84d55c
Comment 5 Paul Grist 2017-11-15 03:01:35 UTC 
Does the verification of the glance-cinder backend effectively verify this one?
Comment 6 Lon Hohberger 2017-12-01 20:00:48 UTC 
I'd think so
Comment 7 Eric Harney 2017-12-01 20:20:17 UTC 
Yes, I agree.
Comment 11 errata-xmlrpc 2017-12-13 21:44:48 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:3462