Bug 995779
| Summary: | Packstack needs to enable more sebools | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Sandro Mathys <sandro> |
| Component: | openstack-selinux | Assignee: | Lon Hohberger <lhh> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 19 | CC: | derekh, itamar, Jan.van.Eldik, lhh, mmagr, p, sandro |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2014-09-03 20:43:43 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
This should be done in openstack-selinux package I guess. We either did this (EPEL RDO) or it doesn't apply to Fedora (which doesn't have openstack-selinux)
Description of problem:
OpenStack causes a few SELinux AVC denials after being installed with Packstack and some could be prevented by enabling two more SELinux Booleans.

Version-Release number of selected component (if applicable):
Current RDO Havana M2 on F19

How reproducible:
dunno

Steps to Reproduce:
1. packstack --all-in-one --os-quantum-install=n
2. cat /var/log/audit/audit.log | audit2allow
3.

Actual results:
```
#============= rsync_t ==============
#!!!! This avc can be allowed using the boolean 'rsync_full_access'
allow rsync_t var_lock_t:dir write;

#============= swift_t ==============
#!!!! This avc can be allowed using the boolean 'nis_enabled'
allow swift_t self:tcp_socket { accept listen };
allow swift_t user_home_dir_t:dir search;
allow swift_t var_t:dir { write remove_name add_name };
allow swift_t var_t:file { rename read lock create write getattr unlink open };
allow swift_t xserver_port_t:tcp_socket name_bind;
```

Expected results:
No easy-to-avoid SELinux AVC denials.

Additional info:
There's also a few more denials that are not (yet) covered by booleans, so reporting those separately against selinux-policy-targeted.
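As an added example (not from the bug report or the openstack-selinux package), a POSIX shell snippet that extracts the booleans audit2allow suggests from its output, counts the remaining allow rules that no boolean covers, and emits the matching setsebool commands without running them. The reporter's audit2allow output is embedded as a constructed sample; the function names are assumptions.

```shell
#!/bin/sh
# Constructed sample: the audit2allow output quoted in this bug report.
sample_audit2allow() {
cat <<'EOF'
#============= rsync_t ==============
#!!!! This avc can be allowed using the boolean 'rsync_full_access'
allow rsync_t var_lock_t:dir write;

#============= swift_t ==============
#!!!! This avc can be allowed using the boolean 'nis_enabled'
allow swift_t self:tcp_socket { accept listen };
allow swift_t user_home_dir_t:dir search;
allow swift_t var_t:dir { write remove_name add_name };
allow swift_t var_t:file { rename read lock create write getattr unlink open };
allow swift_t xserver_port_t:tcp_socket name_bind;
EOF
}

# Read audit2allow output on stdin; print each boolean it names, once,
# in order of first appearance. The boolean sits in single quotes after
# "using the boolean", so a single '.' swallows the opening quote.
booleans_from_audit2allow() {
    sed -n 's/^#!!!! This avc can be allowed using the boolean .\([A-Za-z0-9_]*\).*/\1/p' \
        | awk '!seen[$0]++'
}

# Count the allow rules that no boolean covers. audit2allow prints the
# "#!!!!" hint directly above the one rule it applies to, so a rule is
# covered only when the line before it was such a hint.
uncovered_rules() {
    awk '
        /^#!!!! This avc can be allowed using the boolean/ { hinted = 1; next }
        /^allow / { if (hinted) hinted = 0; else n++ }
        END { print n + 0 }
    '
}

# Emit, without running, the persistent setsebool commands for the booleans
# found. Check each one with "semanage boolean -l" first: rsync_full_access
# in particular is a broad boolean that widens the policy well beyond var_lock_t.
setsebool_commands() {
    booleans_from_audit2allow | while read -r b; do
        printf 'setsebool -P %s on\n' "$b"
    done
}

# Stand-alone run over the constructed sample.
sample_audit2allow | setsebool_commands
printf 'rules not covered by any boolean: %s\n' "$(sample_audit2allow | uncovered_rules)"
```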