Bug 1098234

Summary: provide selinux policy for --allinone
Product: Red Hat OpenStack
Reporter: Dave Allan <dallan>
Component: openstack-selinux
Assignee: Ryan Hallisey <rhallise>
Status: CLOSED ERRATA
QA Contact: Ami Jeain <ajeain>
Severity: high
Priority: unspecified
Version: 5.0 (RHEL 7)
CC: acathrow, lbezdick, lhh, mgrepl, oblaut, ohochman, rhallise, ssekidde, yeylon
Target Milestone: rc
Target Release: 5.0 (RHEL 7)
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2014-07-08 15:13:24 UTC
Type: Bug
Attachments: audit log with AVCs from an initial install and boot of an instance (flags: none)

Description Dave Allan 2014-05-15 14:23:57 UTC
Running packstack --allinone on RHEL7 generates AVCs.  This BZ tracks the generation of policy to permit RHOS 5 to run with selinux enabled.  I'll attach the audit log of my system running in permissive mode.

Comment 2 Dave Allan 2014-05-15 14:27:34 UTC
Created attachment 895959 [details]
audit log with AVCs from an initial install and boot of an instance

Comment 3 Ryan Hallisey 2014-05-16 13:40:49 UTC
#============= neutron_t ==============
allow neutron_t netutils_exec_t:file { read execute open execute_no_trans };
allow neutron_t self:capability dac_override;
allow neutron_t self:packet_socket { bind create getattr };
allow neutron_t self:process setcap;
allow neutron_t sysctl_net_t:dir search;
allow neutron_t sysctl_net_t:file { write getattr open };
allow neutron_t var_run_t:file { read create open };

#============= swift_t ==============
allow swift_t file_t:dir { read getattr open };

enable bool: nis_enabled

These are the fixes from Dave's log.  What else did you run into?

Comment 4 Dave Allan 2014-05-16 13:55:06 UTC
(In reply to Ryan Hallisey from comment #3)
> These are the fixes from Dave's log.  What else did you run into?

That log has everything so far.  If you get me a test package, I'll retry.

Comment 5 Miroslav Grepl 2014-05-16 15:02:31 UTC
We are working with lbezdick on fixes. Basically, most of these AVCs have already been fixed.

Comment 10 Lukas Bezdicka 2014-05-23 15:45:00 UTC
Thanks, new builds only throw:
allow swift_t xserver_port_t:tcp_socket name_bind;

Comment 13 Ryan Hallisey 2014-06-05 21:20:27 UTC
#============= swift_t ==============
allow swift_t tmpfs_t:file { write getattr link read create unlink open };
allow swift_t xserver_port_t:tcp_socket name_bind;
allow swift_t httpd_config_t:dir search;
allow swift_t keystone_port_t:tcp_socket name_connect;
allow swift_t memcache_port_t:tcp_socket name_connect;

#============= neutron_t ==============
allow neutron_t var_run_t:file { read create open };
allow neutron_t tmp_t:dir create;

#============= nagios_t ==============
allow nagios_t ping_exec_t:file { read execute open execute_no_trans };
allow nagios_t self:capability net_raw;
allow nagios_t self:process setcap;
allow nagios_t self:rawip_socket { getopt create setopt };

sekidde is going to post a package with fixes.
sekidde and I were concerned over the two neutron allow rules.
Mgrepl, if you think they are ok, can you put this into selinux-policy if there is still time for RHEL 6.6 & 7?
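The rule lists in comments 3 and 13 are audit2allow-style output derived from AVC denials. As an added example (not the bug's attachment, audit2allow's own code, or anything from the openstack-selinux package), the following Python shows how such rules are grouped per source domain from raw audit lines and flags the rules a policy reviewer would question, such as the two neutron rules against generic types; the AVC lines are constructed and GENERIC_TARGETS is this example's own heuristic.

```python
import re
from collections import defaultdict
# Constructed AVC denials in audit.log format (not lines from the bug's attachment).
SAMPLE_AVCS = """\
type=AVC msg=audit(1400164800.101:201): avc:  denied  { read } for  pid=2001 comm="neutron-server" name="x.pid" scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1400164800.102:202): avc:  denied  { create } for  pid=2001 comm="neutron-server" name="x.pid" scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1400164800.104:204): avc:  denied  { dac_override } for  pid=2001 comm="neutron-server" capability=1 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:system_r:neutron_t:s0 tclass=capability
type=AVC msg=audit(1400164800.105:205): avc:  denied  { name_bind } for  pid=3001 comm="swift-object-se" src=6000 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:xserver_port_t:s0 tclass=tcp_socket
Jun  8 08:02:08 puma04 dbus[804]: avc:  received policyload notice (seqno=2)
"""
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?scontext=\w+:\w+:(?P<stype>\w+):\S+"
    r"\s+tcontext=\w+:\w+:(?P<ttype>\w+):\S+\s+tclass=(?P<tclass>\w+)")

def parse_avcs(text):  # -> {source type: {(target type, class): set of permissions}}
    rules = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # "received policyload notice" and other non-denial lines
        ttype = m.group("ttype")
        if ttype == m.group("stype"):
            ttype = "self"  # capability/process checks target the domain itself
        rules[m.group("stype")][(ttype, m.group("tclass"))].update(m.group("perms").split())
    return rules

def format_rules(rules):  # audit2allow-style text, as quoted in this bug
    out = []
    for stype in sorted(rules):
        out.append(f"#============= {stype} ==============")
        for (ttype, tclass), perms in sorted(rules[stype].items()):
            joined = " ".join(sorted(perms))
            perm = joined if len(perms) == 1 else "{ " + joined + " }"
            out.append(f"allow {stype} {ttype}:{tclass} {perm};")
        out.append("")
    return "\n".join(out).rstrip()

# This example's heuristic (not audit2allow's): denials against generic types such as var_run_t
# usually mean a mislabeled object that needs a file-context or port label fix, not an allow.
GENERIC_TARGETS = {"var_run_t", "tmp_t", "tmpfs_t", "file_t", "default_t"}

def review(rules):  # -> [(source, target, class, reason)] a policy reviewer should question
    flagged = []
    for stype, targets in rules.items():
        for (ttype, tclass), perms in targets.items():
            if ttype in GENERIC_TARGETS:
                flagged.append((stype, ttype, tclass, "generic target type: relabel instead"))
            if tclass == "capability" and "dac_override" in perms:
                flagged.append((stype, ttype, tclass, "dac_override bypasses DAC file checks"))
    return flagged
```

Swift's object server default port 6000 falls inside the xserver_port_t range (6000-6020 tcp in the targeted policy), which is why the name_bind denial in comment 10 is a port-labeling question rather than a reason to grant swift_t xserver ports.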

Comment 16 Ryan Hallisey 2014-06-06 16:31:02 UTC
Test with the newest policy and post back with any new AVCs.

Comment 17 Ofer Blaut 2014-06-08 05:45:23 UTC
No issue is seen with:

[root@puma04 ~(keystone_admin_tenant1)]$grep avc /var/log/messages 
Jun  8 08:02:08 puma04 dbus-daemon: dbus[804]: avc:  received policyload notice (seqno=2)
Jun  8 08:02:08 puma04 dbus[804]: avc:  received policyload notice (seqno=2)
Jun  8 08:02:14 puma04 kernel: type=1107 audit(1402203734.891:5): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=2)
Jun  8 08:25:11 puma04 dbus-daemon: dbus[804]: avc:  received policyload notice (seqno=3)
Jun  8 08:25:11 puma04 dbus[804]: avc:  received policyload notice (seqno=3)
Jun  8 08:25:13 puma04 dbus-daemon: dbus[804]: avc:  received policyload notice (seqno=4)
Jun  8 08:25:13 puma04 dbus[804]: avc:  received policyload notice (seqno=4)
[root@puma04 ~(keystone_admin_tenant1)]$grep avc /var/log/messages ^C
[root@puma04 ~(keystone_admin_tenant1)]$rpm -qa | grep selinux
libselinux-2.2.2-6.el7.x86_64
libselinux-utils-2.2.2-6.el7.x86_64
libselinux-ruby-2.2.2-6.el7.x86_64
selinux-policy-targeted-3.12.1-153.el7_0.10.noarch
libselinux-python-2.2.2-6.el7.x86_64
selinux-policy-3.12.1-153.el7_0.10.noarch

Comment 20 errata-xmlrpc 2014-07-08 15:13:24 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHEA-2014-0845.html