Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1104609

Summary: SELinux denies access to /var/log/horizon/horizon.log
Product: Red Hat OpenStack Reporter: Matthias Runge <mrunge>
Component: openstack-selinuxAssignee: RHOS Maint <rhos-maint>
Status: CLOSED CURRENTRELEASE QA Contact: Ami Jeain <ajeain>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 5.0 (RHEL 7)CC: dominick.grift, dwalsh, itamar, Jan.van.Eldik, jose.castro.leon, jpichon, lhh, lvrabec, mgrepl, mrunge, nsantos, yeylon
Target Milestone: ---   
Target Release: 5.0 (RHEL 7)   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 1089371 Environment:
Last Closed: 2014-06-06 06:52:22 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1089371    
Bug Blocks:    

Description Matthias Runge 2014-06-04 10:49:59 UTC 
+++ This bug was initially created as a clone of Bug #1089371 +++

[Fri Apr 18 14:47:32.267046 2014] [:error] [pid 1470] [remote ::1:11094] ValueError: Unable to configure handler 'file': [Errno 13] Permission denied: '/var/log/horizon/horizon.log'
^C
[root@sofja ~]# ls -lZ /var/log/httpd/access_log
-rw-r--r--. root root system_u:object_r:httpd_log_t:s0 /var/log/httpd/access_log
[root@sofja ~]# ls -lZ /var/log/horizon/horizon.log 
-rw-r--r--. apache apache system_u:object_r:var_log_t:s0   /var/log/horizon/horizon.log

--- Additional comment from Miroslav Grepl on 2014-05-21 05:44:52 EDT ---

How is /var/log/horizon/horizon.log created?

# rpm -qf /var/log/horizon

If you execute

# chcon -R -t httpd_log_t /var/log/horizon

does it fix the issue?

--- Additional comment from Matthias Runge on 2014-05-22 03:03:13 EDT ---

It's created by httpd due configuration of openstack-dashboard.

[root@turing ~]# rpm -qf /var/log/horizon/
openstack-dashboard-2014.1-1.fc21.noarch

After chcon, it looks like the issue is fixed.

--- Additional comment from Daniel Walsh on 2014-05-25 06:39:45 EDT ---

8414e1aef6778718c4b4101e033abe5006ee65d5 fixes this in git.

--- Additional comment from Matthias Runge on 2014-06-02 10:20:00 EDT ---

Thank you for fixing and building the package. Is it possible, to get this backported to f20 as well, as we have folks running OpenStack packages from Rawhide on F20 (via RDO repository, that's a pretty common pattern)
Comment 2 Miroslav Grepl 2014-06-05 15:11:08 UTC 
Should be fixed with the latest selinux-policy from rhel-7.0.z.


https://brewweb.devel.redhat.com/buildinfo?buildID=360868
Comment 3 Matthias Runge 2014-06-06 06:52:22 UTC 
yes, I can confirm, this is fixed esp. in the puddle from June 4th 2014. Thanks