Bug 1125458 - nova-api fails to start when SELinux is in enforcing mode
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 20
Hardware: Unspecified
OS: Unspecified
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Reported: 2014-07-31 22:33 UTC by Richard Su
Modified: 2014-08-05 23:12 UTC (History)
Doc Type: Bug Fix
Last Closed: 2014-08-05 23:12:03 UTC
Type: Bug


Attachments
audit.log (1.54 MB, text/x-log)
2014-07-31 22:33 UTC, Richard Su

Description Richard Su 2014-07-31 22:33:42 UTC
Created attachment 923043
audit.log

Description of problem:
Running from source, nova-api cannot start when SELinux is in enforcing mode. 

type=AVC msg=audit(1405722652.112:335): avc: denied { dac_override } for pid=3812 comm="nova-rootwrap" capability=1 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:system_r:nova_api_t:s0 tclass=capability
type=AVC msg=audit(1405722652.112:335): avc: denied { dac_read_search } for pid=3812 comm="nova-rootwrap" capability=2 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:system_r:nova_api_t:s0 tclass=capability

Version-Release number of selected component (if applicable):
selinux-policy-3.12.1-179.fc20.noarch
selinux-policy-targeted-3.12.1-179.fc20.noarch

How reproducible:
always

Steps to Reproduce:
1. Deploy tripleo devtest.

Actual results:
nova-api does not start.

Expected results:
nova-api should start.

Additional info:

Comment 1 Richard Su 2014-08-05 23:12:03 UTC
The fix was to set /etc/nova user.group permissions to root.nova.
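
A triage sketch for the denials quoted in the description, as an added example that is not part of the original report or of selinux-policy. It parses AVC lines and picks out dac_override / dac_read_search capability denials, which mean a root process was refused by a file's Unix owner or mode and tried to bypass it, so ownership and mode are the first thing to check (consistent with the fix in comment 1). The function names and the third sample line are constructed for illustration.

```python
import re

# Capabilities that let a root process bypass Unix (DAC) permission checks.
DAC_CAPS = {"dac_override", "dac_read_search"}

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)

# First two lines are from the report; the third is constructed for contrast.
SAMPLE = [
    'type=AVC msg=audit(1405722652.112:335): avc: denied { dac_override } for pid=3812 comm="nova-rootwrap" capability=1 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:system_r:nova_api_t:s0 tclass=capability',
    'type=AVC msg=audit(1405722652.112:335): avc: denied { dac_read_search } for pid=3812 comm="nova-rootwrap" capability=2 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:system_r:nova_api_t:s0 tclass=capability',
    'type=AVC msg=audit(1405722700.001:400): avc: denied { read } for pid=3900 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file',
]

def parse_avc(line):
    """Return the fields of one AVC denial line as a dict, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, val in re.findall(r'(\w+)=("[^"]*"|\S+)', m.group("fields")):
        rec[key] = val.strip('"')
    return rec

def dac_denials(lines):
    """Map (comm, source domain) -> set of denied DAC-bypass capabilities."""
    hits = {}
    for line in lines:
        rec = parse_avc(line)
        if not rec or rec.get("tclass") != "capability":
            continue
        caps = DAC_CAPS.intersection(rec["perms"])
        if caps:
            parts = rec.get("scontext", "").split(":")
            domain = parts[2] if len(parts) > 2 else "?"
            hits.setdefault((rec.get("comm"), domain), set()).update(caps)
    return hits

if __name__ == "__main__":
    for (comm, domain), caps in dac_denials(SAMPLE).items():
        print(f"{comm} in {domain}: denied {sorted(caps)}; "
              "check owner/group/mode of the files it opens")
```
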

