Created attachment 925889 [details]
audit.log

Description of problem:
When SELinux is in enforcing mode, nova-api fails on certain tmpfs operations on /dev/shm

type=AVC msg=audit(1404764447.847:287): avc: denied { search } for pid=3445 comm="nova-api" name="/" dev="tmpfs" ino=7206 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=AVC msg=audit(1404764803.222:887): avc: denied { write } for pid=4548 comm="nova-api" name="/" dev="tmpfs" ino=7206 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=AVC msg=audit(1404764956.108:1138): avc: denied { read write open } for pid=4980 comm="nova-api" path="/dev/shm/sem.evCqpX" dev="tmpfs" ino=79253 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file
type=AVC msg=audit(1404765012.601:1239): avc: denied { link } for pid=5138 comm="nova-api" name="sem.V0iPmT" dev="tmpfs" ino=85190 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file
type=AVC msg=audit(1404765012.601:1240): avc: denied { remove_name } for pid=5138 comm="nova-api" name="sem.V0iPmT" dev="tmpfs" ino=85190 scontext=sys
type=AVC msg=audit(1404765106.415:1388): avc: denied { getattr } for pid=5354 comm="nova-api" path="/dev/shm/sem.S2pF2e" dev="tmpfs" ino=94592 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file
type=AVC msg=audit(1404765106.415:1389): avc: denied { unlink } for pid=5354 comm="nova-api" name="sem.S2pF2e" dev="tmpfs" ino=94592 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file

Version-Release number of selected component (if applicable):
selinux-policy-3.12.1-179.fc20.noarch
selinux-policy-targeted-3.12.1-179.fc20.noarch
upstream nova

How reproducible:
always

Steps to Reproduce:
1. Deploy tripleo overcloud

Actual results:
nova-api fails to start

Expected results:
nova-api starts

Additional info:
1ef02b3df5392fd9502d9479d79e6349f1fa9fb2 fixes this in git.
cce9b39b71202349c898ec0b4b24d54ef766daa7 is actually a better fix.
commit 6b6791acb84b509d82bdf02893ced001746ab69d
Author: Dan Walsh <dwalsh>
Date:   Tue Aug 12 08:11:05 2014 -0400

    Let's label content created by nova domains as tmp_t content.

https://github.com/selinux-policy/selinux-policy/commit/6b6791acb84b509d82bdf02893ced001746ab69d
selinux-policy-3.12.1-180.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-180.fc20
Package selinux-policy-3.12.1-180.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-180.fc20'
as soon as you are able to. Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-9454/selinux-policy-3.12.1-180.fc20
then log in and leave karma (feedback).
With selinux-policy-3.12.1-180.fc20.noarch selinux-policy-targeted-3.12.1-180.fc20.noarch I am still seeing a similar set of errors with accessing tmpfs:

audit.log:type=AVC msg=audit(1408592858.319:51726): avc: denied { getattr } for pid=25352 comm="nova-api" name="/" dev="tmpfs" ino=7612 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem
audit.log:type=AVC msg=audit(1408592858.323:51727): avc: denied { write } for pid=25352 comm="nova-api" name="/" dev="tmpfs" ino=7612 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
audit.log:type=AVC msg=audit(1408592858.323:51727): avc: denied { add_name } for pid=25352 comm="nova-api" name="sem.wUY5iY" scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
audit.log:type=AVC msg=audit(1408592858.323:51727): avc: denied { create } for pid=25352 comm="nova-api" name="sem.wUY5iY" scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file
audit.log:type=AVC msg=audit(1408592858.323:51727): avc: denied { read write open } for pid=25352 comm="nova-api" path="/dev/shm/sem.wUY5iY" dev="tmpfs" ino=701151 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file
audit.log:type=AVC msg=audit(1408592858.324:51728): avc: denied { link } for pid=25352 comm="nova-api" name="sem.wUY5iY" dev="tmpfs" ino=701151 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file
audit.log:type=AVC msg=audit(1408592858.324:51729): avc: denied { getattr } for pid=25352 comm="nova-api" path="/dev/shm/sem.wUY5iY" dev="tmpfs" ino=701151 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file
audit.log:type=AVC msg=audit(1408592858.324:51730): avc: denied { remove_name } for pid=25352 comm="nova-api" name="sem.wUY5iY" dev="tmpfs" ino=701151 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
audit.log:type=AVC msg=audit(1408592858.324:51730): avc: denied { unlink } for pid=25352 comm="nova-api" name="sem.wUY5iY" dev="tmpfs" ino=701151 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file
Created attachment 929011 [details]
audit.log using selinux-policy-targeted-3.12.1-180.fc20.noarch
commit 9940830be7992b1c2560bd103951ad5d6ff52941 Author: Miroslav Grepl <mgrepl> Date: Thu Aug 21 09:08:41 2014 +0200 Call the proper interface fs_tmpfs_filetrans() in nova_domain_template(). diff --git a/nova.if b/nova.if index 2d705a8..ce897e2 100644 --- a/nova.if +++ b/nova.if @@ -49,7 +49,7 @@ template(`nova_domain_template',` manage_files_pattern(nova_$1_t, nova_$1_tmp_t, nova_$1_tmp_t) manage_lnk_files_pattern(nova_$1_t, nova_$1_tmp_t, nova_$1_tmp_t) files_tmp_filetrans(nova_$1_t, nova_$1_tmp_t, { lnk_file file dir }) - files_tmpfs_filetrans(nova_$1_t, nova_$1_tmp_t, { lnk_file file dir }) + fs_tmpfs_filetrans(nova_$1_t, nova_$1_tmp_t, { lnk_file file dir })
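Review bot: the interface rename alone does not cover every denial in this report. fs_tmpfs_filetrans(nova_$1_t, nova_$1_tmp_t, { lnk_file file dir }) labels the sem.* objects nova_$1_t creates under /dev/shm as nova_$1_tmp_t, so the file and dir denials go away, but the getattr denial with tclass=filesystem on the tmpfs mount (the first record in the -180 audit.log above) is a statfs on the filesystem object, which no type transition satisfies; consider adding the interface that allows getattr on the tmpfs filesystem (fs_getattr_tmpfs(nova_$1_t) in refpolicy) next to the filetrans call. The next comment in the report shows exactly that tclass=filesystem denial still present with -181.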
selinux-policy-3.12.1-180.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
With selinux-policy-3.12.1-181.fc20.noarch selinux-policy-targeted-3.12.1-181.fc20.noarch seeing

type=AVC msg=audit(1408661444.531:56625): avc: denied { getattr } for pid=30258 comm="nova-api" name="/" dev="tmpfs" ino=7612 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem

[root@overcloud-controller0-lnix4hcttlx2 audit]# find / -inum 7612
/sys/devices/pci0000:00/0000:00:03.0/ata2/power/runtime_suspended_time
/dev/shm
/opt/stack/venvs/openstack/lib/python2.7/site-packages/keystoneclient/tests/v2_0/test_extensions.pyc

Do I wait for -182? The version numbers in comments #3 and #5 are confusing. I'm guessing the majority of the problem got fixed in -181.
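To triage a run of AVC records like the ones in this report, here is an added example (not from the bug or from selinux-policy) that parses the avc: denied lines, aggregates denied permissions per source type, target type and object class, and separates denials a type transition such as fs_tmpfs_filetrans() addresses from the tclass=filesystem getattr that survived into -181 and needs its own allow rule. The sample records are copied from this report; the class-to-remedy mapping is the example's own simplification.

```python
import re
from collections import defaultdict

# Constructed sample: three AVC records copied from this bug report (two seen
# with selinux-policy -179, the tclass=filesystem one still seen with -181).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1404764447.847:287): avc: denied { search } for pid=3445 comm="nova-api" name="/" dev="tmpfs" ino=7206 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=AVC msg=audit(1404764956.108:1138): avc: denied { read write open } for pid=4980 comm="nova-api" path="/dev/shm/sem.evCqpX" dev="tmpfs" ino=79253 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file
type=AVC msg=audit(1408661444.531:56625): avc: denied { getattr } for pid=30258 comm="nova-api" name="/" dev="tmpfs" ino=7612 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)')

# Object classes whose denials a type transition (fs_tmpfs_filetrans() in the
# commit above) addresses: objects the domain creates get a private type.
FILETRANS_CLASSES = {"file", "dir", "lnk_file", "sock_file", "fifo_file"}

def selinux_type(context):
    """user:role:type:range -> type (system_u:system_r:nova_api_t:s0 -> nova_api_t)."""
    return context.split(":")[2]

def parse_avc(line):
    """Return (source type, target type, tclass, frozenset of perms), or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return (selinux_type(m.group("scontext")), selinux_type(m.group("tcontext")),
            m.group("tclass"), frozenset(m.group("perms").split()))

def summarize(audit_text):
    """Aggregate denied permissions per (source type, target type, tclass)."""
    groups = defaultdict(set)
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec:
            stype, ttype, tclass, perms = rec
            groups[(stype, ttype, tclass)] |= perms
    return dict(groups)

def remedy(tclass):
    """Kind of policy change a denial on this object class needs (simplified)."""
    if tclass in FILETRANS_CLASSES:
        return "filetrans"       # relabel what the domain creates under /dev/shm
    return "explicit_allow"      # e.g. statfs on the mount: tclass=filesystem getattr

if __name__ == "__main__":
    for (stype, ttype, tclass), perms in sorted(summarize(SAMPLE_AUDIT).items()):
        print(f"{stype} -> {ttype} ({tclass}): {' '.join(sorted(perms))} [{remedy(tclass)}]")
```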
Fixed in -182.