Bug 1134617 - nova-api service denied tmpfs access
Status: CLOSED CURRENTRELEASE
Alias: None
Product: RDO
Classification: Community
Component: openstack-selinux
Version: unspecified
Hardware: Unspecified
OS: Unspecified
Assignee: Ryan Hallisey
QA Contact: Ofer Blaut
Reported: 2014-08-28 00:23 UTC by Alan Pevec
Modified: 2016-03-30 23:09 UTC

Fixed In Version: selinux-policy-3.12.1-183.fc20.noarch
Last Closed: 2016-03-30 23:09:11 UTC

Description Alan Pevec 2014-08-28 00:23:33 UTC
Description of problem:
RDO Juno Nova fails to start, error reported in nova-api.log is
OSError: [Errno 38] Function not implemented
in openstack/common/lockutils.py

audit.log shows:
avc:  denied  { getattr } for  pid=25567 comm="nova-api" name="/" dev="tmpfs" ino=7282 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem

openstack-selinux from RDO Icehouse does not help

Version-Release number of selected component (if applicable):
openstack-nova-api-2014.2-0.1.b2.el7.centos.noarch
openstack-selinux-0.5.4-1.el7ost.noarch

Comment 1 Ryan Hallisey 2014-10-08 12:24:54 UTC
I think this has been fixed in selinux-policy
selinux-policy-3.12.1-183.fc20.noarch

#!!!! This avc is allowed in the current policy
allow nova_api_t tmpfs_t:filesystem getattr;
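
Added example (not part of the bug report and not audit2allow's own code): a simplified Python sketch of how an AVC denial such as the one in the description maps to the allow rule quoted in Comment 1. The first sample line is copied from the report; the second and third lines, and the example_t type, are constructed for illustration.

```python
import re
from collections import defaultdict

# Line 1 is the denial from the bug description; lines 2-3 are constructed
# (example_t is a hypothetical type) to show merging and non-AVC records.
SAMPLE_AUDIT_LOG = """\
avc:  denied  { getattr } for  pid=25567 comm="nova-api" name="/" dev="tmpfs" ino=7282 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem
avc:  denied  { read write } for  pid=4242 comm="example" name="lock" dev="tmpfs" ino=1 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file
type=SYSCALL msg=audit(0.0:1): arch=c000003e syscall=137 success=no
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial line, or None for other records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None
    src, tgt = fields["scontext"].split(":"), fields["tcontext"].split(":")
    if len(src) < 3 or len(tgt) < 3:
        return None  # malformed context, skip rather than guess
    # A context is user:role:type[:level]; the type is the third field.
    return {"perms": m.group("perms").split(), "comm": fields.get("comm"),
            "source_type": src[2], "target_type": tgt[2],
            "tclass": fields["tclass"]}


def allow_rules(log_text):
    """Merge denials by (source, target, class) and render allow rules."""
    merged = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            key = (rec["source_type"], rec["target_type"], rec["tclass"])
            merged[key].update(rec["perms"])
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        p = sorted(perms)
        perm_text = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_text};")
    return rules
```

A derived rule is a statement of what was denied, not a recommendation to load it; as in this bug, the access may already be granted by a newer base policy.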

