Bug 1144139 - Juno: openstack selinux issues
Summary: Juno: openstack selinux issues
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: RDO
Classification: Community
Component: openstack-selinux
Version: unspecified
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: Milestone3
: Juno
Assignee: Lon Hohberger
QA Contact: Ofer Blaut
URL:
Whiteboard:
: 1139771 1148474
Depends On:
Blocks:
Reported: 2014-09-18 18:44 UTC by wes hayutin
Modified: 2014-10-28 11:20 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2014-10-28 11:20:04 UTC
Embargoed:


Attachments
install and run logs (552.23 KB, application/octet-stream)
2014-09-18 18:44 UTC, wes hayutin

Description wes hayutin 2014-09-18 18:44:36 UTC
Created attachment 939011
install and run logs

Description of problem:

SELinux issues found in a basic Juno packstack install

"type=AVC msg=audit(1411064503.680:4943): avc:  denied  { create } for  pid=12850 comm=\"glance-api\" scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:system_r:glance_api_t:s0 tclass=unix_dgram_socket", 

"type=AVC msg=audit(1411064503.680:4944): avc:  denied  { connect } for  pid=12850 comm=\"glance-api\" scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:system_r:glance_api_t:s0 tclass=unix_dgram_socket", 

"type=AVC msg=audit(1411064527.439:5190): avc:  denied  { getattr } for  pid=13479 comm=\"nova-api\" name=\"/\" dev=\"tmpfs\" ino=6156 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem", 

"type=AVC msg=audit(1411064527.439:5191): avc:  denied  { write } for  pid=13479 comm=\"nova-api\" name=\"/\" dev=\"tmpfs\" ino=6156 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir", 

"type=AVC msg=audit(1411064527.439:5191): avc:  denied  { add_name } for  pid=13479 comm=\"nova-api\" name=\"sem.s8Uhnq\" scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir", 

"type=AVC msg=audit(1411064527.439:5191): avc:  denied  { create } for  pid=13479 comm=\"nova-api\" name=\"sem.s8Uhnq\" scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file", 

"type=AVC msg=audit(1411064527.439:5191): avc:  denied  { read write open } for  pid=13479 comm=\"nova-api\" path=\"/dev/shm/sem.s8Uhnq\" dev=\"tmpfs\" ino=93547 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file", 

"type=AVC msg=audit(1411064527.439:5192): avc:  denied  { link } for  pid=13479 comm=\"nova-api\" name=\"sem.s8Uhnq\" dev=\"tmpfs\" ino=93547 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file", 

"type=AVC msg=audit(1411064527.439:5193): avc:  denied  { getattr } for  pid=13479 comm=\"nova-api\" path=\"/dev/shm/sem.s8Uhnq\" dev=\"tmpfs\" ino=93547 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file", 

"type=AVC msg=audit(1411064527.439:5194): avc:  denied  { remove_name } for  pid=13479 comm=\"nova-api\" name=\"sem.s8Uhnq\" dev=\"tmpfs\" ino=93547 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir", 

"type=AVC msg=audit(1411064527.439:5194): avc:  denied  { unlink } for  pid=13479 comm=\"nova-api\" name=\"sem.s8Uhnq\" dev=\"tmpfs\" ino=93547 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file"

Comment 1 wes hayutin 2014-10-02 14:54:28 UTC
*** Bug 1148474 has been marked as a duplicate of this bug. ***

Comment 2 wes hayutin 2014-10-02 14:54:59 UTC
*** Bug 1139771 has been marked as a duplicate of this bug. ***

Comment 3 Alan Pevec 2014-10-28 11:20:04 UTC
openstack-selinux in RDO EL7 was updated to openstack-selinux-0.5.19-2
and RDO Fedora includes patched selinux-policy-3.13.1-91rdo
* Fri Oct 24 2014 Lon Hohberger <lhh> 3.13.1-91rdo.1
- Import fixes from openstack-selinux
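
An added example (not part of the bug report or of openstack-selinux): a small parser that collapses AVC denials like those quoted in the description into one line per source type, target type and object class, written in allow-rule syntax so the scope of what was denied can be reviewed. The sample lines are four of the denials from the description; the function names are this example's own, and the output describes the denials, not the policy change shipped in the fix.

```python
import re
from collections import defaultdict

# Four denials copied from the description above, still in the JSON-escaped
# form (\" around string values) in which they were pasted.
SAMPLE = r'''
"type=AVC msg=audit(1411064503.680:4943): avc:  denied  { create } for  pid=12850 comm=\"glance-api\" scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:system_r:glance_api_t:s0 tclass=unix_dgram_socket",
"type=AVC msg=audit(1411064503.680:4944): avc:  denied  { connect } for  pid=12850 comm=\"glance-api\" scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:system_r:glance_api_t:s0 tclass=unix_dgram_socket",
"type=AVC msg=audit(1411064527.439:5191): avc:  denied  { read write open } for  pid=13479 comm=\"nova-api\" path=\"/dev/shm/sem.s8Uhnq\" dev=\"tmpfs\" ino=93547 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file",
"type=AVC msg=audit(1411064527.439:5194): avc:  denied  { unlink } for  pid=13479 comm=\"nova-api\" name=\"sem.s8Uhnq\" dev=\"tmpfs\" ino=93547 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file"
'''

AVC_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)')
# key=value, where the value is bare, "quoted" or \"escaped-quoted\"
FIELD_RE = re.compile(r'(\w+)=(?:\\?"([^"\\]*)\\?"|([^\s",\\]+))')

def parse_avc(line):
    """Return a dict for one AVC denial line, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: q or b for k, q, b in FIELD_RE.findall(m.group(2))}
    try:
        # A context is user:role:type:level; policy rules name the type.
        src = fields['scontext'].split(':')[2]
        tgt = fields['tcontext'].split(':')[2]
        return {'comm': fields.get('comm'), 'source': src, 'target': tgt,
                'tclass': fields['tclass'], 'perms': set(m.group(1).split())}
    except (KeyError, IndexError):
        return None  # truncated or malformed record

def summarize(text):
    """Merge denials into {(source, target, tclass): set(perms)}."""
    merged = defaultdict(set)
    for line in text.splitlines():
        d = parse_avc(line)
        if d:
            merged[(d['source'], d['target'], d['tclass'])] |= d['perms']
    return dict(merged)

def as_rules(merged):
    """Render the summary in allow-rule syntax for review, not for loading."""
    rules = []
    for (src, tgt, tclass), perms in sorted(merged.items()):
        tgt = 'self' if tgt == src else tgt
        rules.append('allow %s %s:%s { %s };' % (src, tgt, tclass, ' '.join(sorted(perms))))
    return rules

if __name__ == '__main__':
    print('\n'.join(as_rules(summarize(SAMPLE))))
```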

