Bug 1144182 - Post installation, nova-api and glance-api cause AVC denied errors.
Summary: Post installation, nova-api and glance-api cause AVC denied errors.
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: RDO
Classification: Community
Component: openstack-selinux
Version: unspecified
Hardware: Unspecified
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: ---
Target Release: ---
Assignee: Lon Hohberger
QA Contact: Ofer Blaut
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2014-09-18 22:33 UTC by Nir Magnezi
Modified: 2015-03-29 23:37 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2015-03-29 23:37:03 UTC
Embargoed:
Description Nir Magnezi 2014-09-18 22:33:15 UTC
Description of problem:
=======================
Post installation, nova-api and glance-api cause AVC denied errors.

Version-Release number of selected component (if applicable):
=============================================================
RDO Juno:
openstack-packstack-2014.2-0.2.dev1266.g63d9c50.el7.centos.noarch
openstack-packstack-puppet-2014.2-0.2.dev1266.g63d9c50.el7.centos.noarch

How reproducible:
=================
Tested Once.

Steps to Reproduce:
===================
1. Use packstack to deploy openstack.

Actual results:
===============
# grep -i avc /var/log/audit/audit.log 
type=AVC msg=audit(1411075604.923:2950): avc:  denied  { create } for  pid=3249 comm="glance-api" scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:system_r:glance_api_t:s0 tclass=unix_dgram_socket
type=AVC msg=audit(1411075604.923:2951): avc:  denied  { connect } for  pid=3249 comm="glance-api" scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:system_r:glance_api_t:s0 tclass=unix_dgram_socket
type=AVC msg=audit(1411075783.447:4243): avc:  denied  { getattr } for  pid=5241 comm="nova-api" name="/" dev="tmpfs" ino=5734 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem
type=AVC msg=audit(1411075783.447:4244): avc:  denied  { write } for  pid=5241 comm="nova-api" name="/" dev="tmpfs" ino=5734 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=AVC msg=audit(1411075783.447:4244): avc:  denied  { add_name } for  pid=5241 comm="nova-api" name="sem.NyhwlI" scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=AVC msg=audit(1411075783.447:4244): avc:  denied  { create } for  pid=5241 comm="nova-api" name="sem.NyhwlI" scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file
type=AVC msg=audit(1411075783.447:4244): avc:  denied  { read write open } for  pid=5241 comm="nova-api" path="/dev/shm/sem.NyhwlI" dev="tmpfs" ino=148322 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file
type=AVC msg=audit(1411075783.447:4245): avc:  denied  { link } for  pid=5241 comm="nova-api" name="sem.NyhwlI" dev="tmpfs" ino=148322 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file
type=AVC msg=audit(1411075783.447:4246): avc:  denied  { getattr } for  pid=5241 comm="nova-api" path="/dev/shm/sem.NyhwlI" dev="tmpfs" ino=148322 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file
type=AVC msg=audit(1411075783.447:4247): avc:  denied  { remove_name } for  pid=5241 comm="nova-api" name="sem.NyhwlI" dev="tmpfs" ino=148322 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=AVC msg=audit(1411075783.447:4247): avc:  denied  { unlink } for  pid=5241 comm="nova-api" name="sem.NyhwlI" dev="tmpfs" ino=148322 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file
type=USER_AVC msg=audit(1411076217.919:5352): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=21)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1411076217.919:5353): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=22)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1411076676.254:128): avc:  denied  { create } for  pid=741 comm="glance-api" scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:system_r:glance_api_t:s0 tclass=unix_dgram_socket
type=AVC msg=audit(1411076676.254:129): avc:  denied  { connect } for  pid=741 comm="glance-api" scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:system_r:glance_api_t:s0 tclass=unix_dgram_socket
type=AVC msg=audit(1411076683.632:152): avc:  denied  { getattr } for  pid=726 comm="nova-api" name="/" dev="tmpfs" ino=5725 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem
type=AVC msg=audit(1411076683.632:153): avc:  denied  { write } for  pid=726 comm="nova-api" name="/" dev="tmpfs" ino=5725 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=AVC msg=audit(1411076683.632:153): avc:  denied  { add_name } for  pid=726 comm="nova-api" name="sem.dKOGHg" scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=AVC msg=audit(1411076683.632:153): avc:  denied  { create } for  pid=726 comm="nova-api" name="sem.dKOGHg" scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file
type=AVC msg=audit(1411076683.632:153): avc:  denied  { read write open } for  pid=726 comm="nova-api" path="/dev/shm/sem.dKOGHg" dev="tmpfs" ino=63723 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file
type=AVC msg=audit(1411076683.633:154): avc:  denied  { link } for  pid=726 comm="nova-api" name="sem.dKOGHg" dev="tmpfs" ino=63723 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file
type=AVC msg=audit(1411076683.633:155): avc:  denied  { getattr } for  pid=726 comm="nova-api" path="/dev/shm/sem.dKOGHg" dev="tmpfs" ino=63723 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file
type=AVC msg=audit(1411076683.633:156): avc:  denied  { remove_name } for  pid=726 comm="nova-api" name="sem.dKOGHg" dev="tmpfs" ino=63723 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=AVC msg=audit(1411076683.633:156): avc:  denied  { unlink } for  pid=726 comm="nova-api" name="sem.dKOGHg" dev="tmpfs" ino=63723 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file

Expected results:
=================
No AVCs should be expected.
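
The audit excerpt above is easier to triage when the raw records are collapsed into one line per (process, source type, target type, object class) carrying the union of denied permissions; that grouping is what you compare against the installed policy before deciding whether a policy update or a local module is the right fix. The parser below is an added example, not part of this bug report or of openstack-selinux. Its sample input is a constructed subset of the records listed above plus one USER_AVC policy-load notice, included because a parser must skip non-AVC record types rather than choke on them.

```python
import re
from collections import defaultdict

# Constructed sample input: four AVC records copied from the audit.log excerpt in
# this bug report, plus one USER_AVC policy-load notice that the parser must skip.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1411075604.923:2950): avc:  denied  { create } for  pid=3249 comm="glance-api" scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:system_r:glance_api_t:s0 tclass=unix_dgram_socket
type=AVC msg=audit(1411075604.923:2951): avc:  denied  { connect } for  pid=3249 comm="glance-api" scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:system_r:glance_api_t:s0 tclass=unix_dgram_socket
type=AVC msg=audit(1411075783.447:4244): avc:  denied  { create } for  pid=5241 comm="nova-api" name="sem.NyhwlI" scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file
type=AVC msg=audit(1411075783.447:4244): avc:  denied  { read write open } for  pid=5241 comm="nova-api" path="/dev/shm/sem.NyhwlI" dev="tmpfs" ino=148322 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file
type=USER_AVC msg=audit(1411076217.919:5352): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=21)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
"""

# Shape of a kernel AVC record: header, verdict, "{ perm perm ... }", then key=value fields.
AVC_RE = re.compile(
    r"^type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): "
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$"
)
# key=value pairs; values are either double-quoted (comm, name, path) or bare tokens.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc_line(line):
    """Parse one type=AVC record; return None for any other record type (e.g. USER_AVC)."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "comm": fields.get("comm", "?"),
        # The type is the third component of user:role:type:level.
        "source_type": fields["scontext"].split(":")[2],
        "target_type": fields["tcontext"].split(":")[2],
        "tclass": fields.get("tclass", "?"),
        "object": fields.get("path") or fields.get("name", ""),
    }


def summarize_denials(audit_text):
    """Group denials by (comm, source type, target type, class) -> sorted permission list."""
    summary = defaultdict(set)
    for line in audit_text.splitlines():
        rec = parse_avc_line(line)
        if rec is None or rec["result"] != "denied":
            continue
        key = (rec["comm"], rec["source_type"], rec["target_type"], rec["tclass"])
        summary[key].update(rec["perms"])
    return {k: sorted(v) for k, v in summary.items()}


def format_summary(summary):
    """Render the grouped denials in the same 'allow'-style shape a policy rule would take."""
    lines = []
    for (comm, stype, ttype, tclass), perms in sorted(summary.items()):
        lines.append(f"{comm:<12} {stype} -> {ttype} ({tclass}): {{ {' '.join(perms)} }}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Against a live system, read /var/log/audit/audit.log instead of the constructed sample.
    print(format_summary(summarize_denials(SAMPLE_AUDIT_LOG)))
```

Each summary line names exactly one candidate rule (source type, target type, class, permission set), so it can be checked against the installed policy with setools (`sesearch --allow -s nova_api_t -t tmpfs_t -c file`) or compared with what `audit2allow -a` would generate, and after an openstack-selinux update the success criterion is simply an empty summary for the nova-api and glance-api domains.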

Comment 1 Lars Kellogg-Stedman 2015-03-29 23:37:03 UTC
These particular errors appear to be fixed in our current packages.

After installing current (RDO Juno) packages, I do not see any SELinux AVC message from either nova-api or glance.  I've tried this on RHEL7, CentOS 7, and Fedora 21.