Description of problem: Service openstack-nova-api is unable to start due to following AVC: ---- time->Wed Oct 1 06:03:52 2014 type=PROCTITLE msg=audit(1412157832.876:6839): proctitle=2F7573722F62696E2F707974686F6E002F7573722F62696E2F6E6F76612D617069 type=SYSCALL msg=audit(1412157832.876:6839): arch=c000003e syscall=137 success=no exit=-13 a0=7f9824cb58f6 a1=7fff06901d50 a2=1 a3=7fff06901ad0 items=0 ppid=1 pid=10879 auid=4294967295 uid=162 gid=162 euid=162 suid=162 fsuid=162 egid=162 sgid=162 fsgid=162 tty=(none) ses=4294967295 comm="nova-api" exe="/usr/bin/python2.7" subj=system_u:system_r:nova_api_t:s0 key=(null) type=AVC msg=audit(1412157832.876:6839): avc: denied { getattr } for pid=10879 comm="nova-api" name="/" dev="tmpfs" ino=8099 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=0 Version-Release number of selected component (if applicable): selinux-policy-3.12.1-183.fc20.noarch selinux-policy-targeted-3.12.1-183.fc20.noarch Actual results: When enforcing openstack-nova-api fails with following traceback: 2014-10-01 06:03:52.888 10879 CRITICAL nova [-] OSError: [Errno 38] Function not implemented 2014-10-01 06:03:52.888 10879 TRACE nova Traceback (most recent call last): 2014-10-01 06:03:52.888 10879 TRACE nova File "/usr/bin/nova-api", line 10, in <module> 2014-10-01 06:03:52.888 10879 TRACE nova sys.exit(main()) 2014-10-01 06:03:52.888 10879 TRACE nova File "/usr/lib/python2.7/site-packages/nova/cmd/api.py", line 55, in main 2014-10-01 06:03:52.888 10879 TRACE nova server = service.WSGIService(api, use_ssl=should_use_ssl) 2014-10-01 06:03:52.888 10879 TRACE nova File "/usr/lib/python2.7/site-packages/nova/service.py", line 331, in __init__ 2014-10-01 06:03:52.888 10879 TRACE nova self.manager = self._get_manager() 2014-10-01 06:03:52.888 10879 TRACE nova File "/usr/lib/python2.7/site-packages/nova/service.py", line 383, in _get_manager 2014-10-01 06:03:52.888 10879 TRACE nova return manager_class() 2014-10-01 06:03:52.888 10879 TRACE nova File "/usr/lib/python2.7/site-packages/nova/api/manager.py", line 30, in __init__ 2014-10-01 06:03:52.888 10879 TRACE nova self.network_driver.metadata_accept() 2014-10-01 06:03:52.888 10879 TRACE nova File "/usr/lib/python2.7/site-packages/nova/network/linux_net.py", line 666, in metadata_accept 2014-10-01 06:03:52.888 10879 TRACE nova iptables_manager.apply() 2014-10-01 06:03:52.888 10879 TRACE nova File "/usr/lib/python2.7/site-packages/nova/network/linux_net.py", line 434, in apply 2014-10-01 06:03:52.888 10879 TRACE nova self._apply() 2014-10-01 06:03:52.888 10879 TRACE nova File "/usr/lib/python2.7/site-packages/nova/openstack/common/lockutils.py", line 322, in inner 2014-10-01 06:03:52.888 10879 TRACE nova with lock(name, lock_file_prefix, external, lock_path): 2014-10-01 06:03:52.888 10879 TRACE nova File "/usr/lib64/python2.7/contextlib.py", line 17, in __enter__ 2014-10-01 06:03:52.888 10879 TRACE nova return self.gen.next() 2014-10-01 06:03:52.888 10879 TRACE nova File "/usr/lib/python2.7/site-packages/nova/openstack/common/lockutils.py", line 287, in lock 2014-10-01 06:03:52.888 10879 TRACE nova with ext_lock: 2014-10-01 06:03:52.888 10879 TRACE nova File "/usr/lib/python2.7/site-packages/nova/openstack/common/lockutils.py", line 171, in __enter__ 2014-10-01 06:03:52.888 10879 TRACE nova self.acquire() 2014-10-01 06:03:52.888 10879 TRACE nova File "/usr/lib/python2.7/site-packages/nova/openstack/common/lockutils.py", line 166, in acquire 2014-10-01 06:03:52.888 10879 TRACE nova initial_value=1) 2014-10-01 06:03:52.888 10879 TRACE nova OSError: [Errno 38] Function not implemented 2014-10-01 06:03:52.888 10879 TRACE nova Expected results: When enforcing openstack-nova-api will start without problem.
commit 37b96a57eadad26f1513b7a40313060e0db10116 Author: Miroslav Grepl <mgrepl> Date: Thu Oct 2 11:01:34 2014 +0200 Allow nova domains to getattr on all filesystems.
selinux-policy-3.12.1-189.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-189.fc20
Package selinux-policy-3.12.1-189.fc20: * should fix your issue, * was pushed to the Fedora 20 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-189.fc20' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2014-12350/selinux-policy-3.12.1-189.fc20 then log in and leave karma (feedback).
selinux-policy-3.12.1-189.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.