Bug 1148376 - AVC denial for openstack-nova-api
Summary: AVC denial for openstack-nova-api
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 20
Hardware: Unspecified
OS: Linux
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 1148474
 
Reported: 2014-10-01 10:18 UTC by Martin Magr
Modified: 2014-10-16 02:01 UTC (History)

Fixed In Version: selinux-policy-3.12.1-189.fc20
Doc Type: Bug Fix
Doc Text:
Clone Of:
Clones: 1148474
Environment:
Last Closed: 2014-10-16 02:01:02 UTC
Type: Bug
Embargoed:



Description Martin Magr 2014-10-01 10:18:58 UTC
Description of problem:

Service openstack-nova-api is unable to start due to the following AVC:
----
time->Wed Oct  1 06:03:52 2014
type=PROCTITLE msg=audit(1412157832.876:6839): proctitle=2F7573722F62696E2F707974686F6E002F7573722F62696E2F6E6F76612D617069
type=SYSCALL msg=audit(1412157832.876:6839): arch=c000003e syscall=137 success=no exit=-13 a0=7f9824cb58f6 a1=7fff06901d50 a2=1 a3=7fff06901ad0 items=0 ppid=1 pid=10879 auid=4294967295 uid=162 gid=162 euid=162 suid=162 fsuid=162 egid=162 sgid=162 fsgid=162 tty=(none) ses=4294967295 comm="nova-api" exe="/usr/bin/python2.7" subj=system_u:system_r:nova_api_t:s0 key=(null)
type=AVC msg=audit(1412157832.876:6839): avc:  denied  { getattr } for  pid=10879 comm="nova-api" name="/" dev="tmpfs" ino=8099 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=0


Version-Release number of selected component (if applicable):
selinux-policy-3.12.1-183.fc20.noarch
selinux-policy-targeted-3.12.1-183.fc20.noarch

Actual results:
When enforcing, openstack-nova-api fails with the following traceback:
2014-10-01 06:03:52.888 10879 CRITICAL nova [-] OSError: [Errno 38] Function not implemented
2014-10-01 06:03:52.888 10879 TRACE nova Traceback (most recent call last):
2014-10-01 06:03:52.888 10879 TRACE nova   File "/usr/bin/nova-api", line 10, in <module>
2014-10-01 06:03:52.888 10879 TRACE nova     sys.exit(main())
2014-10-01 06:03:52.888 10879 TRACE nova   File "/usr/lib/python2.7/site-packages/nova/cmd/api.py", line 55, in main
2014-10-01 06:03:52.888 10879 TRACE nova     server = service.WSGIService(api, use_ssl=should_use_ssl)
2014-10-01 06:03:52.888 10879 TRACE nova   File "/usr/lib/python2.7/site-packages/nova/service.py", line 331, in __init__
2014-10-01 06:03:52.888 10879 TRACE nova     self.manager = self._get_manager()
2014-10-01 06:03:52.888 10879 TRACE nova   File "/usr/lib/python2.7/site-packages/nova/service.py", line 383, in _get_manager
2014-10-01 06:03:52.888 10879 TRACE nova     return manager_class()
2014-10-01 06:03:52.888 10879 TRACE nova   File "/usr/lib/python2.7/site-packages/nova/api/manager.py", line 30, in __init__
2014-10-01 06:03:52.888 10879 TRACE nova     self.network_driver.metadata_accept()
2014-10-01 06:03:52.888 10879 TRACE nova   File "/usr/lib/python2.7/site-packages/nova/network/linux_net.py", line 666, in metadata_accept
2014-10-01 06:03:52.888 10879 TRACE nova     iptables_manager.apply()
2014-10-01 06:03:52.888 10879 TRACE nova   File "/usr/lib/python2.7/site-packages/nova/network/linux_net.py", line 434, in apply
2014-10-01 06:03:52.888 10879 TRACE nova     self._apply()
2014-10-01 06:03:52.888 10879 TRACE nova   File "/usr/lib/python2.7/site-packages/nova/openstack/common/lockutils.py", line 322, in inner
2014-10-01 06:03:52.888 10879 TRACE nova     with lock(name, lock_file_prefix, external, lock_path):
2014-10-01 06:03:52.888 10879 TRACE nova   File "/usr/lib64/python2.7/contextlib.py", line 17, in __enter__
2014-10-01 06:03:52.888 10879 TRACE nova     return self.gen.next()
2014-10-01 06:03:52.888 10879 TRACE nova   File "/usr/lib/python2.7/site-packages/nova/openstack/common/lockutils.py", line 287, in lock
2014-10-01 06:03:52.888 10879 TRACE nova     with ext_lock:
2014-10-01 06:03:52.888 10879 TRACE nova   File "/usr/lib/python2.7/site-packages/nova/openstack/common/lockutils.py", line 171, in __enter__
2014-10-01 06:03:52.888 10879 TRACE nova     self.acquire()
2014-10-01 06:03:52.888 10879 TRACE nova   File "/usr/lib/python2.7/site-packages/nova/openstack/common/lockutils.py", line 166, in acquire
2014-10-01 06:03:52.888 10879 TRACE nova     initial_value=1)
2014-10-01 06:03:52.888 10879 TRACE nova OSError: [Errno 38] Function not implemented
2014-10-01 06:03:52.888 10879 TRACE nova

Expected results:
When enforcing, openstack-nova-api will start without problems.

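Reading the audit records above together: syscall=137 on x86_64 is statfs(2), exit=-13 is EACCES, and the AVC is a getattr denial on the root of a tmpfs mount for tclass=filesystem, with permissive=0 confirming the denial was enforced. The traceback nevertheless ends in Errno 38 (ENOSYS) because the lock in lockutils is a POSIX semaphore (posix_ipc wraps sem_open()), and glibc's sem_open() of that era locates the shm mount by calling statfs() on /dev/shm, reporting ENOSYS when that probe fails. An SELinux denial on a filesystem-class getattr therefore surfaces as "Function not implemented", not as a permission error, which is worth knowing when triaging similar reports. The following is an added example, not code from the report or from selinux-policy: a minimal audit2allow-style translator that turns AVC records into the allow rule and the local-module source they imply. The type=AVC line is quoted from the report; the second record and the module name nova_api_local are constructed for illustration.

```python
import re

# AVC record quoted from the report above (type=AVC line, unchanged).
AVC_FROM_REPORT = (
    'type=AVC msg=audit(1412157832.876:6839): avc:  denied  { getattr } for  '
    'pid=10879 comm="nova-api" name="/" dev="tmpfs" ino=8099 '
    'scontext=system_u:system_r:nova_api_t:s0 '
    'tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=0'
)

# Constructed record (NOT from the report) with two permissions, used only to
# show how denials against the same source/target/class are merged.
AVC_CONSTRUCTED = (
    'type=AVC msg=audit(1412157900.000:6900): avc:  denied  { read open } for  '
    'pid=10880 comm="nova-api" path="/etc/nova/example.conf" dev="dm-0" ino=1234 '
    'scontext=system_u:system_r:nova_api_t:s0 '
    'tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0'
)

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
    r'(?:\s+permissive=(?P<permissive>[01]))?'
)

def parse_avc(line):
    """Return the fields an allow rule needs, or None for a non-AVC line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    perm_flag = m.group("permissive")
    return {
        "perms": m.group("perms").split(),
        # A context is user:role:type[:range]; the type is always field 3.
        "stype": m.group("scontext").split(":")[2],
        "ttype": m.group("tcontext").split(":")[2],
        "tclass": m.group("tclass"),
        # permissive=0 means the denial was enforced (the process really got
        # EACCES); None when the kernel did not log the flag at all.
        "enforced": None if perm_flag is None else perm_flag == "0",
    }

def collect(lines):
    """Group denied permissions by (source type, target type, class)."""
    rules = {}
    for line in lines:
        d = parse_avc(line)
        if d is None:
            continue
        rules.setdefault((d["stype"], d["ttype"], d["tclass"]), set()).update(d["perms"])
    return rules

def fmt_perms(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)

def allow_rules(lines):
    """One 'allow' statement per (source, target, class), like audit2allow."""
    return ["allow %s %s:%s %s;" % (s, t, c, fmt_perms(p))
            for (s, t, c), p in sorted(collect(lines).items())]

def te_module(name, lines, version="1.0"):
    """Type-enforcement source for a local module (what audit2allow -M writes)."""
    rules = collect(lines)
    types = sorted({ty for key in rules for ty in key[:2]})
    classes = {}
    for (_, _, c), perms in rules.items():
        classes.setdefault(c, set()).update(perms)
    out = ["module %s %s;" % (name, version), "", "require {"]
    out += ["\ttype %s;" % ty for ty in types]
    out += ["\tclass %s %s;" % (c, fmt_perms(classes[c])) for c in sorted(classes)]
    out += ["}", ""] + allow_rules(lines)
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(te_module("nova_api_local", [AVC_FROM_REPORT, AVC_CONSTRUCTED]))
```

For the report's single record this yields `allow nova_api_t tmpfs_t:filesystem getattr;`, which is the narrow stopgap an administrator could build and load with checkmodule -M -m, semodule_package and semodule -i while waiting for the fixed selinux-policy build. Note that the shipped fix (Comment 1) is deliberately broader, granting getattr on all filesystems to the nova domains: the shm mount glibc probes for need not be tmpfs_t on every host, and filesystem getattr only exposes statfs metadata, so the wider grant adds little attack surface. Remove any such local module (semodule -r) once the policy update is installed, and never load audit2allow output blindly; the same tool will happily emit far more dangerous rules (dac_override, execmem, and the like) from other denials.
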
Comment 1 Miroslav Grepl 2014-10-02 09:54:11 UTC
commit 37b96a57eadad26f1513b7a40313060e0db10116
Author: Miroslav Grepl <mgrepl>
Date:   Thu Oct 2 11:01:34 2014 +0200

    Allow nova domains to getattr on all filesystems.

Comment 2 Fedora Update System 2014-10-07 13:36:35 UTC
selinux-policy-3.12.1-189.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-189.fc20

Comment 3 Fedora Update System 2014-10-08 19:02:31 UTC
Package selinux-policy-3.12.1-189.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-189.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-12350/selinux-policy-3.12.1-189.fc20
then log in and leave karma (feedback).

Comment 4 Fedora Update System 2014-10-16 02:01:02 UTC
selinux-policy-3.12.1-189.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
