Created attachment 944445 [details]
sealert

Using:
selinux-policy-3.12.1-153.el7_0.11.noarch
selinux-policy-targeted-3.12.1-153.el7_0.11.noarch
openstack-nova-scheduler-2014.1.2-1.el7ost.noarch
openstack-selinux-0.5.16-2.el7ost.noarch

nova-scheduler doesn't start because of SELinux; the missing AVC indicates:
"SELinux is preventing /usr/bin/python2.7 from search access on the directory"

Please see attached for the "sealert -a /var/log/audit/audit.log" full log.
Created attachment 944447 [details]
semodule

Workaround: using the attached nova-scheduler-python-search policy files, run

semodule -i nova-scheduler-python-search.pp
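The workaround above is the usual "turn the AVC denial into a local policy module" step. As an added illustration (not part of the bug report or of openstack-selinux), the shell function below does the first half of what audit2allow does: it parses an AVC denial line from audit.log and prints the minimal allow rule for it, which is exactly the rule quoted later in this thread. The AVC line is constructed to match the denial described in the report; the function name avc_to_allow is an assumption of this example.

```shell
#!/bin/sh
# Added example, not code from the bug report: derive the minimal
# "allow" rule from one AVC denial line, the way audit2allow does
# before the rule is compiled into a .pp module with semodule -i.

# Constructed sample AVC line matching the denial described in the report
# (nova-scheduler, as nova_scheduler_t, denied "search" on a cert_t directory).
SAMPLE_AVC='type=AVC msg=audit(1412345678.123:456): avc:  denied  { search } for  pid=1234 comm="nova-scheduler" name="certs" dev="dm-0" ino=123 scontext=system_u:system_r:nova_scheduler_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir'

# avc_to_allow LINE
#   Prints "allow <source_type> <target_type>:<class> <perms>;" for a denial
#   line and returns 0; returns 1 for lines that are not AVC denials.
avc_to_allow() {
    line=$1
    case $line in
        *'avc:  denied'*) ;;
        *) return 1 ;;
    esac

    # Permission set between the braces, e.g. "search" or "read write".
    perms=$(printf '%s\n' "$line" \
        | sed -n 's/.*denied  *{ *\([^}]*\)}.*/\1/p' \
        | sed 's/^ *//;s/ *$//')
    # Third field (the type) of the source and target security contexts.
    stype=$(printf '%s\n' "$line" \
        | sed -n 's/.*scontext=[^: ]*:[^: ]*:\([^: ]*\):.*/\1/p')
    ttype=$(printf '%s\n' "$line" \
        | sed -n 's/.*tcontext=[^: ]*:[^: ]*:\([^: ]*\):.*/\1/p')
    tclass=$(printf '%s\n' "$line" \
        | sed -n 's/.*tclass=\([^ ]*\).*/\1/p')

    [ -n "$perms" ] && [ -n "$stype" ] && [ -n "$ttype" ] && [ -n "$tclass" ] || return 1

    # Brace the permission set only when more than one permission is listed.
    set -- $perms
    if [ "$#" -gt 1 ]; then
        printf 'allow %s %s:%s { %s };\n' "$stype" "$ttype" "$tclass" "$perms"
    else
        printf 'allow %s %s:%s %s;\n' "$stype" "$ttype" "$tclass" "$perms"
    fi
}

# Usage: feed real denials with  grep 'avc:  denied' /var/log/audit/audit.log
avc_to_allow "$SAMPLE_AVC"
```

The printed rule is what goes into the .te file before checkmodule/semodule_package turn it into the .pp module installed with semodule -i; reviewing the generated rule by hand (rather than installing whatever audit2allow emits) is what keeps the local module to the one directory search the daemon actually needs.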
Looks good, Gilles. I'll add to openstack-selinux.

allow nova_scheduler_t cert_t:dir search;
I added diff --git a/nova.te b/nova.te index 5747359..2d92a3d 100644 --- a/nova.te +++ b/nova.te @@ -292,6 +292,8 @@ auth_read_passwd(nova_scheduler_t) init_read_utmp(nova_scheduler_t) +miscfiles_read_certs(nova_scheduler_t)
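Review bot: the hunk header `@@ -292,6 +292,8 @@` accounts for two added lines, but only one `+` line (`+miscfiles_read_certs(nova_scheduler_t)`) is visible here, so either a second added line (probably a blank separator) was lost when the diff was pasted or the header is stale; worth re-checking before it is committed. Also note that `miscfiles_read_certs()` grants read access to cert_t files and directories, which is wider than the `allow nova_scheduler_t cert_t:dir search;` rule from the workaround; that is the right interface to use if the scheduler really needs to read the certificates, so just confirm that is the intent rather than only the directory search the AVC showed.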
(In reply to Ryan Hallisey from comment #3)
> Looks good Gilles. I'll add to openstack-selinux.
>
> allow nova_scheduler_t cert_t:dir search;

Which openstack-selinux version includes that?
It will be in openstack-selinux-0.5.21-1.el7ost when I build. Need acks to build.
Verified on the latest puddle using nova regression:

# rpm -qa |grep openstack-selinux
openstack-selinux-0.6.27-1.el7ost.noarch
# rpm -qa |grep sched
openstack-nova-scheduler-2014.2.2-19.el7ost.noarch
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0825.html