Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1149975

Summary: openstack-nova-scheduler: SELinux is preventing /usr/bin/python2.7 from search access on the directory
Product: Red Hat OpenStack Reporter: Gilles Dubreuil <gdubreui>
Component: openstack-selinuxAssignee: Ryan Hallisey <rhallise>
Status: CLOSED ERRATA QA Contact: Ami Jeain <ajeain>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 5.0 (RHEL 7)CC: apevec, dnavale, lhh, mgrepl, nbarcet, rhallise, sclewis, yeylon
Target Milestone: z4Keywords: ZStream
Target Release: 5.0 (RHEL 7)   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: openstack-selinux-0.5.21-1.el7ost Doc Type: Bug Fix
Doc Text:
Previously, SELinux prevented the nova scheduler from searching directories labeled 'cert_t', resulting in SELinux causing Compute to fail. With this update, an 'allow' rule has been created to give the nova scheduler permission to search the 'cert_t' directories. As a result, Compute service functions normally.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2015-04-16 14:37:36 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
sealert
none
semodule none

Description Gilles Dubreuil 2014-10-07 05:39:46 UTC 
Created attachment 944445 [details]
sealert

Using:
selinux-policy-3.12.1-153.el7_0.11.noarch
selinux-policy-targeted-3.12.1-153.el7_0.11.noarch 
openstack-nova-scheduler-2014.1.2-1.el7ost.noarch
openstack-selinux-0.5.16-2.el7ost.noarch

nova-scheduler doesn't start because of SELinux missing AVC indicating:
"SELinux is preventing /usr/bin/python2.7 from search access on the directory"

Please see attached for "sealert -a /var/log/audit/audit.log" full log.
Comment 2 Gilles Dubreuil 2014-10-07 05:45:13 UTC 
Created attachment 944447 [details]
semodule

Workaround:

Using attached nova-scheduler-python-search policy files,
run
semodule -i nova-scheduler-python-search.pp
Comment 3 Ryan Hallisey 2014-10-07 12:51:05 UTC 
Looks good Gilles. I'll add to openstack-selinux.

allow nova_scheduler_t cert_t:dir search;
Comment 4 Miroslav Grepl 2014-10-13 12:07:28 UTC 
I added

diff --git a/nova.te b/nova.te
index 5747359..2d92a3d 100644
--- a/nova.te
+++ b/nova.te
@@ -292,6 +292,8 @@ auth_read_passwd(nova_scheduler_t)
 
 init_read_utmp(nova_scheduler_t)
 
+miscfiles_read_certs(nova_scheduler_t)
Comment 5 Alan Pevec 2014-11-28 23:12:25 UTC 
(In reply to Ryan Hallisey from comment #3)
> Looks good Gilles. I'll add to openstack-selinux.
> 
> allow nova_scheduler_t cert_t:dir search;

Which openstack-selinux version includes that?
Comment 6 Ryan Hallisey 2014-12-01 13:03:38 UTC 
It will be in openstack-selinux-0.5.21-1.el7ost when I build.
Need acks to build.
Comment 8 Ami Jeain 2015-04-05 12:11:48 UTC 
verified on the latest puddle using nova regression:
# rpm -qa |grep openstack-selinux
openstack-selinux-0.6.27-1.el7ost.noarch

# rpm -qa |grep sched
openstack-nova-scheduler-2014.2.2-19.el7ost.noarch
Comment 10 errata-xmlrpc 2015-04-16 14:37:36 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0825.html