1149975 – openstack-nova-scheduler: SELinux is preventing /usr/bin/python2.7 from search access on the directory

Bug 1149975 - openstack-nova-scheduler: SELinux is preventing /usr/bin/python2.7 from search access on the directory

Summary: openstack-nova-scheduler: SELinux is preventing /usr/bin/python2.7 from searc...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat OpenStack
Classification:	Red Hat
Component:	openstack-selinux
Sub Component:
Version:	5.0 (RHEL 7)
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	z4
Target Release:	5.0 (RHEL 7)
Assignee:	Ryan Hallisey
QA Contact:	Ami Jeain
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2014-10-07 05:39 UTC by Gilles Dubreuil
Modified:	2023-02-22 23:02 UTC (History)
CC List:	8 users (show)
Fixed In Version:	openstack-selinux-0.5.21-1.el7ost
Doc Type:	Bug Fix
Doc Text:	Previously, SELinux prevented the nova scheduler from searching directories labeled 'cert_t', resulting in SELinux causing Compute to fail. With this update, an 'allow' rule has been created to give the nova scheduler permission to search the 'cert_t' directories. As a result, Compute service functions normally.
Clone Of:
Environment:
Last Closed:	2015-04-16 14:37:36 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
sealert (2.37 KB, text/plain) 2014-10-07 05:39 UTC, Gilles Dubreuil	no flags	Details
semodule (429 bytes, application/octet-stream) 2014-10-07 05:45 UTC, Gilles Dubreuil	no flags	Details
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2015:0825	0	normal	SHIPPED_LIVE	Red Hat Enterprise Linux OpenStack Platform Bug Fix and Enhancement Advisory	2015-04-16 18:28:14 UTC

Description Gilles Dubreuil 2014-10-07 05:39:46 UTC

Created attachment 944445 [details]
sealert

Using:
selinux-policy-3.12.1-153.el7_0.11.noarch
selinux-policy-targeted-3.12.1-153.el7_0.11.noarch 
openstack-nova-scheduler-2014.1.2-1.el7ost.noarch
openstack-selinux-0.5.16-2.el7ost.noarch

nova-scheduler doesn't start because of SELinux missing AVC indicating:
"SELinux is preventing /usr/bin/python2.7 from search access on the directory"

Please see attached for "sealert -a /var/log/audit/audit.log" full log.

Comment 2 Gilles Dubreuil 2014-10-07 05:45:13 UTC

Created attachment 944447 [details]
semodule

Workaround:

Using attached nova-scheduler-python-search policy files,
run
semodule -i nova-scheduler-python-search.pp

Comment 3 Ryan Hallisey 2014-10-07 12:51:05 UTC

Looks good Gilles. I'll add to openstack-selinux.

allow nova_scheduler_t cert_t:dir search;

Comment 4 Miroslav Grepl 2014-10-13 12:07:28 UTC

I added

diff --git a/nova.te b/nova.te
index 5747359..2d92a3d 100644
--- a/nova.te
+++ b/nova.te
@@ -292,6 +292,8 @@ auth_read_passwd(nova_scheduler_t)
 
 init_read_utmp(nova_scheduler_t)
 
+miscfiles_read_certs(nova_scheduler_t)

Comment 5 Alan Pevec 2014-11-28 23:12:25 UTC

(In reply to Ryan Hallisey from comment #3)
> Looks good Gilles. I'll add to openstack-selinux.
> 
> allow nova_scheduler_t cert_t:dir search;

Which openstack-selinux version includes that?

Comment 6 Ryan Hallisey 2014-12-01 13:03:38 UTC

It will be in openstack-selinux-0.5.21-1.el7ost when I build.
Need acks to build.

Comment 8 Ami Jeain 2015-04-05 12:11:48 UTC

verified on the latest puddle using nova regression:
# rpm -qa |grep openstack-selinux
openstack-selinux-0.6.27-1.el7ost.noarch

# rpm -qa |grep sched
openstack-nova-scheduler-2014.2.2-19.el7ost.noarch

Comment 10 errata-xmlrpc 2015-04-16 14:37:36 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0825.html

Note You need to log in before you can comment on or make changes to this bug.