Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.
First Last Prev Next    This bug is not in your last search results.
Bug 1149975 - openstack-nova-scheduler: SELinux is preventing /usr/bin/python2.7 from search access on the directory
openstack-nova-scheduler: SELinux is preventing /usr/bin/python2.7 from searc...
Status: CLOSED ERRATA
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-selinux (Show other bugs)
5.0 (RHEL 7)
Unspecified Unspecified
unspecified Severity unspecified
: z4
: 5.0 (RHEL 7)
Assigned To: Ryan Hallisey
Ami Jeain
: ZStream
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2014-10-07 01:39 EDT by Gilles Dubreuil
Modified: 2015-04-16 10:37 EDT (History)
9 users (show)

See Also:
Fixed In Version: openstack-selinux-0.5.21-1.el7ost
Doc Type: Bug Fix
Doc Text:
Previously, SELinux prevented the nova scheduler from searching directories labeled 'cert_t', resulting in SELinux causing Compute to fail. With this update, an 'allow' rule has been created to give the nova scheduler permission to search the 'cert_t' directories. As a result, Compute service functions normally.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-04-16 10:37:36 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
sealert (2.37 KB, text/plain)
2014-10-07 01:39 EDT, Gilles Dubreuil 		no flags Details
semodule (429 bytes, application/octet-stream)
2014-10-07 01:45 EDT, Gilles Dubreuil 		no flags Details
Add an attachment (proposed patch, testcase, etc.)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2015:0825 normal SHIPPED_LIVE Red Hat Enterprise Linux OpenStack Platform Bug Fix and Enhancement Advisory 2015-04-16 14:28:14 EDT

  None (edit)
Description Gilles Dubreuil 2014-10-07 01:39:46 EDT 
Created attachment 944445 [details]
sealert

Using:
selinux-policy-3.12.1-153.el7_0.11.noarch
selinux-policy-targeted-3.12.1-153.el7_0.11.noarch 
openstack-nova-scheduler-2014.1.2-1.el7ost.noarch
openstack-selinux-0.5.16-2.el7ost.noarch

nova-scheduler doesn't start because of SELinux missing AVC indicating:
"SELinux is preventing /usr/bin/python2.7 from search access on the directory"

Please see attached for "sealert -a /var/log/audit/audit.log" full log.
Comment 2 Gilles Dubreuil 2014-10-07 01:45:13 EDT 
Created attachment 944447 [details]
semodule

Workaround:

Using attached nova-scheduler-python-search policy files,
run
semodule -i nova-scheduler-python-search.pp
Comment 3 Ryan Hallisey 2014-10-07 08:51:05 EDT 
Looks good Gilles. I'll add to openstack-selinux.

allow nova_scheduler_t cert_t:dir search;
Comment 4 Miroslav Grepl 2014-10-13 08:07:28 EDT 
I added

diff --git a/nova.te b/nova.te
index 5747359..2d92a3d 100644
--- a/nova.te
+++ b/nova.te
@@ -292,6 +292,8 @@ auth_read_passwd(nova_scheduler_t)
 
 init_read_utmp(nova_scheduler_t)
 
+miscfiles_read_certs(nova_scheduler_t)
Comment 5 Alan Pevec 2014-11-28 18:12:25 EST 
(In reply to Ryan Hallisey from comment #3)
> Looks good Gilles. I'll add to openstack-selinux.
> 
> allow nova_scheduler_t cert_t:dir search;

Which openstack-selinux version includes that?
Comment 6 Ryan Hallisey 2014-12-01 08:03:38 EST 
It will be in openstack-selinux-0.5.21-1.el7ost when I build.
Need acks to build.
Comment 8 Ami Jeain 2015-04-05 08:11:48 EDT 
verified on the latest puddle using nova regression:
# rpm -qa |grep openstack-selinux
openstack-selinux-0.6.27-1.el7ost.noarch

# rpm -qa |grep sched
openstack-nova-scheduler-2014.2.2-19.el7ost.noarch
Comment 10 errata-xmlrpc 2015-04-16 10:37:36 EDT 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0825.html
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.