I have a good feeling that almost all those are mislabeled files.

  # restorecon -Rv /var/log/calamari/calamari.log
  # restorecon -Rv /var/lib/graphite/whisper

allow ldconfig_t proc_net_t:file read;
[root@localhost ~]# semanage fcontext -l | grep calam
/etc/cron\.daily/calamaris    regular file    system_u:object_r:calamaris_exec_t:s0
/var/log/calamaris(/.*)?      all files       system_u:object_r:calamaris_log_t:s0
/var/www/calamaris(/.*)?      all files       system_u:object_r:calamaris_www_t:s0

I don't think restorecon will fix it.
type=AVC msg=audit(1409330049.520:333): avc: denied { open } for pid=2870 comm="httpd" path="/var/log/calamari/calamari.log" dev="dm-0" ino=1812779 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file

It's presently var_log_t. I think that's correct.
BTW, the SELinux 'calamaris' module is for the squid proxy cache, not Ceph. If the AVCs are actually for some instance of squid, then we're deploying it wrong.
#============= httpd_t ==============
allow httpd_t httpd_log_t:file rename;
allow httpd_t init_var_lib_t:dir { read getattr open };
allow httpd_t init_var_lib_t:file { read getattr open };

#!!!! This avc can be allowed using the boolean 'httpd_can_network_connect'
allow httpd_t mmcc_port_t:tcp_socket name_connect;

#!!!! This avc can be allowed using one of the these booleans:
#     httpd_can_network_connect, httpd_can_network_connect_db
allow httpd_t postgresql_port_t:tcp_socket name_connect;

#!!!! This avc is allowed in the current policy
allow httpd_t unreserved_port_t:tcp_socket name_connect;
allow httpd_t var_log_t:file open;

so a workaround is:

  # setsebool -P httpd_can_network_connect 1
  # semanage fcontext -a -t http_log_t /var/log/calamari.log
  # restorecon /var/log/calamari.log

The only remaining weird parts are the httpd_t dealing with init_var_lib_t.
Er:

  # semanage fcontext -a -t httpd_log_t /var/log/calamari.log

...
What is labeled as init_var_lib_t?
https://bugzilla.redhat.com/attachment.cgi?id=933573 ^ audit.log (from other bug against 7.0)
type=AVC msg=audit(1409330362.683:338): avc: denied { getattr } for pid=4020 comm="find" path="/var/lib/graphite/whisper/carbon" dev="dm-0" ino=10888735 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:init_var_lib_t:s0 tclass=dir

^^ That one.
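A small triage script, added here as an example (it is not from this bug or from the openstack-selinux package), for the "will restorecon fix it?" question raised above: it parses the two AVC records quoted in this thread and compares each denied target type with the type a constructed subset of the `semanage fcontext -l` table assigns to the path. Only paths whose current label already differs from the table's answer are restorecon material; the rest need a new fcontext rule, a boolean or a policy change. The longest-literal-prefix rule for choosing the winning spec is my approximation of setfiles' ordering, and real use needs the host's full fcontext table.

```python
import re

# Constructed sample input: the two AVC records quoted in this bug, verbatim.
AVC_LINES = [
    'type=AVC msg=audit(1409330049.520:333): avc: denied { open } for pid=2870 '
    'comm="httpd" path="/var/log/calamari/calamari.log" dev="dm-0" ino=1812779 '
    'scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file',
    'type=AVC msg=audit(1409330362.683:338): avc: denied { getattr } for pid=4020 '
    'comm="find" path="/var/lib/graphite/whisper/carbon" dev="dm-0" ino=10888735 '
    'scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:init_var_lib_t:s0 tclass=dir',
]
# Constructed subset of a `semanage fcontext -l` table as (regex, type) pairs.
FCONTEXT = [
    (r"/var/log/calamaris(/.*)?", "calamaris_log_t"),
    (r"/var/www/calamaris(/.*)?", "calamaris_www_t"),
    (r"/var/log(/.*)?", "var_log_t"),  # stock default for /var/log
    (r"/var/lib(/.*)?", "var_lib_t"),  # stock default for /var/lib
]
AVC_RE = re.compile(
    r'denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?path="(?P<path>[^"]+)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def parse_avc(line):
    # Pull perms, path, contexts and class out of one AVC record; None if not an AVC.
    m = AVC_RE.search(line)
    if not m:
        return None
    avc = m.groupdict()
    avc["perms"] = avc["perms"].split()
    avc["ttype"] = avc["tcontext"].split(":")[2]  # user:role:type:level
    return avc

def expected_type(path, fcontext=FCONTEXT):
    """Type the table assigns to path: the matching spec with the longest literal
    prefix wins, which approximates setfiles' ordering (assumption, not its code)."""
    best = None
    for regex, ftype in fcontext:
        if re.fullmatch(regex, path):
            stem = re.split(r"[\[\(\.\*\?\\]", regex, maxsplit=1)[0]
            if best is None or len(stem) >= len(best[0]):
                best = (stem, ftype)
    return best[1] if best else None

def triage(line):
    # "restorecon" only when the table disagrees with the label that was denied.
    avc = parse_avc(line)
    if avc is None:
        return None
    want = expected_type(avc["path"])
    fix = "restorecon" if want and want != avc["ttype"] else "fcontext_or_policy"
    return {"path": avc["path"], "actual": avc["ttype"], "expected": want, "fix": fix}
```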
$ rpm -qf /var/lib/graphite
Looks like there's this: https://github.com/graphite-project

On Fedora, there's a python-carbon rpm. It has:
  /var/lib/carbon
  /var/log/carbon
  /var/run/carbon
  /etc/carbon
  /etc/carbon/carbon.conf
  /etc/carbon/storage-schemas.conf
  /etc/init.d/carbon-aggregator
  /etc/init.d/carbon-cache
  /etc/init.d/carbon-relay
  /etc/sysconfig/carbon
  /usr/bin/carbon-aggregator
  /usr/bin/carbon-cache
  /usr/bin/carbon-client
  /usr/bin/carbon-relay
  /usr/bin/validate-storage-schemas
(and site-packages)
Presumably, this python-carbon rpm is provided by the Ceph deployment tool; it's not part of RHEL or RHEL OSP. I really don't think the /var/lib/carbon thing is something we want to patch around in openstack-selinux. If we create a conflicting type to fix this in openstack-selinux, we will break upgrade.
So, calamari/carbon aren't necessarily needed initially, leaving:

  # httpd_t
  allow httpd_t httpd_log_t:file rename;

And, in postinstall:

  # setsebool -P httpd_can_network_connect 1
I've asked Crag to attach up-to-the-minute audit.logs for us.
No avc denials were logged given a 3 mon / 1 storage node cluster created by https://github.com/cwolferh/moar-cowbell-scripts/blob/master/ceph/simple-cluster-with-predefined-ceph.bash . Note that my cluster does not use carbon on any of the nodes -- that is a calamari thing. I.e., my cluster is based off of ceph-deploy only and calamari is not installed.
Ok, if the deployment from Staypuft works, then there's nothing specific to do here for the openstack-selinux package.