Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RDO tickets are now tracked in Jira https://issues.redhat.com/projects/RDO/issues/

Bug 1157658

Summary: AVC denial for openstack-keystone running via httpd
Product: [Community] RDO Reporter: Martin Magr <mmagr>
Component: openstack-selinuxAssignee: Lon Hohberger <lhh>
Status: CLOSED DUPLICATE QA Contact: Ofer Blaut <oblaut>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: unspecifiedCC: nkinder, yeylon
Target Milestone: ---   
Target Release: Juno   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-10-27 14:15:10 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Martin Magr 2014-10-27 12:42:12 UTC 
Description of problem:
On RHEL-7 when Keystone is set up to run via httpd following AVC denial occurs:

time->Mon Oct 27 13:26:21 2014 type=SYSCALL msg=audit(1414412781.639:14111): arch=c000003e syscall=2 success=yes exit=3 a0=7fff2afe7570 a1=0 a2=1b6 a3=7fff2afe6e50 items=0 ppid=24824 pid=29718 auid=4294967295 uid=163 gid=163 euid=163 suid=163 fsuid=163 egid=163 sgid=163 fsgid=163 tty=(none) ses=4294967295 comm="openssl" exe="/usr/bin/openssl" subj=system_u:system_r:httpd_t:s0 key=(null) type=AVC msg=audit(1414412781.639:14111): avc: denied { open } for pid=29718 comm="openssl" path="/var/lib/keystone/.rnd" dev="dm-0" ino=19433281 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:keystone_var_lib_t:s0 tclass=file type=AVC msg=audit(1414412781.639:14111): avc: denied { read } for pid=29718 comm="openssl" name=".rnd" dev="dm-0" ino=19433281 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:keystone_var_lib_t:s0 tclass=file

Version-Release number of selected component (if applicable):
openstack-selinux-0.5.19-2.el7ost.noarch
Comment 1 Nathan Kinder 2014-10-27 14:15:10 UTC 
Adding policy to allow Keystone to run in httpd va mod_wsgi is being handled in bug 1138424.

*** This bug has been marked as a duplicate of bug 1138424 ***