Description of problem:
=======================
Tested with RHEL7.
Used packstack to deploy RDO.
Since I run with Permissive mode, I can't tell what functionality breaks.

Version-Release number of selected component (if applicable):
=============================================================
RDO-Juno: openstack-selinux-0.5.19-2.el7ost.noarch

How reproducible:
=================
1/1

Steps to Reproduce:
===================
1. Use packstack to deploy RDO (Used RHEL7)
2. Check /var/log/audit/audit.log

Actual results:
===============
type=AVC msg=audit(1414504423.908:14689): avc: denied { signal } for pid=55983 comm="keystone-all" scontext=system_u:system_r:keystone_t:s0 tcontext=system_u:system_r:keystone_t:s0 tclass=process

Expected results:
=================
no such avc should be expected.

Additional info:
================
SELinux is preventing /usr/bin/python2.7 from using the signal access on a process.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that python2.7 should be allowed signal access on processes labeled keystone_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep keystone-all /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:keystone_t:s0
Target Context                system_u:system_r:keystone_t:s0
Target Objects                [ process ]
Source                        keystone-all
Source Path                   /usr/bin/python2.7
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           python-2.7.5-16.el7.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.12.1-153.el7_0.11.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     nmagnezi-os-cont1
Platform                      Linux nmagnezi-os-cont1 3.10.0-123.8.1.el7.x86_64 #1 SMP Mon Aug 11 13:37:49 EDT 2014 x86_64 x86_64
Alert Count                   1
First Seen                    2014-10-28 15:53:43 IST
Last Seen                     2014-10-28 15:53:43 IST
Local ID                      9a8a8cc1-0e37-48d7-bc99-90e7311aac92

Raw Audit Messages
type=AVC msg=audit(1414504423.908:14689): avc: denied { signal } for pid=55983 comm="keystone-all" scontext=system_u:system_r:keystone_t:s0 tcontext=system_u:system_r:keystone_t:s0 tclass=process

type=SYSCALL msg=audit(1414504423.908:14689): arch=x86_64 syscall=kill success=yes exit=0 a0=dac8 a1=f a2=0 a3=7fffcfd28a20 items=0 ppid=1 pid=55983 auid=4294967295 uid=163 gid=163 euid=163 suid=163 fsuid=163 egid=163 sgid=163 fsgid=163 tty=(none) ses=4294967295 comm=keystone-all exe=/usr/bin/python2.7 subj=system_u:system_r:keystone_t:s0 key=(null)

Hash: keystone-all,keystone_t,keystone_t,process,signal
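
An added example, not part of the original report: a small Python parser that pairs the AVC record with its SYSCALL record by event serial, derives the type-enforcement rule the denial corresponds to, and decodes the hex `kill` arguments (`a0` is the target PID, `a1` the signal number). The function names are hypothetical, and the interpreted `syscall=kill` form is assumed, as in the report.

```python
import re
import signal

# The two records of audit event 14689, copied from the report above.
SAMPLE = '''\
type=AVC msg=audit(1414504423.908:14689): avc: denied { signal } for pid=55983 comm="keystone-all" scontext=system_u:system_r:keystone_t:s0 tcontext=system_u:system_r:keystone_t:s0 tclass=process
type=SYSCALL msg=audit(1414504423.908:14689): arch=x86_64 syscall=kill success=yes exit=0 a0=dac8 a1=f a2=0 a3=7fffcfd28a20 items=0 ppid=1 pid=55983 auid=4294967295 uid=163 gid=163 euid=163 suid=163 fsuid=163 egid=163 sgid=163 fsgid=163 tty=(none) ses=4294967295 comm=keystone-all exe=/usr/bin/python2.7 subj=system_u:system_r:keystone_t:s0 key=(null)
'''

RECORD = re.compile(r"^type=(\w+) msg=audit\(\d+\.\d+:(\d+)\): (.*)$")
PERMS = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(text):
    """Group audit records by event serial: {serial: {record_type: fields}}."""
    events = {}
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if not m:
            continue
        rtype, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        perms = PERMS.search(body)
        if perms:
            fields["perms"] = perms.group(1).split()
        events.setdefault(int(serial), {})[rtype] = fields
    return events

def describe(event):
    """Summarise one denial: matching TE rule and decoded kill(2) arguments."""
    avc, sc = event["AVC"], event.get("SYSCALL", {})
    src, tgt = (avc[k].split(":")[2] for k in ("scontext", "tcontext"))
    perms = avc["perms"]
    perm_s = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
    out = {"rule": "allow %s %s:%s %s;" % (src, "self" if src == tgt else tgt, avc["tclass"], perm_s),
           # A denial whose syscall still succeeded was logged but not blocked.
           "syscall_succeeded": sc.get("success") == "yes"}
    if sc.get("syscall") == "kill":
        pid = int(sc["a0"], 16) & 0xFFFFFFFF  # audit logs a0..a3 as hex
        out["target_pid"] = pid - (1 << 32) if pid >= (1 << 31) else pid  # negative: process group
        signum = int(sc["a1"], 16)
        out["signal"] = signal.Signals(signum).name if signum else "0"
    return out

def denials(text):
    """Return a summary for every event that carries an AVC denial."""
    return [describe(e) for e in parse_events(text).values() if "perms" in e.get("AVC", {})]

print(denials(SAMPLE))
```

For the event in the report this shows `keystone-all` sending a signal to another process in its own `keystone_t` domain, with the call succeeding because the host is in Permissive mode.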
Upon running this scenario, the only AVC that exists is here:

[root@lynx01 ~]# grep AVC /var/log/audit/audit.log
type=USER_AVC msg=audit(1414649381.064:23845): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received policyload notice (seqno=31) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1414649384.338:23884): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received policyload notice (seqno=32) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
[root@lynx01 ~]#

...no 'avc denied' exists.
I just reproduced it again with openstack-selinux-0.5.19-2.el7ost.noarch
This bug is against a Version which has reached End of Life. If it's still present in a supported release (http://releases.openstack.org), please update Version and reopen.