Bug 1170223 - Need selinux policy for OpenStack Keystone running in Apache with mod_wsgi
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 21
Hardware: All
OS: Linux
Priority: urgent
Severity: urgent
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Depends On: 1111274 1122764 1122767 1138424 1170218 1180230
Blocks: 1123117 1126594 1154615 1170224 1170225 1170370 1170372
Reported: 2014-12-03 14:15 UTC by Rich Megginson
Modified: 2016-04-26 17:40 UTC

Fixed In Version: selinux-policy-3.13.1-105.19.fc21
Doc Type: Bug Fix
Clone Of: 1170218
: 1170224
Last Closed: 2015-07-14 15:50:19 UTC
Type: Bug


Attachments
audit.log httpd related messages (6.01 KB, text/plain), 2015-04-07 14:27 UTC, Rich Megginson
audit2allow -a -w output (10.36 KB, text/plain), 2015-04-07 14:28 UTC, Rich Megginson
audit2allow -a -R output (387 bytes, text/plain), 2015-04-07 14:28 UTC, Rich Megginson

Comment 1 Rich Megginson 2015-04-07 14:26:45 UTC
I am reopening this bug.  There are still httpd related AVCs with Keystone on F21.

Comment 2 Rich Megginson 2015-04-07 14:27:29 UTC
Created attachment 1011795 [details]
audit.log httpd related messages

Comment 3 Rich Megginson 2015-04-07 14:28:03 UTC
Created attachment 1011796 [details]
audit2allow -a -w output

Comment 4 Rich Megginson 2015-04-07 14:28:30 UTC
Created attachment 1011797 [details]
audit2allow -a -R output

Comment 5 Rich Megginson 2015-04-07 14:29:14 UTC
We need this fixed ASAP as it is causing a lot of problems for people trying to deploy OpenStack on F21.

Comment 6 Lukas Vrabec 2015-04-08 15:39:17 UTC
Hi, 
Do you have some reproducer?

Comment 8 Rich Megginson 2015-04-23 14:18:53 UTC
Failed again: https://bugzilla.redhat.com/show_bug.cgi?id=1207098#c20

Comment 9 Miroslav Grepl 2015-05-12 08:24:17 UTC
commit f6fdaaaba8065f3f727f1360bd505cd78b154c21
Author: Miroslav Grepl <mgrepl>
Date:   Tue May 12 10:21:03 2015 +0200

    Allow cinder-backup to dbus chat with systemd-logind. BZ(1207098)

commit d7d35ca3d310bb042e7d51565edb1d1b9e162436
Author: Miroslav Grepl <mgrepl>
Date:   Tue May 12 10:14:26 2015 +0200

    Update httpd_use_openstack boolean to allow httpd to bind commplex_main_port and read keystone log files.

Comment 10 Fedora Update System 2015-06-24 12:28:52 UTC
selinux-policy-3.13.1-105.18.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-105.18.fc21

Comment 11 Fedora Update System 2015-06-25 08:22:31 UTC
Package selinux-policy-3.13.1-105.18.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.13.1-105.18.fc21'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-10708/selinux-policy-3.13.1-105.18.fc21
then log in and leave karma (feedback).

Comment 12 Fedora Update System 2015-06-30 07:31:20 UTC
selinux-policy-3.13.1-105.19.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-105.19.fc21

Comment 13 Fedora Update System 2015-07-14 15:50:19 UTC
selinux-policy-3.13.1-105.19.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

