Bug 1189931 - Nova AVC messages
Summary: Nova AVC messages
Status: CLOSED EOL
Alias: None
Product: RDO
Classification: Community
Component: openstack-nova
Version: Juno
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Target Release: Juno
Assignee: Eoghan Glynn
QA Contact: nlevinki
Reported: 2015-02-05 21:04 UTC by Lars Kellogg-Stedman
Modified: 2016-05-19 15:50 UTC

Doc Type: Bug Fix
Last Closed: 2016-05-19 15:50:32 UTC

Description Lars Kellogg-Stedman 2015-02-05 21:04:25 UTC
Installation of RDO Juno on Fedora 21, with:

- openstack-nova-api-2014.2.1-1.fc22.noarch
- selinux-policy-3.13.1-105.fc21.noarch

Results in the following from audit2allow:

#============= nova_api_t ==============
allow nova_api_t self:capability net_admin;
allow nova_api_t system_dbusd_t:dbus send_msg;
allow nova_api_t system_dbusd_t:unix_stream_socket connectto;
allow nova_api_t system_dbusd_var_run_t:dir search;
allow nova_api_t system_dbusd_var_run_t:sock_file write;
allow nova_api_t systemd_logind_t:dbus send_msg;

Corresponding to the following AVCs in the audit log:


type=AVC msg=audit(): avc:  denied  { connectto } for  pid=xxx comm="sudo" path="/run/dbus/system_bus_socket" scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(): avc:  denied  { net_admin } for  pid=xxx comm="sudo" capability=12  scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:system_r:nova_api_t:s0 tclass=capability permissive=0
type=AVC msg=audit(): avc:  denied  { net_admin } for  pid=xxx comm="sudo" capability=12  scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:system_r:nova_api_t:s0 tclass=capability permissive=1
type=AVC msg=audit(): avc:  denied  { search } for  pid=xxx comm="sudo" name="dbus" dev="tmpfs" ino=10410 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=dir permissive=0
type=AVC msg=audit(): avc:  denied  { search } for  pid=xxx comm="sudo" name="dbus" dev="tmpfs" ino=10410 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=dir permissive=1
type=AVC msg=audit(): avc:  denied  { search } for  pid=xxx comm="sudo" name="dbus" dev="tmpfs" ino=11674 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=dir permissive=1
type=AVC msg=audit(): avc:  denied  { write } for  pid=xxx comm="sudo" name="system_bus_socket" dev="tmpfs" ino=10411 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(): avc:  denied  { write } for  pid=xxx comm="sudo" name="system_bus_socket" dev="tmpfs" ino=11675 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=1
type=USER_AVC msg=audit(): pid=xxx uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=2000 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(): pid=xxx uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=28727 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(): pid=xxx uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.login1.Manager member=CreateSession dest=org.freedesktop.login1 spid=2000 tpid=376 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(): pid=xxx uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.login1.Manager member=CreateSession dest=org.freedesktop.login1 spid=28727 tpid=313 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(): pid=xxx uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.1913 spid=313 tpid=28727 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:nova_api_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(): pid=xxx uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.40 spid=376 tpid=2000 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:nova_api_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
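
Added example (not part of the original report, and not audit2allow's own code): a small parser that reduces AVC and USER_AVC records like the ones above to allow rules grouped by source domain, and records which denials were logged with permissive=0. The sample input is constructed by abridging three records from the report; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: three records abridged from the denials quoted in the report.
SAMPLE = """\
type=AVC msg=audit(): avc:  denied  { search } for  pid=xxx comm="sudo" name="dbus" dev="tmpfs" ino=10410 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=dir permissive=0
type=AVC msg=audit(): avc:  denied  { net_admin } for  pid=xxx comm="sudo" capability=12  scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:system_r:nova_api_t:s0 tclass=capability permissive=1
type=USER_AVC msg=audit(): pid=xxx uid=81 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.40 spid=376 tpid=2000 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:nova_api_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon"'
"""

# Kernel AVCs carry permissive=0|1; the USER_AVC records from dbus-daemon here do not.
DENIAL = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\w+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)

def type_of(context):
    """Return the type field of a user:role:type:level[:categories] context."""
    return context.split(":")[2]

def parse_denials(text):
    """Collect permissions per (source, target, class); note enforced denials."""
    rules = defaultdict(set)
    enforced = set()  # keys seen with permissive=0, i.e. the access was blocked
    for line in text.splitlines():
        m = DENIAL.search(line)
        if not m:
            continue
        key = (type_of(m["s"]), type_of(m["t"]), m["cls"])
        rules[key].update(m["perms"].split())
        if m["permissive"] == "0":
            enforced.add(key)
    return rules, enforced

def render(rules):
    """Format the collected denials as allow rules, grouped by source domain."""
    out = defaultdict(list)
    for (src, tgt, cls), perms in sorted(rules.items()):
        target = "self" if tgt == src else tgt
        names = sorted(perms)
        perm = names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"
        out[src].append(f"allow {src} {target}:{cls} {perm};")
    return dict(out)

if __name__ == "__main__":
    parsed, blocked = parse_denials(SAMPLE)
    for domain, lines in render(parsed).items():
        print(f"#============= {domain} ==============")
        print("\n".join(lines))
```

Grouping by source domain puts the method_return denials, whose scontext is systemd_logind_t, under their own heading rather than under nova_api_t, and the enforced set separates accesses that were actually blocked from those only logged in permissive mode.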

Comment 1 Chandan Kumar 2016-05-19 15:50:32 UTC
This bug is against a Version which has reached End of Life.
If it's still present in a supported release (http://releases.openstack.org), please update Version and reopen.

