Bug 1203910 - Keystone requires keystone_t self:process signal;
Keywords:
Status: CLOSED EOL
Alias: None
Product: RDO
Classification: Community
Component: openstack-selinux
Version: Juno
Hardware: All
OS: All
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Target Release: Kilo
Assignee: Lon Hohberger
QA Contact: Ofer Blaut
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2015-03-19 23:28 UTC by daniel
Modified: 2016-05-19 16:03 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-05-19 16:03:22 UTC
Embargoed:



Description daniel 2015-03-19 23:28:28 UTC
Description of problem:
OpenStack keystone needs the following policy:

#============= keystone_t ==============
allow keystone_t self:process signal;

or else it will throw an error on startup. Certain LDAP-related functionality does not work without that policy either.

Version-Release number of selected component (if applicable):
Name        : openstack-selinux
Version     : 0.5.19
Release     : 2.el7ost
From repo   : openstack-juno

Name        : openstack-keystone
Version     : 2014.2.2
Release     : 1.el7
From repo   : openstack-juno

How reproducible:
Start openstack-keystone

Actual results:
/var/log/keystone/keystone.log will contain:
2015-03-19 19:26:12.606 17546 CRITICAL keystone [-] OSError: [Errno 13] Permission denied
2015-03-19 19:26:12.606 17546 TRACE keystone Traceback (most recent call last):
2015-03-19 19:26:12.606 17546 TRACE keystone   File "/usr/bin/keystone-all", line 164, in <module>
2015-03-19 19:26:12.606 17546 TRACE keystone     serve(*servers)
2015-03-19 19:26:12.606 17546 TRACE keystone   File "/usr/bin/keystone-all", line 104, in serve
2015-03-19 19:26:12.606 17546 TRACE keystone     launcher.wait()
2015-03-19 19:26:12.606 17546 TRACE keystone   File "/usr/lib/python2.7/site-packages/keystone/openstack/common/service.py", line 410, in wait
2015-03-19 19:26:12.606 17546 TRACE keystone     self.stop()
2015-03-19 19:26:12.606 17546 TRACE keystone   File "/usr/lib/python2.7/site-packages/keystone/openstack/common/service.py", line 417, in stop
2015-03-19 19:26:12.606 17546 TRACE keystone     os.kill(pid, signal.SIGTERM)
2015-03-19 19:26:12.606 17546 TRACE keystone OSError: [Errno 13] Permission denied
2015-03-19 19:26:12.606 17546 TRACE keystone 

Expected results:
No such error should appear.

Additional info:

# audit2allow -a

#============= keystone_t ==============
allow keystone_t self:process signal;

#============= nova_api_t ==============
allow nova_api_t gconf_home_t:dir search;
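
The following is an added example, not part of the original report and not audit2allow's own code: a simplified sketch of how AVC denial records map to the allow rules shown above, including why a denial whose source and target types match is written with `self`. The audit records, PIDs and inode values in it are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample audit records (not taken from the reporter's system).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1426807572.606:412): avc:  denied  { signal } for  pid=17546 comm="keystone-all" scontext=system_u:system_r:keystone_t:s0 tcontext=system_u:system_r:keystone_t:s0 tclass=process
type=AVC msg=audit(1426807580.120:431): avc:  denied  { search } for  pid=2101 comm="nova-api" name=".gconf" dev="dm-0" ino=1234 scontext=system_u:system_r:nova_api_t:s0 tcontext=unconfined_u:object_r:gconf_home_t:s0 tclass=dir
type=SYSCALL msg=audit(1426807572.606:412): arch=c000003e syscall=62 success=no exit=-13 comm="keystone-all"
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\w+)"
)

def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    return context.split(":")[2]

def denials_to_rules(log_text):
    """Map each source type to the allow rules its AVC denials imply."""
    grouped = defaultdict(set)  # (source, target, class) -> permissions
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other record types carry no denial
        src, tgt = selinux_type(m["scon"]), selinux_type(m["tcon"])
        if src == tgt:
            tgt = "self"  # a domain acting on itself, as in keystone_t self:process
        grouped[(src, tgt, m["tclass"])].update(m["perms"].split())
    rules = defaultdict(list)
    for (src, tgt, tclass), perms in sorted(grouped.items()):
        perms = sorted(perms)
        perm_text = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules[src].append(f"allow {src} {tgt}:{tclass} {perm_text};")
    return dict(rules)

if __name__ == "__main__":
    for src, lines in denials_to_rules(SAMPLE_AUDIT_LOG).items():
        print(f"\n#============= {src} ==============")
        print("\n".join(lines))
```

Grouping by source type keeps the keystone_t rule separate from the nova_api_t one, so each can be reviewed against the service it belongs to before being loaded into policy.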

Comment 1 Chandan Kumar 2016-05-19 16:03:22 UTC
This bug is against a Version which has reached End of Life.
If it's still present in a supported release (http://releases.openstack.org), please update Version and reopen.

