Bug 1268124 - Nova rootwrap-daemon requires a selinux exception
Nova rootwrap-daemon requires a selinux exception
Status: CLOSED EOL
Product: RDO
Classification: Community
Component: openstack-selinux (Show other bugs)
trunk
Unspecified Unspecified
unspecified Severity high
: ---
: Kilo
Assigned To: Lon Hohberger
Ofer Blaut
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2015-10-01 17:20 EDT by David Moreau Simard
Modified: 2016-05-19 11:51 EDT (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-05-19 11:51:16 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description David Moreau Simard 2015-10-01 17:20:58 EDT
This commit introduces rootwrap-daemon to Nova:
https://github.com/openstack-packages/nova/commit/a23cc14307dcb32c2db8d2ec0f930b3eeb63be3e

With this commit in, openstack-nova-api will not start when selinux is enforcing:
http://paste.openstack.org/show/475122/

AVC is:
type=AVC msg=audit(1443733028.613:8322): avc:  denied  { create } for  pid=18870 comm="nova-rootwrap-d" name="rootwrap.sock" scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:nova_api_tmp_t:s0 tclass=sock_file
Comment 1 Alan Pevec 2015-10-02 18:48:32 EDT
There are probably more AVCs to add, run permissive and collect them all.
Comment 2 Pádraig Brady 2015-10-29 11:01:59 EDT
This is the only rule needed it seems:
# grep nova-rootwrap-d /var/log/audit/audit.log | audit2allow
#============= nova_api_t ==============
allow nova_api_t nova_api_tmp_t:sock_file { create unlink getattr setattr write };

Adding that as follows allows nova-api to start and I've
confirmed that commands are now executed through the rootwrap daemon
# grep nova-rootwrap-d /var/log/audit/audit.log | audit2allow -M nova-rootwrap-d
# semodule -i nova-rootwrap-d.pp

p.s. I added the 'write' in manually to the above as that was reported as a subsequent denial only after the initial functions were allowed.
Comment 3 Chandan Kumar 2016-05-19 11:51:16 EDT
This bug is against a Version which has reached End of Life.
If it's still present in supported release (http://releases.openstack.org), please update Version and reopen.

Note You need to log in before you can comment on or make changes to this bug.