RDO tickets are now tracked in Jira https://issues.redhat.com/projects/RDO/issues/
Bug 1268124 - Nova rootwrap-daemon requires a selinux exception
Summary: Nova rootwrap-daemon requires a selinux exception
Keywords:
Status: CLOSED EOL
Alias: None
Product: RDO
Classification: Community
Component: openstack-selinux
Version: trunk
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: ---
: Kilo
Assignee: Lon Hohberger
QA Contact: Ofer Blaut
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2015-10-01 21:20 UTC by David Moreau Simard
Modified: 2016-05-19 15:51 UTC (History)
4 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2016-05-19 15:51:16 UTC
Embargoed:


Attachments (Terms of Use)

Description David Moreau Simard 2015-10-01 21:20:58 UTC
This commit introduces rootwrap-daemon to Nova:
https://github.com/openstack-packages/nova/commit/a23cc14307dcb32c2db8d2ec0f930b3eeb63be3e

With this commit in, openstack-nova-api will not start when selinux is enforcing:
http://paste.openstack.org/show/475122/

AVC is:
type=AVC msg=audit(1443733028.613:8322): avc:  denied  { create } for  pid=18870 comm="nova-rootwrap-d" name="rootwrap.sock" scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:nova_api_tmp_t:s0 tclass=sock_file

Comment 1 Alan Pevec 2015-10-02 22:48:32 UTC
There are probably more AVCs to add, run permissive and collect them all.

Comment 2 Pádraig Brady 2015-10-29 15:01:59 UTC
This is the only rule needed it seems:
# grep nova-rootwrap-d /var/log/audit/audit.log | audit2allow
#============= nova_api_t ==============
allow nova_api_t nova_api_tmp_t:sock_file { create unlink getattr setattr write };

Adding that as follows allows nova-api to start and I've
confirmed that commands are now executed through the rootwrap daemon
# grep nova-rootwrap-d /var/log/audit/audit.log | audit2allow -M nova-rootwrap-d
# semodule -i nova-rootwrap-d.pp

p.s. I added the 'write' in manually to the above as that was reported as a subsequent denial only after the initial functions were allowed.

Comment 3 Chandan Kumar 2016-05-19 15:51:16 UTC
This bug is against a Version which has reached End of Life.
If it's still present in supported release (http://releases.openstack.org), please update Version and reopen.


Note You need to log in before you can comment on or make changes to this bug.