found 2 alerts in /var/log/audit/audit.log
http://logs.openstack.org/66/316266/1/check/gate-puppet-openstack-integration-3-scenario002-tempest-centos-7/8cc9138/console.html#_2016-05-13_20_44_45_381

2016-05-13 20:44:45.381 | --------------------------------------------------------------------------------
2016-05-13 20:44:45.381 |
2016-05-13 20:44:45.381 | SELinux is preventing /usr/sbin/httpd from write access on the directory cinder.
2016-05-13 20:44:45.381 |
2016-05-13 20:44:45.382 | ***** Plugin catchall (100. confidence) suggests **************************
2016-05-13 20:44:45.382 |
2016-05-13 20:44:45.382 | If you believe that httpd should be allowed write access on the cinder directory by default.
2016-05-13 20:44:45.382 | Then you should report this as a bug.
2016-05-13 20:44:45.382 | You can generate a local policy module to allow this access.
2016-05-13 20:44:45.382 | Do
2016-05-13 20:44:45.382 | allow this access for now by executing:
2016-05-13 20:44:45.382 | # grep httpd /var/log/audit/audit.log | audit2allow -M mypol
2016-05-13 20:44:45.382 | # semodule -i mypol.pp
2016-05-13 20:44:45.382 |
2016-05-13 20:44:45.382 |
2016-05-13 20:44:45.383 | Additional Information:
2016-05-13 20:44:45.383 | Source Context system_u:system_r:httpd_t:s0
2016-05-13 20:44:45.383 | Target Context system_u:object_r:cinder_log_t:s0
2016-05-13 20:44:45.383 | Target Objects cinder [ dir ]
2016-05-13 20:44:45.383 | Source httpd
2016-05-13 20:44:45.383 | Source Path /usr/sbin/httpd
2016-05-13 20:44:45.383 | Port <Unknown>
2016-05-13 20:44:45.383 | Host <Unknown>
2016-05-13 20:44:45.383 | Source RPM Packages httpd-2.4.6-40.el7.centos.1.x86_64
2016-05-13 20:44:45.383 | Target RPM Packages
2016-05-13 20:44:45.383 | Policy RPM selinux-policy-3.13.1-60.el7_2.3.noarch
2016-05-13 20:44:45.383 | Selinux Enabled True
2016-05-13 20:44:45.384 | Policy Type targeted
2016-05-13 20:44:45.384 | Enforcing Mode Permissive
2016-05-13 20:44:45.384 | Host Name centos-7-rax-ord-766673
2016-05-13 20:44:45.384 | Platform Linux centos-7-rax-ord-766673
2016-05-13 20:44:45.384 | 3.10.0-327.13.1.el7.x86_64 #1 SMP Thu Mar 31
2016-05-13 20:44:45.384 | 16:04:38 UTC 2016 x86_64 x86_64
2016-05-13 20:44:45.384 | Alert Count 1
2016-05-13 20:44:45.384 | First Seen 2016-05-13 20:26:05 UTC
2016-05-13 20:44:45.384 | Last Seen 2016-05-13 20:26:05 UTC
2016-05-13 20:44:45.384 | Local ID 88bec376-5012-4d58-b0a3-27021acee167
2016-05-13 20:44:45.384 |
2016-05-13 20:44:45.384 | Raw Audit Messages
2016-05-13 20:44:45.385 | type=AVC msg=audit(1463171165.77:545): avc: denied { write } for pid=11096 comm="httpd" name="cinder" dev="xvda1" ino=3168128 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cinder_log_t:s0 tclass=dir
2016-05-13 20:44:45.385 |
2016-05-13 20:44:45.385 |
2016-05-13 20:44:45.385 | type=AVC msg=audit(1463171165.77:545): avc: denied { add_name } for pid=11096 comm="httpd" name="cinder-api.log" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cinder_log_t:s0 tclass=dir
2016-05-13 20:44:45.385 |
2016-05-13 20:44:45.385 |
2016-05-13 20:44:45.385 | type=AVC msg=audit(1463171165.77:545): avc: denied { create } for pid=11096 comm="httpd" name="cinder-api.log" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cinder_log_t:s0 tclass=file
2016-05-13 20:44:45.385 |
2016-05-13 20:44:45.385 |
2016-05-13 20:44:45.385 | type=AVC msg=audit(1463171165.77:545): avc: denied { open } for pid=11096 comm="httpd" path="/var/log/cinder/cinder-api.log" dev="xvda1" ino=3178477 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cinder_log_t:s0 tclass=file
2016-05-13 20:44:45.385 |
2016-05-13 20:44:45.385 |
2016-05-13 20:44:45.386 | type=SYSCALL msg=audit(1463171165.77:545): arch=x86_64 syscall=open success=yes exit=ENOEXEC a0=7fa56cfa0c00 a1=441 a2=1b6 a3=24 items=0 ppid=11048 pid=11096 auid=4294967295 uid=165 gid=165 euid=165 suid=165 fsuid=165 egid=165 sgid=165 fsgid=165 tty=(none) ses=4294967295 comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null)
2016-05-13 20:44:45.386 |
2016-05-13 20:44:45.386 | Hash: httpd,httpd_t,cinder_log_t,dir,write
2016-05-13 20:44:45.386 |
2016-05-13 20:44:45.386 | --------------------------------------------------------------------------------
2016-05-13 20:44:45.386 |
2016-05-13 20:44:45.386 | SELinux is preventing /usr/sbin/httpd from open access on the file /var/log/cinder/cinder-api.log.
2016-05-13 20:44:45.386 |
2016-05-13 20:44:45.386 | ***** Plugin catchall (100. confidence) suggests **************************
2016-05-13 20:44:45.386 |
2016-05-13 20:44:45.386 | If you believe that httpd should be allowed open access on the cinder-api.log file by default.
2016-05-13 20:44:45.387 | Then you should report this as a bug.
2016-05-13 20:44:45.387 | You can generate a local policy module to allow this access.
2016-05-13 20:44:45.387 | Do
2016-05-13 20:44:45.387 | allow this access for now by executing:
2016-05-13 20:44:45.387 | # grep httpd /var/log/audit/audit.log | audit2allow -M mypol
2016-05-13 20:44:45.387 | # semodule -i mypol.pp
2016-05-13 20:44:45.387 |
2016-05-13 20:44:45.387 |
2016-05-13 20:44:45.387 | Additional Information:
2016-05-13 20:44:45.387 | Source Context system_u:system_r:httpd_t:s0
2016-05-13 20:44:45.387 | Target Context system_u:object_r:cinder_log_t:s0
2016-05-13 20:44:45.387 | Target Objects /var/log/cinder/cinder-api.log [ file ]
2016-05-13 20:44:45.388 | Source httpd
2016-05-13 20:44:45.388 | Source Path /usr/sbin/httpd
2016-05-13 20:44:45.388 | Port <Unknown>
2016-05-13 20:44:45.388 | Host <Unknown>
2016-05-13 20:44:45.388 | Source RPM Packages httpd-2.4.6-40.el7.centos.1.x86_64
2016-05-13 20:44:45.388 | Target RPM Packages
2016-05-13 20:44:45.418 | Policy RPM selinux-policy-3.13.1-60.el7_2.3.noarch
2016-05-13 20:44:45.418 | Selinux Enabled True
2016-05-13 20:44:45.418 | Policy Type targeted
2016-05-13 20:44:45.418 | Enforcing Mode Permissive
2016-05-13 20:44:45.418 | Host Name centos-7-rax-ord-766673
2016-05-13 20:44:45.418 | Platform Linux centos-7-rax-ord-766673
2016-05-13 20:44:45.418 | 3.10.0-327.13.1.el7.x86_64 #1 SMP Thu Mar 31
2016-05-13 20:44:45.418 | 16:04:38 UTC 2016 x86_64 x86_64
2016-05-13 20:44:45.418 | Alert Count 3
2016-05-13 20:44:45.419 | First Seen 2016-05-13 20:26:11 UTC
2016-05-13 20:44:45.419 | Last Seen 2016-05-13 20:36:16 UTC
2016-05-13 20:44:45.419 | Local ID 12291b08-11fe-485a-ab72-2ab2285aa485
2016-05-13 20:44:45.419 |
2016-05-13 20:44:45.419 | Raw Audit Messages
2016-05-13 20:44:45.419 | type=AVC msg=audit(1463171776.998:2602): avc: denied { open } for pid=14022 comm="httpd" path="/var/log/cinder/cinder-api.log" dev="xvda1" ino=3178477 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cinder_log_t:s0 tclass=file
2016-05-13 20:44:45.419 |
2016-05-13 20:44:45.419 |
2016-05-13 20:44:45.419 | type=SYSCALL msg=audit(1463171776.998:2602): arch=x86_64 syscall=open success=yes exit=ENOEXEC a0=7f1cc8fa3f60 a1=441 a2=1b6 a3=24 items=0 ppid=13991 pid=14022 auid=4294967295 uid=165 gid=165 euid=165 suid=165 fsuid=165 egid=165 sgid=165 fsgid=165 tty=(none) ses=4294967295 comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null)
2016-05-13 20:44:45.419 |
2016-05-13 20:44:45.419 | Hash: httpd,httpd_t,cinder_log_t,file,open

The version was openstack-selinux-0.6.58-1.el7.noarch because we used the OpenStack Infra mirror, which was not synced correctly.
Emilien, is this still breaking?
Mike, no. It looks good to me now, I can close it.