Bug 1475378 - SELinux policy blocks Cinder backend for Glance
Summary: SELinux policy blocks Cinder backend for Glance
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-selinux
Version: 12.0 (Pike)
Hardware: Unspecified
OS: Unspecified
Target Milestone: ga
: 12.0 (Pike)
Assignee: Lon Hohberger
QA Contact: Mike Abrams
Depends On:
Blocks: 1293435 1646932
TreeView+ depends on / blocked
Reported: 2017-07-26 14:18 UTC by Eric Harney
Modified: 2018-11-06 10:40 UTC (History)
9 users (show)

Fixed In Version: openstack-selinux-0.8.8-0.20170804200925.ad96ed3.el7ost
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2017-12-13 21:44:48 UTC
Target Upstream Version:

Attachments (Terms of Use)
audit.log in permissive mode (134.48 KB, text/plain)
2017-07-26 14:18 UTC, Eric Harney
no flags Details

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHEA-2017:3462 0 normal SHIPPED_LIVE Red Hat OpenStack Platform 12.0 Enhancement Advisory 2018-02-16 01:43:25 UTC

Description Eric Harney 2017-07-26 14:18:19 UTC
Created attachment 1304822 [details]
audit.log in permissive mode

Description of problem:
SELinux policy needs additions to support the Cinder backend for Glance

Version-Release number of selected component (if applicable):

Steps to Reproduce:
1. Configure Cinder backend for Glance
2. Attempt to upload an image from a file to Glance

Actual results:
Fails w/ HTTP 500

Additional info:
The Cinder backend for Glance uses os-brick and oslo.privsep to connect to volumes, which is different from other Glance backends.

A previous attempt to address this same case is here:

Note: it is not possible to test this out of the box on OSP12 today because some configuration changes in the Glance packages that have not yet landedg.  (These were configured by hand on the test machine used to generate the audit log here.)

Comment 5 Paul Grist 2017-11-15 03:01:35 UTC
Does the verification of the glance-cinder backend effectively verify this one?

Comment 6 Lon Hohberger 2017-12-01 20:00:48 UTC
I'd think so

Comment 7 Eric Harney 2017-12-01 20:20:17 UTC
Yes, I agree.

Comment 11 errata-xmlrpc 2017-12-13 21:44:48 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.