1475378 – SELinux policy blocks Cinder backend for Glance

Bug 1475378 - SELinux policy blocks Cinder backend for Glance

Summary: SELinux policy blocks Cinder backend for Glance

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat OpenStack
Classification:	Red Hat
Component:	openstack-selinux
Sub Component:
Version:	12.0 (Pike)
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	high
Target Milestone:	ga
Target Release:	12.0 (Pike)
Assignee:	Lon Hohberger
QA Contact:	Mike Abrams
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1293435 1646932
TreeView+	depends on / blocked

Reported:	2017-07-26 14:18 UTC by Eric Harney
Modified:	2018-11-06 10:40 UTC (History)
CC List:	9 users (show)
Fixed In Version:	openstack-selinux-0.8.8-0.20170804200925.ad96ed3.el7ost
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2017-12-13 21:44:48 UTC
Target Upstream Version:

Attachments	(Terms of Use)
audit.log in permissive mode (134.48 KB, text/plain) 2017-07-26 14:18 UTC, Eric Harney	no flags	Details
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHEA-2017:3462	0	normal	SHIPPED_LIVE	Red Hat OpenStack Platform 12.0 Enhancement Advisory	2018-02-16 01:43:25 UTC

Description Eric Harney 2017-07-26 14:18:19 UTC

Created attachment 1304822 [details]
audit.log in permissive mode

Description of problem:
SELinux policy needs additions to support the Cinder backend for Glance

Version-Release number of selected component (if applicable):
OSP12


Steps to Reproduce:
1. Configure Cinder backend for Glance
2. Attempt to upload an image from a file to Glance


Actual results:
Fails w/ HTTP 500


Additional info:
The Cinder backend for Glance uses os-brick and oslo.privsep to connect to volumes, which is different from other Glance backends.

A previous attempt to address this same case is here:
https://bugzilla.redhat.com/show_bug.cgi?id=1395240

Note: it is not possible to test this out of the box on OSP12 today because some configuration changes in the Glance packages that have not yet landedg.  (These were configured by hand on the test machine used to generate the audit log here.)

Comment 1 Lon Hohberger 2017-08-04 19:03:23 UTC

https://github.com/redhat-openstack/openstack-selinux/commit/5002b373a03c3910cc7a5fbd94468e8e3b84d55c

Comment 5 Paul Grist 2017-11-15 03:01:35 UTC

Does the verification of the glance-cinder backend effectively verify this one?

Comment 6 Lon Hohberger 2017-12-01 20:00:48 UTC

I'd think so

Comment 7 Eric Harney 2017-12-01 20:20:17 UTC

Yes, I agree.

Comment 11 errata-xmlrpc 2017-12-13 21:44:48 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:3462

Note You need to log in before you can comment on or make changes to this bug.