Bug 1475378 - SELinux policy blocks Cinder backend for Glance
SELinux policy blocks Cinder backend for Glance
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-selinux (Show other bugs)
12.0 (Pike)
Unspecified Unspecified
high Severity high
: ga
: 12.0 (Pike)
Assigned To: Lon Hohberger
Mike Abrams
: Triaged
Depends On:
Blocks: 1293435
  Show dependency treegraph
Reported: 2017-07-26 10:18 EDT by Eric Harney
Modified: 2018-02-05 14:10 EST (History)
9 users (show)

See Also:
Fixed In Version: openstack-selinux-0.8.8-0.20170804200925.ad96ed3.el7ost
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2017-12-13 16:44:48 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
audit.log in permissive mode (134.48 KB, text/plain)
2017-07-26 10:18 EDT, Eric Harney
no flags Details

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHEA-2017:3462 normal SHIPPED_LIVE Red Hat OpenStack Platform 12.0 Enhancement Advisory 2018-02-15 20:43:25 EST

  None (edit)
Description Eric Harney 2017-07-26 10:18:19 EDT
Created attachment 1304822 [details]
audit.log in permissive mode

Description of problem:
SELinux policy needs additions to support the Cinder backend for Glance

Version-Release number of selected component (if applicable):

Steps to Reproduce:
1. Configure Cinder backend for Glance
2. Attempt to upload an image from a file to Glance

Actual results:
Fails w/ HTTP 500

Additional info:
The Cinder backend for Glance uses os-brick and oslo.privsep to connect to volumes, which is different from other Glance backends.

A previous attempt to address this same case is here:

Note: it is not possible to test this out of the box on OSP12 today because some configuration changes in the Glance packages that have not yet landedg.  (These were configured by hand on the test machine used to generate the audit log here.)
Comment 5 Paul Grist 2017-11-14 22:01:35 EST
Does the verification of the glance-cinder backend effectively verify this one?
Comment 6 Lon Hohberger 2017-12-01 15:00:48 EST
I'd think so
Comment 7 Eric Harney 2017-12-01 15:20:17 EST
Yes, I agree.
Comment 11 errata-xmlrpc 2017-12-13 16:44:48 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.