Bug 1478176 - Need access to keystone_var_lib_t when using Apache as WSGI server
Need access to keystone_var_lib_t when using Apache as WSGI server
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-selinux (Show other bugs)
6.0 (Juno)
Unspecified Unspecified
high Severity urgent
: async
: 6.0 (Juno)
Assigned To: Lon Hohberger
Udi Shkalim
: Rebase, Triaged, ZStream
Depends On:
Blocks: 1475969
  Show dependency treegraph
Reported: 2017-08-03 15:38 EDT by Nathan Kinder
Modified: 2017-09-06 13:48 EDT (History)
8 users (show)

See Also:
Fixed In Version: openstack-selinux-0.8.9-0.1.el7ost
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2017-09-06 13:48:35 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Nathan Kinder 2017-08-03 15:38:51 EDT
A new keyring config file needs to be installed as a part of the openstack-keystone package to avoid a hang issue that we are encountering on RHEL 7.4 (see bug#1475969).  This new file needs to be labeled properly to allow it to be read by keystone's httpd process when running in SELinux enforcing mode.

Here is the AVC that will be encountered without this policy change:

type=AVC msg=audit(1501609484.063:13177): avc:  denied  { open } for  pid=10111 comm="httpd" path="/var/lib/keystone/.local/share/python_keyring/keyringrc.cfg" dev="dm-0" ino=396418 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:keystone_var_lib_t:s0 tclass=file
type=AVC msg=audit(1501609484.063:13177): avc:  denied  { read } for  pid=10111 comm="httpd" name="keyringrc.cfg" dev="dm-0" ino=396418 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:keystone_var_lib_t:s0 tclass=file

A temporary workaround for this is to use chcon to grant access to the file:

# chcon system_u:system_r:httpd_t:s0 /var/lib/keystone/.local/share/python_keyring/keyringrc.cfg

We need an fcontext rule added so this label persists after a relabel.  We will need this change applied before we can ship the openstack-keystone update, and we would like to add a versioned package dependency to have openstack-keystone require this new version of openstack-selinux.
Comment 1 Lon Hohberger 2017-08-04 08:41:15 EDT
Apache isn't used for WSGI services on OSP6, is it?
Comment 2 Lon Hohberger 2017-08-04 08:42:51 EDT
Also, fcontext may not work here - whatever's deploying will no longer have access to write/create the file.

I think httpd just needs a boolean until WSGI settles that give it access to the keystone type.
Comment 11 errata-xmlrpc 2017-09-06 13:48:35 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.