Hide Forgot
OpenStack's Identity Service (Keystone) doesn't currently have any SELinux policy defined for it so it runs unconfined in the initrc_t domain
To confirm that the keystone service runs in the initrc_t domain: system_u:system_r:initrc_t:s0 20646 ? 00:00:01 keystone-all
Why is openstack-keystone using /tmp? Why is it writing content that can execute? It should be using /var/run for this or at least use privatetmp in unit file.
Policy is in selinux-policy-3.10.0-98.fc17 But needs lots of testing, since all I did was write it and start and stop the service. Not sure how it interacts with other openstack daemons.
(In reply to comment #2) > Why is openstack-keystone using /tmp? Why is it writing content that can > execute? It should be using /var/run for this or at least use privatetmp in > unit file. That's probably Python's uuid issue bug 814391
(In reply to comment #4) > (In reply to comment #2) > > Why is openstack-keystone using /tmp? Why is it writing content that can > > execute? It should be using /var/run for this or at least use privatetmp in > > unit file. > > That's probably Python's uuid issue bug 814391 This is fixed in Fedora; see https://bugzilla.redhat.com/show_bug.cgi?id=814391#c10
This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.