Bug 801330 - AVC denials starting OpenStack glance services
Summary: AVC denials starting OpenStack glance services
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 17
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks: 821038
Reported: 2012-03-08 10:19 UTC by Mark McLoughlin
Modified: 2016-04-26 16:46 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Clones: 821038 856653
Environment:
Last Closed: 2012-05-28 01:20:57 UTC
Type: ---
Embargoed:



Description Mark McLoughlin 2012-03-08 10:19:36 UTC
With:

openstack-glance-2012.1-0.5.e4.fc17.noarch
selinux-policy-targeted-3.10.0-95.fc17.noarch

and following:

https://fedoraproject.org/wiki/QA:Testcase_start_OpenStack_Glance_services

I'm seeing:

Mar  8 10:08:02 zig kernel: [ 7788.218223] type=1400 audit(1331201282.093:11): avc:  denied  { read } for  pid=30658 comm="sh" name="passwd" dev="dm-1" ino=1181848 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
Mar  8 10:08:02 zig kernel: [ 7788.230938] type=1400 audit(1331201282.105:12): avc:  denied  { read } for  pid=30660 comm="sh" name="passwd" dev="dm-1" ino=1181848 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
Mar  8 10:08:02 zig kernel: [ 7788.383156] type=1400 audit(1331201282.258:13): avc:  denied  { getattr } for  pid=30657 comm="glance-registry" name="/" dev="dm-1" ino=2 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
Mar  8 10:08:02 zig kernel: [ 7788.383473] type=1400 audit(1331201282.258:14): avc:  denied  { execute } for  pid=30657 comm="glance-registry" path=2F746D702F666669687562354257202864656C6574656429 dev="dm-1" ino=2632903 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:glance_registry_tmp_t:s0 tclass=file
Mar  8 10:08:02 zig kernel: [ 7788.383585] type=1400 audit(1331201282.258:15): avc:  denied  { execute } for  pid=30657 comm="glance-registry" path=2F7661722F746D702F666669323965644272202864656C6574656429 dev="dm-1" ino=2754886 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:glance_registry_tmp_t:s0 tclass=file
Mar  8 10:08:02 zig kernel: [ 7788.383613] type=1400 audit(1331201282.258:16): avc:  denied  { write } for  pid=30657 comm="glance-registry" name="/" dev="tmpfs" ino=1212 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
Mar  8 10:08:02 zig kernel: [ 7788.383673] type=1400 audit(1331201282.258:17): avc:  denied  { execute } for  pid=30657 comm="glance-registry" path=2F7661722F6C69622F676C616E63652F666669364F46767A72202864656C6574656429 dev="dm-1" ino=2890163 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file
Mar  8 10:08:02 zig kernel: [ 7788.383756] type=1400 audit(1331201282.258:18): avc:  denied  { write } for  pid=30657 comm="glance-registry" name="/" dev="tmpfs" ino=1212 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
Mar  8 10:08:02 zig kernel: [ 7788.383770] type=1400 audit(1331201282.258:19): avc:  denied  { write } for  pid=30657 comm="glance-registry" name="/" dev="mqueue" ino=7031 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
Mar  8 10:08:02 zig kernel: [ 7788.383914] type=1400 audit(1331201282.258:20): avc:  denied  { execute } for  pid=30657 comm="glance-registry" path=2F746D702F666669624441487957202864656C6574656429 dev="dm-1" ino=2632903 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:glance_registry_tmp_t:s0 tclass=file
Mar  8 10:08:54 zig kernel: [ 7841.065933] type=1400 audit(1331201334.941:24): avc:  denied  { name_connect } for  pid=30653 comm="glance-api" dest=35357 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket
Mar  8 10:09:06 zig kernel: [ 7852.838533] type=1400 audit(1331201346.714:26): avc:  denied  { name_connect } for  pid=30653 comm="glance-api" dest=35357 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket
Mar  8 10:09:06 zig kernel: [ 7852.900623] type=1400 audit(1331201346.776:27): avc:  denied  { name_connect } for  pid=30657 comm="glance-registry" dest=35357 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket
Mar  8 10:10:08 zig kernel: [ 7914.337851] type=1400 audit(1331201408.213:28): avc:  denied  { read } for  pid=31226 comm="sh" name="passwd" dev="dm-1" ino=1181848 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
Mar  8 10:10:08 zig kernel: [ 7914.337860] type=1400 audit(1331201408.213:29): avc:  denied  { open } for  pid=31226 comm="sh" name="passwd" dev="dm-1" ino=1181848 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
Mar  8 10:10:08 zig kernel: [ 7914.337872] type=1400 audit(1331201408.213:30): avc:  denied  { getattr } for  pid=31226 comm="sh" path="/etc/passwd" dev="dm-1" ino=1181848 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
Mar  8 10:10:08 zig kernel: [ 7914.411236] type=1400 audit(1331201408.287:31): avc:  denied  { getattr } for  pid=31225 comm="glance-registry" name="/" dev="dm-1" ino=2 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
Mar  8 10:10:08 zig kernel: [ 7914.411510] type=1400 audit(1331201408.287:32): avc:  denied  { execute } for  pid=31225 comm="glance-registry" path=2F746D702F666669314B6E414353202864656C6574656429 dev="dm-1" ino=2633402 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:glance_registry_tmp_t:s0 tclass=file
Mar  8 10:10:08 zig kernel: [ 7914.412419] type=1400 audit(1331201408.288:33): avc:  denied  { execute } for  pid=31230 comm="glance-registry" name="bash" dev="dm-1" ino=1592069 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
Mar  8 10:10:08 zig kernel: [ 7914.412429] type=1400 audit(1331201408.288:34): avc:  denied  { read open } for  pid=31230 comm="glance-registry" name="bash" dev="dm-1" ino=1592069 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
Mar  8 10:10:08 zig kernel: [ 7914.412554] type=1400 audit(1331201408.288:35): avc:  denied  { execute_no_trans } for  pid=31230 comm="glance-registry" path="/usr/bin/bash" dev="dm-1" ino=1592069 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
Mar  8 10:10:08 zig kernel: [ 7914.414071] type=1400 audit(1331201408.290:36): avc:  denied  { getattr } for  pid=31230 comm="sh" path="/usr/bin/bash" dev="dm-1" ino=1592069 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
Mar  8 10:10:08 zig kernel: [ 7914.414286] type=1400 audit(1331201408.290:37): avc:  denied  { read } for  pid=31230 comm="sh" name="passwd" dev="dm-1" ino=1181848 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file

Comment 1 Pádraig Brady 2012-03-08 12:57:26 UTC
Lumping this in here for the moment. If using keystone, then `glance index` will fail with EACCES because of:

type=AVC msg=audit(1331211282.871:197): avc:  denied  { name_connect } for  pid=2515 comm="glance-api" dest=35357 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket

Comment 2 Miroslav Grepl 2012-03-08 13:11:56 UTC
Great, thanks for testing. I am interested in

avc:  denied  { execute } for  pid=30657 comm="glance-registry"
path=2F7661722F6C69622F676C616E63652F666669364F46767A72202864656C6574656429
dev="dm-1" ino=2890163 scontext=system_u:system_r:glance_registry_t:s0

avc:  denied  { execute } for  pid=30657 comm="glance-registry"
path=2F746D702F666669687562354257202864656C6574656429 dev="dm-1" ino=2632903
scontext=system_u:system_r:glance_registry_t:s0
tcontext=system_u:object_r:glance_registry_tmp_t:s0 tclass=file

Do you know why this is needed? What is exactly executed?
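
The kernel audit code hex-encodes a path or name field whenever the value contains a space or other unprintable byte, which is why the execute denials above show path=2F746D70... rather than a readable path. The following parser, added here as an example and not part of this bug or of the selinux-policy package, decodes those fields and tallies denials by source type, target type, object class and permission; the sample records are copied in shape from the report above.

```python
import re
from collections import Counter

# Constructed sample: three records in the shape of the denials reported above.
SAMPLE_LINES = [
    'Mar  8 10:08:02 zig kernel: [ 7788.218223] type=1400 audit(1331201282.093:11): avc:  denied  { read } for  pid=30658 comm="sh" name="passwd" dev="dm-1" ino=1181848 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file',
    'Mar  8 10:08:02 zig kernel: [ 7788.383473] type=1400 audit(1331201282.258:14): avc:  denied  { execute } for  pid=30657 comm="glance-registry" path=2F746D702F666669687562354257202864656C6574656429 dev="dm-1" ino=2632903 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:glance_registry_tmp_t:s0 tclass=file',
    'Mar  8 10:10:08 zig kernel: [ 7914.412429] type=1400 audit(1331201408.288:34): avc:  denied  { read open } for  pid=31230 comm="glance-registry" name="bash" dev="dm-1" ino=1592069 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{ (?P<perms>[^}]*) \} for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Fields the audit subsystem emits as uppercase hex when the value is not a plain printable string.
HEX_FIELDS = {'path', 'name', 'comm', 'exe', 'cwd', 'proctitle'}


def decode_field(key, value):
    """Strip audit quoting; hex-decode unquoted string fields (e.g. a path ending in ' (deleted)')."""
    if value.startswith('"') and value.endswith('"'):
        return value[1:-1]
    if key in HEX_FIELDS and re.fullmatch(r'(?:[0-9A-Fa-f]{2})+', value):
        return bytes.fromhex(value).decode('utf-8', 'replace')
    return value


def parse_avc(line):
    """Return a dict of the record's fields plus a 'perms' list, or None if not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {'perms': m.group('perms').split()}
    for key, val in FIELD_RE.findall(m.group('fields')):
        rec[key] = decode_field(key, val)
    return rec


def summarize(lines):
    """Count denials by (source type, target type, class, permission), the tuple a policy rule would cover."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        src = rec['scontext'].split(':')[2]   # type component of the source context
        tgt = rec['tcontext'].split(':')[2]   # type component of the target context
        for perm in rec['perms']:
            counts[(src, tgt, rec['tclass'], perm)] += 1
    return counts
```

Run against the real records, the decoded path of the second denial is an already-unlinked file under /tmp, which is the detail the question above is after.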

Comment 3 Daniel Walsh 2012-03-08 15:38:02 UTC
The openstack should be using /var/run rather than /tmp, and if it needs /tmp then it should use PrivateTmp within systemd unit file.

Comment 4 Pádraig Brady 2012-03-08 15:51:54 UTC
PrivateTmp is already set I think:

http://pkgs.fedoraproject.org/gitweb/?p=openstack-glance.git;a=commitdiff;h=422d54bc9

Comment 5 Daniel Walsh 2012-03-08 18:05:50 UTC
I still would prefer you to move to /run or /var/lib

Comment 6 Alan Pevec 2012-05-04 17:09:13 UTC
selinux-policy-3.10.0-118.fc17.noarch
openstack-glance-2012.1-4.fc17.noarch

We switched to mysql database instead of sqlite previously and I get now:

avc:  denied  { search } for  pid=15129 comm="glance-registry" name="mysql" dev="dm-1" ino=395088 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:mysqld_db_t:s0 tclass=dir

Comment 7 Daniel Walsh 2012-05-04 20:06:05 UTC
Fixed in selinux-policy-3.10.0-120.fc17.noarch

Comment 8 Fedora Update System 2012-05-09 15:16:48 UTC
selinux-policy-3.10.0-124.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-124.fc17

Comment 12 Fedora Update System 2012-05-17 22:58:16 UTC
Package selinux-policy-3.10.0-125.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-125.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-7953/selinux-policy-3.10.0-125.fc17
then log in and leave karma (feedback).

Comment 13 Fedora Update System 2012-05-28 01:20:57 UTC
selinux-policy-3.10.0-125.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
