Bug 801330 - AVC denials starting OpenStack glance services
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 17
Assigned To: Miroslav Grepl
Ben Levenson
Blocks: 821038
Reported: 2012-03-08 05:19 EST by Mark McLoughlin
Modified: 2016-04-26 12:46 EDT
Doc Type: Bug Fix
Clones: 821038 856653
Last Closed: 2012-05-27 21:20:57 EDT
Attachments: None
Description Mark McLoughlin 2012-03-08 05:19:36 EST
With:

openstack-glance-2012.1-0.5.e4.fc17.noarch
selinux-policy-targeted-3.10.0-95.fc17.noarch

and following:

https://fedoraproject.org/wiki/QA:Testcase_start_OpenStack_Glance_services

I'm seeing:

Mar  8 10:08:02 zig kernel: [ 7788.218223] type=1400 audit(1331201282.093:11): avc:  denied  { read } for  pid=30658 comm="sh" name="passwd" dev="dm-1" ino=1181848 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
Mar  8 10:08:02 zig kernel: [ 7788.230938] type=1400 audit(1331201282.105:12): avc:  denied  { read } for  pid=30660 comm="sh" name="passwd" dev="dm-1" ino=1181848 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
Mar  8 10:08:02 zig kernel: [ 7788.383156] type=1400 audit(1331201282.258:13): avc:  denied  { getattr } for  pid=30657 comm="glance-registry" name="/" dev="dm-1" ino=2 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
Mar  8 10:08:02 zig kernel: [ 7788.383473] type=1400 audit(1331201282.258:14): avc:  denied  { execute } for  pid=30657 comm="glance-registry" path=2F746D702F666669687562354257202864656C6574656429 dev="dm-1" ino=2632903 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:glance_registry_tmp_t:s0 tclass=file
Mar  8 10:08:02 zig kernel: [ 7788.383585] type=1400 audit(1331201282.258:15): avc:  denied  { execute } for  pid=30657 comm="glance-registry" path=2F7661722F746D702F666669323965644272202864656C6574656429 dev="dm-1" ino=2754886 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:glance_registry_tmp_t:s0 tclass=file
Mar  8 10:08:02 zig kernel: [ 7788.383613] type=1400 audit(1331201282.258:16): avc:  denied  { write } for  pid=30657 comm="glance-registry" name="/" dev="tmpfs" ino=1212 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
Mar  8 10:08:02 zig kernel: [ 7788.383673] type=1400 audit(1331201282.258:17): avc:  denied  { execute } for  pid=30657 comm="glance-registry" path=2F7661722F6C69622F676C616E63652F666669364F46767A72202864656C6574656429 dev="dm-1" ino=2890163 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:glance_var_lib_t:s0 tclass=file
Mar  8 10:08:02 zig kernel: [ 7788.383756] type=1400 audit(1331201282.258:18): avc:  denied  { write } for  pid=30657 comm="glance-registry" name="/" dev="tmpfs" ino=1212 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
Mar  8 10:08:02 zig kernel: [ 7788.383770] type=1400 audit(1331201282.258:19): avc:  denied  { write } for  pid=30657 comm="glance-registry" name="/" dev="mqueue" ino=7031 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
Mar  8 10:08:02 zig kernel: [ 7788.383914] type=1400 audit(1331201282.258:20): avc:  denied  { execute } for  pid=30657 comm="glance-registry" path=2F746D702F666669624441487957202864656C6574656429 dev="dm-1" ino=2632903 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:glance_registry_tmp_t:s0 tclass=file
Mar  8 10:08:54 zig kernel: [ 7841.065933] type=1400 audit(1331201334.941:24): avc:  denied  { name_connect } for  pid=30653 comm="glance-api" dest=35357 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket
Mar  8 10:09:06 zig kernel: [ 7852.838533] type=1400 audit(1331201346.714:26): avc:  denied  { name_connect } for  pid=30653 comm="glance-api" dest=35357 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket
Mar  8 10:09:06 zig kernel: [ 7852.900623] type=1400 audit(1331201346.776:27): avc:  denied  { name_connect } for  pid=30657 comm="glance-registry" dest=35357 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket
Mar  8 10:10:08 zig kernel: [ 7914.337851] type=1400 audit(1331201408.213:28): avc:  denied  { read } for  pid=31226 comm="sh" name="passwd" dev="dm-1" ino=1181848 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
Mar  8 10:10:08 zig kernel: [ 7914.337860] type=1400 audit(1331201408.213:29): avc:  denied  { open } for  pid=31226 comm="sh" name="passwd" dev="dm-1" ino=1181848 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
Mar  8 10:10:08 zig kernel: [ 7914.337872] type=1400 audit(1331201408.213:30): avc:  denied  { getattr } for  pid=31226 comm="sh" path="/etc/passwd" dev="dm-1" ino=1181848 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
Mar  8 10:10:08 zig kernel: [ 7914.411236] type=1400 audit(1331201408.287:31): avc:  denied  { getattr } for  pid=31225 comm="glance-registry" name="/" dev="dm-1" ino=2 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
Mar  8 10:10:08 zig kernel: [ 7914.411510] type=1400 audit(1331201408.287:32): avc:  denied  { execute } for  pid=31225 comm="glance-registry" path=2F746D702F666669314B6E414353202864656C6574656429 dev="dm-1" ino=2633402 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:glance_registry_tmp_t:s0 tclass=file
Mar  8 10:10:08 zig kernel: [ 7914.412419] type=1400 audit(1331201408.288:33): avc:  denied  { execute } for  pid=31230 comm="glance-registry" name="bash" dev="dm-1" ino=1592069 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
Mar  8 10:10:08 zig kernel: [ 7914.412429] type=1400 audit(1331201408.288:34): avc:  denied  { read open } for  pid=31230 comm="glance-registry" name="bash" dev="dm-1" ino=1592069 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
Mar  8 10:10:08 zig kernel: [ 7914.412554] type=1400 audit(1331201408.288:35): avc:  denied  { execute_no_trans } for  pid=31230 comm="glance-registry" path="/usr/bin/bash" dev="dm-1" ino=1592069 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
Mar  8 10:10:08 zig kernel: [ 7914.414071] type=1400 audit(1331201408.290:36): avc:  denied  { getattr } for  pid=31230 comm="sh" path="/usr/bin/bash" dev="dm-1" ino=1592069 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
Mar  8 10:10:08 zig kernel: [ 7914.414286] type=1400 audit(1331201408.290:37): avc:  denied  { read } for  pid=31230 comm="sh" name="passwd" dev="dm-1" ino=1181848 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
Comment 1 Pádraig Brady 2012-03-08 07:57:26 EST
Lumping this in here for the moment. If using keystone, then `glance index` will fail with EACCES because of:

type=AVC msg=audit(1331211282.871:197): avc:  denied  { name_connect } for  pid=2515 comm="glance-api" dest=35357 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket
Comment 2 Miroslav Grepl 2012-03-08 08:11:56 EST
Great, thanks for testing. I am interested in 

avc:  denied  { execute } for  pid=30657 comm="glance-registry" path=2F7661722F6C69622F676C616E63652F666669364F46767A72202864656C6574656429 dev="dm-1" ino=2890163 scontext=system_u:system_r:glance_registry_t:s0

avc:  denied  { execute } for  pid=30657 comm="glance-registry" path=2F746D702F666669687562354257202864656C6574656429 dev="dm-1" ino=2632903 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:glance_registry_tmp_t:s0 tclass=file

Do you know why this is needed? What is exactly executed?
Comment 3 Daniel Walsh 2012-03-08 10:38:02 EST
OpenStack should be using /var/run rather than /tmp, and if it needs /tmp then it should use PrivateTmp within the systemd unit file.
Comment 4 Pádraig Brady 2012-03-08 10:51:54 EST
PrivateTmp is already set I think:

http://pkgs.fedoraproject.org/gitweb/?p=openstack-glance.git;a=commitdiff;h=422d54bc9
Comment 5 Daniel Walsh 2012-03-08 13:05:50 EST
I still would prefer you to move to /run or /var/lib
Comment 6 Alan Pevec 2012-05-04 13:09:13 EDT
selinux-policy-3.10.0-118.fc17.noarch
openstack-glance-2012.1-4.fc17.noarch

We switched to mysql database instead of sqlite previously and I get now:

avc:  denied  { search } for  pid=15129 comm="glance-registry" name="mysql" dev="dm-1" ino=395088 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:mysqld_db_t:s0 tclass=dir
Comment 7 Daniel Walsh 2012-05-04 16:06:05 EDT
Fixed in selinux-policy-3.10.0-120.fc17.noarch
Comment 8 Fedora Update System 2012-05-09 11:16:48 EDT
selinux-policy-3.10.0-124.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-124.fc17
Comment 12 Fedora Update System 2012-05-17 18:58:16 EDT
Package selinux-policy-3.10.0-125.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-125.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-7953/selinux-policy-3.10.0-125.fc17
then log in and leave karma (feedback).
Comment 13 Fedora Update System 2012-05-27 21:20:57 EDT
selinux-policy-3.10.0-125.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.