Bug 801746 - SELinux AVC denial executing from /tmp
Summary: SELinux AVC denial executing from /tmp
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 17
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2012-03-09 11:08 UTC by Pádraig Brady
Modified: 2016-01-04 14:43 UTC (History)

Fixed In Version: selinux-policy-3.10.0-118.fc17
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-04-25 04:58:55 UTC
Type: ---
Embargoed:



Description Pádraig Brady 2012-03-09 11:08:21 UTC
Note the related glance issue in bug #801330

Comment 1 Cole Robinson 2012-04-15 19:47:29 UTC
I can't quite figure out where this tmp access is coming from. It happens with first access to the dashboard, but before any login takes place. It's definitely not anything obvious in dashboard or horizon, maybe one of the client libs or django itself.

Comment 2 Cole Robinson 2012-04-15 21:35:42 UTC
Moving this to selinux-policy-targeted. There are a few other AVCs:

type=AVC msg=audit(1334516651.223:186): avc:  denied  { name_connect } for  pid=3303 comm="httpd" dest=5000 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:commplex_port_t:s0 tclass=tcp_socket

Access port 5000, keystone public port.

type=AVC msg=audit(1334517812.850:214): avc:  denied  { name_connect } for  pid=3303 comm="httpd" dest=35357 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket

Access port 35357, keystone admin port.

type=AVC msg=audit(1334517476.384:205): avc:  denied  { name_connect } for  pid=3303 comm="httpd" dest=9292 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:hplip_port_t:s0 tclass=tcp_socket

Access port 9292, the default glance port.

type=AVC msg=audit(1334518011.512:220): avc:  denied  { name_connect } for  pid=846 comm="glance-api" dest=35357 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket

glance connecting to 35357, the keystone admin port.

Not sure why I didn't see it pop up, but the nova port 8774 should probably also be allowed.

selinux guys: openstack-dashboard is the openstack web UI. It's a django site that by default talks to all the openstack services on localhost, and is accessed at http://localhost/dashboard.

Lemme know if any more info is needed.
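
Triaging the denials quoted above, as an added example that is not code from this bug, from Horizon or from selinux-policy: a small Python parser over the four AVC records from comment 2 (embedded here as a constructed sample, together with one constructed non-AVC audit line so the filter has something to skip). It extracts the source domain, the destination port and the port's current label, groups denied ports per source domain, and maps each denial to the kind of fix this thread discusses. httpd_can_network_connect and httpd_use_openstack are real policy booleans; the mapping rules in suggest() are this example's own heuristics, not policy logic.

```python
"""Classify SELinux AVC name_connect denials from audit.log (added example)."""
import re
from collections import defaultdict

# Constructed sample: the four AVC records from comment 2 of this bug, plus one
# constructed SYSCALL record (connect() failing with EACCES) that is not an AVC.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1334516651.223:186): avc:  denied  { name_connect } for  pid=3303 comm="httpd" dest=5000 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:commplex_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1334517812.850:214): avc:  denied  { name_connect } for  pid=3303 comm="httpd" dest=35357 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1334517476.384:205): avc:  denied  { name_connect } for  pid=3303 comm="httpd" dest=9292 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:hplip_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1334518011.512:220): avc:  denied  { name_connect } for  pid=846 comm="glance-api" dest=35357 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1334518011.512:220): arch=c000003e syscall=42 success=no exit=-13
"""

AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>[0-9.]+):(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def selinux_type(context):
    """'system_u:system_r:httpd_t:s0' -> 'httpd_t' (the type is the third field)."""
    return context.split(':')[2]


def parse_avc_line(line):
    """Return a dict for one AVC denial record, or None for any other audit line."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return {
        'serial': int(m.group('serial')),
        'perms': set(m.group('perms').split()),
        'pid': int(fields.get('pid', 0)),
        'comm': fields.get('comm', ''),
        'dest': int(fields['dest']) if 'dest' in fields else None,
        'source_type': selinux_type(fields['scontext']),
        'target_type': selinux_type(fields['tcontext']),
        'tclass': fields.get('tclass', ''),
    }


def parse_audit_log(text):
    return [d for d in (parse_avc_line(l) for l in text.splitlines()) if d]


def ports_by_source(denials):
    """Destination TCP ports each source domain was denied name_connect to."""
    out = defaultdict(set)
    for d in denials:
        if d['tclass'] == 'tcp_socket' and 'name_connect' in d['perms'] and d['dest']:
            out[d['source_type']].add(d['dest'])
    return dict(out)


def suggest(d):
    """Map one denial to the remediation discussed in this thread (heuristic)."""
    if not (d['tclass'] == 'tcp_socket' and 'name_connect' in d['perms']):
        return (f"{d['source_type']}: {' '.join(sorted(d['perms']))} on "
                f"{d['tclass']}; not a network denial, inspect separately")
    where = f"{d['source_type']} -> tcp/{d['dest']} (labelled {d['target_type']})"
    notes = []
    if d['target_type'] == 'ephemeral_port_t':
        # Dan Walsh's point in the thread: a service listening in the ephemeral
        # range cannot get a dedicated port type without moving or labelling it.
        notes.append("destination port sits in the ephemeral range; move the service "
                     "to a fixed port or label it with 'semanage port -a -t <type> -p tcp <port>'")
    if d['source_type'] == 'httpd_t':
        notes.append("narrow fix: a service boolean (this bug added httpd_use_openstack); "
                     "broad fallback: 'setsebool -P httpd_can_network_connect on'")
    else:
        notes.append("needs a policy allow rule for this domain; no boolean covers it")
    return where + ': ' + '; '.join(notes)


if __name__ == '__main__':
    denials = parse_audit_log(SAMPLE_AUDIT_LOG)
    for src, ports in sorted(ports_by_source(denials).items()):
        print(f"{src}: denied name_connect to {sorted(ports)}")
    for d in denials:
        print(suggest(d))
```

Run against a real /var/log/audit/audit.log the same grouping shows at a glance whether a broad boolean such as httpd_can_network_connect is really needed or whether a handful of fixed ports would be better served by a dedicated boolean or port type, which is the trade-off the rest of this thread works through.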

Comment 3 Miroslav Grepl 2012-04-16 08:55:21 UTC
I am adding a rule for 

type=AVC msg=audit(1334518011.512:220): avc:  denied  { name_connect } for  pid=846 comm="glance-api" dest=35357 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket

You will need to turn on 

httpd_can_network 

boolean for other name_connect AVC msgs.

Or add a new boolean .. something like httpd_use_openstack?

Comment 4 Cole Robinson 2012-04-16 12:27:20 UTC
Hmm, it would be nice to get this working out of the box, but the only way would probably be to make a new httpd_use_openstack boolean and 'setsebool' it either at app startup or RPM install. But that sounds pretty hacky.

Anyone else have thoughts?

Comment 5 Miroslav Grepl 2012-04-16 13:23:03 UTC
Which is the way other projects do it.

Comment 6 Daniel Walsh 2012-04-16 13:51:55 UTC
Why did glance pick ports in the ephemeral range?


It would probably be better if the init script turned the boolean on, rather than just having the package install change httpd so that it can connect to all ports.

I think httpd_use_openstack is the boolean it should turn on.  DO NOT turn the boolean off when you shut down the service and do not turn it on permanently.

Comment 7 Cole Robinson 2012-04-16 13:55:30 UTC
> It would probably be better if the init script turned the boolean on, rather
> than just having the package install change httpd so that it can connect to all
> ports.
> 

horizon doesn't have an init script though, it's just a wsgi app launched by httpd. So I'm not sure where to stick the setsebool.

> I think httpd_use_openstack is the boolean it should turn on.  DO NOT turn the
> boolean off when you shut down the service and do not turn it on permanently.

That sounds good (once I know where to trigger it).

Comment 8 Miroslav Grepl 2012-04-16 13:57:36 UTC
I rather thought to turn on httpd_use_openstack boolean on install. But yes, we can leave it turned on by default.

Comment 9 Daniel Walsh 2012-04-16 15:39:10 UTC
Cole, are there instructions on turning this on, for instance enabling openstack in apache?  If yes, then why not just document that you need to turn on the boolean?

Comment 10 Cole Robinson 2012-04-16 17:22:45 UTC
(In reply to comment #9)
> Cole, are there instructions on turning this on, for instance enabling openstack
> in apache?  If yes, then why not just document that you need to turn on the
> boolean?

Our dashboard packages only work with apache, this is separate from using apache to serve the various openstack APIs. We can document it on the wiki but it just means that out of the box openstack-dashboard doesn't work. But then again, openstack takes a decent amount of other config to get working so maybe it's not so bad.

If you guys can add the http openstack boolean that would be helpful, we can just document the setsebool command.

Comment 11 Daniel Walsh 2012-04-20 14:25:52 UTC
Cole why did keystone pick a port in the ephemeral range?  Can this be changed?

Comment 12 Daniel Walsh 2012-04-20 14:27:06 UTC
Added httpd_use_openstack to selinux-policy-3.10.0-117.fc17.noarch

Comment 13 Fedora Update System 2012-04-23 06:43:28 UTC
selinux-policy-3.10.0-117.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-117.fc17

Comment 14 Fedora Update System 2012-04-24 00:56:14 UTC
selinux-policy-3.10.0-118.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-118.fc17

Comment 15 Fedora Update System 2012-04-24 03:14:49 UTC
Package selinux-policy-3.10.0-118.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-118.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-6452/selinux-policy-3.10.0-118.fc17
then log in and leave karma (feedback).

Comment 16 Fedora Update System 2012-04-25 04:58:55 UTC
selinux-policy-3.10.0-118.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

