libreport version: 2.0.10 executable: /usr/bin/python2.7 hashmarkername: setroubleshoot kernel: 3.3.4-1.fc17.x86_64 time: Sun 29 Apr 2012 09:29:57 PM EDT description: :SELinux is preventing /usr/bin/python2.7 from 'search' accesses on the directory /var/lib/mysql. : :***** Plugin catchall (100. confidence) suggests *************************** : :If you believe that python2.7 should be allowed search access on the mysql directory by default. :Then you should report this as a bug. :You can generate a local policy module to allow this access. :Do :allow this access for now by executing: :# grep glance-registry /var/log/audit/audit.log | audit2allow -M mypol :# semodule -i mypol.pp : :Additional Information: :Source Context system_u:system_r:glance_registry_t:s0 :Target Context system_u:object_r:mysqld_db_t:s0 :Target Objects /var/lib/mysql [ dir ] :Source glance-registry :Source Path /usr/bin/python2.7 :Port <Unknown> :Host (removed) :Source RPM Packages python-2.7.3-3.fc17.x86_64 :Target RPM Packages mysql-server-5.5.23-1.fc17.x86_64 :Policy RPM selinux-policy-3.10.0-118.fc17.noarch :Selinux Enabled True :Policy Type targeted :Enforcing Mode Enforcing :Host Name (removed) :Platform Linux (removed) 3.3.4-1.fc17.x86_64 #1 SMP Fri : Apr 27 18:39:03 UTC 2012 x86_64 x86_64 :Alert Count 11 :First Seen Sun 29 Apr 2012 09:22:57 PM EDT :Last Seen Sun 29 Apr 2012 09:23:07 PM EDT :Local ID 4be7b8f7-56c9-435c-a3de-a14788e97606 : :Raw Audit Messages :type=AVC msg=audit(1335748987.185:423): avc: denied { search } for pid=5171 comm="glance-registry" name="mysql" dev="dm-1" ino=38574 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:mysqld_db_t:s0 tclass=dir : : :type=SYSCALL msg=audit(1335748987.185:423): arch=x86_64 syscall=connect success=no exit=EACCES a0=4 a1=7fffc5e12270 a2=6e a3=7f0b301d74db items=0 ppid=1 pid=5171 auid=4294967295 uid=161 gid=161 euid=161 suid=161 fsuid=161 egid=161 sgid=161 fsgid=161 tty=(none) ses=4294967295 comm=glance-registry exe=/usr/bin/python2.7 subj=system_u:system_r:glance_registry_t:s0 key=(null) : :Hash: glance-registry,glance_registry_t,mysqld_db_t,dir,search : :audit2allowunable to open /sys/fs/selinux/policy: Permission denied : : :audit2allow -Runable to open /sys/fs/selinux/policy: Permission denied : :
Is glance_registry supposed to use a mysql database?
(In reply to comment #1) > Is glance_registry supposed to use a mysql database? I'm pretty sure that in the new version of open-stack (which is what I was using to make this bug repeatable) glance is supposed to use a mysql db. It prompted me to set one up in the setup script for glance and the instructions are verbatim from the fedora wiki for f17 with openstack.
Fixed in selinux-policy-3.10.0-120.fc17
selinux-policy-3.10.0-121.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-121.fc17
Package selinux-policy-3.10.0-121.fc17: * should fix your issue, * was pushed to the Fedora 17 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-121.fc17' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2012-7313/selinux-policy-3.10.0-121.fc17 then log in and leave karma (feedback).
selinux-policy-3.10.0-121.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.