Bug 832414 - openstack-glance-2012.1-4.fc17
openstack-glance-2012.1-4.fc17
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
17
Unspecified Unspecified
unspecified Severity high
: ---
: ---
Assigned To: Miroslav Grepl
Ben Levenson
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2012-06-15 07:14 EDT by Pádraig Brady
Modified: 2012-07-19 05:18 EDT (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-06-19 20:30:06 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Pádraig Brady 2012-06-15 07:14:39 EDT
There is a denial connecting to mysqld:

type=AVC msg=audit(1339706457.635:1431): avc:  denied  { name_connect } for  pid=31822 comm="glance-registry" dest=3306 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket

Note mysql is on localhost.
Apparently this was addressed in selinux-policy-targeted-3.10.0-120.fc17.noarch,
but that only seemed to consider the unix socket connection, as it added:

  mysql_stream_connect(glance_registry_t)

It seems from the above that this is also needed?

  allow glance_registry_t mysqld_port_t:tcp_socket name_connect;
Comment 1 Daniel Walsh 2012-06-15 16:14:45 EDT
I can add the ability to connect to the mysql port, do you know of any other ports it needs to connect to.
Comment 2 Pádraig Brady 2012-06-15 20:08:31 EDT
I don't know of any others
Comment 3 Daniel Walsh 2012-06-18 16:41:34 EDT
Fixed in selinux-policy-3.10.0-132.fc17
Comment 4 Fedora Update System 2012-06-19 03:59:50 EDT
selinux-policy-3.10.0-132.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-132.fc17
Comment 5 Fedora Update System 2012-06-19 20:30:06 EDT
selinux-policy-3.10.0-132.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 6 Fedora Update System 2012-07-19 05:18:11 EDT
selinux-policy-3.10.0-132.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.