Bug 894862
| Summary: | Provide better SELinux policies vs. running all OpenStack services unconfined | | |
|---|---|---|---|
| Product: | Red Hat OpenStack | Reporter: | Perry Myers <pmyers> |
| Component: | openstack-selinux | Assignee: | Lon Hohberger <lhh> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Ami Jeain <ajeain> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 2.0 (Folsom) | CC: | apevec, markmc, mgrepl, pbrady, sgordon, sradvan, yeylon |
| Target Milestone: | beta | | |
| Target Release: | 5.0 (RHEL 7) | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | | |
| : | 978462 (view as bug list) | Environment: | |
| Last Closed: | 2014-04-16 20:42:37 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 978462 | | |
Description
Perry Myers
2013-01-13 20:26:44 UTC
*** Bug 836035 has been marked as a duplicate of this bug. ***

F19 selinux policy blocks keystone connecting to ldap:

```
avc: denied { name_connect } for pid=10032 comm="keystone-all" dest=389 scontext=system_u:system_r:keystone_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket
```

```
#============= keystone_t ==============
#!!!! This avc can be allowed using one of the these booleans:
#     nis_enabled, authlogin_nsswitch_use_ldap
allow keystone_t ldap_port_t:tcp_socket name_connect;
```

Or does it need to connect to this port without this boolean?
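The denial quoted in the report, worked through as an added example (this is not code from the bug, from audit2allow, or from the openstack-selinux package): a POSIX shell script that parses the AVC record into its source type, target type, object class and permission, prints the audit2allow-equivalent allow rule, and generates a minimal Type Enforcement module that grants only that one rule to keystone_t. That targeted module is the alternative to flipping a boolean such as authlogin_nsswitch_use_ldap, which widens access for every domain the boolean governs, not just keystone. The AVC line is embedded inline so the script runs offline; the module name keystone_ldap and the helper function names are assumptions, and the build, install and boolean commands are shown only as comments because they need checkmodule, semodule and setsebool on an SELinux host.

```shell
#!/bin/sh
# The AVC record from the bug report, embedded here (constructed input) so the
# script runs without access to /var/log/audit/audit.log.
AVC='avc: denied { name_connect } for pid=10032 comm="keystone-all" dest=389 scontext=system_u:system_r:keystone_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket'

# Pull one key=value field out of an AVC record. $1 = record, $2 = key.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# A security context is user:role:type:level; the type is the third component.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# The permission set between the braces after "denied", trimmed. Handles
# multi-permission denials such as "{ read write }" as well.
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied[[:space:]]*{ *\([^}]*\)}.*/\1/p' | sed 's/^ *//;s/ *$//'
}

# Turn an AVC denial into the allow rule audit2allow would print for it.
avc_to_allow_rule() {
    _src=$(ctx_type "$(avc_field "$1" scontext)")
    _tgt=$(ctx_type "$(avc_field "$1" tcontext)")
    _cls=$(avc_field "$1" tclass)
    _perm=$(avc_perms "$1")
    printf 'allow %s %s:%s { %s };\n' "$_src" "$_tgt" "$_cls" "$_perm"
}

# Emit a minimal .te module (assumed name in $1) that grants only this rule to
# the source domain, instead of enabling a boolean for every domain it covers.
avc_to_te_module() {
    _src=$(ctx_type "$(avc_field "$2" scontext)")
    _tgt=$(ctx_type "$(avc_field "$2" tcontext)")
    _cls=$(avc_field "$2" tclass)
    _perm=$(avc_perms "$2")
    printf 'module %s 1.0;\n\nrequire {\n\ttype %s;\n\ttype %s;\n\tclass %s { %s };\n}\n\n' \
        "$1" "$_src" "$_tgt" "$_cls" "$_perm"
    printf '#============= %s ==============\n' "$_src"
    avc_to_allow_rule "$2"
}

# Stand-alone run: show the rule and the module for the report's denial.
avc_to_allow_rule "$AVC"
avc_to_te_module keystone_ldap "$AVC" > keystone_ldap.te
cat keystone_ldap.te

# On an SELinux host the module is built and loaded with (not run here):
#   checkmodule -M -m -o keystone_ldap.mod keystone_ldap.te
#   semodule_package -o keystone_ldap.pp -m keystone_ldap.mod
#   semodule -i keystone_ldap.pp
# The boolean route audit2allow offered instead, which also affects every
# other domain that consults the same tunable:
#   getsebool authlogin_nsswitch_use_ldap
#   setsebool -P authlogin_nsswitch_use_ldap on
rm -f keystone_ldap.te
```

The generated module only needs `keystone_t`, `ldap_port_t` and the `tcp_socket name_connect` permission in its `require` block, so it fails to load if any of those are absent from the base policy rather than silently granting something else; checking `semodule -l` after `semodule -i` confirms it is installed.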