Description of problem:
Launching a new stack from heat, specifically:

heat-cfn -d create wp --template-file=templates/WordPress_Single_Instance.template '--parameters=InstanceType=m1.large;DBUsername=jpeeler;DBPassword=verybadpass;KeyName=jpeeler_key;LinuxDistribution=F17'

May only require launching a VM from Nova, but this issue has happened twice now.

SELinux is preventing /usr/bin/guestmount from 'create' accesses on the unix_stream_socket .

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that guestmount should be allowed create access on the unix_stream_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep guestmount /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:virtd_t:s0-s0:c0.c1023
Target Context                system_u:system_r:svirt_socket_t:s0-s0:c0.c1023
Target Objects                [ unix_stream_socket ]
Source                        guestmount
Source Path                   /usr/bin/guestmount
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           libguestfs-tools-c-1.20.1-2.fc18.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.11.1-67.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.7.2-201.fc18.x86_64 #1 SMP Fri Jan 11 22:16:23 UTC 2013 x86_64 x86_64
Alert Count                   2
First Seen                    2013-01-15 18:37:11 EST
Last Seen                     2013-01-16 11:15:00 EST
Local ID                      4478e131-2001-4376-bd56-145cc621c94f

Raw Audit Messages
type=AVC msg=audit(1358352900.827:821): avc:  denied  { create } for  pid=26612 comm="guestmount" scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:svirt_socket_t:s0-s0:c0.c1023 tclass=unix_stream_socket

type=SYSCALL msg=audit(1358352900.827:821): arch=x86_64 syscall=socket success=no exit=EACCES a0=1 a1=80001 a2=0 a3=636b636f732f7274 items=0 ppid=26609 pid=26612 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=guestmount exe=/usr/bin/guestmount subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 key=(null)

Hash: guestmount,virtd_t,svirt_socket_t,unix_stream_socket,create

audit2allow

#============= virtd_t ==============
allow virtd_t svirt_socket_t:unix_stream_socket create;

audit2allow -R

#============= virtd_t ==============
allow virtd_t svirt_socket_t:unix_stream_socket create;

Additional info:
hashmarkername: setroubleshoot
kernel:         3.7.2-201.fc18.x86_64
type:           libreport
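The setroubleshoot text above suggests generating a local policy module with audit2allow. Before installing one, a practitioner wants two things: to see exactly which TE rule such a module would carry, and to know whether the installed selinux-policy already contains the upstream fix, in which case a fresh denial is a regression to report rather than something to paper over with a local allow rule. The script below is an added example, not part of this bug report and not the code of setroubleshoot or audit2allow: avc_to_te rebuilds the deduplicated "allow" rules from raw AVC records (the core of what audit2allow prints, without its comments or the interface lookups of -R), and version_ge compares a version-release string against the first release carrying a fix. The first three sample records are copied from the raw messages in the report; the fourth record, a write denial on a /proc path with target type proc_t, is invented for illustration and does not come from the report. The function names are the author's own.

```shell
#!/bin/sh
# Added example, not code from the bug report or from setroubleshoot/audit2allow.
# 1. avc_to_te: rebuild the TE allow rules audit2allow would emit from raw AVC lines.
# 2. version_ge: compare an installed selinux-policy version-release with the
#    first release carrying a fix, so a denial on an already-patched system is
#    treated as a regression instead of being hidden behind a local module.

# Constructed sample: the first three records are taken from the raw messages
# in the report (the repeated "create" denial shows deduplication); the last
# record, a write denial on a /proc path with target type proc_t, is invented
# here to show a second rule and is NOT from the report.
AVC_SAMPLE='type=AVC msg=audit(1358352900.827:821): avc:  denied  { create } for  pid=26612 comm="guestmount" scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:svirt_socket_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=SYSCALL msg=audit(1358352900.827:821): arch=x86_64 syscall=socket success=no exit=EACCES a0=1 a1=80001 a2=0 comm=guestmount exe=/usr/bin/guestmount
type=AVC msg=audit(1360870768.354:953): avc:  denied  { create } for  pid=7797 comm="guestmount" scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:svirt_socket_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=AVC msg=audit(1360870800.100:960): avc:  denied  { write } for  pid=7797 comm="guestmount" path="/proc/7797/ns/net" scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:proc_t:s0 tclass=file'

# avc_to_te: read audit records on stdin; for every AVC denial print
# "allow <source type> <target type>:<class> <perm>;" once per distinct rule.
# The type is the third colon-separated field of a context (user:role:type:range).
avc_to_te() {
    awk '
        /^type=AVC / && /avc: +denied/ {
            if (!match($0, /[{][^}]*[}]/)) next
            perms = substr($0, RSTART + 1, RLENGTH - 2)
            s = ""; t = ""; c = ""
            for (i = 1; i <= NF; i++) {
                eq = index($i, "=")
                if (eq == 0) continue
                key = substr($i, 1, eq - 1); val = substr($i, eq + 1)
                if (key == "scontext") s = val
                else if (key == "tcontext") t = val
                else if (key == "tclass") c = val
            }
            if (s == "" || t == "" || c == "") next
            split(s, sa, ":"); split(t, ta, ":")
            n = split(perms, p, " ")
            for (j = 1; j <= n; j++) {
                rule = "allow " sa[3] " " ta[3] ":" c " " p[j] ";"
                if (!(rule in seen)) { seen[rule] = 1; print rule }
            }
        }'
}

# version_ge A B: exit 0 when version-release A is at or past B. Dot- and
# dash-separated fields are compared numerically; a non-numeric field such as
# fc18 counts as 0, so the dist tag does not take part in the comparison.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "[.-]"); nb = split(b, y, "[.-]")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xa = (i <= na) ? x[i] + 0 : 0
            yb = (i <= nb) ? y[i] + 0 : 0
            if (xa > yb) exit 0
            if (xa < yb) exit 1
        }
        exit 0
    }'
}

# Stand-alone demo: print the reconstructed rules, then compare the policy
# version from the second report (3.11.1-76) with both fixed releases.
printf '%s\n' "$AVC_SAMPLE" | avc_to_te
installed=3.11.1-76.fc18
for fixed in 3.11.1-73.fc18 3.11.1-79.fc18; do
    if version_ge "$installed" "$fixed"; then
        echo "$installed already carries the fix from $fixed: treat the denial as a regression"
    else
        echo "$installed predates $fixed: update selinux-policy before adding a local module"
    fi
done
```

On a live host, feed the function the same input the report uses (`grep guestmount /var/log/audit/audit.log | avc_to_te`) and take the installed version from `rpm -q selinux-policy`. Once the fixed policy is installed, confirm the rule is really in the loaded policy with `sesearch -A -s virtd_t -t svirt_socket_t -c unix_stream_socket -p create` and remove the temporary module with `semodule -r mypol`: a locally generated module survives policy updates and keeps virtd_t wider than the distribution policy intends.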
161f075b8d772d0f23b93f27c0f59727a6fe5236 is in the git repository to fix this.
Backported.

commit 7609c86044f9fd45745c5814230a8e63e7a04129
Author: Dan Walsh <dwalsh>
Date:   Wed Jan 16 15:46:22 2013 -0500

    Allow virtd_t to create stream socket perms for svirt_socket_t, so that it can use guestmount.
    Need to allow virtd_t to write to /proc in order to open namespace sockets for write.
selinux-policy-3.11.1-73.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-73.fc18
Package selinux-policy-3.11.1-73.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-73.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-1272/selinux-policy-3.11.1-73.fc18
then log in and leave karma (feedback).
selinux-policy-3.11.1-73.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
Problem has been reproduced again under the same circumstances. The audit messages appear identical, but here they are anyway:

SELinux is preventing /usr/bin/guestmount from 'create' accesses on the unix_stream_socket .

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that guestmount should be allowed create access on the unix_stream_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep guestmount /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:virtd_t:s0-s0:c0.c1023
Target Context                system_u:system_r:svirt_socket_t:s0-s0:c0.c1023
Target Objects                [ unix_stream_socket ]
Source                        guestmount
Source Path                   /usr/bin/guestmount
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           libguestfs-tools-c-1.20.1-3.fc18.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.11.1-76.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.7.6-201.fc18.x86_64 #1 SMP Mon Feb 4 15:54:08 UTC 2013 x86_64 x86_64
Alert Count                   58
First Seen                    2013-01-29 18:10:16 EST
Last Seen                     2013-02-14 14:39:28 EST
Local ID                      8893b853-0b6b-4862-9ea9-e0f55c9931fe

Raw Audit Messages
type=AVC msg=audit(1360870768.354:953): avc:  denied  { create } for  pid=7797 comm="guestmount" scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:svirt_socket_t:s0-s0:c0.c1023 tclass=unix_stream_socket

type=SYSCALL msg=audit(1360870768.354:953): arch=x86_64 syscall=socket success=no exit=EACCES a0=1 a1=80001 a2=0 a3=72636b636f732f72 items=0 ppid=7796 pid=7797 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=guestmount exe=/usr/bin/guestmount subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 key=(null)

Hash: guestmount,virtd_t,svirt_socket_t,unix_stream_socket,create

audit2allow

#============= virtd_t ==============
allow virtd_t svirt_socket_t:unix_stream_socket create;

audit2allow -R

#============= virtd_t ==============
allow virtd_t svirt_socket_t:unix_stream_socket create;
Yes, you are right.
ef2897afaedf84bdd109fea586f7c562cead90b0 fixes this.
Backported.
selinux-policy-3.11.1-79.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-79.fc18
selinux-policy-3.11.1-79.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.