Description of problem:
selinux reports AVC issues after packstack is run with selinux in permissive mode.

Version-Release number of selected component (if applicable):
openstack-packstack-2013.1.1-0.3.dev527.fc19.noarch

How reproducible:
Always

Steps to Reproduce:
1. install f19 @core, yum install openstack-packstack
2. packstack

Actual results:
AVC messages appear

Expected results:
No AVC messages

Additional info:
# cat /var/log/audit/audit.log | audit2allow -R

require {
	type nova_cert_t;
	type nova_console_t;
	type glance_registry_t;
	type memcached_t;
	class capability sys_resource;
}

#============= glance_registry_t ==============
dev_manage_sysfs_dirs(glance_registry_t)

#============= memcached_t ==============
allow memcached_t self:capability sys_resource;

#============= nova_cert_t ==============
dev_manage_sysfs_dirs(nova_cert_t)

#============= nova_console_t ==============
dev_manage_sysfs_dirs(nova_console_t)
Re-assigning to selinux-policy as Packstack does not touch selinux contexts or policies (except for enabling two booleans in some use cases).
Please attach the original avcs.
Created attachment 772071
/var/log/audit/audit.log

Apologies for just attaching the whole log file, but I don't know which parts are important.
0aefe67621f5a2966205fb357cf9b2ae64104dd6 and 85c5f723382b764dc78a7c9252ddec71d63ba383 fix this in git.
selinux-policy-3.12.1-69.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-69.fc19
Package selinux-policy-3.12.1-69.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-69.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-14089/selinux-policy-3.12.1-69.fc19
then log in and leave karma (feedback).
selinux-policy-3.12.1-69.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.