Description of problem:
OpenStack causes a few SELinux AVC denials after being installed with Packstack, and some could be prevented by enabling two more SELinux Booleans.

Version-Release number of selected component (if applicable):
Current RDO Havana M2 on F19

How reproducible:
dunno

Steps to Reproduce:
1. packstack --all-in-one --os-quantum-install=n
2. cat /var/log/audit/audit.log | audit2allow
3.

Actual results:
#============= rsync_t ==============
#!!!! This avc can be allowed using the boolean 'rsync_full_access'
allow rsync_t var_lock_t:dir write;

#============= swift_t ==============
#!!!! This avc can be allowed using the boolean 'nis_enabled'
allow swift_t self:tcp_socket { accept listen };
allow swift_t user_home_dir_t:dir search;
allow swift_t var_t:dir { write remove_name add_name };
allow swift_t var_t:file { rename read lock create write getattr unlink open };
allow swift_t xserver_port_t:tcp_socket name_bind;

Expected results:
No easy-to-avoid SELinux AVC denials.

Additional info:
There are also a few more denials that are not (yet) covered by booleans, so reporting those separately against selinux-policy-targeted.
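Added example, not part of the original report: a small parser that splits audit2allow output into rules a boolean would permit and rules that no boolean covers. It assumes each "#!!!!" hint comment applies only to the allow rule directly below it and handles only the single-boolean hint form shown in the report; the function name split_by_boolean is hypothetical.

```python
import re

# Sample input: the audit2allow output quoted in the report, embedded inline.
SAMPLE = """\
#============= rsync_t ==============
#!!!! This avc can be allowed using the boolean 'rsync_full_access'
allow rsync_t var_lock_t:dir write;

#============= swift_t ==============
#!!!! This avc can be allowed using the boolean 'nis_enabled'
allow swift_t self:tcp_socket { accept listen };
allow swift_t user_home_dir_t:dir search;
allow swift_t var_t:dir { write remove_name add_name };
allow swift_t var_t:file { rename read lock create write getattr unlink open };
allow swift_t xserver_port_t:tcp_socket name_bind;
"""

# Matches the single-boolean hint comment as it appears in the report.
HINT = re.compile(r"^#!!!! This avc can be allowed using the boolean '([^']+)'")


def split_by_boolean(text):
    """Return (covered, uncovered) for audit2allow output.

    covered maps a boolean name to the allow rules its hint precedes;
    uncovered lists the allow rules that carry no boolean hint.
    """
    covered = {}
    uncovered = []
    pending = None  # boolean named by the most recent hint, if any
    for raw in text.splitlines():
        line = raw.strip()
        match = HINT.match(line)
        if match:
            pending = match.group(1)
        elif line.startswith("allow "):
            if pending:
                covered.setdefault(pending, []).append(line)
            else:
                uncovered.append(line)
            pending = None  # assumption: a hint covers one rule only
    return covered, uncovered


if __name__ == "__main__":
    covered, uncovered = split_by_boolean(SAMPLE)
    for name, rules in covered.items():
        print(f"boolean {name}: {len(rules)} rule(s)")
    print(f"not covered by a boolean: {len(uncovered)} rule(s)")
    for rule in uncovered:
        print("   ", rule)
```

On the report's output this attributes one rule each to rsync_full_access and nis_enabled and leaves the remaining four swift_t rules without a boolean.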
This should be done in openstack-selinux package I guess.
We either did this (EPEL RDO) or it doesn't apply to Fedora (which doesn't have openstack-selinux)