glance-registry/selinux policy problem

Pádraig Brady P at draigBrady.com
Fri Jun 15 00:34:06 UTC 2012


On 06/14/2012 09:45 PM, Joseph Breu wrote:
> Hi All,
> 
> Running through a Fedora/OpenStack deployment in our lab and ran into the following selinux policy violation:
> 
> type=AVC msg=audit(1339706457.635:1431): avc:  denied  { name_connect } for  pid=31822 comm="glance-registry" dest=3306 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
> 
> I have the following installed:
> openstack-glance-2012.1-4.fc17.noarch
> python-glance-2012.1-4.fc17.noarch
> selinux-policy-targeted-3.10.0-130.fc17.noarch
> selinux-policy-3.10.0-130.fc17.noarch

So they're the latest selinux policy packages.
The changelog says 3.10.0-120 allowed glance to connect to mysql.
Though looking at the change it added:

  mysql_stream_connect(glance_registry_t)

That only allows connecting on a local unix stream socket I think.
We might have to add this rule for more general connections?

  allow glance_registry_t mysqld_port_t:tcp_socket name_connect;

You could test it out temporarily like:

  echo 'type=AVC ... rest from above' | audit2allow -M openstack-glance
  semodule -i openstack-glance.pp

Is your mysql server on a separate system to the glance-registry service?
Could you send the output from:

  grep sql_connection /etc/glance/glance-registry.conf

cheers,
Pádraig.
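The audit2allow step from the reply, spelled out as an added example (this is not code from the original thread or from the OpenStack or SELinux projects): a POSIX shell script that derives the type-enforcement rule from the AVC record quoted above the same way audit2allow would, wraps it in a loadable module source, and builds and loads it with the standard checkmodule/semodule_package/semodule toolchain. The sample AVC records are constructed from the thread, and the module name `openstack_glance` is an assumption (underscore rather than the hyphen used with `-M` in the reply, purely to keep the policy identifier simple).

```shell
#!/bin/sh
# Added example: turn one AVC denial into a local SELinux policy module.
# Constructed sample record, copied from the denial quoted in the thread.
AVC_SAMPLE='type=AVC msg=audit(1339706457.635:1431): avc:  denied  { name_connect } for  pid=31822 comm="glance-registry" dest=3306 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket'

# Extract a single key=value field (e.g. scontext, tcontext, tclass) from a record.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# The type is the third colon-separated component of a context
# (user:role:type:level), e.g. system_u:system_r:glance_registry_t:s0.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# The denied permission set, as written inside "denied { ... }".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied[[:space:]]*{ \([^}]*\) }.*/\1/p' | sed 's/^ *//;s/ *$//'
}

# Build the allow rule for one denial:
#   allow <source type> <target type>:<class> <permission(s)>;
# A multi-permission set is braced, as in audit2allow output.
avc_to_rule() {
    src=$(ctx_type "$(avc_field "$1" scontext)")
    tgt=$(ctx_type "$(avc_field "$1" tcontext)")
    cls=$(avc_field "$1" tclass)
    perms=$(avc_perms "$1")
    case "$perms" in
        *" "*) perms="{ $perms }" ;;
    esac
    printf 'allow %s %s:%s %s;\n' "$src" "$tgt" "$cls" "$perms"
}

# Emit a complete .te module source: header, require block, rule.
# $1 = module name (assumed: openstack_glance), $2 = AVC record.
avc_to_module() {
    name=$1
    rec=$2
    src=$(ctx_type "$(avc_field "$rec" scontext)")
    tgt=$(ctx_type "$(avc_field "$rec" tcontext)")
    cls=$(avc_field "$rec" tclass)
    perms=$(avc_perms "$rec")
    printf 'module %s 1.0;\n\nrequire {\n' "$name"
    printf '\ttype %s;\n\ttype %s;\n' "$src" "$tgt"
    printf '\tclass %s { %s };\n}\n\n' "$cls" "$perms"
    avc_to_rule "$rec"
}

# Compile and load the module (needs the policy toolchain and root).
# Not run automatically; call it explicitly on a test machine.
build_and_load() {
    name=$1
    rec=$2
    avc_to_module "$name" "$rec" > "$name.te"
    checkmodule -M -m -o "$name.mod" "$name.te"
    semodule_package -o "$name.pp" -m "$name.mod"
    semodule -i "$name.pp"
}

# Show what would be loaded for the denial from the thread.
avc_to_module openstack_glance "$AVC_SAMPLE"
```

Running the script prints the module source for the thread's denial, whose rule line is exactly the `allow glance_registry_t mysqld_port_t:tcp_socket name_connect;` suggested in the reply; `build_and_load openstack_glance "$AVC_SAMPLE"` is the equivalent of the `audit2allow -M` plus `semodule -i` pair. Before loading a custom allow rule, it is worth confirming that the target really is the port type you expect (`semanage port -l | grep mysqld_port_t` should list 3306) and, after loading, that the rule is present (`sesearch -A -s glance_registry_t -t mysqld_port_t -c tcp_socket -p name_connect`). A custom module like this is a stopgap for the host it is loaded on; the durable fix is the rule landing in the distribution policy, which is what the reply is proposing.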


