Openstack on Fedora 17 - glance

Tómas Edwardsson tommi at tommi.org
Tue Jun 12 15:17:42 UTC 2012


Hi

I just registered on the mailing list, so I can't reply directly to the emails that were sent recently.

I had the same issue Michael reported with "glance index" and was able to fix it by running:

# Switches SELinux to permissive mode system-wide for the running kernel:
# denials are still logged (the AVC lines below) but no longer enforced.
# This is a diagnostic workaround rather than a fix; the audit2allow module
# further down is the targeted alternative.
sudo setenforce 0
sudo systemctl restart openstack-glance-api.service
# NOTE(review): this line repeats the one above; the second restart was
# presumably meant for openstack-glance-registry.service, since most of the
# denials below come from glance-registry — confirm.
sudo systemctl restart openstack-glance-api.service

My Fedora 17 is fully yum updated.

Denials from audit.log (there is one AVC for nova_cert as well):

type=AVC msg=audit(1339505968.994:557): avc:  denied  { read } for  pid=15519 comm="sh" name="passwd" dev="dm-1" ino=2624014 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=AVC msg=audit(1339505969.032:558): avc:  denied  { read } for  pid=15521 comm="sh" name="passwd" dev="dm-1" ino=2624014 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=AVC msg=audit(1339505969.069:559): avc:  denied  { execute } for  pid=15523 comm="glance-registry" name="bash" dev="dm-1" ino=1704915 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1339505969.089:560): avc:  denied  { execute } for  pid=15524 comm="glance-registry" name="bash" dev="dm-1" ino=1704915 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1339505969.104:561): avc:  denied  { execute } for  pid=15525 comm="glance-registry" name="bash" dev="dm-1" ino=1704915 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1339505969.115:562): avc:  denied  { execute } for  pid=15526 comm="glance-registry" name="bash" dev="dm-1" ino=1704915 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1339506279.402:713): avc:  denied  { create } for  pid=15607 comm="nova-cert" scontext=system_u:system_r:nova_cert_t:s0 tcontext=system_u:system_r:nova_cert_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1339506601.713:880): avc:  denied  { read } for  pid=16556 comm="sh" name="passwd" dev="dm-1" ino=2624014 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=AVC msg=audit(1339506601.735:881): avc:  denied  { read } for  pid=16558 comm="sh" name="passwd" dev="dm-1" ino=2624014 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=AVC msg=audit(1339506605.178:889): avc:  denied  { execute } for  pid=16565 comm="glance-registry" name="bash" dev="dm-1" ino=1704915 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1339506605.187:890): avc:  denied  { execute } for  pid=16566 comm="glance-registry" name="bash" dev="dm-1" ino=1704915 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1339506605.193:891): avc:  denied  { execute } for  pid=16567 comm="glance-registry" name="bash" dev="dm-1" ino=1704915 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1339506605.200:892): avc:  denied  { execute } for  pid=16568 comm="glance-registry" name="bash" dev="dm-1" ino=1704915 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1339506608.636:893): avc:  denied  { name_connect } for  pid=16564 comm="glance-registry" dest=35357 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1339506617.091:894): avc:  denied  { name_connect } for  pid=16564 comm="glance-registry" dest=35357 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1339506626.883:895): avc:  denied  { name_connect } for  pid=16564 comm="glance-registry" dest=35357 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1339506657.957:906): avc:  denied  { name_connect } for  pid=16564 comm="glance-registry" dest=35357 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1339506695.931:907): avc:  denied  { name_connect } for  pid=16564 comm="glance-registry" dest=35357 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1339506721.340:908): avc:  denied  { name_connect } for  pid=16564 comm="glance-registry" dest=35357 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1339506778.794:909): avc:  denied  { name_connect } for  pid=16564 comm="glance-registry" dest=35357 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1339506866.469:910): avc:  denied  { name_connect } for  pid=16564 comm="glance-registry" dest=35357 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1339508296.813:911): avc:  denied  { name_connect } for  pid=16564 comm="glance-registry" dest=35357 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1339508311.498:912): avc:  denied  { name_connect } for  pid=16564 comm="glance-registry" dest=35357 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1339508344.815:914): avc:  denied  { name_connect } for  pid=16564 comm="glance-registry" dest=35357 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1339508350.803:922): avc:  denied  { execute } for  pid=18118 comm="glance-registry" name="bash" dev="dm-1" ino=1704915 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1339508350.803:922): avc:  denied  { read open } for  pid=18118 comm="glance-registry" name="bash" dev="dm-1" ino=1704915 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1339508350.803:922): avc:  denied  { execute_no_trans } for  pid=18118 comm="glance-registry" path="/usr/bin/bash" dev="dm-1" ino=1704915 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1339508350.811:923): avc:  denied  { getattr } for  pid=18118 comm="sh" path="/usr/bin/bash" dev="dm-1" ino=1704915 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1339508350.812:924): avc:  denied  { read } for  pid=18118 comm="sh" name="passwd" dev="dm-1" ino=2624014 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=AVC msg=audit(1339508350.812:924): avc:  denied  { open } for  pid=18118 comm="sh" name="passwd" dev="dm-1" ino=2624014 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=AVC msg=audit(1339508350.812:925): avc:  denied  { getattr } for  pid=18118 comm="sh" path="/etc/passwd" dev="dm-1" ino=2624014 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=AVC msg=audit(1339508350.815:926): avc:  denied  { execute } for  pid=18119 comm="sh" name="ldconfig" dev="dm-1" ino=1704887 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
type=AVC msg=audit(1339508350.815:926): avc:  denied  { read open } for  pid=18119 comm="sh" name="ldconfig" dev="dm-1" ino=1704887 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
type=AVC msg=audit(1339508350.815:926): avc:  denied  { execute_no_trans } for  pid=18119 comm="sh" path="/usr/sbin/ldconfig" dev="dm-1" ino=1704887 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
type=AVC msg=audit(1339508355.898:927): avc:  denied  { name_connect } for  pid=18117 comm="glance-registry" dest=35357 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1339508420.705:932): avc:  denied  { name_connect } for  pid=16555 comm="glance-api" dest=80 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1339509237.883:1033): avc:  denied  { name_connect } for  pid=18117 comm="glance-registry" dest=35357 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1339509446.913:1094): avc:  denied  { name_connect } for  pid=18117 comm="glance-registry" dest=35357 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1339509649.087:1228): avc:  denied  { name_connect } for  pid=18117 comm="glance-registry" dest=35357 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket


The same denials run through "audit2allow -Mmyopenstack" produce:

# Generated by audit2allow from the AVC denials above. Each allow rule is a
# literal grant of exactly what was denied, not a reviewed minimum: it
# permits the operation for the whole type (every file/port carrying that
# label), so the rules are worth reading before the module is loaded.
module myopenstack 1.0;

require {
	type ldconfig_exec_t;
	type glance_registry_t;
	type passwd_file_t;
	type glance_api_t;
	type shell_exec_t;
	type ephemeral_port_t;
	type http_port_t;
	type nova_cert_t;
	class tcp_socket name_connect;
	class file { execute read open getattr execute_no_trans };
	class netlink_route_socket create;
}

#============= glance_api_t ==============
# From the dest=80 denial; presumably an HTTP endpoint glance-api talks to
# (auth or registry) — confirm which before loading. http_port_t covers
# every port labelled as HTTP, not only port 80.
allow glance_api_t http_port_t:tcp_socket name_connect;
# The denied reader was comm="sh" running in glance_api_t, i.e. a shell
# spawned by the API daemon rather than glance-api itself.
allow glance_api_t passwd_file_t:file read;

#============= glance_registry_t ==============
# Broad: this allows connecting to the entire ephemeral port range, while the
# denials only show dest=35357. A narrower rule gives 35357 its own port type
# (semanage port) and allows name_connect to that type instead.
allow glance_registry_t ephemeral_port_t:tcp_socket name_connect;
# execute_no_trans means /usr/sbin/ldconfig runs inside glance_registry_t
# itself, with no domain transition.
allow glance_registry_t ldconfig_exec_t:file { read execute open execute_no_trans };
allow glance_registry_t passwd_file_t:file { read getattr open };
# Lets the registry daemon run /usr/bin/bash in its own domain. This is the
# widest grant in the module; the denials show glance-registry does spawn a
# shell, but why it does so is not visible here and is worth establishing
# before permitting it.
allow glance_registry_t shell_exec_t:file { read execute open getattr execute_no_trans };

#============= nova_cert_t ==============
# From the single nova-cert denial; self-only socket creation, no cross-domain grant.
allow nova_cert_t self:netlink_route_socket create;


--- 
Tomas Edwardsson


