neutron-server on restart is triggering AVCs on a number of files

Bug #1498151 reported by YaZug
Affects: neutron
Status: Expired
Importance: Undecided
Assigned to: Unassigned
Milestone:

Bug Description

Using Delorean installed via packstack --allinone, I noticed that if we restart neutron-server it generates a number of AVCs for getattr on 87 files.

neutron==7.0.0.0b4.dev223

Sample of a few entries from /var/log/audit.log on CentOS 7:

type=AVC msg=audit(1442855709.922:10594): avc: denied { getattr } for pid=16273 comm="neutron-server" path="/usr/bin/hostname" dev="dm-0" ino=67231056 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file
type=AVC msg=audit(1442855709.922:10595): avc: denied { getattr } for pid=16273 comm="neutron-server" path="/usr/bin/fusermount" dev="dm-0" ino=70253714 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:fusermount_exec_t:s0 tclass=file
type=AVC msg=audit(1442855709.922:10596): avc: denied { getattr } for pid=16273 comm="neutron-server" path="/usr/bin/glance-api" dev="dm-0" ino=69439463 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:glance_api_exec_t:s0 tclass=file
type=AVC msg=audit(1442855709.922:10597): avc: denied { getattr } for pid=16273 comm="neutron-server" path="/usr/bin/glance-registry" dev="dm-0" ino=69439474 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:glance_registry_exec_t:s0 tclass=file
type=AVC msg=audit(1442855709.923:10598): avc: denied { getattr } for pid=16273 comm="neutron-server" path="/usr/bin/glance-scrubber" dev="dm-0" ino=69439476 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:glance_scrubber_exec_t:

Revision history for this message
YaZug (jon-schlueter) wrote:
description: updated
Assaf Muller (amuller)
Changed in neutron:
status: New → Confirmed
assignee: nobody → Terry Wilson (otherwiseguy)
YaZug (jon-schlueter)
description: updated
Revision history for this message
Lon Hohberger (lhh) wrote:

The question I have is - what's neutron-server doing statting a bunch of files during startup? Does it need to, or is this a child task doing it?

child task -> these are candidates for dontaudit rules
neutron needs to do this -> these are candidates for expanding neutron's permissions
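
As an added triage example (not code from this bug, from neutron, or from the SELinux policy project): a small Python parser that groups AVC records like the ones quoted above by source type, target type, object class and permission, and renders each group as the allow or dontaudit rule that Lon's two cases would call for. The sample records are copied from this report; the function names summarise and te_rule are my own.

```python
import re
from collections import defaultdict

# Constructed sample: three records in the exact shape quoted in this bug
# (values copied from the report; this is not a live audit log).
SAMPLE_AVCS = """\
type=AVC msg=audit(1442855709.922:10594): avc: denied { getattr } for pid=16273 comm="neutron-server" path="/usr/bin/hostname" dev="dm-0" ino=67231056 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file
type=AVC msg=audit(1442855709.922:10595): avc: denied { getattr } for pid=16273 comm="neutron-server" path="/usr/bin/fusermount" dev="dm-0" ino=70253714 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:fusermount_exec_t:s0 tclass=file
type=AVC msg=audit(1442855709.922:10596): avc: denied { getattr } for pid=16273 comm="neutron-server" path="/usr/bin/glance-api" dev="dm-0" ino=69439463 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:glance_api_exec_t:s0 tclass=file
"""

# Shape: 'avc: denied { perm1 perm2 } for key=value key="quoted value" ...'
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial record, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    # The type is the third colon-separated field of an SELinux context.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def summarise(text):
    """Group denials by (source type, target type, class, permission),
    keeping the paths and comm values seen, so each group can be judged
    'daemon needs this' (allow) or 'noise from a child' (dontaudit)."""
    groups = defaultdict(lambda: {"count": 0, "paths": set(), "comms": set()})
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        for perm in rec["perms"]:
            g = groups[(rec["stype"], rec["ttype"], rec["tclass"], perm)]
            g["count"] += 1
            g["paths"].add(rec.get("path", "?"))
            g["comms"].add(rec.get("comm", "?"))
    return dict(groups)


def te_rule(key, dontaudit=False):
    """Render one group as a candidate line for a local .te policy module."""
    stype, ttype, tclass, perm = key
    verb = "dontaudit" if dontaudit else "allow"
    return f"{verb} {stype} {ttype}:{tclass} {perm};"
```

Run summarise over a full audit.log extract to see which target types recur; a single getattr on every *_exec_t in /usr/bin is the pattern that points at a child scanning PATH rather than at a permission neutron itself needs.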

Revision history for this message
Armando Migliaccio (armando-migliaccio) wrote:

This bug is > 240 days without activity. We are unsetting assignee and milestone and setting status to Incomplete in order to allow its expiry in 60 days.

If the bug is still valid, then update the bug status.

Changed in neutron:
assignee: Terry Wilson (otherwiseguy) → nobody
status: Confirmed → Incomplete
Revision history for this message
Launchpad Janitor (janitor) wrote:

[Expired for neutron because there has been no activity for 60 days.]

Changed in neutron:
status: Incomplete → Expired