Missing SELinux context for neutron's logs

Bug #1748968 reported by Major Hayden
This bug affects 1 person
Affects: OpenStack-Ansible
Status: Fix Released
Importance: Undecided
Assigned to: Major Hayden

Bug Description

The rsyslog daemon cannot read neutron's logs since they are labeled with default_t:

type=AVC msg=audit(1518463317.448:84883): avc: denied { read } for pid=19900 comm="in:imfile" name="neutron-l3-agent.log" dev="xvde1" ino=1441868 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
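
An added example, not part of the original report or the project's code: a small parser for AVC denial records like the one above, which counts denials where the target file carries `default_t` or `unlabeled_t`, the two types named in this report. Only the first sample line comes from the report; the other three are constructed, and the function names are illustrative.

```python
import re
from collections import Counter

# Types that signal a missing or stale file label (both appear in this report).
MISLABEL_TYPES = {"default_t", "unlabeled_t"}

AVC_RE = re.compile(r'type=AVC .*?avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of fields for an AVC denial line, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec["perms"] = m.group("perms").split()
    # SELinux contexts are user:role:type:level; the type is the third field.
    for key in ("scontext", "tcontext"):
        parts = rec.get(key, "").split(":")
        rec[key[0] + "type"] = parts[2] if len(parts) >= 3 else None
    return rec


def mislabeled_targets(lines):
    """Count (source type, target type, file name) for denials on mislabeled files."""
    hits = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec and rec.get("tclass") == "file" and rec["ttype"] in MISLABEL_TYPES:
            hits[(rec["stype"], rec["ttype"], rec.get("name"))] += 1
    return hits


# First line is the denial from the report; the remaining lines are constructed samples.
SAMPLE = [
    'type=AVC msg=audit(1518463317.448:84883): avc: denied { read } for pid=19900 comm="in:imfile" name="neutron-l3-agent.log" dev="xvde1" ino=1441868 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file',
    'type=AVC msg=audit(1518463318.001:84884): avc: denied { read } for pid=19900 comm="in:imfile" name="neutron-l3-agent.log" dev="xvde1" ino=1441868 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file',
    'type=AVC msg=audit(1518463319.100:84885): avc: denied { write } for pid=2001 comm="httpd" name="app.sock" dev="xvde1" ino=77 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file',
    'type=SYSCALL msg=audit(1518463317.448:84883): arch=c000003e syscall=2 success=no exit=-13',
]

if __name__ == "__main__":
    for (stype, ttype, name), n in mislabeled_targets(SAMPLE).items():
        print(f"{n}x {stype} denied on {name} labeled {ttype}")
```

Grouping by source type, target type and file name collapses the repeated denials that a polling reader such as rsyslog's `in:imfile` thread produces into one finding per mislabeled file.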

OpenStack Infra (hudson-openstack) wrote : Fix proposed to openstack-ansible-os_neutron (master)

Fix proposed to branch: master
Review: https://review.openstack.org/543588

Changed in openstack-ansible:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to openstack-ansible-os_neutron (master)

Reviewed: https://review.openstack.org/543588
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible-os_neutron/commit/?id=1664cb00099b35d4effa54f9192569ad0e549b3e
Submitter: Zuul
Branch: master

commit 1664cb00099b35d4effa54f9192569ad0e549b3e
Author: Major Hayden <email address hidden>
Date: Tue Feb 13 15:57:04 2018 -0600

    Add SELinux contexts for neutron log directory

    The log directory for neutron has the default_t SELinux context and this
    prevents rsyslog from accessing neutron's logs. This patch ensures that
    the file contexts are set properly for neutron's logs.

    This change also makes neutron's log directory configurable using the
    `neutron_log_dir` variable.

    Closes-Bug: 1748968
    Change-Id: Ifbcca131435c8963cc9c1b85c000cc040fab27ab

Changed in openstack-ansible:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to openstack-ansible-os_neutron (stable/queens)

Fix proposed to branch: stable/queens
Review: https://review.openstack.org/545884

OpenStack Infra (hudson-openstack) wrote : Fix merged to openstack-ansible-os_neutron (stable/queens)

Reviewed: https://review.openstack.org/545884
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible-os_neutron/commit/?id=517b78d4dd99b6318388e929a895378327d75989
Submitter: Zuul
Branch: stable/queens

commit 517b78d4dd99b6318388e929a895378327d75989
Author: Major Hayden <email address hidden>
Date: Tue Feb 13 15:57:04 2018 -0600

    Add SELinux contexts for neutron log directory

    This is a backport of:
    - https://review.openstack.org/543588
    - https://review.openstack.org/545503

    The log directory for neutron has the default_t SELinux context and this
    prevents rsyslog from accessing neutron's logs. This patch ensures that
    the file contexts are set properly for neutron's logs.

    This change also makes neutron's log directory configurable using the
    `neutron_log_dir` variable.

    Closes-Bug: 1748968
    Change-Id: Ifbcca131435c8963cc9c1b85c000cc040fab27ab

tags: added: in-stable-queens
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/openstack-ansible-os_neutron 17.0.0.0rc2

This issue was fixed in the openstack/openstack-ansible-os_neutron 17.0.0.0rc2 release candidate.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/openstack-ansible-os_neutron 18.0.0.0b1

This issue was fixed in the openstack/openstack-ansible-os_neutron 18.0.0.0b1 development milestone.
