
ara_api role: gunicorn fails to start if selinux is enforcing #49

Closed
dmsimard opened this issue May 28, 2019 · 1 comment
Labels
ansible roles Related to the Ansible roles bug

Comments

@dmsimard (Contributor)

See:

type=AVC msg=audit(1559060052.066:203): avc:  denied  { execute } for  pid=32057 comm="(gunicorn)" name="gunicorn" dev="vda1" ino=528956 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1559060259.586:238): avc:  denied  { execute } for  pid=872 comm="(gunicorn)" name="gunicorn" dev="vda1" ino=528956 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1559060259.586:239): avc:  denied  { read open } for  pid=872 comm="(gunicorn)" path="/root/.ara/virtualenv/bin/gunicorn" dev="vda1" ino=528956 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1559060259.586:240): avc:  denied  { execute_no_trans } for  pid=872 comm="(gunicorn)" path="/root/.ara/virtualenv/bin/gunicorn" dev="vda1" ino=528956 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1559060259.598:241): avc:  denied  { ioctl } for  pid=872 comm="gunicorn" path="/root/.ara/virtualenv/pyvenv.cfg" dev="vda1" ino=397404 ioctlcmd=0x5401 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1559060260.003:242): avc:  denied  { read } for  pid=875 comm="gunicorn" name="settings.yaml" dev="vda1" ino=397411 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1559060260.003:243): avc:  denied  { open } for  pid=875 comm="gunicorn" path="/root/.ara/server/settings.yaml" dev="vda1" ino=397411 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1559060260.003:244): avc:  denied  { ioctl } for  pid=875 comm="gunicorn" path="/root/.ara/server/settings.yaml" dev="vda1" ino=397411 ioctlcmd=0x5401 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file permissive=1

This used to be addressed by shipping a selinux policy file but somehow got lost during the transition from ara-infra to ara.
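As an added example that is not part of this issue or of the ara project: a small Python triage script that parses AVC lines like the ones posted above and groups them by source type, target type and object class, so the one denial that actually blocked the service (permissive=0, SELinux enforcing) stands out from the permissive-mode entries that merely log what a policy would need to cover. The log lines are copied from the issue; the parsing functions and their names are my own.

```python
import re
from collections import defaultdict

# AVC denial lines copied from the issue above (a subset, values as posted).
AVC_LINES = """\
type=AVC msg=audit(1559060052.066:203): avc:  denied  { execute } for  pid=32057 comm="(gunicorn)" name="gunicorn" dev="vda1" ino=528956 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1559060259.586:239): avc:  denied  { read open } for  pid=872 comm="(gunicorn)" path="/root/.ara/virtualenv/bin/gunicorn" dev="vda1" ino=528956 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1559060259.586:240): avc:  denied  { execute_no_trans } for  pid=872 comm="(gunicorn)" path="/root/.ara/virtualenv/bin/gunicorn" dev="vda1" ino=528956 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1559060260.003:243): avc:  denied  { open } for  pid=875 comm="gunicorn" path="/root/.ara/server/settings.yaml" dev="vda1" ino=397411 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file permissive=1
"""

# "avc:  denied  { perm perm } for  key=value key="quoted value" ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{ (?P<perms>[^}]*)\} for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

def parse_avc(line):
    """Return a dict for one AVC denial line, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, _, quoted, bare in FIELD_RE.findall(m.group("fields")):
        rec[key] = quoted if quoted else bare
    # Keep only the SELinux type (user:role:TYPE:level), e.g. init_t.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    rec["enforced"] = rec.get("permissive") == "0"  # actually blocked
    return rec

def summarize(text):
    """Group denials by (source type, target type, class); union the permissions."""
    summary = defaultdict(lambda: {"perms": set(), "paths": set(), "blocked": False})
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        entry = summary[(rec["stype"], rec["ttype"], rec["tclass"])]
        entry["perms"].update(rec["perms"])
        entry["paths"].add(rec.get("path") or rec.get("name", "?"))
        entry["blocked"] |= rec["enforced"]
    return dict(summary)

if __name__ == "__main__":
    for (s, t, c), e in summarize(AVC_LINES).items():
        state = "BLOCKED (enforcing)" if e["blocked"] else "logged only (permissive)"
        print(f"{s} -> {t}:{c} {sorted(e['perms'])} {state}")
        print("    " + ", ".join(sorted(e["paths"])))
```

Running it against the lines above yields a single group, init_t -> admin_home_t:file, which is exactly the gap a policy module or a relabel of the virtualenv has to close.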

@dmsimard dmsimard added bug ansible roles Related to the Ansible roles labels May 28, 2019
@dmsimard (Contributor, Author)

Sent a patch to re-add the file back in: https://review.opendev.org/#/c/661808/

arecordsansible pushed a commit that referenced this issue Jun 4, 2019
Running gunicorn out of a virtualenv in a home directory requires
some extra selinux policies.

Fixes: #49
Change-Id: I027d148d846e7add391b28e805f67cbe312dcde0
@dmsimard dmsimard closed this as completed Jun 7, 2019