openstack team mailing list archive

[Adam Young <ayoung@xxxxxxxxxx>]

Did a little digging into an audit log message we've been seeing 
specifically on Dashboard.

They look like this in audit.log

type=AVC msg=audit(1334860567.213:5184): avc:  denied  { execute } for  
pid=1910
3 comm="httpd" 
path=2F6465762F73686D2F6666694F337A6B4972202864656C6574656429 dev
=tmpfs ino=1281359 scontext=unconfined_u:system_r:httpd_t:s0 
tcontext=unconfined
_u:object_r:httpd_tmpfs_t:s0 tclass=file

And are a little clearer if you use

 sudo ausearch -i | grep denied

type=AVC msg=audit(04/19/2012 14:36:07.213:5184) : avc:  denied  { 
execute } for  pid=19103 comm=httpd path=/dev/shm/ffiO3zkIr (deleted) 
dev=tmpfs ino=1281359 scontext=unconfined_u:system_r:httpd_t:s0 
tcontext=unconfined_u:object_r:httpd_tmpfs_t:s0 tclass=file

Something in HTTPD is trying to generate code and then execute it by 
writing to a file.  We've traced that something down to the UUID 
generation code.  The standard UUID module makes a ctypes call, which 
does run time generation of Native stubs  in order to call into libuuid 
to actually generate the UUID.

While we are working with the Python maintainers to come up with long 
term fixes,  we probably want to come up with something short term.  We 
are going to generate an alternative UUID module,  probably named 
something along the lines of uuid_no_ctypes,  that will call into 
libuuid via pregenerated function stubs.  This module will be a copy of 
the uuid.py file from The upstream, with the absolute minimum of changes 
to avoid ctypes.

Once we've got this working,  all of the projects that use UUID should 
switch over...this is a good argument for putting that code into 
Openstack-common.  Keystone, Nova, and Quantum all import uuid.

None of the projects seem to be using ctypes directly.  However,  it is 
possible that we are using other third party libraries that, in turn, 
use ctypes.