On Thu, Apr 19, 2012 at 11:53 AM, Adam Young <ayoung@xxxxxxxxxx> wrote:
Did a little digging into an audit log message we've been seeing
specifically on Dashboard.
They look like this in audit.log:
type=AVC msg=audit(1334860567.213:5184): avc: denied { execute } for pid=19103 comm="httpd" path=2F6465762F73686D2F6666694F337A6B4972202864656C6574656429 dev=tmpfs ino=1281359 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_tmpfs_t:s0 tclass=file
And are a little clearer if you use:
sudo ausearch -i | grep denied
type=AVC msg=audit(04/19/2012 14:36:07.213:5184) : avc: denied { execute } for pid=19103 comm=httpd path=/dev/shm/ffiO3zkIr (deleted) dev=tmpfs ino=1281359 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_tmpfs_t:s0 tclass=file
Something in HTTPD is trying to generate code and then execute it
by writing to a file. We've traced that something down to the
UUID generation code. The standard UUID module makes a ctypes
call, which does run-time generation of native stubs in order to
call into libuuid to actually generate the UUID.
While we are working with the Python maintainers to come up with
long-term fixes, we probably want to come up with something short
term. We are going to generate an alternative UUID module,
probably named something along the lines of uuid_no_ctypes, that
will call into libuuid via pregenerated function stubs. This
module will be a copy of the uuid.py file from the upstream, with
the absolute minimum of changes to avoid ctypes.
Once we've got this working, all of the projects that use UUID
should switch over... this is a good argument for putting that code
into Openstack-common. Keystone, Nova, and Quantum all import uuid.
None of the projects seem to be using ctypes directly. However,
it is possible that we are using other third-party libraries
that, in turn, use ctypes.
_______________________________________________
Mailing list: https://launchpad.net/~openstack
Post to : openstack@xxxxxxxxxxxxxxxxxxx
Unsubscribe : https://launchpad.net/~openstack
More help : https://help.launchpad.net/ListHelp
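As an added example (not code from the message or from any OpenStack project), the following parses the raw audit.log form of the AVC record quoted above, decodes the hex-encoded path field the way ausearch -i does, and flags the pattern the message describes: a confined process denied execute on a tmpfs file, which is what runtime-generated code looks like to SELinux. The sample record is reconstructed from the quoted lines (pid 19103 per the ausearch output), and the field names are the standard audit.log ones.

```python
import re

# Constructed sample: the raw audit.log record from the message, reassembled
# onto one line (pid 19103, per the ausearch -i output).
SAMPLE_AVC = (
    'type=AVC msg=audit(1334860567.213:5184): avc: denied { execute } '
    'for pid=19103 comm="httpd" '
    'path=2F6465762F73686D2F6666694F337A6B4972202864656C6574656429 '
    'dev=tmpfs ino=1281359 scontext=unconfined_u:system_r:httpd_t:s0 '
    'tcontext=unconfined_u:object_r:httpd_tmpfs_t:s0 tclass=file'
)

_HEADER = re.compile(
    r'^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*avc:\s+'
    r'(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$'
)
_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
_HEX_KEYS = {"path", "comm", "name", "proctitle"}  # string fields audit may hex-encode

def _decode(key, raw):
    """Audit quoting: "quoted" is literal; an unquoted all-hex value of a
    string field is hex-encoded (done when it contains spaces, as here)."""
    if raw.startswith('"'):
        return raw[1:-1]
    if key in _HEX_KEYS and len(raw) % 2 == 0 and re.fullmatch(r'[0-9A-Fa-f]+', raw):
        return bytes.fromhex(raw).decode("utf-8", "replace")
    return raw

def parse_avc(line):
    """Parse one raw AVC record into a dict; None for any other record type."""
    m = _HEADER.match(line.strip())
    if not m:
        return None
    rec = {"timestamp": float(m.group("ts")), "serial": int(m.group("serial")),
           "result": m.group("result"), "perms": m.group("perms").split()}
    for key, raw in _FIELD.findall(m.group("rest")):
        rec[key] = _decode(key, raw)
    return rec

def source_type(rec):
    """SELinux type of the subject, e.g. 'httpd_t', taken from scontext."""
    return rec["scontext"].split(":")[2]

def is_tmpfs_exec_denial(rec):
    """The pattern in the message: a denied 'execute' on a tmpfs file, which is
    what runtime-generated native stubs (libffi closures via ctypes) look like."""
    return (rec is not None and rec["result"] == "denied"
            and "execute" in rec["perms"] and rec.get("tclass") == "file"
            and rec.get("dev") == "tmpfs")
```

Note that the parser takes the raw audit.log form, not the interpreted ausearch -i form with a human-readable date.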