[Rdo-list] Why is glance_api_can_network an selinux boolean?

Lars Kellogg-Stedman lars at redhat.com
Fri Mar 27 13:56:30 UTC 2015


Running `audit2allow -a` on my Fedora 21/RDO Juno system yields
several issues, but this one caught my eye:

  #!!!! This avc can be allowed using the boolean 'glance_api_can_network'
  allow glance_api_t keystone_port_t:tcp_socket name_connect;

Why is this a boolean?  In what scenario would glance *not* need to
connect to Keystone?

-- 
Lars Kellogg-Stedman <lars at redhat.com> | larsks @ {freenode,twitter,github}
Cloud Engineering / OpenStack          | http://blog.oddbit.com/
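
Added example (not part of the message above and not RDO or selinux-policy code): a triage script for `audit2allow -a` output that separates denials a boolean would permit from those that would need a policy module. The sample input is constructed; only the glance rule comes from the post, and `example_t` / `example_port_t` are hypothetical names.

```python
import re

# Constructed sample in the layout audit2allow prints. Only the glance rule
# is from the post; example_t / example_port_t are hypothetical.
SAMPLE = """\
#============= glance_api_t ==============

#!!!! This avc can be allowed using the boolean 'glance_api_can_network'
allow glance_api_t keystone_port_t:tcp_socket name_connect;

#============= example_t ==============
allow example_t example_port_t:tcp_socket name_connect;
"""

# Handles the single-boolean hint form shown in the post.
HINT = re.compile(r"^#!!!! This avc can be allowed using the boolean '([^']+)'")
RULE = re.compile(r"^allow\s+(\S+)\s+(\S+):(\S+)\s+(.+);$")


def triage(text):
    """Return (rules grouped by enabling boolean, rules with no boolean hint)."""
    by_boolean, needs_policy = {}, []
    pending = None  # boolean named by the hint line directly above a rule
    for raw in text.splitlines():
        line = raw.strip()
        hint, rule = HINT.match(line), RULE.match(line)
        if hint:
            pending = hint.group(1)
        elif rule:
            entry = dict(zip(("source", "target", "tclass", "perms"), rule.groups()))
            if pending:
                by_boolean.setdefault(pending, []).append(entry)
            else:
                needs_policy.append(entry)
            pending = None  # a hint covers only the rule that follows it
        elif line.startswith("#====="):
            pending = None  # new source-domain section
    return by_boolean, needs_policy


if __name__ == "__main__":
    booleans, rest = triage(SAMPLE)
    for name, rules in booleans.items():
        # Review what the boolean enables before turning it on.
        print(f"getsebool {name}")
        for r in rules:
            print(f"sesearch -A -s {r['source']} -b {name}")
    for r in rest:
        print(f"no boolean: {r['source']} -> {r['target']}:{r['tclass']} {r['perms']}")
```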
