Bug 1106330

Summary: selinux prevents swift-container from connecting to TCP port 6002
Product: Red Hat Enterprise Linux 7 Reporter: Giulio Fidente <gfidente>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Karel Srot <ksrot>
Severity: urgent Docs Contact:
Priority: urgent    
Version: 7.0CC: gfidente, lhh, mgrepl, mmalik, nlevinki, rhallise, tkammer, yeylon
Target Milestone: beta   
Target Release: 7.0   
Hardware: Unspecified   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 1109087 (view as bug list) Environment:
Last Closed: 2015-03-05 10:39:33 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1109087, 1111271    
Attachments:
Description Flags
AVC messages from audit.log none

Description Giulio Fidente 2014-06-09 05:46:52 UTC 
Description of problem:
on rhel7, when user attempts to create a container the operation initially _seems_ to succeed but the swift-container is blocked by selinux from connecting to TCP port 6002 during the process

the audit.log prints the following:

type=AVC msg=audit(1402292494.533:664): avc:  denied  { name_connect } for  pid=2593 comm="swift-container" dest=6002 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:xserver_port_t:s0 tclass=tcp_socket


Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.12.1-153.el7_0.10.noarch
selinux-policy-3.12.1-153.el7_0.10.noarch
Comment 2 Giulio Fidente 2014-06-09 15:49:09 UTC 
Created attachment 904770 [details]
AVC messages from audit.log
Comment 3 Lon Hohberger 2014-06-09 22:02:17 UTC 
To start with, rsync_full_access needs to be set:

# setsebool -P rsync_full_access 1

This part needs to be fixed in staypuft.
Comment 5 Lon Hohberger 2014-06-10 14:20:56 UTC 
Ports 6000, 6001, 6002 are all used by Swift.

https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux_OpenStack_Platform/5/html/Installation_and_Configuration_Guide/Configuring_the_Object_Storage_Service_Storage_Nodes.html

So, these should be allowed.
Comment 6 Miroslav Grepl 2014-06-11 08:56:05 UTC 
I added fixes to Fedora/RHEL7.1
Comment 18 errata-xmlrpc 2015-03-05 10:39:33 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0458.html