Bug 1193228

Summary: [RFE] SELinux support for RGW
Product: [Red Hat Storage] Red Hat Ceph Storage
Reporter: Keith Schincke <kschinck>
Component: RGW
Assignee: Boris Ranto <branto>
Status: CLOSED ERRATA
QA Contact: Yuri Weinstein <yweinste>
Severity: medium
Docs Contact:
Priority: unspecified
Version: 1.3.1
CC: branto, cbodley, ceph-eng-bugs, flucifre, hnallurv, kbader, kdreyer, mbenjamin, mbroz, nlevine, owasserm, smanjara, steve_hand, sweil, vumrao
Target Milestone: rc
Keywords: FutureFeature
Target Release: 1.3.2
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: ceph-0.94.5-3.el7cp
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-02-29 14:41:29 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Keith Schincke 2015-02-16 22:29:53 UTC
Description of problem:
With SELinux in enforcing mode, httpd is denied access to the radosgw unix socket.

Does the policy need to be updated or should the unix socket be relocated?

Version-Release number of selected component (if applicable):
RHEL 7.0 server
# rpm -qa  | egrep "radosgw|httpd|fastcgi|httpd|selinux"
mod_fastcgi-2.4.7-1.ceph.el7.x86_64
openstack-selinux-0.6.18-2.el7ost.noarch
libselinux-ruby-2.2.2-6.el7.x86_64
selinux-policy-targeted-3.12.1-153.el7_0.13.noarch
libselinux-2.2.2-6.el7.x86_64
httpd-tools-2.4.6-19.el7_0.x86_64
libselinux-utils-2.2.2-6.el7.x86_64
foreman-selinux-1.6.0.14-1.el7sat.noarch
selinux-policy-3.12.1-153.el7_0.13.noarch
ceph-radosgw-0.80.6-0.el7.x86_64
httpd-2.4.6-19.el7_0.x86_64
libselinux-python-2.2.2-6.el7.x86_64


How reproducible:
100%

Steps to Reproduce:
1. Configure radosgw service
2. setenforce 1
3. Attempt to use resource. 

Actual results:
# getenforce
Enforcing
# python s3test.py 
Traceback (most recent call last):
  File "s3test.py", line 13, in <module>
    bucket = conn.create_bucket('my-new-bucket2')
  File "/usr/lib/python2.7/site-packages/boto/s3/connection.py", line 581, in create_bucket
    data=data)
  File "/usr/lib/python2.7/site-packages/boto/s3/connection.py", line 633, in make_request
    retry_handler=retry_handler
  File "/usr/lib/python2.7/site-packages/boto/connection.py", line 1030, in make_request
    retry_handler=retry_handler)
  File "/usr/lib/python2.7/site-packages/boto/connection.py", line 986, in _mexe
    raise BotoServerError(response.status, response.reason, body)
boto.exception.BotoServerError: BotoServerError: 500 Internal Server Error
None


Expected results:
# getenforce 
Permissive
[root@osp-cont-1 ~(openstack_admin)]# python s3test.py 
my-new-bucket	2015-02-16T17:09:10.000Z
my-new-bucket2	2015-02-16T17:18:39.000Z


Additional info:
Here are the results from ausearch:
# ausearch -m avc
----
time->Mon Feb 16 17:18:39 2015
type=SYSCALL msg=audit(1424107119.547:77987): arch=c000003e syscall=42 success=yes exit=0 a0=10 a1=7fc2b7dd3bb0 a2=31 a3=0 items=0 ppid=36484 pid=36490 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1424107119.547:77987): avc:  denied  { connectto } for  pid=36490 comm="httpd" path="/run/ceph/ceph.radosgw.gateway.fastcgi.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1424107119.547:77987): avc:  denied  { write } for  pid=36490 comm="httpd" name="ceph.radosgw.gateway.fastcgi.sock" dev="tmpfs" ino=52480240 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
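
The two AVC records above already answer the reporter's question about what the denial means: tcontext=system_u:system_r:initrc_t:s0 on the connectto denial shows the radosgw process was running in the generic init-script domain (initrc_t) rather than a domain of its own, and tcontext=system_u:object_r:var_run_t:s0 on the write denial shows the socket file carried the default /run label (var_run_t) rather than an RGW-specific type. The snippet below is an added example written for this page, not code from the bug report or from the Ceph/Red Hat packages: it turns AVC records into the TE allow rules that audit2allow would generate, then flags rules whose target type is a generic label. The sample input is the two records quoted above, embedded as a constant so the script runs offline; the list of "generic" types in broad_targets is the editor's own short list, not an SELinux-defined set.

```sh
#!/bin/sh
# Constructed sample: the two AVC records from the bug report above,
# pasted into a variable so the functions below can be run offline.
SAMPLE_AVC='type=AVC msg=audit(1424107119.547:77987): avc:  denied  { connectto } for  pid=36490 comm="httpd" path="/run/ceph/ceph.radosgw.gateway.fastcgi.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1424107119.547:77987): avc:  denied  { write } for  pid=36490 comm="httpd" name="ceph.radosgw.gateway.fastcgi.sock" dev="tmpfs" ino=52480240 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file'

# avc_to_te: read AVC records on stdin and print one TE allow rule per
# denial, in the shape audit2allow emits:  allow SRC_TYPE TGT_TYPE:CLASS PERMS;
# Only the type field (third colon-separated part) of each context is used.
avc_to_te() {
  awk '
    /type=AVC/ && /denied/ {
      perms = ""; src = ""; tgt = ""; cls = ""
      # permissions sit between "{" and "}", e.g. "{ connectto }"
      if (match($0, /\{[^}]*\}/)) {
        perms = substr($0, RSTART + 1, RLENGTH - 2)
        gsub(/^ +| +$/, "", perms)
      }
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^scontext=/) { split(substr($i, 10), a, ":"); src = a[3] }
        if ($i ~ /^tcontext=/) { split(substr($i, 10), b, ":"); tgt = b[3] }
        if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
      }
      # several permissions in one record are written back inside braces
      if (index(perms, " ") > 0) perms = "{ " perms " }"
      printf "allow %s %s:%s %s;\n", src, tgt, cls, perms
    }'
}

# broad_targets: read TE rules on stdin and print the target type of every
# rule aimed at a generic label. The list here is the editor's choice, not an
# SELinux-defined set. A rule against such a type grants the source domain
# access to every object of that type on the system (every initrc_t socket,
# every var_run_t sock_file), not just the RGW socket, which is why the fix
# for a denial like this is a dedicated domain and file type for the service
# rather than a blindly applied audit2allow module.
broad_targets() {
  awk '
    BEGIN {
      generic["initrc_t"] = 1; generic["var_run_t"] = 1; generic["tmp_t"] = 1
      generic["unconfined_t"] = 1; generic["unlabeled_t"] = 1
    }
    /^allow / { split($3, t, ":"); if (t[1] in generic) print t[1] }'
}

# Run on the constructed sample.
printf '%s\n' "$SAMPLE_AVC" | avc_to_te
printf '%s\n' "$SAMPLE_AVC" | avc_to_te | broad_targets
```

On a live host the same pipeline reads `ausearch -m avc -ts recent | avc_to_te | broad_targets`; an empty result means every denial names a service-specific target type, a non-empty one means the policy for the service is missing or the files are mislabeled (check with `ls -Z /run/ceph/` and `ps -eZ | grep radosgw`). Both functions are parsers over text and do not need root or SELinux to run.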

Comment 3 Federico Lucifredi 2015-12-11 19:39:49 UTC
Hi Boris,
  SELinux is in the spotlight for 1.3.2... how are we looking?

Comment 4 Ken Dreyer (Red Hat) 2015-12-11 19:40:49 UTC
I think we're good, I checked private-branto-ceph-1.3-rhel-7 and radosgw is included there.

Comment 10 shilpa 2016-01-28 07:43:01 UTC
Tested RGW lifecycle with S3 and Swift. Didn't find any issues with SELinux enforcing. Verified.

Comment 12 errata-xmlrpc 2016-02-29 14:41:29 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:0313