| Summary: | Missing Selinux policy to talk with Memcache |
|---|---|
| Product: | Red Hat OpenStack |
| Component: | openstack-selinux |
| Reporter: | Federico Iezzi <fiezzi> |
| Assignee: | Ryan Hallisey <rhallise> |
| QA Contact: | Mike Burns <mburns> |
| CC: | dbecker, lhh, mburns, mgrepl, morazi, rhel-osp-director-maint, srevivo |
| Status: | CLOSED ERRATA |
| Severity: | unspecified |
| Priority: | unspecified |
| Version: | 7.0 (Kilo) |
| Target Milestone: | async |
| Target Release: | 8.0 (Liberty) |
| Keywords: | Triaged, ZStream |
| Hardware: | Unspecified |
| OS: | Unspecified |
| Fixed In Version: | openstack-selinux-0.7.3-1.el7ost |
| Doc Type: | Bug Fix |
| Type: | Bug |
| Last Closed: | 2016-11-14 19:44:39 UTC |
| Bug Blocks: | 1327681 |

Package shipped and bug verified in OSP 9

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2708.html

Description of problem:

Hello there,

On a customer implementation, Memcache has been used as Token Backend in Keystone. The current SELinux policies (openstack-selinux-0.6.55-1.el7ost.noarch) prevent the communication. Below are the logs:

```
type=AVC msg=audit(1460720246.797:113659): avc: denied { name_connect } for pid=14974 comm="keystone-all" dest=11211 scontext=system_u:system_r:keystone_t:s0 tcontext=system_u:object_r:memcache_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1460720246.797:113659): arch=c000003e syscall=42 success=no exit=-13 a0=d a1=7ffca7854cb0 a2=10 a3=1 items=0 ppid=14904 pid=14974 auid=4294967295 uid=163 gid=163 euid=163 suid=163 fsuid=163 egid=163 sgid=163 fsgid=163 tty=(none) ses=4294967295 comm="keystone-all" exe="/usr/bin/python2.7" subj=system_u:system_r:keystone_t:s0 key=(null)
```

Version-Release number of selected component (if applicable):
RHEL-OSP 7.3

How reproducible:

- needs to have an up and running openstack setup
- (if not present) install:
  - memcached
  - python-memcached
  - python-pymemcache
- update the following parameters in the keystone config

```ini
[token]
driver = keystone.token.persistence.backends.memcache_pool.Token
caching = True

[memcache]
# or anyway your local or remote memcache server
servers = 127.0.0.1:11211

[cache]
backend = dogpile.cache.memcached
enabled = True
debug_cache_backend = False
```

Steps to Reproduce:
1.
2.
3.

Actual results:
SELinux prevents the communication

Expected results:
a correct keystone <-> memcache communication

Additional info:
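
The denial quoted in the report can be reduced to the type-enforcement rule it corresponds to by pairing the AVC record with the SYSCALL record that shares its audit serial number. The Python below is an added example, not code from the report or from openstack-selinux. Assumptions: the function names are hypothetical, the sample is constructed from the two records in the report (SYSCALL record shortened), and the rule it produces is the raw form of the denied access, not the policy text of the shipped fix, which this page does not show.

```python
import re

# Constructed sample: the two audit records from the report (SYSCALL record shortened).
SAMPLE = """\
type=AVC msg=audit(1460720246.797:113659): avc: denied { name_connect } for pid=14974 comm="keystone-all" dest=11211 scontext=system_u:system_r:keystone_t:s0 tcontext=system_u:object_r:memcache_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1460720246.797:113659): arch=c000003e syscall=42 success=no exit=-13 a0=d a1=7ffca7854cb0 a2=10 a3=1 items=0 ppid=14904 pid=14974 comm="keystone-all" exe="/usr/bin/python2.7" subj=system_u:system_r:keystone_t:s0 key=(null)
"""

HEADER = re.compile(r"type=(\w+) msg=audit\(([\d.]+):(\d+)\):")
PERMS = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(text):
    """Group audit records by serial number so each AVC is paired with its SYSCALL."""
    events = {}
    for line in text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue  # not an audit record
        rtype, _timestamp, serial = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(line[m.end():])}
        if rtype == "AVC":
            pm = PERMS.search(line)
            if pm is None:
                continue  # AVC record that is not a denial (e.g. granted)
            fields["perms"] = pm.group(1).split()
        events.setdefault(serial, {})[rtype] = fields
    return events

def denial_summary(event):
    """Reduce one event to the type-enforcement rule the denial corresponds to."""
    avc, sc = event["AVC"], event.get("SYSCALL", {})
    src = avc["scontext"].split(":")[2]  # user:role:type:level -> type
    tgt = avc["tcontext"].split(":")[2]
    perms = avc["perms"]
    perm_txt = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return {
        "rule": f"allow {src} {tgt}:{avc['tclass']} {perm_txt};",
        "port": int(avc["dest"]) if "dest" in avc else None,
        "exe": sc.get("exe"),
        # exit=-13 is EACCES: the call failed, so the denial was enforced, not just logged
        "blocked": sc.get("success") == "no" and sc.get("exit") == "-13",
    }

if __name__ == "__main__":
    for serial, event in parse_events(SAMPLE).items():
        if "AVC" in event:
            print(serial, denial_summary(event))
```

Reviewing the derived rule before loading anything into policy shows exactly which domain gains which permission on which port type; here only `keystone_t` connecting to `memcache_port_t` is involved.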