+++ This bug was initially created as a clone of Bug #1652297 +++
Description of problem:
Running "swift-init container-sync once" throws this error:
Nov 21 14:59:14 ctrl01 container-server[1378]: Failed to update sync_store /srv/node/swiftloopback/containers/174991/f3f/aae3e64f909b58ab302a0fbb385eff3f/aae3e64f909b58ab302a0fbb385eff3f.db: #012Traceback (most recent call last):#012 File "/usr/lib/python2.7/site-packages/swift/container/replicator.py", line 194, in _post_replicate_hook#012 self.sync_store.update_sync_store(broker)#012 File "/usr/lib/python2.7/site-packages/swift/container/sync_store.py", line 159, in update_sync_store#012 self.add_synced_container(broker)#012 File "/usr/lib/python2.7/site-packages/swift/container/sync_store.py", line 81, in add_synced_container#012 raise oserr#012OSError: [Errno 13] Permission denied: '/srv/node/swiftloopback/sync_containers/174991/f3f/aae3e64f909b58ab302a0fbb385eff3f/aae3e64f909b58ab302a0fbb385eff3f.db'
Version-Release number of selected component (if applicable):
openstack-packstack-12.0.0-3.el7ost.noarch
openstack-packstack-puppet-12.0.0-3.el7ost.noarch
How reproducible:
Configure Container to Container and do synchronization
Actual results:
SELinux blocks link creation:
type=AVC msg=audit(1542830504.754:4792): avc: denied { read } for pid=1378 comm="swift-container" name="aae3e64f909b58ab302a0fbb385eff3f.db" dev="loop0" ino=20 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:swift_data_t:s0 tclass=lnk_file
Expected results:
Synchronization done correctly.
Additional info:
The missing rule is the following:
[root@ctrl01 ~(keystone_admin)]# tail -100 /var/log/audit/audit.log|audit2allow
#============= swift_t ==============
allow swift_t swift_data_t:lnk_file create;
--- Additional comment from Zoli Caplovic on 2018-11-28 16:59:54 UTC ---
Hello Alberto,
just for confirmation - the statement:
"The missing rule is the following: allow swift_t swift_data_t:lnk_file create;"
can be understood as "we need to add this rule and it will be working" or as "this seems to be the probable cause".
Thank you for the clarification
Zoli Caplovic
--- Additional comment from Alberto Gonzalez on 2018-11-28 17:02:59 UTC ---
Hello,
We need to add this rule and it will be working.
--- Additional comment from Zoli Caplovic on 2018-11-28 17:06:35 UTC ---
Thanks Alberto for the clarification. Will work on adding the rule.
Zoli