RDO tickets are now tracked in Jira https://issues.redhat.com/projects/RDO/issues/
Bug 1095503 - swift object, container, and account server services fail to startup when selinux is in enforcing mode
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: RDO
Classification: Community
Component: openstack-puppet-modules
Version: unspecified
Hardware: Unspecified
OS: Linux
unspecified
high
Target Milestone: ---
: ---
Assignee: Lukas Bezdicka
QA Contact: Dafna Ron
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2014-05-07 21:22 UTC by Richard Su
Modified: 2016-04-26 22:40 UTC (History)

Fixed In Version: openstack-puppet-modules-2014.1-20.1
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-09-15 09:29:34 UTC
Embargoed:


Attachments
audit.log from packstack install (4.17 MB, text/x-log)
2014-05-07 21:22 UTC, Richard Su


Links
System ID | Private | Priority | Status | Summary | Last Updated
OpenStack gerrit 94172 | 0 | None | None | None | Never
OpenStack gerrit 97195 | 0 | None | None | None | Never

Description Richard Su 2014-05-07 21:22:38 UTC
Created attachment 893470
audit.log from packstack install

Description of problem:
These services fail to start up when selinux is in enforcing mode
openstack-swift-account.service
openstack-swift-container.service
openstack-swift-object.service

One of the issues is the services are denied access to bind to ports 6000, 6001, and 6002.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.12.1-158.fc20.noarch
openstack-swift-account-1.13.1-1.fc21.noarch
openstack-swift-container-1.13.1-1.fc21.noarch
openstack-swift-object-1.13.1-1.fc21.noarch

How reproducible:
always

Steps to Reproduce:
1. check selinux is in enforcing mode
2. install packstack with swift turned on

Actual results:
swift services fail to startup

Expected results:
swift services start up

Additional info:
From /var/log/audit/audit.log
type=AVC msg=audit(1399496981.232:11466): avc:  denied  { write } for  pid=3911 comm="rsync" name="lock" dev="tmpfs" ino=6469 scontext=system_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
type=AVC msg=audit(1399496981.249:11467): avc:  denied  { write } for  pid=3919 comm="rsync" name="lock" dev="tmpfs" ino=6469 scontext=system_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
type=AVC msg=audit(1399496981.274:11468): avc:  denied  { write } for  pid=3927 comm="rsync" name="lock" dev="tmpfs" ino=6469 scontext=system_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
type=AVC msg=audit(1399496998.327:11598): avc:  denied  { search } for  pid=4369 comm="swift-container" name="/" dev="loop1" ino=2 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1399497001.164:11628): avc:  denied  { getattr } for  pid=4660 comm="swift-object-au" path="/srv/node/device1" dev="loop1" ino=2 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1399497001.167:11629): avc:  denied  { getattr } for  pid=4661 comm="swift-object-au" path="/srv/node/device1" dev="loop1" ino=2 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1399497001.903:11637): avc:  denied  { name_bind } for  pid=4746 comm="swift-container" src=6001 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:xserver_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1399497010.650:11719): avc:  denied  { name_bind } for  pid=5096 comm="swift-account-s" src=6002 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:xserver_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1399497011.080:11722): avc:  denied  { name_bind } for  pid=5193 comm="swift-object-se" src=6000 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:xserver_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1399497011.445:11725): avc:  denied  { search } for  pid=5253 comm="swift-object-re" name="/" dev="loop1" ino=2 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1399497028.355:11880): avc:  denied  { search } for  pid=4369 comm="swift-container" name="/" dev="loop1" ino=2 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1399497031.254:11959): avc:  denied  { getattr } for  pid=6270 comm="swift-object-au" path="/srv/node/device1" dev="loop1" ino=2 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1399497031.255:11960): avc:  denied  { getattr } for  pid=6269 comm="swift-object-au" path="/srv/node/device1" dev="loop1" ino=2 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1399497034.938:11987): avc:  denied  { search } for  pid=5037 comm="swift-account-r" name="/" dev="loop1" ino=2 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1399497041.491:12142): avc:  denied  { search } for  pid=5253 comm="swift-object-re" name="/" dev="loop1" ino=2 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1399497058.380:12382): avc:  denied  { search } for  pid=4369 comm="swift-container" name="/" dev="loop1" ino=2 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1399497061.331:12411): avc:  denied  { getattr } for  pid=7756 comm="swift-object-au" path="/srv/node/device1" dev="loop1" ino=2 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1399497061.333:12412): avc:  denied  { getattr } for  pid=7757 comm="swift-object-au" path="/srv/node/device1" dev="loop1" ino=2 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1399497061.356:12413): avc:  denied  { getattr } for  pid=7758 comm="swift-object-au" path="/srv/node/device1" dev="loop1" ino=2 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1399497064.968:12496): avc:  denied  { search } for  pid=5037 comm="swift-account-r" name="/" dev="loop1" ino=2 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1399497071.524:12497): avc:  denied  { search } for  pid=5253 comm="swift-object-re" name="/" dev="loop1" ino=2 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1399497088.405:12498): avc:  denied  { search } for  pid=4369 comm="swift-container" name="/" dev="loop1" ino=2 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1399497091.409:12499): avc:  denied  { getattr } for  pid=7839 comm="swift-object-au" path="/srv/node/device1" dev="loop1" ino=2 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1399497091.412:12500): avc:  denied  { getattr } for  pid=7840 comm="swift-object-au" path="/srv/node/device1" dev="loop1" ino=2 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1399497094.998:12501): avc:  denied  { search } for  pid=5037 comm="swift-account-r" name="/" dev="loop1" ino=2 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1399497101.555:12502): avc:  denied  { search } for  pid=5253 comm="swift-object-re" name="/" dev="loop1" ino=2 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1399497118.434:12503): avc:  denied  { search } for  pid=4369 comm="swift-container" name="/" dev="loop1" ino=2 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1399497121.484:12507): avc:  denied  { getattr } for  pid=7871 comm="swift-object-au" path="/srv/node/device1" dev="loop1" ino=2 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1399497121.487:12508): avc:  denied  { getattr } for  pid=7872 comm="swift-object-au" path="/srv/node/device1" dev="loop1" ino=2 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1399497125.027:12516): avc:  denied  { search } for  pid=5037 comm="swift-account-r" name="/" dev="loop1" ino=2 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1399497131.586:12517): avc:  denied  { search } for  pid=5253 comm="swift-object-re" name="/" dev="loop1" ino=2 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1399497148.464:12518): avc:  denied  { search } for  pid=4369 comm="swift-container" name="/" dev="loop1" ino=2 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1399497151.553:12519): avc:  denied  { getattr } for  pid=7910 comm="swift-object-au" path="/srv/node/device1" dev="loop1" ino=2 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1399497151.556:12520): avc:  denied  { getattr } for  pid=7911 comm="swift-object-au" path="/srv/node/device1" dev="loop1" ino=2 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1399497155.056:12521): avc:  denied  { search } for  pid=5037 comm="swift-account-r" name="/" dev="loop1" ino=2 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1399497161.618:12522): avc:  denied  { search } for  pid=5253 comm="swift-object-re" name="/" dev="loop1" ino=2 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1399497178.494:12523): avc:  denied  { search } for  pid=4369 comm="swift-container" name="/" dev="loop1" ino=2 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1399497181.608:12534): avc:  denied  { getattr } for  pid=7932 comm="swift-object-au" path="/srv/node/device1" dev="loop1" ino=2 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1399497181.608:12535): avc:  denied  { getattr } for  pid=7933 comm="swift-object-au" path="/srv/node/device1" dev="loop1" ino=2 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1399497181.631:12536): avc:  denied  { getattr } for  pid=7934 comm="swift-object-au" path="/srv/node/device1" dev="loop1" ino=2 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1399497185.086:12537): avc:  denied  { search } for  pid=5037 comm="swift-account-r" name="/" dev="loop1" ino=2 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1399497191.647:12538): avc:  denied  { search } for  pid=5253 comm="swift-object-re" name="/" dev="loop1" ino=2 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1399497208.520:12539): avc:  denied  { search } for  pid=4369 comm="swift-container" name="/" dev="loop1" ino=2 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1399497211.680:12540): avc:  denied  { getattr } for  pid=7956 comm="swift-object-au" path="/srv/node/device1" dev="loop1" ino=2 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1399497211.682:12541): avc:  denied  { getattr } for  pid=7957 comm="swift-object-au" path="/srv/node/device1" dev="loop1" ino=2 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1399497214.048:12542): avc:  denied  { getattr } for  pid=4687 comm="swift-object-up" path="/srv/node/device1" dev="loop1" ino=2 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1399497215.115:12543): avc:  denied  { search } for  pid=5037 comm="swift-account-r" name="/" dev="loop1" ino=2 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1399497221.679:12544): avc:  denied  { search } for  pid=5253 comm="swift-object-re" name="/" dev="loop1" ino=2 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1399497238.550:12545): avc:  denied  { search } for  pid=4369 comm="swift-container" name="/" dev="loop1" ino=2 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1399497241.742:12554): avc:  denied  { getattr } for  pid=7975 comm="swift-object-au" path="/srv/node/device1" dev="loop1" ino=2 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1399497241.745:12555): avc:  denied  { getattr } for  pid=7976 comm="swift-object-au" path="/srv/node/device1" dev="loop1" ino=2 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1399497241.796:12556): avc:  denied  { getattr } for  pid=7981 comm="swift-object-au" path="/srv/node/device1" dev="loop1" ino=2 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1399497245.145:12559): avc:  denied  { search } for  pid=5037 comm="swift-account-r" name="/" dev="loop1" ino=2 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1399497251.709:12560): avc:  denied  { search } for  pid=5253 comm="swift-object-re" name="/" dev="loop1" ino=2 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1399497268.578:12561): avc:  denied  { search } for  pid=4369 comm="swift-container" name="/" dev="loop1" ino=2 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1399497271.840:12562): avc:  denied  { getattr } for  pid=8011 comm="swift-object-au" path="/srv/node/device1" dev="loop1" ino=2 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1399497271.844:12563): avc:  denied  { getattr } for  pid=8012 comm="swift-object-au" path="/srv/node/device1" dev="loop1" ino=2 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1399497275.171:12564): avc:  denied  { search } for  pid=5037 comm="swift-account-r" name="/" dev="loop1" ino=2 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1399497281.740:12565): avc:  denied  { search } for  pid=5253 comm="swift-object-re" name="/" dev="loop1" ino=2 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1399497298.606:12566): avc:  denied  { search } for  pid=4369 comm="swift-container" name="/" dev="loop1" ino=2 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1399497301.256:12570): avc:  denied  { search } for  pid=5312 comm="swift-container" name="/" dev="loop1" ino=2 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1399497301.909:12571): avc:  denied  { getattr } for  pid=8023 comm="swift-object-au" path="/srv/node/device1" dev="loop1" ino=2 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1399497301.911:12572): avc:  denied  { getattr } for  pid=8024 comm="swift-object-au" path="/srv/node/device1" dev="loop1" ino=2 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1399497301.938:12573): avc:  denied  { getattr } for  pid=8025 comm="swift-object-au" path="/srv/node/device1" dev="loop1" ino=2 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1399497305.202:12581): avc:  denied  { search } for  pid=5037 comm="swift-account-r" name="/" dev="loop1" ino=2 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1399497311.771:12582): avc:  denied  { search } for  pid=5253 comm="swift-object-re" name="/" dev="loop1" ino=2 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1399497328.630:12583): avc:  denied  { search } for  pid=4369 comm="swift-container" name="/" dev="loop1" ino=2 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1399497331.994:12584): avc:  denied  { getattr } for  pid=8044 comm="swift-object-au" path="/srv/node/device1" dev="loop1" ino=2 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1399497331.994:12585): avc:  denied  { getattr } for  pid=8045 comm="swift-object-au" path="/srv/node/device1" dev="loop1" ino=2 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1399497332.018:12586): avc:  denied  { getattr } for  pid=8046 comm="swift-object-au" path="/srv/node/device1" dev="loop1" ino=2 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1399497335.227:12587): avc:  denied  { search } for  pid=5037 comm="swift-account-r" name="/" dev="loop1" ino=2 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1399497341.803:12588): avc:  denied  { search } for  pid=5253 comm="swift-object-re" name="/" dev="loop1" ino=2 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1399497358.660:12589): avc:  denied  { search } for  pid=4369 comm="swift-container" name="/" dev="loop1" ino=2 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1399497362.073:12600): avc:  denied  { getattr } for  pid=8068 comm="swift-object-au" path="/srv/node/device1" dev="loop1" ino=2 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1399497362.076:12601): avc:  denied  { getattr } for  pid=8069 comm="swift-object-au" path="/srv/node/device1" dev="loop1" ino=2 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1399497362.106:12602): avc:  denied  { getattr } for  pid=8070 comm="swift-object-au" path="/srv/node/device1" dev="loop1" ino=2 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1399497365.257:12603): avc:  denied  { search } for  pid=5037 comm="swift-account-r" name="/" dev="loop1" ino=2 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1399497371.833:12604): avc:  denied  { search } for  pid=5253 comm="swift-object-re" name="/" dev="loop1" ino=2 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1399497388.690:12605): avc:  denied  { search } for  pid=4369 comm="swift-container" name="/" dev="loop1" ino=2 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1399497392.157:12606): avc:  denied  { getattr } for  pid=8094 comm="swift-object-au" path="/srv/node/device1" dev="loop1" ino=2 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1399497392.160:12607): avc:  denied  { getattr } for  pid=8095 comm="swift-object-au" path="/srv/node/device1" dev="loop1" ino=2 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1399497392.189:12608): avc:  denied  { getattr } for  pid=8096 comm="swift-object-au" path="/srv/node/device1" dev="loop1" ino=2 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1399497395.287:12609): avc:  denied  { search } for  pid=5037 comm="swift-account-r" name="/" dev="loop1" ino=2 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1399497401.865:12610): avc:  denied  { search } for  pid=5253 comm="swift-object-re" name="/" dev="loop1" ino=2 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1399497418.720:12611): avc:  denied  { search } for  pid=4369 comm="swift-container" name="/" dev="loop1" ino=2 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1399497422.240:12622): avc:  denied  { getattr } for  pid=8151 comm="swift-object-au" path="/srv/node/device1" dev="loop1" ino=2 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1399497422.243:12623): avc:  denied  { getattr } for  pid=8152 comm="swift-object-au" path="/srv/node/device1" dev="loop1" ino=2 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1399497425.316:12624): avc:  denied  { search } for  pid=5037 comm="swift-account-r" name="/" dev="loop1" ino=2 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1399497431.897:12625): avc:  denied  { search } for  pid=5253 comm="swift-object-re" name="/" dev="loop1" ino=2 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1399497448.750:12626): avc:  denied  { search } for  pid=4369 comm="swift-container" name="/" dev="loop1" ino=2 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1399497452.308:12627): avc:  denied  { getattr } for  pid=8178 comm="swift-object-au" path="/srv/node/device1" dev="loop1" ino=2 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1399497452.310:12628): avc:  denied  { getattr } for  pid=8179 comm="swift-object-au" path="/srv/node/device1" dev="loop1" ino=2 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1399497455.345:12629): avc:  denied  { search } for  pid=5037 comm="swift-account-r" name="/" dev="loop1" ino=2 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1399497461.929:12630): avc:  denied  { search } for  pid=5253 comm="swift-object-re" name="/" dev="loop1" ino=2 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1399497478.780:12631): avc:  denied  { search } for  pid=4369 comm="swift-container" name="/" dev="loop1" ino=2 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1399497482.368:12642): avc:  denied  { getattr } for  pid=8200 comm="swift-object-au" path="/srv/node/device1" dev="loop1" ino=2 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1399497482.368:12643): avc:  denied  { getattr } for  pid=8201 comm="swift-object-au" path="/srv/node/device1" dev="loop1" ino=2 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1399497482.392:12644): avc:  denied  { getattr } for  pid=8202 comm="swift-object-au" path="/srv/node/device1" dev="loop1" ino=2 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1399497485.369:12645): avc:  denied  { search } for  pid=5037 comm="swift-account-r" name="/" dev="loop1" ino=2 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1399497491.958:12646): avc:  denied  { search } for  pid=5253 comm="swift-object-re" name="/" dev="loop1" ino=2 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir

Comment 1 Richard Su 2014-05-07 21:39:29 UTC
Related to the swift selinux issues found in https://bugzilla.redhat.com/show_bug.cgi?id=1084310

We can't use ports 6000-6002 because those are reserved for xserver. One suggestion is to change the config files to use different ports, 6201-6203.

Comment 2 Derek Higgins 2014-05-08 00:03:56 UTC
There is some selinux trickery going on to allow keystone and the docker-registry to both use port 5000, I wonder could this also apply here?

Comment 3 Lukas Bezdicka 2014-05-19 11:25:30 UTC
Most of these are:

type=AVC msg=audit(1399497491.958:12646): avc:  denied  { search } for  pid=5253 comm="swift-object-re" name="/" dev="loop1" ino=2 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir

so let's focus on that in this ticket.

Comment 4 Richard Su 2014-05-22 01:51:47 UTC
Hi Lukas,

Thanks. But what about the name_bind errors? They were my primary concerns when I opened this bug.

type=AVC msg=audit(1399497001.903:11637): avc:  denied  { name_bind } for  pid=4746 comm="swift-container" src=6001 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:xserver_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1399497010.650:11719): avc:  denied  { name_bind } for  pid=5096 comm="swift-account-s" src=6002 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:xserver_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1399497011.080:11722): avc:  denied  { name_bind } for  pid=5193 comm="swift-object-se" src=6000 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:xserver_port_t:s0 tclass=tcp_socket

Comment 5 Miroslav Grepl 2014-05-22 07:40:27 UTC
I thought it was going to be changed? AFAIK there is a bug for this issue.

Comment 6 Lukas Bezdicka 2014-05-22 08:18:49 UTC
There is specifically a bug for swift port choice, I think it's bug #1084310, and I also think we should have a separate bug for this, as this is an upstream/redhat change of ports vs. a puppet issue with mounting and breaking the selinux context on /srv/node/device1.
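
Added example (not part of the original report or of any RDO/OpenStack code): a small Python triage script that groups AVC denials like the ones in the description by source type, permission, target type and class, which separates the name_bind port denials raised in Comment 4 from the file_t directory denials Comment 3 focuses on. The function names are illustrative, and the sample lines are a subset copied from the audit.log excerpt above.

```python
import re
from collections import Counter

# Subset of the denials quoted in this report's description.
SAMPLE_LOG = """\
type=AVC msg=audit(1399496981.232:11466): avc:  denied  { write } for  pid=3911 comm="rsync" name="lock" dev="tmpfs" ino=6469 scontext=system_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
type=AVC msg=audit(1399496998.327:11598): avc:  denied  { search } for  pid=4369 comm="swift-container" name="/" dev="loop1" ino=2 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1399497001.164:11628): avc:  denied  { getattr } for  pid=4660 comm="swift-object-au" path="/srv/node/device1" dev="loop1" ino=2 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1399497001.903:11637): avc:  denied  { name_bind } for  pid=4746 comm="swift-container" src=6001 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:xserver_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1399497010.650:11719): avc:  denied  { name_bind } for  pid=5096 comm="swift-account-s" src=6002 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:xserver_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1399497011.080:11722): avc:  denied  { name_bind } for  pid=5193 comm="swift-object-se" src=6000 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:xserver_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1399497011.445:11725): avc:  denied  { search } for  pid=5253 comm="swift-object-re" name="/" dev="loop1" ino=2 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
"""

AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    try:
        # A context is user:role:type:level; the policy decision keys on type.
        fields['stype'] = fields['scontext'].split(':')[2]
        fields['ttype'] = fields['tcontext'].split(':')[2]
        fields['tclass']  # must be present for the record to be usable
    except (KeyError, IndexError):
        return None  # truncated or malformed record
    fields['perms'] = ' '.join(m.group('perms').split())
    return fields


def summarize(log_text):
    """Count denials per (source type, perms, target type, class)."""
    counts, objects = Counter(), {}
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        key = (d['stype'], d['perms'], d['ttype'], d['tclass'])
        counts[key] += 1
        # src= is the port for name_bind; path=/name= identify file objects.
        obj = d.get('src') or d.get('path') or d.get('name')
        if obj:
            objects.setdefault(key, set()).add(obj)
    return counts, objects


def blocked_ports(log_text):
    """Ports a domain was denied binding, with the port type that owns them."""
    found = set()
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d and 'name_bind' in d['perms'].split() and d.get('src', '').isdigit():
            found.add((int(d['src']), d['stype'], d['ttype']))
    return sorted(found)


if __name__ == '__main__':
    counts, objects = summarize(SAMPLE_LOG)
    for key, n in counts.most_common():
        stype, perms, ttype, tclass = key
        print(f'{n:3d}  {stype} {{ {perms} }} {ttype}:{tclass}  '
              f'objects={sorted(objects.get(key, []))}')
    for port, stype, ttype in blocked_ports(SAMPLE_LOG):
        print(f'port {port}: {stype} denied name_bind, port is labeled {ttype}')
```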

