Description of problem:
Due to conflict with X server, we're relocating Swift to the 62xx block. We need SElinux to match.

Version-Release number of selected component (if applicable):
selinux-policy-3.12.1-166.fc20

Steps to Reproduce:
1. yum install openstack-swift
2. run swift-ring-builder per manual, etc. Basically make sure that Swift can start normally
3. systemctl start openstack-swift-object

I am informed that "swift-init main start" will not work under SElinux Enforcing mode even if ports are set correctly. Must use systemctl.

Actual results:
type=AVC msg=audit(1399497011.080:11722): avc: denied { name_bind } for pid=5193 comm="swift-object-se" src=6000 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:xserver_port_t:s0 tclass=tcp_socket
<==== only could be 6200 for "new" openstack-swift

Expected results:
no fault

Additional info:
See Lon's comment on bug 1107907 about the selinux-policy upstream. Note that 6200 is not upstream in Openstack Swift (maybe not yet, but for now they explicitly refuse to move away from 6000, because it's easily configurable in case of conflict). Therefore, whatever the upstream for SElinux is, it should not move just yet. This bug is thus a request for a Fedora-specific fork.
First build with port 6200 is openstack-swift-1.13.1-4.fc21
commit b93806b73ec20186fc926946f1c616ff5e1f678e
Author: Miroslav Grepl <mgrepl>
Date:   Wed Jun 25 10:32:05 2014 +0200

    Allow swift to use tcp/6200 swift port
Created attachment 912341 [details] audit.log using selinux-policy-targeted-3.13.1-62.fc21.noarch and openstack-swift-1.13.1-4.fc21.noarch
I added only tcp/6200 :(. See the first comment.
So we need to label 6000 to 6200 range, right?
Or 6200-6203?
It's 6200-6202: 3 ports. The old policy is supposed to have something that allows Swift to listen on 6000-6002. That would be no longer necessary.
I've tested the swift packages with selinux-policy-targeted-3.12.1-173.fc20.noarch. The name_bind errors are still there; this time they are just classified differently, from being on unreserved_port_t to swift_port_t.

audit.log:type=AVC msg=audit(1403800821.340:165): avc: denied { name_bind } for pid=4546 comm="swift-account-s" src=6202 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:swift_port_t:s0 tclass=tcp_socket
audit.log:type=AVC msg=audit(1403800822.067:172): avc: denied { name_bind } for pid=4576 comm="swift-container" src=6201 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:swift_port_t:s0 tclass=tcp_socket
audit.log:type=AVC msg=audit(1403800822.533:175): avc: denied { name_bind } for pid=4613 comm="swift-object-se" src=6200 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:swift_port_t:s0 tclass=tcp_socket

I'm also seeing name_connect errors on ports 6202 and 6201. Can you look at those and see if the problem also applies to port 6200?

type=AVC msg=audit(1403803945.341:876): avc: denied { name_connect } for pid=4678 comm="swift-container" dest=6202 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:swift_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1403803954.300:892): avc: denied { name_connect } for pid=4692 comm="swift-object-se" dest=6201 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:swift_port_t:s0 tclass=tcp_socket
Created attachment 912604 [details] audit.log name_bind errors with selinux-policy-targeted-3.12.1-173.fc20.noarch
Created attachment 912605 [details] audit.log name_connect errors with selinux-policy-targeted-3.12.1-173.fc20.noarch
Created attachment 912606 [details] output from ps -efZ
(In reply to Richard Su from comment #11)
> I've tested the swift packages with
> selinux-policy-targeted-3.12.1-173.fc20.noarch. The name_bind errors are
> still, this time they are just classified differently, from being on
> unreserved_port_t to swift_port_t.
>
> audit.log:type=AVC msg=audit(1403800821.340:165): avc: denied { name_bind } for pid=4546 comm="swift-account-s" src=6202 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:swift_port_t:s0 tclass=tcp_socket
> audit.log:type=AVC msg=audit(1403800822.067:172): avc: denied { name_bind } for pid=4576 comm="swift-container" src=6201 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:swift_port_t:s0 tclass=tcp_socket
> audit.log:type=AVC msg=audit(1403800822.533:175): avc: denied { name_bind } for pid=4613 comm="swift-object-se" src=6200 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:swift_port_t:s0 tclass=tcp_socket
>
> I'm also seeing name_connect errors. on ports 6202 and 6201. Can you look at
> those and see if the problem also applies to port 6200?:
>
> type=AVC msg=audit(1403803945.341:876): avc: denied { name_connect } for pid=4678 comm="swift-container" dest=6202 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:swift_port_t:s0 tclass=tcp_socket
> type=AVC msg=audit(1403803954.300:892): avc: denied { name_connect } for pid=4692 comm="swift-object-se" dest=6201 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:swift_port_t:s0 tclass=tcp_socket

We allow it in rawhide. Back porting.
Miroslav,

The errors in comment #11 have been fixed with selinux-policy-targeted-3.12.1-174.fc20.

I found two errors today, one for keystone admin port 35357 and another to memcache port 11211.

audit.log:type=AVC msg=audit(1403894129.049:694): avc: denied { name_connect } for pid=4434 comm="swift-proxy-ser" dest=35357 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:keystone_port_t:s0 tclass=tcp_socket
audit.log:type=AVC msg=audit(1403894129.051:695): avc: denied { name_connect } for pid=4434 comm="swift-proxy-ser" dest=11211 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:memcache_port_t:s0 tclass=tcp_socket

These were listed in comment #4 too, so maybe they somehow crawled back in with the back port. Please provide a package update for these too. Thanks.
Created attachment 912937 [details] audit.log for name_connect to keystone and memcache
Ok the problem is different. We added labeling for swift-proxy-server and now we are getting these issues. Btw. it can be allowed also by

#!!!! This avc can be allowed using the boolean 'swift_can_network'
allow swift_t keystone_port_t:tcp_socket name_connect;

#!!!! This avc can be allowed using the boolean 'swift_can_network'
allow swift_t memcache_port_t:tcp_socket name_connect;
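The denials quoted across this thread fall into distinct buckets that are fixed differently: a port that carries another service's label (6000 as xserver_port_t), a correctly labelled swift_port_t that swift_t is simply not yet allowed to bind or connect to (comment #11), and name_connect to keystone_port_t / memcache_port_t, which the audit2allow output above ties to the swift_can_network boolean. The script below is an added triage example, not code from this bug or from the selinux-policy package: it parses AVC lines, extracts the permission, port and target port type, and groups them by the kind of fix they point at. The sample log is constructed from the denials quoted in this thread, and the category names, the regex and the 6200-6202 port range check are this example's own assumptions.

```python
"""Triage SELinux AVC denials for OpenStack Swift port access.

Groups each tcp_socket denial by the kind of fix it points at (port
label, missing policy rule, or boolean), using the port types that
appear in this bug.
"""
import re
from collections import defaultdict

# Constructed sample input: the denials quoted in this bug, one per line.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1399497011.080:11722): avc: denied { name_bind } for pid=5193 comm="swift-object-se" src=6000 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:xserver_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1403800821.340:165): avc: denied { name_bind } for pid=4546 comm="swift-account-s" src=6202 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:swift_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1403800822.067:172): avc: denied { name_bind } for pid=4576 comm="swift-container" src=6201 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:swift_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1403800822.533:175): avc: denied { name_bind } for pid=4613 comm="swift-object-se" src=6200 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:swift_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1403803945.341:876): avc: denied { name_connect } for pid=4678 comm="swift-container" dest=6202 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:swift_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1403803954.300:892): avc: denied { name_connect } for pid=4692 comm="swift-object-se" dest=6201 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:swift_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1403894129.049:694): avc: denied { name_connect } for pid=4434 comm="swift-proxy-ser" dest=35357 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:keystone_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1403894129.051:695): avc: denied { name_connect } for pid=4434 comm="swift-proxy-ser" dest=11211 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:memcache_port_t:s0 tclass=tcp_socket
"""

# Tolerates the double spaces real audit.log lines carry around "denied" and "for".
AVC_RE = re.compile(
    r'msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s+avc:\s+denied\s+'
    r'\{\s*(?P<perm>[\w ]+?)\s*\}\s+for\s+'
    r'pid=(?P<pid>\d+)\s+comm="(?P<comm>[^"]+)"\s+'
    r'(?:src|dest)=(?P<port>\d+)\s+'
    r'scontext=\S*?:(?P<stype>\w+_t):\S+\s+'
    r'tcontext=\S*?:(?P<ttype>\w+_t):\S+\s+'
    r'tclass=(?P<tclass>\w+)'
)

SWIFT_PORTS = range(6200, 6203)     # assumed: the relocated Fedora Swift ports from this bug
SWIFT_PORT_TYPE = "swift_port_t"
# Port types the audit2allow output in this bug ties to the swift_can_network boolean.
BOOLEAN_TYPES = {"keystone_port_t": "swift_can_network",
                 "memcache_port_t": "swift_can_network"}


def parse_avc(text):
    """Return one dict per tcp_socket AVC denial in text; other lines are skipped."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m or m.group("tclass") != "tcp_socket":
            continue
        d = m.groupdict()
        d["pid"] = int(d["pid"])
        d["port"] = int(d["port"])
        denials.append(d)
    return denials


def classify(d):
    """Map one denial to the kind of fix it needs (category names are this example's own)."""
    port, ttype, perm = d["port"], d["ttype"], d["perm"]
    if d["stype"] != "swift_t":
        return "not-swift"
    if ttype == SWIFT_PORT_TYPE:
        # Port label is right; swift_t just lacks the bind/connect rule (policy update).
        return "missing-policy-rule"
    if port in SWIFT_PORTS:
        # Expected Swift port still carries a generic label such as unreserved_port_t.
        return "unlabelled-swift-port"
    if perm == "name_connect" and ttype in BOOLEAN_TYPES:
        return "boolean:" + BOOLEAN_TYPES[ttype]
    if perm == "name_bind":
        # Port belongs to another service's label (6000 is xserver_port_t here).
        return "conflicting-port-label"
    return "unclassified"


def triage(text):
    """Group (comm, permission, port) tuples by fix category, sorted for stable output."""
    groups = defaultdict(list)
    for d in parse_avc(text):
        groups[classify(d)].append((d["comm"], d["perm"], d["port"]))
    return {k: sorted(v) for k, v in groups.items()}


if __name__ == "__main__":
    for category, items in sorted(triage(SAMPLE_AUDIT).items()):
        print(category)
        for comm, perm, port in items:
            print(f"  {comm:<16} {perm:<12} port {port}")
```

Run it against `ausearch -m avc -ts recent` output (or audit.log directly) instead of the embedded sample to get the same grouping for a live host; a "missing-policy-rule" bucket that persists after updating selinux-policy is the signal to attach the log to a bug like this one, while a "boolean:swift_can_network" bucket can be cleared with the boolean as the audit2allow output above shows.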
commit d360db841bdefd19634e32f3200eba9d47d69168
Author: Miroslav Grepl <mgrepl>
Date:   Fri Jun 27 22:33:46 2014 +0200

    Allow swift to connect to keystone and memcache ports.

Also added to F20.
I have confirmed the keystone and memcache issues have been fixed with selinux-policy-3.12.1-175.fc20. Thanks!
This bug appears to have been reported against 'rawhide' during the Fedora 22 development cycle. Changing version to '22'. More information and reason for this action is here: https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora22
selinux-policy-3.13.1-116.fc22 has been submitted as an update for Fedora 22. https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-116.fc22
Package selinux-policy-3.13.1-116.fc22:
* should fix your issue,
* was pushed to the Fedora 22 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.13.1-116.fc22'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-3508/selinux-policy-3.13.1-116.fc22
then log in and leave karma (feedback).
selinux-policy-3.13.1-116.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.