Bug 1119151 - ceph traffic denied by selinux
Summary: ceph traffic denied by selinux
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-selinux
Version: 5.0 (RHEL 7)
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Target Release: 5.0 (RHEL 7)
Assignee: Ryan Hallisey
QA Contact: Tzach Shefi
Depends On:
Reported: 2014-07-14 07:02 UTC by bkopilov
Modified: 2016-04-27 03:22 UTC (History)

Fixed In Version: openstack-selinux-0.5.14-1.el7ost
Doc Type: Bug Fix
Doc Text:
In the previous release, SELinux prevented Ceph Storage from connecting to an unreserved port. As a result, Ceph was unable to receive traffic due to it being unable to connect to this port. The Image Service is now allowed to connect to all TCP ports; Ceph is allowed to connect to the unreserved port and receive incoming traffic.
Clone Of:
Last Closed: 2014-07-24 17:23:44 UTC

Attachments
audit.log file (4.31 MB, text/plain)
2014-07-15 14:17 UTC, bkopilov

System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2014:0937 normal SHIPPED_LIVE Red Hat Enterprise Linux OpenStack Platform Bug Fix and Enhancement Advisory 2014-07-24 21:21:56 UTC

Description bkopilov 2014-07-14 07:02:48 UTC
Description of problem:

OpenStack all-in-one, installed on RHEL 7.0.
Ceph used as backend.
When Ceph is configured as the Glance backend, SELinux denies the traffic.

type=AVC msg=audit(1405288494.951:22438): avc:  denied  { name_connect } for  pid=30974 comm="glance-api" dest=6800 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket

Version-Release number of selected component (if applicable):

How reproducible:
Configure ceph backend for glance

SELinux is preventing /usr/bin/python2.7 from name_connect access on the tcp_socket .

*****  Plugin connect_ports (99.5 confidence) suggests   *********************

If you want to allow /usr/bin/python2.7 to connect to network port 6800
Then you need to modify the port type.
# semanage port -a -t PORT_TYPE -p tcp 6800
    where PORT_TYPE is one of the following: amqp_port_t, certmaster_port_t, cluster_port_t, commplex_main_port_t, cyphesis_port_t, dns_port_t, dnssec_port_t, ephemeral_port_t, gear_port_t, glance_registry_port_t, gluster_port_t, hadoop_datanode_port_t, hplip_port_t, http_cache_port_t, http_port_t, keystone_port_t, matahari_port_t, mysqld_port_t, postgrey_port_t, virt_migration_port_t.

*****  Plugin catchall (1.49 confidence) suggests   **************************

If you believe that python2.7 should be allowed name_connect access on the  tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
allow this access for now by executing:
# grep glance-api /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:glance_api_t:s0
Target Context                system_u:object_r:unreserved_port_t:s0
Target Objects                 [ tcp_socket ]
Source                        glance-api
Source Path                   /usr/bin/python2.7
Port                          6800
Host                          <Unknown>
Source RPM Packages           python-2.7.5-11.fc20.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-158.fc20.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     yrabl-fedora.tlv.redhat.com
Platform                      Linux yrabl-fedora.tlv.redhat.com
                              3.14.2-200.fc20.x86_64 #1 SMP Mon Apr 28 14:40:57
                              UTC 2014 x86_64 x86_64
Alert Count                   2030
First Seen                    2014-07-14 00:54:54 IDT
Last Seen                     2014-07-14 02:19:24 IDT
Local ID                      774f6249-50d2-4cc8-9cfa-f9b05429b3e1

Raw Audit Messages
type=AVC msg=audit(1405293564.622:37962): avc:  denied  { name_connect } for  pid=28641 comm="glance-api" dest=6800 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket

type=SYSCALL msg=audit(1405293564.622:37962): arch=x86_64 syscall=connect success=no exit=EACCES a0=9 a1=3ddd040 a2=10 a3=0 items=0 ppid=24406 pid=28641 auid=4294967295 uid=161 gid=161 euid=161 suid=161 fsuid=161 egid=161 sgid=161 fsgid=161 tty=(none) ses=4294967295 comm=glance-api exe=/usr/bin/python2.7 subj=system_u:system_r:glance_api_t:s0 key=(null)

Hash: glance-api,glance_api_t,unreserved_port_t,tcp_socket,name_connect

Steps to Reproduce:

Actual results:

Expected results:

Additional info:
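To triage a denial like the one above without hand-reading audit.log, the following added example (not part of this bug report or of openstack-selinux) parses type=AVC records, builds the same comm,source type,target type,class,permission key that sealert prints as "Hash:", and collects the destination ports each denial hit, which is what tells you whether a port label (semanage port) or a broader policy rule is the right fix. The sample input is constructed: the first record is the AVC from this report, the rest are made-up lines in the same format.

```python
import re
from collections import Counter

# Constructed sample: line 1 is the AVC quoted in this bug, the others are invented for illustration.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1405293564.622:37962): avc:  denied  { name_connect } for  pid=28641 comm="glance-api" dest=6800 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1405293564.622:37962): arch=x86_64 syscall=connect success=no exit=EACCES
type=AVC msg=audit(1405293570.100:37970): avc:  denied  { name_connect } for  pid=28641 comm="glance-api" dest=6801 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1405293580.200:37980): avc:  granted  { name_connect } for  pid=100 comm="glance-api" dest=9191 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:glance_registry_port_t:s0 tclass=tcp_socket
"""

# Header of an AVC record: verdict, the permission set in braces, then key=value pairs.
AVC_RE = re.compile(
    r'^type=AVC .*?avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # comm="glance-api" or dest=6800

def parse_avc(line):
    """Return a dict for one AVC record, or None for any other audit record type."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {'verdict': m.group('verdict'), 'perms': m.group('perms').split()}
    for key, val in KV_RE.findall(m.group('rest')):
        rec[key] = val.strip('"')
    return rec

def type_of(context):
    """user:role:type:level -> type; works for MLS ranges too since the type is always field 3."""
    return context.split(':')[2]

def sealert_hash(rec):
    """comm,source type,target type,class,perm: matches the Hash: line sealert prints above."""
    return ','.join([rec['comm'], type_of(rec['scontext']), type_of(rec['tcontext']),
                     rec['tclass'], ','.join(rec['perms'])])

def summarize_denials(text):
    """Count each distinct denial and record the dest ports it was seen on (grants are skipped)."""
    counts, ports = Counter(), {}
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec['verdict'] != 'denied':
            continue
        key = sealert_hash(rec)
        counts[key] += 1
        if 'dest' in rec:
            ports.setdefault(key, set()).add(int(rec['dest']))
    return counts, ports
```

A denial whose ports all fall in one known service range points at labelling those ports with the right port type; a spread across many unreserved ports is the case the fix in this bug addresses by letting glance_api_t connect to all TCP ports.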

Comment 2 Lon Hohberger 2014-07-15 14:11:06 UTC
In order to best solve this, please:

1) Use RHEL 7 packages.  Fedora has a different selinux-policy
   package (if you are using RHEL 7, why do the packages have the
   .fc20 dist tag?)

2) switch to permissive on the affected system (setenforce 0)

3) run a full test (including access of files) with the system in
   * note that access to files on ceph itself is outside
     the scope of openstack-selinux.  It requires specific
     labelling by the administrator for whatever application
     will use it; if it's glance, perhaps we simply need to 
     mount it in the right place and 'restorecon -Rv' on the

4) Attach the entire /var/log/audit/audit.log.

This will prevent a lot of back-and-forth about the AVCs.

Comment 3 bkopilov 2014-07-15 14:17:20 UTC
Created attachment 918181 [details]
audit.log file

Comment 4 Ryan Hallisey 2014-07-15 15:18:01 UTC

Assuming glance_api_t will need to connect to many different ports then I'll add the above rule.

Comment 8 Tzach Shefi 2014-07-22 13:05:11 UTC
Verified on:

Glance configured with Ceph backend, images uploaded.
No AVCs found in audit.log.

Comment 10 errata-xmlrpc 2014-07-24 17:23:44 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

