1150798 – SELinux: swift services denied search on /var/lib/swift/.local

Bug 1150798 - SELinux: swift services denied search on /var/lib/swift/.local

Summary: SELinux: swift services denied search on /var/lib/swift/.local

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	20
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Miroslav Grepl
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2014-10-09 01:22 UTC by Richard Su
Modified:	2014-10-28 06:38 UTC (History)
CC List:	5 users (show)
Fixed In Version:	selinux-policy-3.12.1-192.fc20
Clone Of:
Environment:
Last Closed:	2014-10-28 06:38:36 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
audit.log from control node (6.00 MB, text/plain) 2014-10-09 01:22 UTC, Richard Su	no flags	Details
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Launchpad	1379081	0	None	None	None	Never

Description Richard Su 2014-10-09 01:22:03 UTC

Created attachment 945189 [details]
audit.log from control node

Description of problem:
Swift services are being denied search on /var/lib/swift/.local. The policy doesn't define a default file context for /var/lib/swift so it is currently labeled as 

drwxr-xr-x. swift      root       unconfined_u:object_r:var_lib_t:s0 swift

Version-Release number of selected component (if applicable):
openstack-swift-2.2.0.rc1.2-g7528f2b.fc20.noarch
openstack-swift-account-2.2.0.rc1.2-g7528f2b.fc20.noarch
openstack-swift-container-2.2.0.rc1.2-g7528f2b.fc20.noarch
openstack-swift-object-2.2.0.rc1.2-g7528f2b.fc20.noarch
openstack-swift-plugin-swift3-1.7-3.fc20.noarch
openstack-swift-proxy-2.2.0.rc1.2-g7528f2b.fc20.noarch
selinux-policy-3.12.1-183.fc20.noarch
selinux-policy-targeted-3.12.1-183.fc20.noarch

How reproducible:
always

Steps to Reproduce:
1. Deploy the overcloud using instack-undercloud.
2. Run instack-test-overcloud.

Actual results:
swift denials logged

Expected results:
no swift denials logged

Additional info:

type=AVC msg=audit(1412792989.946:750): avc:  denied  { search } for  pid=6226 comm="swift-container" name=".local" dev="sda1" ino=1016668 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:init_var_lib_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1412792990.133:752): avc:  denied  { search } for  pid=6236 comm="swift-object-se" name=".local" dev="sda1" ino=1016668 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:init_var_lib_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1412792990.329:754): avc:  denied  { search } for  pid=6241 comm="swift-object-au" name=".local" dev="sda1" ino=1016668 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:init_var_lib_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1412792990.526:756): avc:  denied  { search } for  pid=6251 comm="swift-object-re" name=".local" dev="sda1" ino=1016668 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:init_var_lib_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1412792990.706:758): avc:  denied  { search } for  pid=6261 comm="swift-object-up" name=".local" dev="sda1" ino=1016668 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:init_var_lib_t:s0 tclass=dir permissive=0

Comment 1 Miroslav Grepl 2014-10-13 12:11:20 UTC

commit 0c0a0540fd09149697c095b0647c823908e62ac4
Author: Miroslav Grepl <mgrepl>
Date:   Mon Oct 13 14:10:44 2014 +0200

    Add support for /var/lib/swiftdirectory.

Comment 2 Fedora Update System 2014-10-22 11:52:46 UTC

selinux-policy-3.12.1-192.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-192.fc20

Comment 3 Fedora Update System 2014-10-23 06:23:43 UTC

Package selinux-policy-3.12.1-192.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-192.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-13495/selinux-policy-3.12.1-192.fc20
then log in and leave karma (feedback).

Comment 4 Fedora Update System 2014-10-28 06:38:36 UTC

selinux-policy-3.12.1-192.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.