Bug 1193228 - [RFE] SELinux support for RGW
Summary: [RFE] SELinux support for RGW
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Ceph Storage
Classification: Red Hat
Component: RGW
Version: 1.3.1
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: 1.3.2
Assignee: Boris Ranto
QA Contact: Yuri Weinstein
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2015-02-16 22:29 UTC by Keith Schincke
Modified: 2017-07-30 15:57 UTC (History)
15 users (show)

Fixed In Version: ceph-0.94.5-3.el7cp
Doc Type: Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-02-29 14:41:29 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2016:0313 0 normal SHIPPED_LIVE Red Hat Ceph Storage 1.3.2 bug fix and enhancement update 2016-02-29 19:37:43 UTC

Description Keith Schincke 2015-02-16 22:29:53 UTC
Description of problem:
With Selinux in enforcing mode, httpd is denied access to the radosgw unix socket. 

Does the policy need to be updated or should the unix socket be relocated?

Version-Release number of selected component (if applicable):
RHEL 7.0 server
# rpm -qa  | egrep "radosgw|httpd|fastcgi|httpd|selinux"
mod_fastcgi-2.4.7-1.ceph.el7.x86_64
openstack-selinux-0.6.18-2.el7ost.noarch
libselinux-ruby-2.2.2-6.el7.x86_64
selinux-policy-targeted-3.12.1-153.el7_0.13.noarch
libselinux-2.2.2-6.el7.x86_64
httpd-tools-2.4.6-19.el7_0.x86_64
libselinux-utils-2.2.2-6.el7.x86_64
foreman-selinux-1.6.0.14-1.el7sat.noarch
selinux-policy-3.12.1-153.el7_0.13.noarch
ceph-radosgw-0.80.6-0.el7.x86_64
httpd-2.4.6-19.el7_0.x86_64
libselinux-python-2.2.2-6.el7.x86_64


How reproducible:
100%

Steps to Reproduce:
1. Configure radogw service
2. setenforce 1
3. Attempt to use resource. 

Actual results:
# getenforce
Enforcing
# python s3test.py 
Traceback (most recent call last):
  File "s3test.py", line 13, in <module>
    bucket = conn.create_bucket('my-new-bucket2')
  File "/usr/lib/python2.7/site-packages/boto/s3/connection.py", line 581, in create_bucket
    data=data)
  File "/usr/lib/python2.7/site-packages/boto/s3/connection.py", line 633, in make_request
    retry_handler=retry_handler
  File "/usr/lib/python2.7/site-packages/boto/connection.py", line 1030, in make_request
    retry_handler=retry_handler)
  File "/usr/lib/python2.7/site-packages/boto/connection.py", line 986, in _mexe
    raise BotoServerError(response.status, response.reason, body)
boto.exception.BotoServerError: BotoServerError: 500 Internal Server Error
None


Expected results:
# getenforce 
Permissive
[root@osp-cont-1 ~(openstack_admin)]# python s3test.py 
my-new-bucket	2015-02-16T17:09:10.000Z
my-new-bucket2	2015-02-16T17:18:39.000Z


Additional info:
Here are the results from ausearch:
# ausearch -m avc
----
time->Mon Feb 16 17:18:39 2015
type=SYSCALL msg=audit(1424107119.547:77987): arch=c000003e syscall=42 success=yes exit=0 a0=10 a1=7fc2b7dd3bb0 a2=31 a3=0 items=0 ppid=36484 pid=36490 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1424107119.547:77987): avc:  denied  { connectto } for  pid=36490 comm="httpd" path="/run/ceph/ceph.radosgw.gateway.fastcgi.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1424107119.547:77987): avc:  denied  { write } for  pid=36490 comm="httpd" name="ceph.radosgw.gateway.fastcgi.sock" dev="tmpfs" ino=52480240 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file

Comment 3 Federico Lucifredi 2015-12-11 19:39:49 UTC
Hi Boris,
  SELinux is in the spotlight for 1.3.2... how are we looking?

Comment 4 Ken Dreyer (Red Hat) 2015-12-11 19:40:49 UTC
I think we're good, I checked private-branto-ceph-1.3-rhel-7 and radosgw is included there.

Comment 10 shilpa 2016-01-28 07:43:01 UTC
Tested RGW lifecycle with S3 and Swift. Didn't find any issues with selinux enforced. Verified

Comment 12 errata-xmlrpc 2016-02-29 14:41:29 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:0313


Note You need to log in before you can comment on or make changes to this bug.