Description of problem:
With SELinux in enforcing mode, httpd is denied access to the radosgw unix socket. Does the policy need to be updated or should the unix socket be relocated?

Version-Release number of selected component (if applicable):
RHEL 7.0 server
# rpm -qa | egrep "radosgw|httpd|fastcgi|httpd|selinux"
mod_fastcgi-2.4.7-1.ceph.el7.x86_64
openstack-selinux-0.6.18-2.el7ost.noarch
libselinux-ruby-2.2.2-6.el7.x86_64
selinux-policy-targeted-3.12.1-153.el7_0.13.noarch
libselinux-2.2.2-6.el7.x86_64
httpd-tools-2.4.6-19.el7_0.x86_64
libselinux-utils-2.2.2-6.el7.x86_64
foreman-selinux-1.6.0.14-1.el7sat.noarch
selinux-policy-3.12.1-153.el7_0.13.noarch
ceph-radosgw-0.80.6-0.el7.x86_64
httpd-2.4.6-19.el7_0.x86_64
libselinux-python-2.2.2-6.el7.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Configure radosgw service
2. setenforce 1
3. Attempt to use resource.

Actual results:
# getenforce
Enforcing
# python s3test.py
Traceback (most recent call last):
  File "s3test.py", line 13, in <module>
    bucket = conn.create_bucket('my-new-bucket2')
  File "/usr/lib/python2.7/site-packages/boto/s3/connection.py", line 581, in create_bucket
    data=data)
  File "/usr/lib/python2.7/site-packages/boto/s3/connection.py", line 633, in make_request
    retry_handler=retry_handler
  File "/usr/lib/python2.7/site-packages/boto/connection.py", line 1030, in make_request
    retry_handler=retry_handler)
  File "/usr/lib/python2.7/site-packages/boto/connection.py", line 986, in _mexe
    raise BotoServerError(response.status, response.reason, body)
boto.exception.BotoServerError: BotoServerError: 500 Internal Server Error
None

Expected results:
# getenforce
Permissive
[root@osp-cont-1 ~(openstack_admin)]# python s3test.py
my-new-bucket	2015-02-16T17:09:10.000Z
my-new-bucket2	2015-02-16T17:18:39.000Z

Additional info:
Here are the results from ausearch:
# ausearch -m avc
----
time->Mon Feb 16 17:18:39 2015
type=SYSCALL msg=audit(1424107119.547:77987): arch=c000003e syscall=42 success=yes exit=0 a0=10 a1=7fc2b7dd3bb0 a2=31 a3=0 items=0 ppid=36484 pid=36490 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1424107119.547:77987): avc: denied { connectto } for pid=36490 comm="httpd" path="/run/ceph/ceph.radosgw.gateway.fastcgi.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1424107119.547:77987): avc: denied { write } for pid=36490 comm="httpd" name="ceph.radosgw.gateway.fastcgi.sock" dev="tmpfs" ino=52480240 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
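An added example, not part of the bug report or of the Ceph or RHEL packages: a small Python parser for AVC records like the two above, which extracts the source and target SELinux types, object class and denied permission from each record and filters for the httpd_t to unix-socket pattern seen in this bug. It is fed the two denial lines quoted in the report as a constructed sample; the (source type, target type, class, permission) tuples it returns are exactly what an updated policy or a relabeled socket has to cover.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the two AVC records quoted in the report above, one per line,
# exactly as ausearch prints them (/var/log/audit/audit.log uses the same record format).
SAMPLE_AVC_LOG = """\
type=AVC msg=audit(1424107119.547:77987): avc: denied { connectto } for pid=36490 comm="httpd" path="/run/ceph/ceph.radosgw.gateway.fastcgi.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1424107119.547:77987): avc: denied { write } for pid=36490 comm="httpd" name="ceph.radosgw.gateway.fastcgi.sock" dev="tmpfs" ino=52480240 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
"""

# Header of an AVC denial record; the trailing key=value fields are parsed with KV_RE.
AVC_RE = re.compile(r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): '
                    r'avc: +denied +\{ (?P<perms>[^}]+) \} for (?P<fields>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # values may be quoted or bare

@dataclass
class AvcDenial:
    timestamp: float
    serial: int           # audit event serial; SYSCALL and AVC records of one event share it
    perms: List[str]      # e.g. ["connectto"] or ["write"]
    scontext: str         # source (subject) context
    tcontext: str         # target (object) context
    tclass: str           # object class, e.g. unix_stream_socket or sock_file
    target: str           # path= or name= of the object, "" if absent
    @property
    def source_type(self) -> str:  # type field of the source context, e.g. httpd_t
        return self.scontext.split(":")[2]
    @property
    def target_type(self) -> str:  # type field of the target context, e.g. initrc_t
        return self.tcontext.split(":")[2]

def parse_avc(line: str) -> Optional[AvcDenial]:
    """Parse one 'type=AVC ... avc: denied ...' record; None for any other line."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
    return AvcDenial(timestamp=float(m.group("ts")), serial=int(m.group("serial")),
                     perms=m.group("perms").split(), scontext=kv["scontext"],
                     tcontext=kv["tcontext"], tclass=kv["tclass"],
                     target=kv.get("path") or kv.get("name", ""))

def parse_avc_log(text: str) -> List[AvcDenial]:
    # SYSCALL records, 'time->' and '----' separator lines are skipped.
    return [d for d in (parse_avc(ln) for ln in text.splitlines()) if d]

def socket_denials_for(denials: List[AvcDenial], source_type: str = "httpd_t") -> List[AvcDenial]:
    """Denials where source_type was blocked from a unix socket, the pattern in this bug."""
    return [d for d in denials
            if d.source_type == source_type and d.tclass in ("unix_stream_socket", "sock_file")]
```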
Hi Boris, SELinux is in the spotlight for 1.3.2... how are we looking?
I think we're good, I checked private-branto-ceph-1.3-rhel-7 and radosgw is included there.
Tested RGW lifecycle with S3 and Swift. Didn't find any issues with SELinux enforced. Verified.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2016:0313