Bug 1302312 - RHOS 7.3 selinux blocks swift replications
Summary: RHOS 7.3 selinux blocks swift replications
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-selinux
Version: 7.0 (Kilo)
Hardware: Unspecified
OS: Unspecified
urgent
high
Target Milestone: ga
: 7.0 (Kilo)
Assignee: Ryan Hallisey
QA Contact: Leonid Natapov
URL:
Whiteboard:
Duplicates: 1235710
Depends On:
Blocks:
Reported: 2016-01-27 13:14 UTC by Asaf Hirshberg
Modified: 2017-01-13 16:35 UTC (History)

Fixed In Version: openstack-selinux-0.6.55-1.el7ost
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-03-10 17:06:31 UTC
Target Upstream Version:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2016:0437 0 normal SHIPPED_LIVE Red Hat Enterprise Linux OpenStack Platform 7 Bug Fix and Enhancement Advisory 2016-03-10 22:05:30 UTC

Description Asaf Hirshberg 2016-01-27 13:14:47 UTC
Description of problem:

Jan 27 05:11:28 localhost object-server: Error syncing with node: {'index': 0, 'replication_port': 6000, 'weight': 100.0, 'zone': 1, 'ip': 'fd00:fd00:fd00:4000::12', 'region': 1, 'id': 0, 'replication_ip': 'fd00:fd00:fd00:4000::12', 'meta': u'', 'device': 'd1', 'port': 6000}:
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/swift/obj/replicator.py", line 377, in update
    success, _junk = self.sync(node, job, suffixes)
  File "/usr/lib/python2.7/site-packages/swift/obj/replicator.py", line 111, in sync
    return self.sync_method(node, job, suffixes, *args, **kwargs)
  File "/usr/lib/python2.7/site-packages/swift/obj/replicator.py", line 203, in rsync
    return self._rsync(args) == 0, {}
  File "/usr/lib/python2.7/site-packages/swift/obj/replicator.py", line 135, in _rsync
    stderr=subprocess.STDOUT)
  File "/usr/lib/python2.7/site-packages/eventlet/green/subprocess.py", line 53, in __init__
    subprocess_orig.Popen.__init__(self, args, 0, *argss, **kwds)
  File "/usr/lib64/python2.7/subprocess.py", line 711, in __init__
    errread, errwrite)
  File "/usr/lib64/python2.7/subprocess.py", line 1327, in _execute_child
    raise child_exception
OSError: [Errno 13] Permission denied


from /var/log/audit:

/var/log/audit/audit.log.1:18566:type=AVC msg=audit(1453889488.386:89570): avc:  denied  { execute } for  pid=8553 comm="swift-object-re" name="rsync" dev="sda2" ino=2006949 scontext=system_u:system_r:swift_t:s0 tcontext=unconfined_u:object_r:rsync_exec_t:s0 tclass=file
/var/log/audit/audit.log.1:18896:type=AVC msg=audit(1453889519.319:89753): avc:  denied  { execute } for  pid=10332 comm="swift-object-re" name="rsync" dev="sda2" ino=2006949 scontext=system_u:system_r:swift_t:s0 tcontext=unconfined_u:object_r:rsync_exec_t:s0 tclass=file
/var/log/audit/audit.log.1:20781:type=AVC msg=audit(1453889611.505:90723): avc:  denied  { execute } for  pid=17526 comm="swift-object-re" name="rsync" dev="sda2" ino=2006949 scontext=system_u:system_r:swift_t:s0 tcontext=unconfined_u:object_r:rsync_exec_t:s0 tclass=file
/var/log/audit/audit.log.1:21141:type=AVC msg=audit(1453889642.930:90916): avc:  denied  { execute } for  pid=19499 comm="swift-object-re" name="rsync" dev="sda2" ino=2006949 scontext=system_u:system_r:swift_t:s0 tcontext=unconfined_u:object_r:rsync_exec_t:s0 tclass=file
/var/log/audit/audit.log:8465:type=AVC msg=audit(1453897175.179:101020): avc:  denied


Version-Release number of selected component (if applicable):
7.0-RHEL-7-director/2016-01-22.1
python-tempest-lib-0.5.0-1.el7ost.noarch
openstack-tempest-kilo-20151020.1.el7ost.noarch

Comment 2 Ryan Hallisey 2016-01-27 14:36:40 UTC
Can you run this in permissive and report back the AVCs you get? This could require a transition, depending on whether there are a lot of related AVCs returned. If there aren't any more, I can just add the one allow rule.

$ setenforce 0
run tests
$ cat /var/log/audit/audit.log | grep AVC
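An added helper, not part of the bug report or of openstack-selinux, that does the grep step above programmatically: it parses AVC records like the ones quoted in the description, skips truncated records such as the last one there, aggregates distinct denials by source type, target type, class and permission, and drafts audit2allow-style rules for review. The sample lines are constructed in the shape of the report's audit.log excerpt; whether a plain allow rule or a domain transition is the right fix is the reviewer's call, as the comment above notes.

```python
import re
from collections import Counter

# Constructed sample input: two complete AVC records and one truncated
# record, in the shape of the grep output quoted in the bug description.
SAMPLE_AUDIT_LINES = [
    '/var/log/audit/audit.log.1:18566:type=AVC msg=audit(1453889488.386:89570): avc:  denied  { execute } for  pid=8553 comm="swift-object-re" name="rsync" dev="sda2" ino=2006949 scontext=system_u:system_r:swift_t:s0 tcontext=unconfined_u:object_r:rsync_exec_t:s0 tclass=file',
    '/var/log/audit/audit.log.1:18896:type=AVC msg=audit(1453889519.319:89753): avc:  denied  { execute } for  pid=10332 comm="swift-object-re" name="rsync" dev="sda2" ino=2006949 scontext=system_u:system_r:swift_t:s0 tcontext=unconfined_u:object_r:rsync_exec_t:s0 tclass=file',
    '/var/log/audit/audit.log:8465:type=AVC msg=audit(1453897175.179:101020): avc:  denied',
]

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): '
    r'avc:\s+(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+)\} for\s+(?P<fields>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value, value may be quoted

def parse_avc(line):
    """Return a dict for a complete AVC record, or None if the line is not one (or is truncated)."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return {
        'serial': int(m.group('serial')),
        'result': m.group('result'),
        'perms': tuple(m.group('perms').split()),   # '{ execute }' -> ('execute',)
        'comm': fields.get('comm'),
        'scontext': fields.get('scontext'),
        'tcontext': fields.get('tcontext'),
        'tclass': fields.get('tclass'),
    }

def selinux_type(context):
    """user:role:type:level -> type, e.g. system_u:system_r:swift_t:s0 -> swift_t."""
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 else context

def summarize_denials(lines):
    """Count distinct (source type, target type, class, perms) denials over the lines."""
    counts = Counter()
    for avc in map(parse_avc, lines):
        if avc and avc['result'] == 'denied' and avc['scontext'] and avc['tcontext']:
            counts[(selinux_type(avc['scontext']), selinux_type(avc['tcontext']),
                    avc['tclass'], avc['perms'])] += 1
    return counts

def draft_allow_rules(counts):
    """audit2allow-style draft, one rule per distinct denial; review before applying."""
    return [f'allow {s} {t}:{c} {{ {" ".join(p)} }};' for (s, t, c, p) in sorted(counts)]
```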

Comment 5 Ryan Hallisey 2016-02-03 09:38:49 UTC
Asaf, can you capture the AVCs in a text doc? I don't use Jenkins a whole lot, so I don't know where I can find the AVCs within those results.

Comment 8 Ryan Hallisey 2016-02-23 14:19:29 UTC
Try this policy. It's based on the only rule I have here. I'm not too confident it will work, but there's a chance.

Comment 9 Lon Hohberger 2016-02-25 15:27:32 UTC
Does this cause deployment failures?

Comment 13 Leonid Natapov 2016-03-03 12:53:12 UTC
ospd 7.3 with openstack-selinux-0.6.55-1.el7ost. No errors from swift.

Comment 15 errata-xmlrpc 2016-03-10 17:06:31 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-0437.html

Comment 16 Asaf Hirshberg 2016-03-21 08:25:32 UTC
Ryan Hallisey,

Comment 17 Asaf Hirshberg 2016-03-21 08:27:23 UTC
Removed need-info flags as the information couldn't be supplied.
Please contact me if needed.

Comment 18 Lon Hohberger 2017-01-13 16:35:14 UTC
*** Bug 1235710 has been marked as a duplicate of this bug. ***

