Bug 1327609 - Missing Selinux policy to talk with Memcache
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-selinux
Version: 7.0 (Kilo)
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: async
: 8.0 (Liberty)
Assignee: Ryan Hallisey
QA Contact: Mike Burns
URL:
Whiteboard:
Depends On:
Blocks: 1327681
Reported: 2016-04-15 13:17 UTC by Federico Iezzi
Modified: 2016-11-14 19:44 UTC (History)

Fixed In Version: openstack-selinux-0.7.3-1.el7ost
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 1327681 (view as bug list)
Environment:
Last Closed: 2016-11-14 19:44:39 UTC
Target Upstream Version:
Embargoed:



Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2016:2708 0 normal SHIPPED_LIVE Red Hat OpenStack Platform 8 Bug Fix and Enhancement Advisory 2016-11-15 00:43:33 UTC

Description Federico Iezzi 2016-04-15 13:17:38 UTC
Description of problem:
Hello there,

On a customer implementation, Memcache has been used as the Token Backend in Keystone. The current SELinux policies (openstack-selinux-0.6.55-1.el7ost.noarch) prevent the communication.

Below are the logs:
type=AVC msg=audit(1460720246.797:113659): avc:  denied  { name_connect } for  pid=14974 comm="keystone-all" dest=11211 scontext=system_u:system_r:keystone_t:s0 tcontext=system_u:object_r:memcache_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1460720246.797:113659): arch=c000003e syscall=42 success=no exit=-13 a0=d a1=7ffca7854cb0 a2=10 a3=1 items=0 ppid=14904 pid=14974 auid=4294967295 uid=163 gid=163 euid=163 suid=163 fsuid=163 egid=163 sgid=163 fsgid=163 tty=(none) ses=4294967295 comm="keystone-all" exe="/usr/bin/python2.7" subj=system_u:system_r:keystone_t:s0 key=(null)

Version-Release number of selected component (if applicable): RHEL-OSP 7.3


How reproducible:
- needs to have an up and running openstack setup
- (if not present) install:
  - memcached
  - python-memcached
  - python-pymemcache
- update the following parameters in the keystone config
[token]
driver = keystone.token.persistence.backends.memcache_pool.Token
caching = True
[memcache]
# or anyway your local or remote memcache server
servers = 127.0.0.1:11211
[cache]
backend = dogpile.cache.memcached
enabled = True
debug_cache_backend = False

Steps to Reproduce:
1.
2.
3.

Actual results: SELinux prevents the communication


Expected results: a correct keystone <-> memcache communication


Additional info:
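
Added example, not part of the original report and not code from openstack-selinux: a small parser that reads the AVC record quoted in the description and derives the type-enforcement rule an audit2allow-style review would propose for it. The function names are hypothetical, the SYSCALL line is shortened, and the page does not show which rule the shipped fix actually uses.

```python
import re
from collections import defaultdict

# AVC record copied from the description above; SYSCALL record shortened.
SAMPLE_LOG = (
    'type=AVC msg=audit(1460720246.797:113659): avc:  denied  { name_connect } '
    'for  pid=14974 comm="keystone-all" dest=11211 '
    'scontext=system_u:system_r:keystone_t:s0 '
    'tcontext=system_u:object_r:memcache_port_t:s0 tclass=tcp_socket\n'
    'type=SYSCALL msg=audit(1460720246.797:113659): arch=c000003e syscall=42 '
    'success=no exit=-13 comm="keystone-all" exe="/usr/bin/python2.7"\n'
)

AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def selinux_type(context):
    """Return the type field of a user:role:type:level security context."""
    return context.split(':')[2]


def parse_denials(text):
    """Extract one dict per AVC denial; non-AVC records are skipped."""
    denials = []
    for line in text.splitlines():
        match = AVC_RE.search(line)
        if not match:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(match['rest'])}
        fields['perms'] = match['perms'].split()
        denials.append(fields)
    return denials


def candidate_rules(denials):
    """Group denials by (source type, target type, class) into allow rules."""
    grouped = defaultdict(set)
    for d in denials:
        key = (selinux_type(d['scontext']), selinux_type(d['tcontext']), d['tclass'])
        grouped[key].update(d['perms'])
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        perm_text = perms.pop() if len(perms) == 1 else '{ %s }' % ' '.join(sorted(perms))
        rules.append('allow %s %s:%s %s;' % (src, tgt, cls, perm_text))
    return rules
```

A rule derived this way is a candidate for review rather than something to load blindly: it grants exactly the denied access, here the keystone_t domain opening TCP connections to ports labelled memcache_port_t.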

Comment 4 Mike Burns 2016-10-31 14:39:34 UTC
Package shipped and bug verified in OSP 9

Comment 6 errata-xmlrpc 2016-11-14 19:44:39 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2708.html

