Bug 1329038 - SELinux is preventing /usr/bin/python2.7 from name_connect access on the tcp_socket port 49185
Summary: SELinux is preventing /usr/bin/python2.7 from name_connect access on the tcp_...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-selinux
Version: 9.0 (Mitaka)
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: async
Target Release: 8.0 (Liberty)
Assignee: Ryan Hallisey
QA Contact: Asaf Hirshberg
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2016-04-21 01:38 UTC by Emilien Macchi
Modified: 2016-11-14 19:44 UTC (History)
CC List: 6 users

Fixed In Version: openstack-selinux-0.7.3-3.el7ost
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-11-14 19:44:53 UTC
Target Upstream Version:
Embargoed:




Links
Red Hat Product Errata RHBA-2016:2708 (priority: normal; status: SHIPPED_LIVE): Red Hat OpenStack Platform 8 Bug Fix and Enhancement Advisory, last updated 2016-11-15 00:43:33 UTC

Description Emilien Macchi 2016-04-21 01:38:22 UTC
Deploying OpenStack Mitaka
List of packages:
http://logs.openstack.org/73/308573/1/check/gate-puppet-openstack-integration-3-scenario002-tempest-centos-7/6db963b/logs/rpm-qa.txt.gz

openstack-selinux-0.7.2-1.el7.noarch


2016-04-20 21:23:59.663 | SELinux is preventing /usr/bin/python2.7 from name_connect access on the tcp_socket port 49185.
2016-04-20 21:23:59.663 | 
2016-04-20 21:23:59.663 | *****  Plugin catchall_boolean (89.3 confidence) suggests   ******************
2016-04-20 21:23:59.663 | 
2016-04-20 21:23:59.663 | If you want to allow swift to can network
2016-04-20 21:23:59.663 | Then you must tell SELinux about this by enabling the 'swift_can_network' boolean.
2016-04-20 21:23:59.664 | 
2016-04-20 21:23:59.664 | Do
2016-04-20 21:23:59.664 | setsebool -P swift_can_network 1
2016-04-20 21:23:59.664 | 
2016-04-20 21:23:59.664 | *****  Plugin catchall (11.6 confidence) suggests   **************************
2016-04-20 21:23:59.664 | 
2016-04-20 21:23:59.665 | If you believe that python2.7 should be allowed name_connect access on the port 49185 tcp_socket by default.
2016-04-20 21:23:59.665 | Then you should report this as a bug.
2016-04-20 21:23:59.665 | You can generate a local policy module to allow this access.
2016-04-20 21:23:59.665 | Do
2016-04-20 21:23:59.665 | allow this access for now by executing:
2016-04-20 21:23:59.665 | # grep swift-object-se /var/log/audit/audit.log | audit2allow -M mypol
2016-04-20 21:23:59.666 | # semodule -i mypol.pp
2016-04-20 21:23:59.666 | 
2016-04-20 21:23:59.666 | 
2016-04-20 21:23:59.666 | Additional Information:
2016-04-20 21:23:59.666 | Source Context                system_u:system_r:swift_t:s0
2016-04-20 21:23:59.666 | Target Context                system_u:object_r:virt_migration_port_t:s0
2016-04-20 21:23:59.666 | Target Objects                port 49185 [ tcp_socket ]
2016-04-20 21:23:59.667 | Source                        swift-object-se
2016-04-20 21:23:59.667 | Source Path                   /usr/bin/python2.7
2016-04-20 21:23:59.667 | Port                          49185
2016-04-20 21:23:59.667 | Host                          <Unknown>
2016-04-20 21:23:59.667 | Source RPM Packages           python-2.7.5-34.el7.x86_64
2016-04-20 21:23:59.667 | Target RPM Packages           
2016-04-20 21:23:59.668 | Policy RPM                    selinux-policy-3.13.1-60.el7_2.3.noarch
2016-04-20 21:23:59.668 | Selinux Enabled               True
2016-04-20 21:23:59.668 | Policy Type                   targeted
2016-04-20 21:23:59.668 | Enforcing Mode                Permissive
2016-04-20 21:23:59.668 | Host Name                     centos-7-rax-iad-411266
2016-04-20 21:23:59.668 | Platform                      Linux centos-7-rax-iad-411266
2016-04-20 21:23:59.668 |                               3.10.0-327.13.1.el7.x86_64 #1 SMP Thu Mar 31
2016-04-20 21:23:59.669 |                               16:04:38 UTC 2016 x86_64 x86_64
2016-04-20 21:23:59.669 | Alert Count                   1
2016-04-20 21:23:59.669 | First Seen                    2016-04-20 21:06:15 UTC
2016-04-20 21:23:59.669 | Last Seen                     2016-04-20 21:06:15 UTC
2016-04-20 21:23:59.669 | Local ID                      fc41d1f2-0dee-4d75-98c5-6dcfdcd508d0
2016-04-20 21:23:59.669 | 
2016-04-20 21:23:59.669 | Raw Audit Messages
2016-04-20 21:23:59.670 | type=AVC msg=audit(1461186375.8:534): avc:  denied  { name_connect } for  pid=13003 comm="swift-object-se" dest=49185 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:virt_migration_port_t:s0 tclass=tcp_socket
2016-04-20 21:23:59.670 | 
2016-04-20 21:23:59.670 | 
2016-04-20 21:23:59.670 | type=SYSCALL msg=audit(1461186375.8:534): arch=x86_64 syscall=connect success=yes exit=0 a0=f a1=7ffe244101e0 a2=10 a3=1 items=0 ppid=12934 pid=13003 auid=4294967295 uid=160 gid=160 euid=160 suid=160 fsuid=160 egid=160 sgid=160 fsgid=160 tty=(none) ses=4294967295 comm=swift-object-se exe=/usr/bin/python2.7 subj=system_u:system_r:swift_t:s0 key=(null)
2016-04-20 21:23:59.670 | 
2016-04-20 21:23:59.670 | Hash: swift-object-se,swift_t,virt_migration_port_t,tcp_socket,name_connect
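A triage helper for the two raw audit records above, added here as an example; it is not code from the bug report, from openstack-selinux or from setroubleshoot. Port 49185 is the destination of swift-object-server's connect() and lies inside the 49152-49216 TCP range that the targeted policy labels virt_migration_port_t (an assumption in the table below; confirm on the host with `semanage port -l`), which is why a Swift process shows up colliding with a libvirt migration port type. The SYSCALL record's `success=yes`, together with "Enforcing Mode: Permissive" in the alert, shows the connect was logged but never blocked. The helper pairs AVC and SYSCALL records by audit serial, decides whether the denial was actually enforced, maps the port to its label, and renders the allow rule audit2allow would generate from the AVC. Function names and the sample records (copied from the report with the CI timestamp prefix stripped) are constructed for this example.

```python
"""Triage an SELinux name_connect denial from raw audit records.

Added example for this report; not code from the bug, openstack-selinux or setroubleshoot.
"""
import re

# Constructed sample input: the AVC and SYSCALL records quoted in the report, prefix removed.
SAMPLE_RECORDS = [
    'type=AVC msg=audit(1461186375.8:534): avc:  denied  { name_connect } for  pid=13003 '
    'comm="swift-object-se" dest=49185 scontext=system_u:system_r:swift_t:s0 '
    'tcontext=system_u:object_r:virt_migration_port_t:s0 tclass=tcp_socket',
    'type=SYSCALL msg=audit(1461186375.8:534): arch=x86_64 syscall=connect success=yes exit=0 '
    'a0=f a1=7ffe244101e0 a2=10 a3=1 items=0 ppid=12934 pid=13003 auid=4294967295 uid=160 '
    'gid=160 euid=160 suid=160 fsuid=160 egid=160 sgid=160 fsgid=160 tty=(none) '
    'ses=4294967295 comm=swift-object-se exe=/usr/bin/python2.7 '
    'subj=system_u:system_r:swift_t:s0 key=(null)',
]

# TCP port labels consulted during triage. The virt_migration_port_t range is the upstream
# targeted-policy definition (assumption: verify with `semanage port -l` on the affected host).
TCP_PORT_TYPES = {
    "virt_migration_port_t": [(49152, 49216)],
}

KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
MSG_RE = re.compile(r'msg=audit\(([\d.]+):(\d+)\)')
AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}')


def parse_record(line):
    """Split one audit record into key=value fields plus the AVC decision and permissions."""
    rec = {}
    for key, raw, quoted in KV_RE.findall(line):
        rec[key] = quoted if raw.startswith('"') else raw
    m = MSG_RE.search(line)
    if m:
        rec["timestamp"], rec["serial"] = m.group(1), m.group(2)
    m = AVC_RE.search(line)
    if m:
        rec["decision"] = m.group(1)
        rec["perms"] = m.group(2).split()
    return rec


def type_of(context):
    """Return the type field of a context such as system_u:system_r:swift_t:s0."""
    return context.split(":")[2]


def label_for_tcp_port(port):
    """Return the port type a TCP port falls into, or None if our table has no entry."""
    for label, ranges in TCP_PORT_TYPES.items():
        if any(lo <= port <= hi for lo, hi in ranges):
            return label
    return None


def te_rule(avc):
    """Render the allow rule audit2allow would emit for this AVC (no boolean wrapping)."""
    perms = avc["perms"]
    perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return "allow %s %s:%s %s;" % (
        type_of(avc["scontext"]), type_of(avc["tcontext"]), avc["tclass"], perm_str)


def triage(lines):
    """Pair AVC and SYSCALL records by serial and summarise every denial."""
    events = {}
    for line in lines:
        rec = parse_record(line)
        if "serial" in rec and "type" in rec:
            events.setdefault(rec["serial"], {})[rec["type"]] = rec
    results = []
    for serial, recs in sorted(events.items(), key=lambda kv: int(kv[0])):
        avc = recs.get("AVC")
        if not avc or avc.get("decision") != "denied":
            continue
        syscall = recs.get("SYSCALL", {})
        # Permissive mode logs the AVC but lets the syscall succeed (success=yes);
        # newer kernels also tag the AVC record itself with permissive=1.
        if avc.get("permissive") == "1":
            enforced = False
        elif "success" in syscall:
            enforced = syscall["success"] == "no"
        else:
            enforced = None
        port = int(avc["dest"]) if "dest" in avc else None
        results.append({
            "serial": serial,
            "comm": avc.get("comm"),
            "exe": syscall.get("exe"),
            "source_type": type_of(avc["scontext"]),
            "target_type": type_of(avc["tcontext"]),
            "perms": avc["perms"],
            "port": port,
            "port_label": label_for_tcp_port(port) if port is not None else None,
            "enforced": enforced,
            "te_rule": te_rule(avc),
        })
    return results


if __name__ == "__main__":
    for r in triage(SAMPLE_RECORDS):
        state = {True: "BLOCKED", False: "permissive, not blocked", None: "unknown"}[r["enforced"]]
        print("%s (%s) -> port %s [%s]: %s" % (r["comm"], r["source_type"], r["port"],
                                               r["port_label"], state))
        print("  audit2allow would emit:", r["te_rule"])
```

Of the two remedies sealert prints, the generated module is the narrower one: it allows exactly `swift_t -> virt_migration_port_t:tcp_socket name_connect`, whereas the `swift_can_network` boolean is not scoped to a single port type (check what it unlocks with `sesearch -A -s swift_t -c tcp_socket -p name_connect -b swift_can_network`). Neither is the real fix, which is the updated packaged policy named in this bug; a local module is a stopgap to remove with `semodule -r mypol` once the shipped policy covers the access.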

Comment 6 nlevinki 2016-11-06 13:41:07 UTC
https://rhos-jenkins.rhev-ci-vms.eng.rdu2.redhat.com/view/RHOS/view/RHOS8/job/qe-phase2-8_director-rhel-7.2-virthost-3cont_2comp_3ceph-ipv4-gre-ceph/16/

This automation is running with a more advanced rpm:
openstack-selinux-0.7.11-1.el7ost.noarch
See comment #5.

Comment 8 errata-xmlrpc 2016-11-14 19:44:53 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2708.html

