Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1518160

Summary: recon cache permission issue
Product: Red Hat OpenStack
Reporter: Attila Fazekas <afazekas>
Component: openstack-selinux
Assignee: Lon Hohberger <lhh>
Status: CLOSED ERRATA
QA Contact: Udi Shkalim <ushkalim>
Severity: medium
Priority: medium
Version: 12.0 (Pike)
CC: ilmostro7, jamsmith, lhh, mburns, mgrepl, rhallise, srevivo, tlarsson, tvignaud
Target Milestone: z3
Keywords: Triaged, ZStream
Target Release: 12.0 (Pike)
Hardware: Unspecified
OS: Unspecified
Fixed In Version: openstack-selinux-0.8.14-1.el7ost
Last Closed: 2018-08-20 12:53:41 UTC
Type: Bug

Description Attila Fazekas 2017-11-28 11:00:01 UTC
Description of problem:

In a regular packstack setup the /var/log/messages is flooded with the following errors:

Nov 28 05:09:07 7abff3cf15a7585a1d560b551b408ec9-aio-0 object-server: Exception dumping recon cache: #012Traceback (most recent call last):#012  File "/usr/lib/python2.7/site-packages/swift/common/utils.py", line 3135, in dump_recon_cache#012    with lock_file(cache_file, lock_timeout, unlink=False) as cf:#012  File "/usr/lib64/python2.7/contextlib.py", line 17, in __enter__#012    return self.gen.next()#012  File "/usr/lib/python2.7/site-packages/swift/common/utils.py", line 2321, in lock_file#012    fd = os.open(filename, flags)#012OSError: [Errno 13] Permission denied: '/var/cache/swift/object.recon'
Nov 28 05:09:08 7abff3cf15a7585a1d560b551b408ec9-aio-0 object-server: Exception dumping recon cache: #012Traceback (most recent call last):#012  File "/usr/lib/python2.7/site-packages/swift/common/utils.py", line 3135, in dump_recon_cache#012    with lock_file(cache_file, lock_timeout, unlink=False) as cf:#012  File "/usr/lib64/python2.7/contextlib.py", line 17, in __enter__#012    return self.gen.next()#012  File "/usr/lib/python2.7/site-packages/swift/common/utils.py", line 2321, in lock_file#012    fd = os.open(filename, flags)#012OSError: [Errno 13] Permission denied: '/var/cache/swift/object.recon'
Nov 28 05:09:08 7abff3cf15a7585a1d560b551b408ec9-aio-0 object-server: Exception dumping recon cache: #012Traceback (most recent call last):#012  File "/usr/lib/python2.7/site-packages/swift/common/utils.py", line 3135, in dump_recon_cache#012    with lock_file(cache_file, lock_timeout, unlink=False) as cf:#012  File "/usr/lib64/python2.7/contextlib.py", line 17, in __enter__#012    return self.gen.next()#012  File "/usr/lib/python2.7/site-packages/swift/common/utils.py", line 2321, in lock_file#012    fd = os.open(filename, flags)#012OSError: [Errno 13] Permission denied: '/var/cache/swift/object.recon'


/var/log/audit.log:
type=AVC msg=audit(1511865036.314:25534): avc:  denied  { read write } for  pid=31079 comm="swift-object-re" name="object.recon" dev="vda1" ino=5392083 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file

Version-Release number of selected component (if applicable):
openstack-selinux.noarch            0.8.11-1.el7ost
openstack-swift-object.noarch       2.15.1-3.el7ost        
puppet-swift.noarch                 11.3.0-1.el7ost
openstack-packstack.noarch          1:11.0.0-2.el7ost 

The above messages were found in the log after a tempest run.

Comment 3 Lon Hohberger 2017-11-29 15:26:46 UTC
The file context is wrong.

# restorecon -Rv /var/cache/swift

Comment 4 Lon Hohberger 2017-11-29 15:29:26 UTC
On RHEL 7.4, /var/cache/swift and subdirectories should have the following label:

   system_u:object_r:swift_var_cache_t:s0

'semanage fcontext -l | grep swift_var_cache_t' shows:


/var/cache/swift(/.*)?                             regular file       system_u:object_r:swift_var_cache_t:s0

Comment 5 Lon Hohberger 2017-11-29 15:31:25 UTC
So, this can be fixed in packstack somewhere, or in a puppet module (restorecon after creation).

Comment 9 ilmostro7 2018-02-18 06:45:29 UTC
I don't think that the "swift_var_cache_t" filecontext label resolves the issue.  I had relabelled the file during installation through "packstack --allinone" after seeing the AVC alerts.  However, the alerts kept showing up, albeit slightly different.  Initially the failures were for python to get "open" access on the file.  Thereafter, the errors were for "lock", "unlink" and "getattr".
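
Added example (not part of the original bug report or of any Red Hat tooling): a small triage helper that separates the two cases discussed in comments 3-5 and comment 9, a file whose label does not match its file-context rule versus a correctly labelled file that the policy still denies. The function names, the verdict strings and the second AVC record are constructed for illustration; the first record and the fcontext rule are taken from the comments above.

```python
import re

# File-context rule quoted in comment 4: anchored path regex -> expected type.
FCONTEXT_RULES = [(r"/var/cache/swift(/.*)?", "swift_var_cache_t")]

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?name="(?P<name>[^"]+)"'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

# AVC record from the bug description.
AVC_FROM_REPORT = (
    'type=AVC msg=audit(1511865036.314:25534): avc:  denied  { read write } for  '
    'pid=31079 comm="swift-object-re" name="object.recon" dev="vda1" ino=5392083 '
    'scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file'
)
# Constructed record (not from the report): same file after relabelling, still denied.
AVC_CONSTRUCTED = (
    'type=AVC msg=audit(1518936000.000:100): avc:  denied  { lock } for  '
    'pid=1234 comm="swift-object-re" name="object.recon" dev="vda1" ino=5392083 '
    'scontext=system_u:system_r:swift_t:s0 '
    'tcontext=system_u:object_r:swift_var_cache_t:s0 tclass=file'
)

def expected_type(path):
    """Return the type the fcontext rules assign to path, or None if no rule matches."""
    for pattern, setype in FCONTEXT_RULES:
        if re.fullmatch(pattern, path):
            return setype
    return None

def triage(avc_line, path):
    """Classify one denial; path is the full path from the service's own error."""
    m = AVC_RE.search(avc_line)
    if m is None:
        raise ValueError("not an AVC denial record")
    if path.rsplit("/", 1)[-1] != m["name"]:
        raise ValueError("path does not end in the AVC name= component")
    actual = m["tcontext"].split(":")[2]        # user:role:type:level
    wanted = expected_type(path)
    # Wrong label: relabel with restorecon. Right label, still denied: policy gap.
    verdict = ("no-rule" if wanted is None
               else "mislabeled" if actual != wanted else "policy")
    return {"verdict": verdict, "actual": actual, "expected": wanted,
            "domain": m["scontext"].split(":")[2], "perms": m["perms"].split()}

if __name__ == "__main__":
    for line in (AVC_FROM_REPORT, AVC_CONSTRUCTED):
        print(triage(line, "/var/cache/swift/object.recon"))
```

The AVC record only carries the last path component in name=, so the full path is taken from the OSError in the syslog traceback.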

Comment 10 ilmostro7 2018-02-18 06:51:57 UTC
There might have been other issues there, as indicated in the upstream bug report on launchpad.  Ultimately, however, the issue seems to have been resolved upstream, although the problem persists with current implementations of the "openstack-packstack" tool and/or the "openstack-selinux" policy package.

[QUOTE]
"OpenStack Infra (hudson-openstack) wrote on 2018-01-30: Fix included in openstack/instack-undercloud 8.2.0 #16

This issue was fixed in the openstack/instack-undercloud 8.2.0 release."
[/QUOTE]

Comment 18 errata-xmlrpc 2018-08-20 12:53:41 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:2521