Description of problem:
Running "swift-init container-sync once" throws this error:

Nov 21 14:59:14 ctrl01 container-server[1378]: Failed to update sync_store /srv/node/swiftloopback/containers/174991/f3f/aae3e64f909b58ab302a0fbb385eff3f/aae3e64f909b58ab302a0fbb385eff3f.db:
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/swift/container/replicator.py", line 194, in _post_replicate_hook
    self.sync_store.update_sync_store(broker)
  File "/usr/lib/python2.7/site-packages/swift/container/sync_store.py", line 159, in update_sync_store
    self.add_synced_container(broker)
  File "/usr/lib/python2.7/site-packages/swift/container/sync_store.py", line 81, in add_synced_container
    raise oserr
OSError: [Errno 13] Permission denied: '/srv/node/swiftloopback/sync_containers/174991/f3f/aae3e64f909b58ab302a0fbb385eff3f/aae3e64f909b58ab302a0fbb385eff3f.db'

Version-Release number of selected component (if applicable):
openstack-packstack-12.0.0-3.el7ost.noarch
openstack-packstack-puppet-12.0.0-3.el7ost.noarch

How reproducible:
Configure Container to Container and do synchronization

Steps to Reproduce:
1.
2.
3.

Actual results:
SELinux blocks link creation:

type=AVC msg=audit(1542830504.754:4792): avc: denied { read } for pid=1378 comm="swift-container" name="aae3e64f909b58ab302a0fbb385eff3f.db" dev="loop0" ino=20 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:swift_data_t:s0 tclass=lnk_file

Expected results:
Synchronization done correctly.

Additional info:
The missing rule is the following:

[root@ctrl01 ~(keystone_admin)]# tail -100 /var/log/audit/audit.log|audit2allow

#============= swift_t ==============
allow swift_t swift_data_t:lnk_file create;
Hello Alberto, just for confirmation - the statement: "The missing rule is the following: allow swift_t swift_data_t:lnk_file create;" can be understood as "we need to add this rule and it will be working" or as "this seems to be the probable cause"?

Thank you for the clarification,
Zoli Caplovic
Hello, we need to add this rule and it will be working
Thanks Alberto for the clarification. Will work on adding the rule.

Zoli
The AVC in the description is for { read } but the rule suggested is for { create }. Was there a mistake when copying the AVC details or should both rules be added?
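The question above about { read } versus { create } comes down to how audit2allow aggregates AVC records: it collects every permission denied for the same (source type, target type, object class) triple and emits one allow rule covering all of them, so a single `tail -100 | audit2allow` run can legitimately show a permission that is not in the one AVC line pasted into the description. The following is an added example, not code from the bug report or from the openstack-selinux project: a small Python parser that does the same aggregation over constructed sample audit records. The first record is the AVC from the description; the second, { create } denial is constructed to match the rule the reporter's audit2allow output shows. The module name `local_swift_sync` is a placeholder.

```python
import re
from collections import defaultdict

# Constructed sample audit.log content: the first AVC is the one quoted in the
# bug description, the second is a constructed { create } denial on the same
# source/target/class, and the SYSCALL record shows that non-AVC lines are skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1542830504.754:4792): avc:  denied  { read } for  pid=1378 comm="swift-container" name="aae3e64f909b58ab302a0fbb385eff3f.db" dev="loop0" ino=20 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:swift_data_t:s0 tclass=lnk_file
type=AVC msg=audit(1542830504.800:4793): avc:  denied  { create } for  pid=1378 comm="swift-container" name="aae3e64f909b58ab302a0fbb385eff3f.db" scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:swift_data_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1542830504.754:4792): arch=c000003e syscall=89 success=no exit=-13
"""

# Matches the parts of an AVC denial that determine the allow rule:
# the permission set, the source and target security contexts, and the class.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def parse_avc_denials(text):
    """Yield (source_type, target_type, tclass, perms) for each AVC denial in text."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, PATH, CWD and other record types carry no denial
        # A context is user:role:type:level; the type field is what policy rules use.
        stype = m.group('scontext').split(':')[2]
        ttype = m.group('tcontext').split(':')[2]
        perms = set(m.group('perms').split())
        yield stype, ttype, m.group('tclass'), perms


def merge_denials(text):
    """Union the denied permissions per (source type, target type, class)."""
    merged = defaultdict(set)
    for stype, ttype, tclass, perms in parse_avc_denials(text):
        merged[(stype, ttype, tclass)] |= perms
    return dict(merged)


def allow_rules(text):
    """Render one allow rule per merged triple, in the order audit2allow prints them."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(merge_denials(text).items()):
        perm_str = ' '.join(sorted(perms))
        if len(perms) > 1:
            perm_str = '{ %s }' % perm_str
        rules.append('allow %s %s:%s %s;' % (stype, ttype, tclass, perm_str))
    return rules


def te_module(text, name='local_swift_sync'):
    """Render a type-enforcement source in the shape `audit2allow -M` produces
    (module header, require block, allow rules); `name` is a placeholder."""
    merged = merge_denials(text)
    types = sorted({t for (stype, ttype, _) in merged for t in (stype, ttype)})
    classes = defaultdict(set)
    for (_, _, tclass), perms in merged.items():
        classes[tclass] |= perms
    lines = ['module %s 1.0;' % name, '', 'require {']
    lines += ['\ttype %s;' % t for t in types]
    lines += ['\tclass %s { %s };' % (c, ' '.join(sorted(p)))
              for c, p in sorted(classes.items())]
    lines += ['}', ''] + allow_rules(text)
    return '\n'.join(lines) + '\n'


if __name__ == '__main__':
    # Over the constructed log this yields:
    # allow swift_t swift_data_t:lnk_file { create read };
    print(te_module(SAMPLE_AUDIT_LOG))
```

Run against the two constructed records the parser produces a single rule, `allow swift_t swift_data_t:lnk_file { create read };`, which is why adding both permissions, as the pull request in the next comment does, covers the denial quoted in the description as well as the one audit2allow surfaced. The parser only reads the audit log; installing the resulting module on a host is still `checkmodule`/`semodule_package`/`semodule -i` (or `audit2allow -M` followed by `semodule -i`), which this example deliberately does not do.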
Submitted https://github.com/redhat-openstack/openstack-selinux/pull/24 to be on the safe side and resolve the failing test.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2019:0564