Bug 1652297 - SELinux denies container to container synchronization
Summary: SELinux denies container to container synchronization
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-selinux
Version: 13.0 (Queens)
Hardware: Unspecified
OS: Unspecified
low
low
Target Milestone: z5
: 13.0 (Queens)
Assignee: Zoli Caplovic
QA Contact: Jon Schlueter
URL:
Whiteboard:
Depends On:
Blocks: 1658606 1658611 1658612 1658617 1658618 1658619
TreeView+ depends on / blocked
 
Reported: 2018-11-21 20:03 UTC by Alberto Gonzalez
Modified: 2022-07-09 13:03 UTC (History)
5 users (show)

Fixed In Version: openstack-selinux-0.8.16-1.el7ost
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1658606 1658611 1658612 1658617 1658618 1658619 (view as bug list)
Environment:
Last Closed: 2019-03-14 13:34:19 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker OSP-17417 0 None None None 2022-07-09 13:03:50 UTC
Red Hat Product Errata RHSA-2019:0564 0 None None None 2019-03-14 13:34:43 UTC

Description Alberto Gonzalez 2018-11-21 20:03:26 UTC
Description of problem:

Running "swift-init container-sync once" throws this error:

Nov 21 14:59:14 ctrl01 container-server[1378]: Failed to update sync_store /srv/node/swiftloopback/containers/174991/f3f/aae3e64f909b58ab302a0fbb385eff3f/aae3e64f909b58ab302a0fbb385eff3f.db: #012Traceback (most recent call last):#012  File "/usr/lib/python2.7/site-packages/swift/container/replicator.py", line 194, in _post_replicate_hook#012    self.sync_store.update_sync_store(broker)#012  File "/usr/lib/python2.7/site-packages/swift/container/sync_store.py", line 159, in update_sync_store#012    self.add_synced_container(broker)#012  File "/usr/lib/python2.7/site-packages/swift/container/sync_store.py", line 81, in add_synced_container#012    raise oserr#012OSError: [Errno 13] Permission denied: '/srv/node/swiftloopback/sync_containers/174991/f3f/aae3e64f909b58ab302a0fbb385eff3f/aae3e64f909b58ab302a0fbb385eff3f.db'


Version-Release number of selected component (if applicable):
openstack-packstack-12.0.0-3.el7ost.noarch
openstack-packstack-puppet-12.0.0-3.el7ost.noarch


How reproducible:
Configure Container to Container and do synchronization

Steps to Reproduce:
1.
2.
3.

Actual results:
SELinux blocks link creation:
type=AVC msg=audit(1542830504.754:4792): avc:  denied  { read } for  pid=1378 comm="swift-container" name="aae3e64f909b58ab302a0fbb385eff3f.db" dev="loop0" ino=20 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:swift_data_t:s0 tclass=lnk_file


Expected results:
Synchronization done correctly.

Additional info:
The missing rule is the following:
[root@ctrl01 ~(keystone_admin)]# tail -100 /var/log/audit/audit.log|audit2allow


#============= swift_t ==============
allow swift_t swift_data_t:lnk_file create;

Comment 1 Zoli Caplovic 2018-11-28 16:59:54 UTC
Hello Alberto, 

just for confirmation - the statement: 
"The missing rule is the following: allow swift_t swift_data_t:lnk_file create;" 

can be understood as "we need to add this rule and it will be working" or as "this seems to be the probable cause". 

Thank you for the clarification

Zoli Caplovic

Comment 2 Alberto Gonzalez 2018-11-28 17:02:59 UTC
Hello,

we need to add this rule and it will be working

Comment 3 Zoli Caplovic 2018-11-28 17:06:35 UTC
Thanks Alberto for the clarification. Will work on adding the rule.


Zoli

Comment 4 Julie Pichon 2019-01-28 14:03:04 UTC
The AVC in the description is for { read } but the rule suggested is for { create }. Was there a mistake when copying the AVC details or should both rules be added?

Comment 5 Julie Pichon 2019-01-30 09:12:08 UTC
Submitted https://github.com/redhat-openstack/openstack-selinux/pull/24 to be on the safe side and resolve the failing test.

Comment 20 errata-xmlrpc 2019-03-14 13:34:19 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:0564


Note You need to log in before you can comment on or make changes to this bug.