Bug 1658612 - SELinux denies container to container synchronization
Summary: SELinux denies container to container synchronization
Status: CLOSED DUPLICATE of bug 1658606
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-selinux
Version: 8.0 (Liberty)
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Zoli Caplovic
QA Contact: Jon Schlueter
Depends On: 1652297 1658617 1658618 1658619
Reported: 2018-12-12 14:15 UTC by Zoli Caplovic
Modified: 2019-02-04 15:41 UTC (History)

Fixed In Version: openstack-selinux-0.8.16-1.el7ost
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1652297
Last Closed: 2019-02-04 15:41:08 UTC
Target Upstream Version:


Description Zoli Caplovic 2018-12-12 14:15:15 UTC
+++ This bug was initially created as a clone of Bug #1652297 +++

Description of problem:

Running "swift-init container-sync once" throws this error:

Nov 21 14:59:14 ctrl01 container-server[1378]: Failed to update sync_store /srv/node/swiftloopback/containers/174991/f3f/aae3e64f909b58ab302a0fbb385eff3f/aae3e64f909b58ab302a0fbb385eff3f.db:
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/swift/container/replicator.py", line 194, in _post_replicate_hook
    self.sync_store.update_sync_store(broker)
  File "/usr/lib/python2.7/site-packages/swift/container/sync_store.py", line 159, in update_sync_store
    self.add_synced_container(broker)
  File "/usr/lib/python2.7/site-packages/swift/container/sync_store.py", line 81, in add_synced_container
    raise oserr
OSError: [Errno 13] Permission denied: '/srv/node/swiftloopback/sync_containers/174991/f3f/aae3e64f909b58ab302a0fbb385eff3f/aae3e64f909b58ab302a0fbb385eff3f.db'

Version-Release number of selected component (if applicable):

How reproducible:
Configure Container to Container and do synchronization

Steps to Reproduce:

Actual results:
SELinux blocks link creation:
type=AVC msg=audit(1542830504.754:4792): avc:  denied  { read } for  pid=1378 comm="swift-container" name="aae3e64f909b58ab302a0fbb385eff3f.db" dev="loop0" ino=20 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:swift_data_t:s0 tclass=lnk_file

Expected results:
Synchronization done correctly.

Additional info:
The missing rule is the following:
[root@ctrl01 ~(keystone_admin)]# tail -100 /var/log/audit/audit.log|audit2allow

#============= swift_t ==============
allow swift_t swift_data_t:lnk_file create;

--- Additional comment from Zoli Caplovic on 2018-11-28 16:59:54 UTC ---

Hello Alberto,

just for confirmation - the statement:
"The missing rule is the following: allow swift_t swift_data_t:lnk_file create;"

can be understood as "we need to add this rule and it will be working" or as "this seems to be the probable cause"?

Thank you for the clarification

Zoli Caplovic

--- Additional comment from Alberto Gonzalez on 2018-11-28 17:02:59 UTC ---

we need to add this rule and it will be working

--- Additional comment from Zoli Caplovic on 2018-11-28 17:06:35 UTC ---

Thanks Alberto for the clarification. Will work on adding the rule.
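The "Additional info" above derives the missing policy rule by piping the audit log through audit2allow. As an added illustration (not code from this bug or from openstack-selinux), the script below does the same job in a few dozen lines: it parses AVC denial records into source type, target type, object class and permissions, merges denials that share the same triple the way audit2allow does, and renders a type-enforcement allow rule. It also includes a review check that flags a generated rule whose source or target type falls outside the types you expected to touch, which is the caveat a practitioner would want before loading anything audit2allow produces. The sample log is constructed: the first AVC record is the one quoted in this bug (read on lnk_file), and the second is an assumed record carrying the create permission that the audit2allow output in the report implies was also present in the last 100 lines.

```python
import re
from collections import defaultdict

# Constructed sample audit log. Record 1 is the AVC quoted in this bug
# report; record 2 is an assumed denial for "create" (the permission the
# report's audit2allow output shows); record 3 is a non-AVC line that the
# parser must ignore.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1542830504.754:4792): avc:  denied  { read } for  pid=1378 comm="swift-container" name="aae3e64f909b58ab302a0fbb385eff3f.db" dev="loop0" ino=20 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:swift_data_t:s0 tclass=lnk_file
type=AVC msg=audit(1542830504.760:4793): avc:  denied  { create } for  pid=1378 comm="swift-container" name="aae3e64f909b58ab302a0fbb385eff3f.db" scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:swift_data_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1542830504.754:4792): arch=c000003e syscall=2 success=no exit=-13
"""

# Matches the parts of an AVC denial record needed for an allow rule.
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def parse_avc(line):
    """Return (source_type, target_type, tclass, set_of_perms), or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # An SELinux context is user:role:type[:level]; the type is the third field.
    stype = m.group("scontext").split(":")[2]
    ttype = m.group("tcontext").split(":")[2]
    perms = set(m.group("perms").split())
    return stype, ttype, m.group("tclass"), perms


def collect_rules(log_text):
    """Merge denials per (source, target, class) triple, as audit2allow does."""
    merged = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_avc(line)
        if parsed:
            stype, ttype, tclass, perms = parsed
            merged[(stype, ttype, tclass)] |= perms
    return merged


def format_rule(stype, ttype, tclass, perms):
    """Render one TE allow rule; multiple permissions are braced and sorted."""
    perms = sorted(perms)
    body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {stype} {ttype}:{tclass} {body};"


def render_te(merged):
    """Render all merged denials as allow rules, one per line."""
    return "\n".join(format_rule(s, t, c, p) for (s, t, c), p in sorted(merged.items()))


def is_scoped(rule, allowed_sources, allowed_targets):
    """Review check: True only if the rule stays within the expected source and target types."""
    m = re.match(r"allow (\S+) (\S+):", rule)
    return bool(m) and m.group(1) in allowed_sources and m.group(2) in allowed_targets


if __name__ == "__main__":
    rules = collect_rules(SAMPLE_AUDIT_LOG)
    for rule in render_te(rules).splitlines():
        # For this bug the only acceptable rule is swift_t acting on swift_data_t.
        print(rule, "| scoped:", is_scoped(rule, {"swift_t"}, {"swift_data_t"}))
```

Run it to see the merged rule `allow swift_t swift_data_t:lnk_file { create read };`, which is the shape of the rule the report says openstack-selinux needed. The scoping check is the step worth keeping in any workflow that turns audit logs into policy: a tail of a busy audit log can contain unrelated denials, and loading the unreviewed audit2allow output would grant those as well.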


Comment 9 Steve Linabery 2019-02-04 15:41:08 UTC

*** This bug has been marked as a duplicate of bug 1658606 ***
