Created attachment 706193 [details] Patch against master_contrib branch of selinux-policy

Description of problem:

type=AVC msg=audit(1362499871.862:4753): avc: denied { write } for pid=26757 comm="rsync" name="160573" dev=vdb ino=360455 scontext=unconfined_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=dir
type=AVC msg=audit(1362499871.862:4753): avc: denied { add_name } for pid=26757 comm="rsync" name="cbf" scontext=unconfined_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=dir
type=AVC msg=audit(1362499871.862:4753): avc: denied { create } for pid=26757 comm="rsync" name="cbf" scontext=unconfined_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=dir
type=AVC msg=audit(1362499871.862:4754): avc: denied { setattr } for pid=26757 comm="rsync" name="cbf" dev=vdb ino=360460 scontext=unconfined_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=dir
type=AVC msg=audit(1362499871.866:4755): avc: denied { create } for pid=26758 comm="rsync" name=".1362499777.99721.data.actL9H" scontext=unconfined_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1362499871.866:4755): avc: denied { read write open } for pid=26758 comm="rsync" name=".1362499777.99721.data.actL9H" dev=vdb ino=360464 scontext=unconfined_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1362499871.867:4756): avc: denied { setattr } for pid=26758 comm="rsync" name=".1362499777.99721.data.actL9H" dev=vdb ino=360464 scontext=unconfined_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1362499871.867:4757): avc: denied { getattr } for pid=26758 comm="rsync" path="/srv/node/device2/objects/160573/cbf/9ccf550c695fcec8e85e12c10a45ecbf/.1362499777.99721.data.actL9H" dev=vdb ino=360464 scontext=unconfined_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1362499871.868:4758): avc: denied { remove_name } for pid=26758 comm="rsync" name=".1362499777.99721.data.actL9H" dev=vdb ino=360464 scontext=unconfined_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=dir
type=AVC msg=audit(1362499871.868:4758): avc: denied { rename } for pid=26758 comm="rsync" name=".1362499777.99721.data.actL9H" dev=vdb ino=360464 scontext=unconfined_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=file

Version-Release number of selected component (if applicable):
openstack-selinux-0.1.2-6

These AVCs are caused by incorrect labelling on /srv/node/* and /srv/loopback-device/*.

Here is a workaround for testing environments:

# semanage fcontext -a -t rsync_data_t '/srv/node(/.*)?'
# semanage fcontext -a -t rsync_data_t '/srv/loopback-device(/.*)?'
# restorecon -Rv /srv/*
# setsebool rsync_client on
Rather, a more appropriate solution involving assigning a specific file context to /srv/node and /srv/loopback-device is attached. This:

- defines swift_rsync_t
- allows rsync_t and swift_t to read/write/manage swift_rsync_t
- defines /srv/node and /srv/loopback-device as swift_rsync_t context
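As an added example (not code from this bug, from openstack-selinux or from selinux-policy), the following Python parses the AVC records quoted above the way audit2allow would, collapsing them into (source type, target type, class) -> permissions, and renders the allow rules that approach produces. Those rules, granting rsync_t broad write access to the generic var_t type, are exactly the fix this bug avoids: the denials happen because /srv/node is mislabeled, so the right answer is a file-context spec plus restorecon. The second half of the block checks that every denied path the log actually names falls under such a spec. The SWIFT_FCONTEXT table is a hypothetical Python mirror of the /srv/node and /srv/loopback-device entries (using swift_data_t, the type name the later attachments settled on), and treating each spec as anchored at both ends, as setfiles and matchpathcon do, is an assumption of this example.

```python
import re
from collections import defaultdict

# Constructed sample input: the AVC records from the bug description above,
# one record per line (which is how they appear in the raw audit log).
AVC_SAMPLE = """\
type=AVC msg=audit(1362499871.862:4753): avc: denied { write } for pid=26757 comm="rsync" name="160573" dev=vdb ino=360455 scontext=unconfined_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=dir
type=AVC msg=audit(1362499871.862:4753): avc: denied { add_name } for pid=26757 comm="rsync" name="cbf" scontext=unconfined_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=dir
type=AVC msg=audit(1362499871.862:4753): avc: denied { create } for pid=26757 comm="rsync" name="cbf" scontext=unconfined_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=dir
type=AVC msg=audit(1362499871.862:4754): avc: denied { setattr } for pid=26757 comm="rsync" name="cbf" dev=vdb ino=360460 scontext=unconfined_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=dir
type=AVC msg=audit(1362499871.866:4755): avc: denied { create } for pid=26758 comm="rsync" name=".1362499777.99721.data.actL9H" scontext=unconfined_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1362499871.866:4755): avc: denied { read write open } for pid=26758 comm="rsync" name=".1362499777.99721.data.actL9H" dev=vdb ino=360464 scontext=unconfined_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1362499871.867:4756): avc: denied { setattr } for pid=26758 comm="rsync" name=".1362499777.99721.data.actL9H" dev=vdb ino=360464 scontext=unconfined_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1362499871.867:4757): avc: denied { getattr } for pid=26758 comm="rsync" path="/srv/node/device2/objects/160573/cbf/9ccf550c695fcec8e85e12c10a45ecbf/.1362499777.99721.data.actL9H" dev=vdb ino=360464 scontext=unconfined_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1362499871.868:4758): avc: denied { remove_name } for pid=26758 comm="rsync" name=".1362499777.99721.data.actL9H" dev=vdb ino=360464 scontext=unconfined_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=dir
type=AVC msg=audit(1362499871.868:4758): avc: denied { rename } for pid=26758 comm="rsync" name=".1362499777.99721.data.actL9H" dev=vdb ino=360464 scontext=unconfined_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC denial into a dict of its key=value fields plus a 'perms' list; None if not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    return rec


def type_of(context):
    """Extract the type from a user:role:type[:range] security context."""
    return context.split(":")[2]


def summarize(lines):
    """Collapse denials into {(source type, target type, class): sorted perms}, as audit2allow does."""
    rules = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
        rules[key].update(rec["perms"])
    return {k: sorted(v) for k, v in rules.items()}


def allow_rules(summary):
    """Render audit2allow-style rules. For this bug these are the WRONG fix: they open var_t to rsync_t."""
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(p))
            for (s, t, c), p in sorted(summary.items())]


# Hypothetical mirror of the file-context specs the patch installs (regex -> type).
# Modeled on its /srv/node and /srv/loopback-device entries; not the patch itself.
SWIFT_FCONTEXT = {
    r"/srv/node(/.*)?": "swift_data_t",
    r"/srv/loopback-device(/.*)?": "swift_data_t",
}


def fcontext_type(path, specs=SWIFT_FCONTEXT):
    """Type the spec table assigns to path, treating specs as anchored at both ends (assumption), else None."""
    for pattern, typ in specs.items():
        if re.fullmatch(pattern, path):
            return typ
    return None


def uncovered_paths(lines, specs=SWIFT_FCONTEXT):
    """Paths named by denials (records with path=) that the specs would NOT relabel.
    An empty list means a restorecon under these specs addresses every path the log names."""
    return [rec["path"] for rec in map(parse_avc, lines)
            if rec and "path" in rec and fcontext_type(rec["path"], specs) is None]


if __name__ == "__main__":
    lines = AVC_SAMPLE.splitlines()
    print("what audit2allow would suggest (do not ship this):")
    for rule in allow_rules(summarize(lines)):
        print("  " + rule)
    print("denied paths not covered by the fcontext specs:", uncovered_paths(lines))
```

Most of the records carry only name= and ino=, not a full path, which is why the summary view is useful: it makes the pattern (rsync_t against var_t under /srv) obvious even when only one record shows where on disk the object lives.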
Created attachment 706232 [details] Patch against master_contrib branch of selinux-policy Changes the new type to match convention with other modules.
Created attachment 706233 [details] Patch against master_contrib branch of selinux-policy Remove extraneous whitespace change.
Created attachment 706261 [details] Patch against master_contrib branch of selinux-policy Include Pete Zaitcev's notes from https://bugzilla.redhat.com/show_bug.cgi?id=885529#c21
Created attachment 706268 [details] Fix typo
Created attachment 706287 [details] Patch against master_contrib branch of selinux-policy Add rather critical missing files_type(swift_data_t) assignment. I did some cursory tests on Derek's machine with the RHOS-port of this patch.
Dan / Miroslav - can I get a review of that patch in comment #12? I think it's mostly ready to go.
So openstack-selinux-0.1.2-7.el6ost.noarch.rpm is the right version?
I'm not sure what is meant by "incorrect labelling on /srv/node/*", so far I tried this:

$ rpm -qa | grep openstack-selinux
openstack-selinux-0.1.2-7.el6ost.noarch
$ mv /srv/node/device1/{accounts,accountsx}

With selinux disabled, the 'accounts' dir gets re-created within a minute (but the 'accountsx' dir stays there). With selinux enabled, I get avc denials similar to those in the bug description.
/srv/* is mislabeled. The following:

restorecon -Rv /srv/*

...should fix it.
We'll call this from the rpm spec file.
Created attachment 711952 [details] Spec file patch to call restorecon on /srv
This should break things:

chcon -R unconfined_u:object_r:file_t:s0 /srv/node/*

Updating to the -8 rpm should fix things:

rpm -Uvh openstack-selinux-0.1.2-8.el6ost.noarch.rpm
Seems to work.

$ ls -lZ /srv/node
drwxr-xr-x. swift swift unconfined_u:object_r:swift_data_t:s0 device1
drwxr-xr-x. swift swift unconfined_u:object_r:swift_data_t:s0 device2

(In reply to comment #23)
> This should break things:
>
> chcon -R unconfined_u:object_r:file_t:s0 /srv/node/*
>
> Updating to the -8 rpm should fix things:
>
> rpm -Uvh openstack-selinux-0.1.2-8.el6ost.noarch.rpm
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2013-0706.html