yahoo-eng-team team mailing list archive

[Bug 1774402] [NEW] Glance scrubber SELinux denials

 

Public bug reported:

Glance scrubber on RHEL7 from RDO with SELinux enabled gets denied
connecting to cinder & swift

type=AVC msg=audit(1527765224.059:149655): avc:  denied  { name_connect } for  pid=1283 comm="glance-scrubber" dest=8776 scontext=system_u:system_r:glance_scrubber_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1527765228.066:149656): avc:  denied  { name_connect } for  pid=1283 comm="glance-scrubber" dest=8776 scontext=system_u:system_r:glance_scrubber_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1527765228.690:149657): avc:  denied  { name_connect } for  pid=1283 comm="glance-scrubber" dest=8080 scontext=system_u:system_r:glance_scrubber_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket

Enabling the nis_enabled seboolean allows connections to cinder;
swift looks to need

allow glance_scrubber_t http_cache_port_t:tcp_socket name_connect;

** Affects: glance
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1774402

To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1774402/+subscriptions
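
As an added example (not part of the original bug report, and not Glance or RDO code): a small Python triage script that parses the three AVC records from the report, groups them by source type, target type and class, and prints the candidate allow rule for each group so it can be reviewed before any policy change. The function names are hypothetical; the sample log is the report's own records rejoined onto single lines.

```python
import re
from collections import defaultdict

# AVC records from the bug report, each rejoined onto a single line.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1527765224.059:149655): avc:  denied  { name_connect } for  pid=1283 comm="glance-scrubber" dest=8776 scontext=system_u:system_r:glance_scrubber_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1527765228.066:149656): avc:  denied  { name_connect } for  pid=1283 comm="glance-scrubber" dest=8776 scontext=system_u:system_r:glance_scrubber_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1527765228.690:149657): avc:  denied  { name_connect } for  pid=1283 comm="glance-scrubber" dest=8080 scontext=system_u:system_r:glance_scrubber_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")

def parse_avc(line):
    """Parse one AVC denial line into a dict; return None for anything else."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None
    return {
        "perms": m.group("perms").split(),
        "dest": fields.get("dest"),
        # A context is user:role:type:level; policy rules are written on the type.
        "source": fields["scontext"].split(":")[2],
        "target": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
    }

def summarize(log_text):
    """Group denials by (source type, target type, class)."""
    groups = defaultdict(lambda: {"perms": set(), "ports": set(), "count": 0})
    for rec in filter(None, map(parse_avc, log_text.splitlines())):
        group = groups[(rec["source"], rec["target"], rec["tclass"])]
        group["perms"].update(rec["perms"])
        group["count"] += 1
        if rec["dest"]:
            group["ports"].add(int(rec["dest"]))
    return dict(groups)

def candidate_rules(groups):
    """Render one allow rule per group, for review rather than direct loading."""
    rules = []
    for (source, target, tclass), group in sorted(groups.items()):
        perms = sorted(group["perms"])
        perm_text = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {source} {target}:{tclass} {perm_text};")
    return rules

if __name__ == "__main__":
    for rule in candidate_rules(summarize(SAMPLE_AUDIT_LOG)):
        print(rule)
```

The rule produced for `http_cache_port_t` is the one the report proposes for swift; the `unreserved_port_t` rule would cover every port carrying that label, not only 8776, which is worth weighing when reviewing it.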

