yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1774402] [NEW] Glance scrubber SELinux denials

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Ben O'Hara <bohara@xxxxxxxxx>
Date: Thu, 31 May 2018 11:30:18 -0000
Reply-to: Bug 1774402 <1774402@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Public bug reported:

Glance scrubber on RHEL7 from RDO with SELinux enabled get denied
connecting to cinder & swift

type=AVC msg=audit(1527765224.059:149655): avc:  denied  { name_connect } for  pid=1283 comm="glance-scrubber" dest=8776 scontext=system_u:system_r:glance_scrubber_t:s0 tcontext=
system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1527765228.066:149656): avc:  denied  { name_connect } for  pid=1283 comm="glance-scrubber" dest=8776 scontext=system_u:system_r:glance_scrubber_t:s0 tcontext=
system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1527765228.690:149657): avc:  denied  { name_connect } for  pid=1283 comm="glance-scrubber" dest=8080 scontext=system_u:system_r:glance_scrubber_t:s0 tcontext=
system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket

Enabling the nis_enabled seboolean allows connections to cinder,

swift looks to need

allow glance_scrubber_t http_cache_port_t:tcp_socket name_connect;

** Affects: glance
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1774402

Title:
  Glance scrubber SELinux denials

Status in Glance:
  New

Bug description:
  Glance scrubber on RHEL7 from RDO with SELinux enabled get denied
  connecting to cinder & swift

  type=AVC msg=audit(1527765224.059:149655): avc:  denied  { name_connect } for  pid=1283 comm="glance-scrubber" dest=8776 scontext=system_u:system_r:glance_scrubber_t:s0 tcontext=
  system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
  type=AVC msg=audit(1527765228.066:149656): avc:  denied  { name_connect } for  pid=1283 comm="glance-scrubber" dest=8776 scontext=system_u:system_r:glance_scrubber_t:s0 tcontext=
  system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
  type=AVC msg=audit(1527765228.690:149657): avc:  denied  { name_connect } for  pid=1283 comm="glance-scrubber" dest=8080 scontext=system_u:system_r:glance_scrubber_t:s0 tcontext=
  system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket

  Enabling the nis_enabled seboolean allows connections to cinder,

  swift looks to need

  allow glance_scrubber_t http_cache_port_t:tcp_socket name_connect;

To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1774402/+subscriptions

Follow ups

[Bug 1774402] Re: Glance scrubber SELinux denials
From: Erno Kuvaja, 2018-06-08