yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1774402] Re: Glance scrubber SELinux denials

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Erno Kuvaja <jokke@xxxxxx>
Date: Fri, 08 Jun 2018 16:32:14 -0000
Reply-to: Bug 1774402 <1774402@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

This is a bug in RDO packaging rather than bug in Glance. Please file
the bug in RDO [0] and you have much more luck to get it fixed.

[0] https://bugzilla.redhat.com/enter_bug.cgi?product=RDO

** Changed in: glance
       Status: New => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1774402

Title:
  Glance scrubber SELinux denials

Status in Glance:
  Invalid

Bug description:
  Glance scrubber on RHEL7 from RDO with SELinux enabled get denied
  connecting to cinder & swift

  type=AVC msg=audit(1527765224.059:149655): avc:  denied  { name_connect } for  pid=1283 comm="glance-scrubber" dest=8776 scontext=system_u:system_r:glance_scrubber_t:s0 tcontext=
  system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
  type=AVC msg=audit(1527765228.066:149656): avc:  denied  { name_connect } for  pid=1283 comm="glance-scrubber" dest=8776 scontext=system_u:system_r:glance_scrubber_t:s0 tcontext=
  system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
  type=AVC msg=audit(1527765228.690:149657): avc:  denied  { name_connect } for  pid=1283 comm="glance-scrubber" dest=8080 scontext=system_u:system_r:glance_scrubber_t:s0 tcontext=
  system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket

  Enabling the nis_enabled seboolean allows connections to cinder,

  swift looks to need

  allow glance_scrubber_t http_cache_port_t:tcp_socket name_connect;

To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1774402/+subscriptions

References

[Bug 1774402] [NEW] Glance scrubber SELinux denials
From: Ben O'Hara, 2018-05-31