SELinux blocks swift's access to ephemeral ports

Bug #1375526 reported by Richard Su
Affects: tripleo
Status: Fix Released
Importance: High
Assigned to: Richard Su

Bug Description

These denials are being logged on the overcloud-control node on Fedora 20:

type=AVC msg=audit(1411756364.896:5765): avc: denied { name_connect } for pid=10073 comm="swift-object-se" dest=56420 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1411756391.224:6246): avc: denied { name_connect } for pid=9938 comm="swift-object-re" dest=47392 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket

Tags: selinux
Richard Su (rwsu) wrote :
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-image-elements (master)

Fix proposed to branch: master
Review: https://review.openstack.org/124940

Changed in tripleo:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-image-elements (master)

Reviewed: https://review.openstack.org/124940
Committed: https://git.openstack.org/cgit/openstack/tripleo-image-elements/commit/?id=531841d38d69754dafef7a15098e408c83a0d832
Submitter: Jenkins
Branch: master

commit 531841d38d69754dafef7a15098e408c83a0d832
Author: Richard Su <email address hidden>
Date: Mon Sep 29 18:52:06 2014 -0700

    SELinux: Allow swift access to ephemeral ports

    Enable the swift_can_network SELinux boolean to allow
    swift access to ephemeral ports.

    Change-Id: Ib7289929093f03ad39bb0aaa8e75f7e0842a9f5f
    Closes-Bug: 1375526

Changed in tripleo:
status: In Progress → Fix Committed
Jay Dobies (jdob)
Changed in tripleo:
status: Fix Committed → Fix Released
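
Added example, not part of the original bug report or of tripleo-image-elements: a small triage script that parses the two AVC records from the bug description, groups them by the denied rule, and maps that rule to the boolean named in the fix commit. The function names and the `KNOWN_BOOLEANS` table are assumptions made for illustration; the table's single entry comes from this bug's commit message.

```python
import re
from collections import defaultdict

# The two AVC records quoted in the bug description, embedded so this runs offline.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1411756364.896:5765): avc: denied { name_connect } for pid=10073 comm="swift-object-se" dest=56420 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1411756391.224:6246): avc: denied { name_connect } for pid=9938 comm="swift-object-re" dest=47392 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket
"""

AVC_RE = re.compile(r"type=AVC .*?avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Hypothetical lookup table: (source type, target type, class, permission) -> boolean.
# The only entry is the one this bug's fix commit enables.
KNOWN_BOOLEANS = {
    ("swift_t", "ephemeral_port_t", "tcp_socket", "name_connect"): "swift_can_network",
}

def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    try:  # a context is user:role:type:level, so the type is the third field
        rec["rule"] = (rec["scontext"].split(":")[2],
                       rec["tcontext"].split(":")[2], rec["tclass"])
    except (KeyError, IndexError):
        return None  # truncated or malformed record
    rec["perms"] = m.group("perms").split()
    return rec

def summarize(log_text):
    """Group denials by rule, collecting the processes and destination ports seen."""
    groups = defaultdict(lambda: {"comms": set(), "ports": set()})
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        for perm in rec["perms"]:
            key = rec["rule"] + (perm,)
            groups[key]["comms"].add(rec.get("comm", "?"))
            if rec.get("dest", "").isdigit():
                groups[key]["ports"].add(int(rec["dest"]))
    return dict(groups)

def booleans_to_review(log_text):
    """Booleans from KNOWN_BOOLEANS that cover a denied rule found in the log."""
    return sorted({KNOWN_BOOLEANS[k] for k in summarize(log_text) if k in KNOWN_BOOLEANS})
```

Grouping by rule shows that both denials are the same policy decision hitting different swift processes and destination ports, which is why a single boolean resolves them.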