Glance scrubber SELinux denials

Bug #1774402 reported by Ben O'Hara
This bug affects 1 person
Affects: Glance
Status: Invalid
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

Glance scrubber on RHEL7 from RDO with SELinux enabled gets denied connecting to cinder & swift

type=AVC msg=audit(1527765224.059:149655): avc: denied { name_connect } for pid=1283 comm="glance-scrubber" dest=8776 scontext=system_u:system_r:glance_scrubber_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1527765228.066:149656): avc: denied { name_connect } for pid=1283 comm="glance-scrubber" dest=8776 scontext=system_u:system_r:glance_scrubber_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1527765228.690:149657): avc: denied { name_connect } for pid=1283 comm="glance-scrubber" dest=8080 scontext=system_u:system_r:glance_scrubber_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket

Enabling the nis_enabled seboolean allows connections to cinder; swift looks to need

allow glance_scrubber_t http_cache_port_t:tcp_socket name_connect;
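
How AVC records like the ones above map to type-enforcement rules such as the one proposed for swift, as an added example (not part of the original report, nor code from Glance or RDO): a small Python parser that groups denials by source type, target type and class. The names `parse_avc` and `allow_rules` are hypothetical; the sample log is the three records from the report, one per line.

```python
import re

# Sample input: the three AVC records quoted in the report, one per line.
SAMPLE_AUDIT_LOG = "\n".join([
    'type=AVC msg=audit(1527765224.059:149655): avc: denied { name_connect } for pid=1283 comm="glance-scrubber" dest=8776 scontext=system_u:system_r:glance_scrubber_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket',
    'type=AVC msg=audit(1527765228.066:149656): avc: denied { name_connect } for pid=1283 comm="glance-scrubber" dest=8776 scontext=system_u:system_r:glance_scrubber_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket',
    'type=AVC msg=audit(1527765228.690:149657): avc: denied { name_connect } for pid=1283 comm="glance-scrubber" dest=8080 scontext=system_u:system_r:glance_scrubber_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket',
])

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")

def parse_avc(line):
    """Return the fields of one AVC denial, or None if the line is not usable."""
    m = AVC_RE.search(line)
    if m is None or not m.group("perms").split():
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    try:
        # An SELinux context is user:role:type:level; rules are written on the type.
        source = fields["scontext"].split(":")[2]
        target = fields["tcontext"].split(":")[2]
        tclass = fields["tclass"]
    except (KeyError, IndexError):
        return None  # truncated or line-wrapped record: skip rather than guess
    dest = fields.get("dest", "")
    return {"source": source, "target": target, "tclass": tclass,
            "perms": m.group("perms").split(),
            "dest": int(dest) if dest.isdigit() else None}

def allow_rules(log_text):
    """Group denials and return [(allow_rule, [dest ports seen]), ...]."""
    grouped = {}
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        entry = grouped.setdefault((d["source"], d["target"], d["tclass"]),
                                   {"perms": set(), "ports": set()})
        entry["perms"].update(d["perms"])
        if d["dest"] is not None:
            entry["ports"].add(d["dest"])
    out = []
    for (source, target, tclass), e in sorted(grouped.items()):
        perms = sorted(e["perms"])
        perm_txt = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        out.append((f"allow {source} {target}:{tclass} {perm_txt};", sorted(e["ports"])))
    return out
```

Each rule grants access to every port carrying that port type, not only the destination port seen in the log, which is why the observed ports are returned alongside the rule for review.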

Erno Kuvaja (jokke) wrote:

This is a bug in RDO packaging rather than a bug in Glance. Please file the bug in RDO [0] and you will have much more luck getting it fixed.

[0] https://bugzilla.redhat.com/enter_bug.cgi?product=RDO

Changed in glance:
status: New → Invalid