Swift service tries to relabel files
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
tripleo | Fix Released | High | Cédric Jeanneret |
Bug Description
Hello,
Swift service wants to relabel files in its container. This is prohibited in a selinux-enabled system with proper separation, and raises the following AVCs:
type=AVC msg=audit(
type=AVC msg=audit(
This might come from a "cp -a" call, as that one will try (and fail) to reapply the SELinux labels.
Note: we will never allow relabelto from within a container, since it can lead to a major security hole on the host system.
Cheers,
C.
Changed in tripleo:
milestone: stein-3 → stein-rc1
Changed in tripleo:
assignee: nobody → Cédric Jeanneret (cjeanner)
status: Triaged → In Progress
Thanks Cedric. So I think this is the snippet that barfs on us:
```yaml
swift_copy_rings:
  image: *swift_ringbuilder_image
  net: none
  user: root
  detach: false
  # Use bash to run the cp command so that wildcards can be used
  command:
    - '/bin/bash'
    - '-c'
    - 'cp -v -a -t /etc/swift /swift_ringbuilder/etc/swift/*.gz /swift_ringbuilder/etc/swift/*.builder /swift_ringbuilder/etc/swift/backups'
```
This is from deployment/swift/swift-ringbuilder-container-puppet.yaml
Can we work around this by adding a specific --context[=CTX] param to the cp call?
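As an added example (not from the bug report or the tripleo templates), the copy can be done without asking cp to re-apply SELinux labels at all: GNU `cp -a` means `cp -dR --preserve=all`, and "all" includes `context`, which is the attribute the confined container is denied. Listing the attributes the ring copy actually needs leaves the label to the destination's default type. Paths and the demo tree are assumptions, not the real ringbuilder layout.

```shell
#!/bin/bash
# Added example, not code from the tripleo project.
set -eu

# Copy ring artifacts from the ringbuilder output ($1) into the Swift
# config dir ($2). No 'context' in the --preserve list, so cp never tries
# to set an SELinux label on the destination and no relabelto AVC fires.
copy_rings() {
    src="$1"   # e.g. /swift_ringbuilder/etc/swift (assumed layout)
    dst="$2"   # e.g. /etc/swift
    mkdir -p "$dst"
    cp -v --preserve=mode,ownership,timestamps -t "$dst" \
        "$src"/*.gz "$src"/*.builder
    # backups is a directory: copy it recursively with the same preserve set.
    cp -v -R --preserve=mode,ownership,timestamps -t "$dst" "$src/backups"
}

# Constructed demo tree standing in for the ringbuilder container's output.
# Returns the copied builder's mode so a caller can confirm it survived
# without 'context' in the preserve list.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/src/backups"
    printf 'ring' > "$tmp/src/object.ring.gz"
    printf 'builder' > "$tmp/src/object.builder"
    printf 'old' > "$tmp/src/backups/object.builder.bak"
    chmod 0640 "$tmp/src/object.builder"
    copy_rings "$tmp/src" "$tmp/dst" >/dev/null
    stat -c '%a' "$tmp/dst/object.builder"
    rm -rf "$tmp"
}
```

On a SELinux host you can confirm the copied files simply inherit the destination directory's default type with `ls -Z /etc/swift`, instead of carrying the label from the ringbuilder volume.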