Verify operation in swift contains incomplete information about selinux

Bug #1835203 reported by Fritz Elfert
Affects: OpenStack Object Storage (swift)
Status: New
Importance: Undecided
Assigned to: Unassigned

Bug Description

- [x] This is a doc addition request.

The information about selinux is incomplete. In the current setup, swift is
denied execution of rsync. The following custom selinux policy-module fixes this:

module local 1.0;

require {
        type rsync_exec_t;
        type swift_t;
        class file { execute open read };
}

#============= swift_t ==============
# let the swift daemons (swift_t) read and execute the rsync binary (rsync_exec_t)
allow swift_t rsync_exec_t:file { execute open read };

-----------------------------------
Release: 2.19.2.dev1 on 2019-03-22 22:21
SHA: 2e7e0bd4be5687100543818854df928ca08bd638
Source: https://git.openstack.org/cgit/openstack/swift/tree/doc/source/install/verify.rst
URL: https://docs.openstack.org/swift/rocky/install/verify.html

CY Chiang (duncan.c) wrote :
Fritz Elfert (felfert) wrote :

Actually, in the meantime, I stumbled over more issues with swift and selinux. Maybe casual users should simply disable selinux. My current selinux custom policy looks like this:

-------------------------------------------------------------------------------------------------
module local 1.0;

require {
        type var_lock_t;
        type rsync_port_t;
        type rsync_exec_t;
        type rsync_t;
        type swift_t;
        class tcp_socket name_connect;
        class file { create execute execute_no_trans open read };
}

#============= rsync_t ==============

#!!!! This avc is allowed in the current policy
allow rsync_t var_lock_t:file create;

#============= swift_t ==============
allow swift_t rsync_exec_t:file { execute execute_no_trans open read };

#!!!! This avc is allowed in the current policy
allow swift_t rsync_port_t:tcp_socket name_connect;
-------------------------------------------------------------------------------------------------
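Both policy modules in this report were generated from audit AVC denials (the `#!!!!` lines are audit2allow's own notes). As an added example that is not part of the bug report or of the Swift project, the script below shows the loop an operator runs instead of switching SELinux off: take the denial records (two constructed samples modelled on the swift/rsync case are embedded; on a real host they come from `ausearch -m AVC -ts recent`), reduce each to the narrowest allow rule, assemble the rules into a `.te` module shaped like the ones above, and compile it with `checkmodule` and `semodule_package` so it can be loaded with `semodule -i`. The sed-based `avc_to_allow` is a small stand-in for audit2allow, and all function names here are this example's own.

```shell
#!/bin/sh
# Added example, not from the bug report or the Swift project: derive minimal SELinux
# allow rules from AVC denials, assemble them into a .te module and build it.

# Constructed sample AVC records modelled on the swift/rsync denials in this bug.
# On a real host the input is: ausearch -m AVC -ts recent
SAMPLE_AVC='type=AVC msg=audit(1562833200.123:456): avc:  denied  { execute } for  pid=1234 comm="swift-object-re" name="rsync" dev="dm-0" ino=9999 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:rsync_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1562833200.456:457): avc:  denied  { name_connect } for  pid=1234 comm="swift-object-re" dest=873 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:rsync_port_t:s0 tclass=tcp_socket permissive=0'

# avc_to_allow: read AVC records on stdin and print one TE allow rule per denial,
# keeping only the source type, target type, class and the denied permissions
# (a small stand-in for audit2allow).
avc_to_allow() {
    sed -n 's/.*denied  *{ \([^}]*\)} .*scontext=[^:]*:[^:]*:\([^:]*\):.*tcontext=[^:]*:[^:]*:\([^:]*\):.*tclass=\([a-z_]*\).*/allow \2 \3:\4 { \1};/p'
}

# make_te: read allow rules on stdin and print a complete policy module named $1,
# generating the require block from the types, classes and permissions used.
make_te() {
    awk -v name="$1" '
        {
            # line shape: allow SRC TGT:CLASS { perm ... };
            split($3, tc, ":")
            types[$2] = 1; types[tc[1]] = 1
            for (i = 5; i <= NF; i++) {
                p = $i; sub(/}.*/, "", p)          # drop the closing "};"
                if (p != "" && !seen[tc[2], p]++) perms[tc[2]] = perms[tc[2]] " " p
            }
            rules = rules $0 "\n"
        }
        END {
            printf "module %s 1.0;\n\nrequire {\n", name
            for (t in types) printf "        type %s;\n", t
            for (c in perms) printf "        class %s {%s };\n", c, perms[c]
            printf "}\n\n%s", rules
        }'
}

# build_module: compile $1 (a .te file) into a loadable .pp next to it.
# Returns 0 on success, 2 when the policy tools are not installed.
build_module() {
    te="$1"
    dir=$(dirname "$te")
    name=$(basename "$te" .te)
    command -v checkmodule >/dev/null 2>&1 && command -v semodule_package >/dev/null 2>&1 || return 2
    checkmodule -M -m -o "$dir/$name.mod" "$te" &&
        semodule_package -o "$dir/$name.pp" -m "$dir/$name.mod"
}

demo() {
    work=$(mktemp -d)
    printf '%s\n' "$SAMPLE_AVC" | avc_to_allow | make_te local > "$work/local.te"
    cat "$work/local.te"
    if build_module "$work/local.te"; then
        echo "built $work/local.pp; load as root with: semodule -i $work/local.pp"
    else
        echo "policy tools not installed; review $work/local.te and build it on the SELinux host"
    fi
}

demo
```

Read the generated rules before loading them: each should name one source type, one target type, one class and only the permissions that were actually denied, exactly as the modules in this report do. A rule that widens to a broad type or permission set gives up most of what enforcing mode buys.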

CY Chiang (duncan.c) wrote :

Thanks, maybe I will find an RDO env to test the selinux policy.
