Public bug reported: Glance scrubber on RHEL7 from RDO with SELinux enabled get denied connecting to cinder & swift
type=AVC msg=audit(1527765224.059:149655): avc: denied { name_connect } for pid=1283 comm="glance-scrubber" dest=8776 scontext=system_u:system_r:glance_scrubber_t:s0 tcontext= system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket type=AVC msg=audit(1527765228.066:149656): avc: denied { name_connect } for pid=1283 comm="glance-scrubber" dest=8776 scontext=system_u:system_r:glance_scrubber_t:s0 tcontext= system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket type=AVC msg=audit(1527765228.690:149657): avc: denied { name_connect } for pid=1283 comm="glance-scrubber" dest=8080 scontext=system_u:system_r:glance_scrubber_t:s0 tcontext= system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket Enabling the nis_enabled seboolean allows connections to cinder, swift looks to need allow glance_scrubber_t http_cache_port_t:tcp_socket name_connect; ** Affects: glance Importance: Undecided Status: New -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to Glance. https://bugs.launchpad.net/bugs/1774402 Title: Glance scrubber SELinux denials Status in Glance: New Bug description: Glance scrubber on RHEL7 from RDO with SELinux enabled get denied connecting to cinder & swift type=AVC msg=audit(1527765224.059:149655): avc: denied { name_connect } for pid=1283 comm="glance-scrubber" dest=8776 scontext=system_u:system_r:glance_scrubber_t:s0 tcontext= system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket type=AVC msg=audit(1527765228.066:149656): avc: denied { name_connect } for pid=1283 comm="glance-scrubber" dest=8776 scontext=system_u:system_r:glance_scrubber_t:s0 tcontext= system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket type=AVC msg=audit(1527765228.690:149657): avc: denied { name_connect } for pid=1283 comm="glance-scrubber" dest=8080 scontext=system_u:system_r:glance_scrubber_t:s0 tcontext= system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket Enabling the nis_enabled seboolean allows connections to cinder, swift looks to need allow glance_scrubber_t http_cache_port_t:tcp_socket name_connect; To manage notifications about this bug go to: https://bugs.launchpad.net/glance/+bug/1774402/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp