Bug 1347391

Summary: [RH Ceph 2.0 / 10.2.2-2] selinux avc: denied { chown } for pid=12251 comm="radosgw"
Product: [Red Hat Storage] Red Hat Ceph Storage
Reporter: Vasu Kulkarni <vakulkar>
Component: Build
Assignee: Boris Ranto <branto>
Status: CLOSED ERRATA
QA Contact: ceph-qe-bugs <ceph-qe-bugs>
Severity: medium
Docs Contact:
Priority: unspecified
Version: 2.0
CC: kdreyer, vakulkar
Target Milestone: rc
Target Release: 2.0
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: ceph-10.2.2-5.el7cp
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-08-23 19:42:04 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Vasu Kulkarni 2016-06-16 17:00:42 UTC
Description of problem:

The following denial was found during a smoke run:
SELinuxError: SELinux denials found on ubuntu.redhat.com: ['type=AVC msg=audit(1466048150.488:2656): avc:  denied  { chown } for  pid=12251 comm="radosgw" capability=0  scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:system_r:ceph_t:s0 tclass=capability']

I believe this was recently fixed in master

Version-Release number of selected component (if applicable):

10.2.2-2.el7cp (f1f313912893a3ecab6afbdc5690054dde9789fb)

more logs:

http://magna002.ceph.redhat.com/vasu-2016-06-15_19:14:50-smoke-jewel---basic-pluto/238903/teuthology.log

Comment 2 Ken Dreyer (Red Hat) 2016-06-16 19:53:58 UTC
Boris, would you please look into this and prepare a patch for the selinux policy if necessary?

Comment 3 Ken Dreyer (Red Hat) 2016-06-17 12:26:16 UTC
Vasu, what is the minimal reproduction case for this denial? I'd like to try to reproduce it outside of teuthology.

Comment 4 Ken Dreyer (Red Hat) 2016-06-17 17:09:18 UTC
Vasu clarified that this is probably fixed by https://github.com/ceph/ceph/pull/9669 , so we will cherry-pick that downstream.

Comment 6 Boris Ranto 2016-06-20 09:45:38 UTC
Yes, this should be fixed by PR#9669.

Comment 9 Vasu Kulkarni 2016-06-21 22:01:52 UTC
Verified in 10.2.2

Comment 11 errata-xmlrpc 2016-08-23 19:42:04 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-1755.html