Bug 1354488

Summary: Multiple SElinux alerts
Product: [Red Hat Storage] Red Hat Ceph Storage Reporter: Emilien Macchi <emacchi>
Component: BuildAssignee: Boris Ranto <branto>
Status: CLOSED UPSTREAM QA Contact: ceph-qe-bugs <ceph-qe-bugs>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 2.0CC: kdreyer
Target Milestone: rc   
Target Release: 2.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-07-12 16:04:01 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Emilien Macchi 2016-07-11 12:22:30 UTC 
Description of problem:
Found 26 alerts in /var/log/audit/audit.log when deploying Ceph and OpenStack.

Version-Release number of selected component (if applicable):
ceph-selinux-10.2.2-0.el7.x86_64

Logs are available here:
http://logs.openstack.org/69/340069/1/check/gate-puppet-openstack-integration-3-scenario001-tempest-centos-7/039ef95/console.html#_2016-07-09_21_22_16_348053

The complete list of AVCs:
http://paste.openstack.org/show/8cj29aJdevufwouLzqop/
Comment 2 Ken Dreyer (Red Hat) 2016-07-11 14:57:34 UTC 
"ceph-selinux-10.2.2-0.el7" looks like an upstream version number, not a Red Hat Ceph Storage version number...
Comment 3 Emilien Macchi 2016-07-11 15:08:51 UTC 
Right, I deployed Jewel, provided in CentOS Storage SIG repository.
Comment 4 Boris Ranto 2016-07-12 11:53:32 UTC 
These are all var_t target contexts, they should probably be labelled with some ceph_<something>_t label. Can you paste the ceph.conf?

Also, I can see some /srv/data/... paths in the logs. These do not seem as the default ceph locations. What are these files?
Comment 5 Emilien Macchi 2016-07-12 11:55:35 UTC 
We're using puppet-ceph to deploy Ceph.
The manifest is here, in this CI tools repository:
https://github.com/openstack/puppet-openstack-integration/blob/master/manifests/ceph.pp#L11-L44

The manifest is something we can easily changed, it's only used in CI.
The actual module is here: https://github.com/openstack/puppet-ceph

Feel free to give any feedback at our way to deploy. Also submit a patch in our CI if needed.
Comment 6 Ken Dreyer (Red Hat) 2016-07-12 16:04:01 UTC 
Since this test is not using the ceph RPMs from the Red Hat Ceph Storage product, I'm going to close this BZ and request that you please file tickets with Ceph upstream for now: http://tracker.ceph.com/projects/devops/issues/new

In the Redmine ticket, it would be good to mention exactly where you got the ceph-10.2.2-0 RPMs (centos.org, not ceph.com)
Comment 7 Emilien Macchi 2016-07-12 16:22:09 UTC 
I created an account on http://tracker.ceph.com/projects/ceph and I can't create any ticket. My account ID is "emacchi". I would be grateful if you could help me to solve this bug.

Thanks
Comment 8 Boris Ranto 2016-07-13 09:49:38 UTC 
@Emilien: Hmm, the line #42: '/srv/data' => {} seems quite suspicious. Any idea what does it define? Anyway, it would probably help if you stored the files elsewhere. Depending on the type of files it covers, this could be somewhere under /var/lib/ceph, /var/log/ceph or even /var/run/ceph (or maybe even somewhere under /tmp?).
Comment 9 Emilien Macchi 2016-07-13 12:12:56 UTC 
ok I tried to push a patch to change the dir to /var/lib/ceph/data. Let's see how it works now.
Comment 10 Ken Dreyer (Red Hat) 2016-07-13 13:30:11 UTC 
You're account should be active in Redmine now, Emilien. If you have questions, please ask zackc in IRC (#sepia channel in OFTC)
Comment 11 Emilien Macchi 2016-07-13 13:44:24 UTC 
indeed, using /var/lib/ceph reduced the SElinux alerts to 1. I'll file a bug in Ceph tracker.
Comment 12 Emilien Macchi 2016-07-13 13:50:07 UTC 
And here's the upstream bug: http://tracker.ceph.com/issues/16674