Bug 1566664
| Summary: | [release note] avc: denied { search } for pid=31651 comm="ms_dispatch" name="httpd" | ||
|---|---|---|---|
| Product: | [Red Hat Storage] Red Hat Ceph Storage | Reporter: | Christina Meno <gmeno> |
| Component: | Documentation | Assignee: | ceph-docs <ceph-docs> |
| Status: | CLOSED NOTABUG | QA Contact: | ceph-qe-bugs <ceph-qe-bugs> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 3.0 | CC: | branto, ceph-qe-bugs, gmeno, kchai, kdreyer, tserlin, vakulkar |
| Target Milestone: | z2 | ||
| Target Release: | 3.0 | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Known Issue | |
| Doc Text: |
Cause:
A ceph daemon can try to access httpd config files but it is forbidden to do so by SELinux.
Consequence:
AVC denials appear in /var/log/audit/audit.log in the form "type=AVC msg=audit(1523314111.291:2981): avc: denied { search } for pid=27807 comm="ms_dispatch" name="httpd" dev="sda1" ino=1172 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=dir"
Workaround (if any):
If you are experiencing any issues because of this AVC denial you can put SELinux into Permissive mode with
# setenforce Permissive
Result:
SElinux will allow ceph to access httpd config files.
|
Story Points: | --- |
| Clone Of: | 1565416 | Environment: | |
| Last Closed: | 2018-05-30 15:32:05 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1565416 | ||
| Bug Blocks: | |||
|
Comment 3
Christina Meno
2018-04-12 18:06:40 UTC
I have updated the doc text. I don't think we want to do advice customers to put this denial into their own custom policy. It may cause some issues (print some warnings) in the future when we allow this in our ceph policy. Instead, we should just guide the customers to put SELinux into Permissive mode if they are experiencing any issues. No docs changes needed for this |