Bug 1794027

Summary: TASK [ceph-nfs : start nfs gateway service] failed on FIPS enabled cluster
Product: Red Hat Enterprise Linux 8
Reporter: Sunil Kumar Nagaraju <sunnagar>
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED CURRENTRELEASE
QA Contact: Vasishta <vashastr>
Severity: high
Docs Contact: Bara Ancincova <bancinco>
Priority: medium
Version: 8.1
CC: aschoen, bancinco, ceph-eng-bugs, edonnell, gmeno, jdurgin, lvrabec, mmalik, nojha, nthomas, plautrba, ssekidde, tchandra, ykaul
Target Milestone: rc
Keywords: Triaged
Target Release: 8.3
Hardware: Unspecified
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Known Issue
Doc Text:
.Ansible cannot start NFS Ganesha if SELinux is in enforcing mode
When using SELinux in enforcing mode on {rhel} 8.1, the `ceph-ansible` utility fails to start the NFS Ganesha service because SELinux policy currently does not allow creating a directory required for NFS Ganesha.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-05-07 18:15:10 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1730176

Comment 13 Zdenek Pytela 2020-06-05 15:44:58 UTC
Sunil,

I see the scenario works in permissive mode where the AVC denials are also audited. Did you manage to gather the denials with the ausearch command as suggested in c#11?

Comment 16 Zdenek Pytela 2020-06-19 15:49:34 UTC
The AVC from the first attachment is allowed in the current policy version; please use selinux-policy-3.14.3-45.el8.noarch to verify. If yes, we can switch the component to ceph.

The second attachment contains 2 denials which need to be addressed in the ceph policy:
- ms_dispatch stating /proc/kcore: is it sufficient to dontaudit this access, i.e. do not allow it, but it will not be audited?
- ceph-mgr wants to search the httpd configuration directory; what it is looking for does not seem to exist, though

Comment 18 Josh Durgin 2020-06-26 22:01:14 UTC
Yes, we can use the latest selinux-policy to verify this. The further 2 selinux denials in ceph are addressed by separate BZs: https://bugzilla.redhat.com/show_bug.cgi?id=1828232 and https://bugzilla.redhat.com/show_bug.cgi?id=1829758

Comment 21 Zdenek Pytela 2021-05-07 18:15:10 UTC
Verified the permission is present in the current release of RHEL:

sesearch -A -s init_t -t var_lib_nfs_t -c dir -p create
allow init_t non_security_file_type:dir { create getattr }; [ init_create_dirs ]:True

Based on the previous information closing this bz.
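As an added example (not part of this bug report, nor code from the selinux-policy or ceph projects), the shell functions below automate the check that comments 13 and 21 do by hand: take an AVC denial as ausearch prints it, build the sesearch query for exactly that source type, target type, class and permission, and then read the sesearch output, including the "[ init_create_dirs ]:True" suffix that marks a rule as gated by a boolean. The AVC record is constructed for this bug's types (init_t creating a dir in var_lib_nfs_t); its timestamp, serial, pid and comm value are made up. The sesearch output is the line from comment 21.

```shell
#!/bin/sh
# Added example, not from the bug report or from the selinux-policy/ceph projects.
# Map an AVC denial to the sesearch query that asks "does the loaded policy
# allow this now?", then interpret what sesearch prints.

# Constructed sample AVC record in the shape ausearch -m AVC prints.
# Timestamp, serial, pid and comm are made up; the types are the ones from this bug.
SAMPLE_AVC='type=AVC msg=audit(1591369200.123:456): avc:  denied  { create } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_lib_nfs_t:s0 tclass=dir permissive=1'

# sesearch -A output as shown in comment 21 of this bug.
SAMPLE_SESEARCH='allow init_t non_security_file_type:dir { create getattr }; [ init_create_dirs ]:True'

# avc_to_sesearch [-A|-D]: read AVC records on stdin and print, one per denial,
# the sesearch command for that source type, target type, class and permissions.
# -A (default) queries allow rules; -D queries dontaudit rules, which is how you
# check whether a denial would be silenced rather than permitted.
avc_to_sesearch() {
    awk -v flag="${1:--A}" '
    !/avc: +denied/ { next }
    {
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "scontext") { split(kv[2], c, ":"); src = c[3] }
            if (kv[1] == "tcontext") { split(kv[2], c, ":"); tgt = c[3] }
            if (kv[1] == "tclass")   cls = kv[2]
        }
        # the denied permissions sit inside the braces: denied  { create }
        match($0, /\{[^}]*\}/)
        perms = substr($0, RSTART + 1, RLENGTH - 2)
        gsub(/^ +/, "", perms); gsub(/ +$/, "", perms); gsub(/ +/, ",", perms)
        printf "sesearch %s -s %s -t %s -c %s -p %s\n", flag, src, tgt, cls, perms
    }'
}

# sesearch_verdict: read the output of one "sesearch -A" query on stdin and print:
#   allowed                     an unconditional allow rule matches
#   allowed-via-boolean:<expr>  allowed only while the boolean expression is true (it is now)
#   disabled-by-boolean:<expr>  a rule exists but its boolean is off (setsebool -P turns it on)
#   denied                      no allow rule at all; in enforcing mode the access fails
sesearch_verdict() {
    awk '
    /^allow / {
        if (match($0, /\[[^]]*\]:(True|False)/)) {
            cond = substr($0, RSTART, RLENGTH)          # "[ init_create_dirs ]:True"
            gsub(/\[/, "", cond); gsub(/\]/, "", cond); gsub(/ /, "", cond)
            state = (cond ~ /:True$/) ? "True" : "False"
            sub(/:(True|False)$/, "", cond)             # keep only the boolean expression
            if (state == "True") active = cond; else inactive = cond
        } else {
            unconditional = 1
        }
    }
    END {
        if (unconditional)   print "allowed"
        else if (active)     print "allowed-via-boolean:" active
        else if (inactive)   print "disabled-by-boolean:" inactive
        else                 print "denied"
    }'
}

# Demo on the constructed data.
printf '%s\n' "$SAMPLE_AVC" | avc_to_sesearch
printf '%s\n' "$SAMPLE_SESEARCH" | sesearch_verdict
```

On a real host (audit and setools-console installed), `ausearch -m AVC -ts recent | avc_to_sesearch` prints one query per denial; run each query and pipe its output through `sesearch_verdict`. A `denied` verdict for a denial that shows `permissive=1`, as in the sample, is the situation from comment 13: the access went through only because the system was permissive and would fail once enforcing. Re-running the same denial with `avc_to_sesearch -D` tells you whether a dontaudit rule exists for it, the option discussed in comment 16.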