Bug 1276568 - SELinux/AppArmor should be disabled for generating librbd traces
Status: CLOSED CURRENTRELEASE
Product: Red Hat Ceph Storage
Classification: Red Hat
Component: Documentation
Version: 1.3.1
Hardware: x86_64 Unspecified
Priority: unspecified
Severity: high
Target Milestone: rc
Target Release: 1.3.1
Assigned To: ceph-docs@redhat.com
QA Contact: ceph-qe-bugs
Reported: 2015-10-30 03:34 EDT by Tanay Ganguly
Modified: 2016-09-19 21:50 EDT
Doc Type: Bug Fix
Last Closed: 2015-12-18 04:59:32 EST
Type: Bug
Description Tanay Ganguly 2015-10-30 03:34:17 EDT
Description of problem:
SELinux/AppArmor should be disabled for generating librbd traces on RHEL/Ubuntu respectively.

Version-Release number of selected component (if applicable):
1.3.1

Actual results:
For generating librbd traces using rbd-replay, we must disable SELinux/AppArmor in the system.

Additional info:
We should specify to disable SELinux/AppArmor as a prerequisite.

Document Link:
https://access.redhat.com/articles/1605163#
Comment 5 Ken Dreyer (Red Hat) 2015-10-30 11:11:28 EDT
Jason, SELinux needs to be disabled on any node that uses librbd, right? In other words, it should be disabled on all qemu hypervisors that use librbd?

(Sorry I don't have rights to view https://access.redhat.com/articles/1605163 so I can't confirm whether this covers all qemu usage or not)
Comment 6 Jason Dillaman 2015-10-30 11:16:37 EDT
I would hesitate to say SELinux / AppArmor need to be disabled for this to work. The more nuanced answer is that SELinux / AppArmor profiles should be disabled / set to permissive for the QEMU process. Another approach is to build a custom profile that permits the access (e.g. using audit2allow for SELinux).
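
An added example, not part of the bug report or of Ceph's documentation, for the custom-profile approach in Comment 6: it collapses AVC denials for one source domain into the allow rules a custom module would grant, so they can be reviewed before a module is built with audit2allow. The log lines are constructed, and `svirt_t` as the QEMU domain, the target types and the helper name `rules_for_domain` are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed audit.log lines (not taken from this bug). svirt_t as the QEMU
# domain and every target type below are assumptions for illustration.
SAMPLE_LOG = """\
type=AVC msg=audit(1446218197.101:410): avc:  denied  { write } for  pid=2841 comm="qemu-kvm" name="trace.sock" dev="tmpfs" ino=23456 scontext=system_u:system_r:svirt_t:s0:c12,c34 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1446218197.102:411): avc:  denied  { read write } for  pid=2841 comm="qemu-kvm" name="trace-shm" dev="tmpfs" ino=23460 scontext=system_u:system_r:svirt_t:s0:c12,c34 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file
type=AVC msg=audit(1446218198.007:412): avc:  denied  { open } for  pid=2841 comm="qemu-kvm" path="/dev/shm/trace-shm" dev="tmpfs" ino=23460 scontext=system_u:system_r:svirt_t:s0:c12,c34 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file
type=AVC msg=audit(1446218199.300:413): avc:  denied  { read } for  pid=901 comm="sshd" name="shadow" dev="dm-0" ino=77 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=SYSCALL msg=audit(1446218199.300:413): arch=c000003e syscall=2 success=no exit=-13 comm="sshd"
"""

# Pull the permission set, source type, target type and object class out of
# one AVC record; the MLS/MCS suffix after each type is skipped by \S*.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=[^:\s]+:[^:\s]+:(?P<stype>[^:\s]+)\S*\s+"
    r"tcontext=[^:\s]+:[^:\s]+:(?P<ttype>[^:\s]+)\S*\s+"
    r"tclass=(?P<tclass>\w+)"
)


def rules_for_domain(log_text, domain):
    """Collapse AVC denials whose source type is `domain` into allow rules."""
    grants = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        # Denials from other domains are skipped, so the resulting policy
        # does not also permit unrelated access recorded in the same log.
        if m and m.group("stype") == domain:
            key = (m.group("ttype"), m.group("tclass"))
            grants[key].update(m.group("perms").split())
    return [
        f"allow {domain} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};"
        for (ttype, tclass), perms in sorted(grants.items())
    ]


if __name__ == "__main__":
    for rule in rules_for_domain(SAMPLE_LOG, "svirt_t"):
        print(rule)
```

Each rule in the output is an access the custom module would add for the QEMU domain; a rule against a broadly shared target type is a reason to relabel the files involved rather than accept the rule as generated.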
Comment 8 Jason Dillaman 2015-11-02 08:53:45 EST
Sounds better to me.
Comment 9 Tanay Ganguly 2015-11-04 01:01:18 EST
Sounds good to me as well.

Marking it Verified.
Comment 10 Anjana Suparna Sriram 2015-12-18 04:59:32 EST
Fixed for 1.3.1 Release.
