Bug 1298332 - [1.3.2 - 0.94.5-1.el7cp] cephtest selinux denial for dev="sda1"
Product: Red Hat Ceph Storage
Classification: Red Hat
Component: RBD
Unspecified Unspecified
unspecified Severity unspecified
: rc
: 1.3.2
Assigned To: Boris Ranto
Depends On:
Reported: 2016-01-13 14:39 EST by Vasu Kulkarni
Modified: 2017-07-30 11:30 EDT

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2016-01-14 05:56:35 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Description Vasu Kulkarni 2016-01-13 14:39:10 EST
Description of problem:

Following denial for cephtest seen during rbd testing

SELinux denials found on ubuntu@clara003.ceph.redhat.com: ['type=AVC msg=audit(1452669001.796:15051): avc: denied { search } for pid=2143 comm=72733A6D61696E20513A526567 name="cephtest" dev="sda1" ino=1310802 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir'] 

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:

This is seen intermittently during rbd iozone testing with selinux in permissive mode

Actual results:

Expected results:

Additional info:
Comment 3 Boris Ranto 2016-01-14 05:56:35 EST
This is not a ceph bug but a teuthology one -- teuthology creates files in the home directory (syslogd file in this case) so they end up being labelled user_home_t. A process (syslogd) with syslogd_t context cannot access (search -- list directory in this case) files with user_home_t context by default.

AFAICR, there should have already been some changes regarding this in teuthology. However, I'm not sure what version of teuthology was used in this case/whether it contains the patches or not.

In the meantime, closing as NOTABUG. See upstream teuthology bug for details:


FWIW: I can give you some tips so that you can maintain a custom teuthology SELinux policy that would help avoid denials like these that are not dedicated to ceph itself but to the test framework.
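
An added example, not part of the original bug report or of teuthology: a small Python parser for the AVC record quoted in the description. It decodes the hex-encoded `comm` field and extracts the source and target SELinux types that Comment 3 refers to; the function names are hypothetical.

```python
import re

# AVC record copied from the bug description on this page.
AVC_LINE = (
    'type=AVC msg=audit(1452669001.796:15051): avc: denied { search } for '
    'pid=2143 comm=72733A6D61696E20513A526567 name="cephtest" dev="sda1" '
    'ino=1310802 scontext=system_u:system_r:syslogd_t:s0 '
    'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir'
)

_HEADER = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)')
_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
_HEX = re.compile(r'(?:[0-9A-Fa-f]{2})+')
# Fields the audit subsystem hex-encodes when the value holds spaces,
# quotes or control characters; numeric fields such as pid are never decoded.
HEX_FIELDS = {'comm', 'exe', 'name', 'path'}


def decode_audit_value(key, raw):
    """Strip quotes, or hex-decode an unquoted string field."""
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1]
    if key in HEX_FIELDS and _HEX.fullmatch(raw):
        return bytes.fromhex(raw).decode('utf-8', errors='replace')
    return raw


def parse_avc(line):
    """Return the fields of one AVC record as a dict."""
    m = _HEADER.search(line)
    if m is None:
        raise ValueError('not an AVC record')
    result, perms, rest = m.groups()
    rec = {'result': result, 'perms': perms.split()}
    for key, raw in _FIELD.findall(rest):
        rec[key] = decode_audit_value(key, raw)
    for side in ('scontext', 'tcontext'):
        parts = rec[side].split(':', 3)  # user:role:type[:mls-level]
        rec[side + '_type'] = parts[2]
    return rec


def summarize(rec):
    """One-line triage summary: who was denied what, on which label."""
    return '{} ({}) {} {{ {} }} on {} "{}" labelled {}'.format(
        rec['comm'], rec['scontext_type'], rec['result'],
        ' '.join(rec['perms']), rec['tclass'], rec['name'],
        rec['tcontext_type'])


if __name__ == '__main__':
    print(summarize(parse_avc(AVC_LINE)))
```

The decoded `comm` value is the thread name of the logging daemon, and the two extracted types are the `syslogd_t` source and `user_home_t` target named in Comment 3.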
