Bug 1335619 - [RH Ceph 2.0]: ceph-mon/systemd selinux denials during ceph-ansible runs
Summary: [RH Ceph 2.0]: ceph-mon/systemd selinux denials during ceph-ansible runs
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Ceph Storage
Classification: Red Hat Storage
Component: Build
Version: 2.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: rc
Target Release: 2.0
Assignee: Boris Ranto
QA Contact: ceph-qe-bugs
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2016-05-12 16:47 UTC by Vasu Kulkarni
Modified: 2022-02-21 18:03 UTC (History)

Fixed In Version: ceph-10.2.1-3.el7cp
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-10-05 15:48:56 UTC
Embargoed:




Links
Red Hat Bugzilla 1333398 (priority high, status CLOSED): [RH Ceph 2] Do a proper SELinux relabel on rhel 7.3+ (last updated 2022-02-21 18:03:29 UTC)

Internal Links: 1333398

Description Vasu Kulkarni 2016-05-12 16:47:22 UTC
Description of problem:

The cluster is set up using ceph-ansible and the basic rados/rbd/fio tests are run. I see the following denials; quite a few are unrelated to ceph, but I am listing them all.

Ansible Version: 1.0.5-10.el7scon
Ceph Version: 10.2.0-1.el7cp (3a9fba20ec743699b69bd0181dd6c54dc01c64b9)


Ceph Related:

type=AVC msg=audit(1463058382.383:3357): avc:  denied  { write } for  pid=17616 comm="ceph-mon" path="pipe:[79498]" dev="pipefs" ino=79498 scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=fifo_file

type=AVC msg=audit(1463058382.388:3368): avc:  denied  { search } for  pid=17616 comm="ceph-mon" name="/" dev="tmpfs" ino=9224 scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir

type=AVC msg=audit(1463058382.388:3368): avc:  denied  { search } for  pid=17616 comm="ceph-mon" name="var" dev="sda1" ino=6029313 scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir

type=AVC msg=audit(1463058382.388:3368): avc:  denied  { write } for  pid=17616 comm="ceph-mon" name="ceph" dev="tmpfs" ino=12801 scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir

type=AVC msg=audit(1463058382.386:3366): avc:  denied  { lock } for  pid=17616 comm="ceph-mon" path="/var/lib/ceph/mon/ceph-clara007/store.db/LOCK" dev="sda1" ino=7735779 scontext=system_u:object_r:unlabeled_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file

type=AVC msg=audit(1463058382.388:3368): avc:  denied  { remove_name } for  pid=17616 comm="ceph-mon" name="ceph-mon.clara007.asok" dev="tmpfs" ino=76531 scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir

type=AVC msg=audit(1463058382.386:3367): avc:  denied  { write open } for  pid=17616 comm="ceph-mon" name="MANIFEST-000004" dev="sda1" ino=7735862 scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file

type=AVC msg=audit(1463058382.388:3368): avc:  denied  { read } for  pid=17616 comm="ceph-mon" name="run" dev="sda1" ino=6029351 scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=lnk_file

type=AVC msg=audit(1463058382.384:3361): avc:  denied  { append } for  pid=17622 comm="log" path="/var/log/ceph/ceph-mon.clara007.log" dev="sda1" ino=6162880 scontext=system_u:object_r:unlabeled_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file

type=AVC msg=audit(1463058382.388:3368): avc:  denied  { unlink } for  pid=17616 comm="ceph-mon" name="ceph-mon.clara007.asok" dev="tmpfs" ino=76531 scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file

type=USER_AVC msg=audit(1463012272.074:3567): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { enable } for auid=1000 uid=0 gid=0 cmdline="/usr/bin/systemctl enable ceph-osd@1" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=service  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'


Unrelated, but listing them for more eyes:

type=AVC msg=audit(1463058382.384:3359): avc:  denied  { use } for  pid=17622 comm="log" path="socket:[78718]" dev="sockfs" ino=78718 scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=fd
type=AVC msg=audit(1463058382.384:3358): avc:  denied  { read } for  pid=17654 comm="sginal_handler" path="pipe:[79495]" dev="pipefs" ino=79495 scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=fifo_file
type=AVC msg=audit(1463058382.384:3359): avc:  denied  { write } for  pid=17622 comm="log" path="socket:[78718]" dev="sockfs" ino=78718 scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1463058382.384:3363): avc:  denied  { open } for  pid=417 comm="systemd-journal" path="/proc/17616/cgroup" dev="proc" ino=80958 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
type=AVC msg=audit(1463058382.384:3362): avc:  denied  { read } for  pid=417 comm="systemd-journal" name="cgroup" dev="proc" ino=80958 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
type=AVC msg=audit(1463058382.384:3365): avc:  denied  { read } for  pid=417 comm="systemd-journal" name="exe" dev="proc" ino=80960 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=lnk_file
type=AVC msg=audit(1463058382.384:3364): avc:  denied  { getattr } for  pid=417 comm="systemd-journal" path="/proc/17616/cgroup" dev="proc" ino=80958 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
type=AVC msg=audit(1463058382.384:3360): avc:  denied  { shutdown } for  pid=17654 comm="sginal_handler" laddr=10.8.129.7 lport=6789 faddr=10.8.129.1 fport=33461 scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=tcp_socket


More logs:
http://magna002.ceph.redhat.com/vasu-2016-05-11_19:45:45-smoke:ceph-ansible-master---basic-clara/230963/teuthology.log
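As an added triage example (this editor's code, not the reporter's and not part of Ceph or ceph-ansible), the parser below reads audit records like the ones above and sorts each denial by whether its source or target type is unlabeled_t. The classification is a heuristic assumption, in line with the relabel fix tracked in bug 1333398, not this bug's own diagnosis; the sample records are constructed from the report.

```python
import re
from collections import Counter

# Constructed sample in the shape of the report's records (ceph-mon lines verbatim);
# a real run would read /var/log/audit/audit.log instead.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1463058382.388:3368): avc:  denied  { search } for  pid=17616 comm="ceph-mon" name="/" dev="tmpfs" ino=9224 scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
type=AVC msg=audit(1463058382.386:3366): avc:  denied  { lock } for  pid=17616 comm="ceph-mon" path="/var/lib/ceph/mon/ceph-clara007/store.db/LOCK" dev="sda1" ino=7735779 scontext=system_u:object_r:unlabeled_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1463058382.384:3363): avc:  denied  { open } for  pid=417 comm="systemd-journal" path="/proc/17616/cgroup" dev="proc" ino=80958 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
type=USER_AVC msg=audit(1463012272.074:3567): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { enable } for auid=1000 uid=0 gid=0 cmdline="/usr/bin/systemctl enable ceph-osd@1" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=service  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
"""

# Matches kernel AVC and USER_AVC records alike; the free-form fields between "for"
# and "scontext=" carry pid/comm (kernel) or cmdline (userspace object managers).
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+(?P<fields>.*?)'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def parse_avc(line):
    """Return a dict for one AVC denial record, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()
    subj = re.search(r'(?:comm|cmdline)="([^"]*)"', rec["fields"])
    rec["subject"] = subj.group(1) if subj else "?"
    rec["stype"] = rec["scontext"].split(":")[2]  # user:role:type:level -> type
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def classify(rec):
    """Heuristic (this editor's assumption): unlabeled_t as the source type means the
    process was started from never-labelled files, so relabelling fixes it; unlabeled_t
    as the target means a confined process hit an unlabelled object; else a rule is missing."""
    if rec["stype"] == "unlabeled_t":
        return "relabel-source"
    if rec["ttype"] == "unlabeled_t":
        return "relabel-target"
    return "policy"

def triage(audit_text):
    """Count denials per cause and per (subject, cause) over a block of audit records."""
    by_cause, by_subject = Counter(), Counter()
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec:
            cause = classify(rec)
            by_cause[cause] += 1
            by_subject[(rec["subject"], cause)] += 1
    return by_cause, by_subject
```

Run over the full list in the report, every ceph-mon denial lands in relabel-source, which is what one expects when the package's file contexts were never applied rather than when the policy lacks a rule.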

Comment 2 Boris Ranto 2016-05-13 12:21:06 UTC
The rhceph packages are currently not on par with master. If I didn't miss anything, these should be fixed in current master. We need this jewel back-port:

https://github.com/ceph/ceph/pull/8938

which will hopefully make it into 10.2.1, which we will be re-basing to. These are mostly spec file changes, so we will have to update our rhceph spec file as well.

Comment 3 Ken Dreyer (Red Hat) 2016-05-13 23:16:32 UTC
Similar to bz 1333398, that PR did not make it into v10.2.1, so we need to be careful to cherry-pick the needed changes downstream.

Comment 6 Vasu Kulkarni 2016-05-17 18:47:08 UTC
Verified in 10.2.1-3.el7cp

Comment 7 Ken Dreyer (Red Hat) 2016-10-05 15:48:56 UTC
Fixed in the RHCS 2 GA.

https://access.redhat.com/errata/RHBA-2016:1755

