1336877 – [RH Ceph 2.0 / 10.2.1-1.el7cp ] radosgw-lttng selinux denials

Bug 1336877 - [RH Ceph 2.0 / 10.2.1-1.el7cp ] radosgw-lttng selinux denials

Summary: [RH Ceph 2.0 / 10.2.1-1.el7cp ] radosgw-lttng selinux denials

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Ceph Storage
Classification:	Red Hat Storage
Component:	Build
Sub Component:
Version:	2.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	medium
Target Milestone:	rc
Target Release:	2.0
Assignee:	Boris Ranto
QA Contact:	Vasu Kulkarni
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2016-05-17 16:44 UTC by Vasu Kulkarni
Modified:	2022-02-21 18:03 UTC (History)
CC List:	2 users (show)
Fixed In Version:	RHEL: ceph-10.2.1-4.el7cp Ubuntu: ceph_10.2.1-4redhat1xenial
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2016-08-23 19:38:51 UTC
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2016:1755	0	normal	SHIPPED_LIVE	Red Hat Ceph Storage 2.0 bug fix and enhancement update	2016-08-23 23:23:52 UTC

Description Vasu Kulkarni 2016-05-17 16:44:26 UTC

Description of problem:

1) Setup the cluster using ansible and tests run for rbd/fio and rados
2) Following radosgw lttng selinux denials seen,  

type=AVC msg=audit(1463467870.275:2656): avc:  denied  { create } for  pid=11030 comm="radosgw" name="lttng-ust-wait-5" scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:tmpfs_t:s0  tclass=file'' 

type=AVC msg=audit(1463467870.526:2671): avc:  denied  { open } for  pid=11151 comm="radosgw" path="/dev/shm/lttng-ust-wait-5" dev="tmpfs" ino=60762 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file
    
type=AVC msg=audit(1463467870.275:2656): avc:  denied  { write } for  pid=11030 comm="radosgw" name="/" dev="tmpfs" ino=8222 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir 

type=AVC msg=audit(1463467870.275:2656): avc:  denied  { add_name } for  pid=11030 comm="radosgw" name="lttng-ust-wait-5" scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir

type=AVC msg=audit(1463467870.277:2657): avc:  denied  { chown } for  pid=11028 comm="radosgw" capability=0  scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:system_r:ceph_t:s0 tclass=capability

type=AVC msg=audit(1463467870.528:2672): avc:  denied  { chown } for  pid=11142 comm="radosgw" capability=0  scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:system_r:ceph_t:s0 tclass=capability 

type=AVC msg=audit(1463467870.275:2656): avc:  denied  { read write open } for  pid=11030 comm="radosgw" path="/dev/shm/lttng-ust-wait-5" dev="tmpfs" ino=60762 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file 

type=AVC msg=audit(1463467870.526:2671): avc:  denied  { read } for  pid=11151 comm="radosgw" name="lttng-ust-wait-5" dev="tmpfs" ino=60762 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file

Version-Release number of selected component (if applicable):
10.2.1-1.el7cp (c91370146bec52062ba0f9c5b8a8a24fcc178cb5)

How reproducible:
Always


Additional info:

http://magna002.ceph.redhat.com/vasu-2016-05-16_22:23:35-smoke-v10.2.1---basic-clara/231852/teuthology.log

Comment 3 Boris Ranto 2016-05-18 14:03:59 UTC

I checked and this is indeed fixed in current master (/usr/bin/radosgw no longer links against lttng, there).

FYI: This will probably blow out in Ubuntu with AppArmor as well.

@Ken: Will you take care of this or should I?

Comment 4 Ken Dreyer (Red Hat) 2016-05-18 14:34:25 UTC

Would you please take care of getting it into Jewel? It looks like there was no Redmine ticket uptream :(

Comment 5 Boris Ranto 2016-05-19 07:40:40 UTC

Sure, the patch applies cleanly:

https://github.com/ceph/ceph/pull/9194

Comment 10 Vasu Kulkarni 2016-06-21 22:04:51 UTC

Verified in 10.2.2 smoke

Comment 11 Vasu Kulkarni 2016-06-21 22:09:57 UTC

Verified in 10.2.2 smoke

Comment 13 errata-xmlrpc 2016-08-23 19:38:51 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-1755.html

Note You need to log in before you can comment on or make changes to this bug.