Bug 1336877 - [RH Ceph 2.0 / 10.2.1-1.el7cp ] radosgw-lttng selinux denials
Summary: [RH Ceph 2.0 / 10.2.1-1.el7cp ] radosgw-lttng selinux denials
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Ceph Storage
Classification: Red Hat
Component: Build
Version: 2.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: 2.0
Assignee: Boris Ranto
QA Contact: Vasu Kulkarni
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-05-17 16:44 UTC by Vasu Kulkarni
Modified: 2016-08-23 19:38 UTC (History)

Fixed In Version: RHEL: ceph-10.2.1-4.el7cp Ubuntu: ceph_10.2.1-4redhat1xenial
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-08-23 19:38:51 UTC
Target Upstream Version:




Links:
Red Hat Product Errata RHBA-2016:1755 (priority: normal, status: SHIPPED_LIVE): Red Hat Ceph Storage 2.0 bug fix and enhancement update; last updated 2016-08-23 23:23:52 UTC

Description Vasu Kulkarni 2016-05-17 16:44:26 UTC
Description of problem:

1) Setup the cluster using ansible and tests run for rbd/fio and rados
2) The following radosgw lttng SELinux denials were seen:

type=AVC msg=audit(1463467870.275:2656): avc:  denied  { create } for  pid=11030 comm="radosgw" name="lttng-ust-wait-5" scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:tmpfs_t:s0  tclass=file

type=AVC msg=audit(1463467870.526:2671): avc:  denied  { open } for  pid=11151 comm="radosgw" path="/dev/shm/lttng-ust-wait-5" dev="tmpfs" ino=60762 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file
type=AVC msg=audit(1463467870.275:2656): avc:  denied  { write } for  pid=11030 comm="radosgw" name="/" dev="tmpfs" ino=8222 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir 

type=AVC msg=audit(1463467870.275:2656): avc:  denied  { add_name } for  pid=11030 comm="radosgw" name="lttng-ust-wait-5" scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir

type=AVC msg=audit(1463467870.277:2657): avc:  denied  { chown } for  pid=11028 comm="radosgw" capability=0  scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:system_r:ceph_t:s0 tclass=capability

type=AVC msg=audit(1463467870.528:2672): avc:  denied  { chown } for  pid=11142 comm="radosgw" capability=0  scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:system_r:ceph_t:s0 tclass=capability 

type=AVC msg=audit(1463467870.275:2656): avc:  denied  { read write open } for  pid=11030 comm="radosgw" path="/dev/shm/lttng-ust-wait-5" dev="tmpfs" ino=60762 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file 

type=AVC msg=audit(1463467870.526:2671): avc:  denied  { read } for  pid=11151 comm="radosgw" name="lttng-ust-wait-5" dev="tmpfs" ino=60762 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file

Version-Release number of selected component (if applicable):
10.2.1-1.el7cp (c91370146bec52062ba0f9c5b8a8a24fcc178cb5)

How reproducible:
Always


Additional info:

http://magna002.ceph.redhat.com/vasu-2016-05-16_22:23:35-smoke-v10.2.1---basic-clara/231852/teuthology.log
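
As an added example (not code from the bug or from the Ceph project): a small parser that groups AVC records like the ones above by source type, target type and object class, the way audit2allow summarizes them, and flags the capability denial separately; the input is a constructed copy of four records from the description. Rendering the grouped result as TE allow rules shows how much a local policy module would have to grant (including CAP_CHOWN), whereas the fix recorded in the comments below removed the lttng linkage from radosgw instead.

```python
import re
from collections import defaultdict

# Constructed sample: four of the AVC records quoted in the bug description.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1463467870.275:2656): avc:  denied  { create } for  pid=11030 comm="radosgw" name="lttng-ust-wait-5" scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:tmpfs_t:s0  tclass=file
type=AVC msg=audit(1463467870.275:2656): avc:  denied  { write } for  pid=11030 comm="radosgw" name="/" dev="tmpfs" ino=8222 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=AVC msg=audit(1463467870.277:2657): avc:  denied  { chown } for  pid=11028 comm="radosgw" capability=0  scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:system_r:ceph_t:s0 tclass=capability
type=AVC msg=audit(1463467870.275:2656): avc:  denied  { read write open } for  pid=11030 comm="radosgw" path="/dev/shm/lttng-ust-wait-5" dev="tmpfs" ino=60762 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file
"""

# One AVC record per line: permissions in braces, then the source/target
# contexts and the object class the kernel checked.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?comm="(?P<comm>[^"]+)"'
    r'.*?scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
)

def type_of(context):
    """system_u:system_r:ceph_t:s0 -> ceph_t (the type field of a context)."""
    return context.split(":")[2]

def parse_avc(text):
    """Yield one dict per AVC denial; non-matching lines are skipped."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            yield {"comm": m["comm"], "perms": set(m["perms"].split()),
                   "source": type_of(m["scon"]), "target": type_of(m["tcon"]),
                   "tclass": m["tclass"]}

def summarize(text):
    """Collapse denials into (source, target, tclass) -> union of permissions."""
    summary = defaultdict(set)
    for rec in parse_avc(text):
        summary[(rec["source"], rec["target"], rec["tclass"])] |= rec["perms"]
    return dict(summary)

def capability_denials(summary):
    """Capability denials (here CAP_CHOWN) are not label mismatches; flag them."""
    return {s: p for (s, t, c), p in summary.items() if c == "capability"}

def to_te_rules(summary):
    """Render what a blanket allow would have to grant, in TE syntax."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(summary.items())]
```

Run `to_te_rules(summarize(SAMPLE_AUDIT))` to see the three rules; feeding it `ausearch -m AVC` output for a real host works the same way since the record format is identical.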

Comment 3 Boris Ranto 2016-05-18 14:03:59 UTC
I checked and this is indeed fixed in current master (/usr/bin/radosgw no longer links against lttng, there).

FYI: This will probably blow out in Ubuntu with AppArmor as well.

@Ken: Will you take care of this or should I?

Comment 4 Ken Dreyer (Red Hat) 2016-05-18 14:34:25 UTC
Would you please take care of getting it into Jewel? It looks like there was no Redmine ticket upstream :(

Comment 5 Boris Ranto 2016-05-19 07:40:40 UTC
Sure, the patch applies cleanly:

https://github.com/ceph/ceph/pull/9194

Comment 10 Vasu Kulkarni 2016-06-21 22:04:51 UTC
Verified in 10.2.2 smoke

Comment 11 Vasu Kulkarni 2016-06-21 22:09:57 UTC
Verified in 10.2.2 smoke

Comment 13 errata-xmlrpc 2016-08-23 19:38:51 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-1755.html

