Description of problem:
1) Set up the cluster using ansible and tests run for rbd/fio and rados
2) The following radosgw lttng selinux denials are seen:

type=AVC msg=audit(1463467870.275:2656): avc: denied { create } for pid=11030 comm="radosgw" name="lttng-ust-wait-5" scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file''
type=AVC msg=audit(1463467870.526:2671): avc: denied { open } for pid=11151 comm="radosgw" path="/dev/shm/lttng-ust-wait-5" dev="tmpfs" ino=60762 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file
type=AVC msg=audit(1463467870.275:2656): avc: denied { write } for pid=11030 comm="radosgw" name="/" dev="tmpfs" ino=8222 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=AVC msg=audit(1463467870.275:2656): avc: denied { add_name } for pid=11030 comm="radosgw" name="lttng-ust-wait-5" scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=AVC msg=audit(1463467870.277:2657): avc: denied { chown } for pid=11028 comm="radosgw" capability=0 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:system_r:ceph_t:s0 tclass=capability
type=AVC msg=audit(1463467870.528:2672): avc: denied { chown } for pid=11142 comm="radosgw" capability=0 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:system_r:ceph_t:s0 tclass=capability
type=AVC msg=audit(1463467870.275:2656): avc: denied { read write open } for pid=11030 comm="radosgw" path="/dev/shm/lttng-ust-wait-5" dev="tmpfs" ino=60762 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file
type=AVC msg=audit(1463467870.526:2671): avc: denied { read } for pid=11151 comm="radosgw" name="lttng-ust-wait-5" dev="tmpfs" ino=60762 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file

Version-Release number of selected component (if applicable):
10.2.1-1.el7cp (c91370146bec52062ba0f9c5b8a8a24fcc178cb5)

How reproducible:
Always

Additional info:
http://magna002.ceph.redhat.com/vasu-2016-05-16_22:23:35-smoke-v10.2.1---basic-clara/231852/teuthology.log
I checked and this is indeed fixed in current master (/usr/bin/radosgw no longer links against lttng, there). FYI: This will probably blow out in Ubuntu with AppArmor as well. @Ken: Will you take care of this or should I?
Would you please take care of getting it into Jewel? It looks like there was no Redmine ticket upstream :(
Sure, the patch applies cleanly: https://github.com/ceph/ceph/pull/9194
Verified in 10.2.2 smoke
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-1755.html
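
The denials quoted in the report, grouped by source type, target type and object class, as an added triage example that is not part of the original bug thread. The function names are made up for this example; the sample lines are copied from the report, including the stray '' after tclass=file on the first record.

```python
import re
from collections import defaultdict

# Five of the AVC records from the report, copied verbatim (stray '' included).
SAMPLE = """\
type=AVC msg=audit(1463467870.275:2656): avc: denied { create } for pid=11030 comm="radosgw" name="lttng-ust-wait-5" scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file''
type=AVC msg=audit(1463467870.275:2656): avc: denied { read write open } for pid=11030 comm="radosgw" path="/dev/shm/lttng-ust-wait-5" dev="tmpfs" ino=60762 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file
type=AVC msg=audit(1463467870.275:2656): avc: denied { write } for pid=11030 comm="radosgw" name="/" dev="tmpfs" ino=8222 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=AVC msg=audit(1463467870.275:2656): avc: denied { add_name } for pid=11030 comm="radosgw" name="lttng-ust-wait-5" scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=AVC msg=audit(1463467870.277:2657): avc: denied { chown } for pid=11028 comm="radosgw" capability=0 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:system_r:ceph_t:s0 tclass=capability
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other audit record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # Strip quoting, including paste debris such as the '' after tclass=file.
    fields = {k: v.strip('"\'') for k, v in KV_RE.findall(m.group('rest'))}
    fields['perms'] = m.group('perms').split()
    return fields

def selinux_type(context):
    """Extract the type from user:role:type:level (ceph_t, tmpfs_t, ...)."""
    return context.split(':')[2]

def summarize(text):
    """Map (source type, target type, class) -> sorted denied permissions."""
    grouped = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or not all(k in rec for k in ('scontext', 'tcontext', 'tclass')):
            continue  # not an AVC denial, or a truncated record
        key = (selinux_type(rec['scontext']), selinux_type(rec['tcontext']), rec['tclass'])
        grouped[key].update(rec['perms'])
    return {k: sorted(v) for k, v in grouped.items()}

if __name__ == '__main__':
    # Triage view only: per the thread, the fix was radosgw no longer linking lttng.
    for (src, tgt, cls), perms in sorted(summarize(SAMPLE).items()):
        print(f"{src} -> {tgt}:{cls}  denied {{ {' '.join(perms)} }}")
```

Grouping this way shows at a glance that every file and directory denial targets tmpfs_t (the /dev/shm/lttng-ust-wait-5 object), which points at the lttng-ust linkage rather than at radosgw's own storage paths.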