Bug 1336877
| Summary: | [RH Ceph 2.0 / 10.2.1-1.el7cp ] radosgw-lttng selinux denials | | |
|---|---|---|---|
| Product: | [Red Hat Storage] Red Hat Ceph Storage | Reporter: | Vasu Kulkarni <vakulkar> |
| Component: | Build | Assignee: | Boris Ranto <branto> |
| Status: | CLOSED ERRATA | QA Contact: | Vasu Kulkarni <vakulkar> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 2.0 | CC: | hnallurv, kdreyer |
| Target Milestone: | rc | | |
| Target Release: | 2.0 | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | RHEL: ceph-10.2.1-4.el7cp Ubuntu: ceph_10.2.1-4redhat1xenial | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2016-08-23 19:38:51 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |

I checked and this is indeed fixed in current master (/usr/bin/radosgw no longer links against lttng, there). FYI: This will probably blow out in Ubuntu with AppArmor as well. @Ken: Will you take care of this or should I?

Would you please take care of getting it into Jewel? It looks like there was no Redmine ticket upstream :(

Sure, the patch applies cleanly: https://github.com/ceph/ceph/pull/9194

Verified in 10.2.2 smoke

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-1755.html

Description of problem:

1) Setup the cluster using ansible and tests run for rbd/fio and rados

2) Following radosgw lttng selinux denials seen,

```
type=AVC msg=audit(1463467870.275:2656): avc: denied { create } for pid=11030 comm="radosgw" name="lttng-ust-wait-5" scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file
type=AVC msg=audit(1463467870.526:2671): avc: denied { open } for pid=11151 comm="radosgw" path="/dev/shm/lttng-ust-wait-5" dev="tmpfs" ino=60762 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file
type=AVC msg=audit(1463467870.275:2656): avc: denied { write } for pid=11030 comm="radosgw" name="/" dev="tmpfs" ino=8222 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=AVC msg=audit(1463467870.275:2656): avc: denied { add_name } for pid=11030 comm="radosgw" name="lttng-ust-wait-5" scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=AVC msg=audit(1463467870.277:2657): avc: denied { chown } for pid=11028 comm="radosgw" capability=0 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:system_r:ceph_t:s0 tclass=capability
type=AVC msg=audit(1463467870.528:2672): avc: denied { chown } for pid=11142 comm="radosgw" capability=0 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:system_r:ceph_t:s0 tclass=capability
type=AVC msg=audit(1463467870.275:2656): avc: denied { read write open } for pid=11030 comm="radosgw" path="/dev/shm/lttng-ust-wait-5" dev="tmpfs" ino=60762 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file
type=AVC msg=audit(1463467870.526:2671): avc: denied { read } for pid=11151 comm="radosgw" name="lttng-ust-wait-5" dev="tmpfs" ino=60762 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file
```

Version-Release number of selected component (if applicable):

10.2.1-1.el7cp (c91370146bec52062ba0f9c5b8a8a24fcc178cb5)

How reproducible:

Always

Additional info:

http://magna002.ceph.redhat.com/vasu-2016-05-16_22:23:35-smoke-v10.2.1---basic-clara/231852/teuthology.log
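
A batch of denials like the one in this description is easier to triage once the records are grouped by source type, target type and object class. The following is an added example, not part of the original bug report or of Ceph; the function names are hypothetical and the sample input is the eight AVC records from the description.

```python
import re
from collections import defaultdict

# The eight AVC records from the bug description on this page.
SAMPLE = """\
type=AVC msg=audit(1463467870.275:2656): avc: denied { create } for pid=11030 comm="radosgw" name="lttng-ust-wait-5" scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file
type=AVC msg=audit(1463467870.526:2671): avc: denied { open } for pid=11151 comm="radosgw" path="/dev/shm/lttng-ust-wait-5" dev="tmpfs" ino=60762 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file
type=AVC msg=audit(1463467870.275:2656): avc: denied { write } for pid=11030 comm="radosgw" name="/" dev="tmpfs" ino=8222 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=AVC msg=audit(1463467870.275:2656): avc: denied { add_name } for pid=11030 comm="radosgw" name="lttng-ust-wait-5" scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=AVC msg=audit(1463467870.277:2657): avc: denied { chown } for pid=11028 comm="radosgw" capability=0 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:system_r:ceph_t:s0 tclass=capability
type=AVC msg=audit(1463467870.528:2672): avc: denied { chown } for pid=11142 comm="radosgw" capability=0 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:system_r:ceph_t:s0 tclass=capability
type=AVC msg=audit(1463467870.275:2656): avc: denied { read write open } for pid=11030 comm="radosgw" path="/dev/shm/lttng-ust-wait-5" dev="tmpfs" ino=60762 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file
type=AVC msg=audit(1463467870.526:2671): avc: denied { read } for pid=11151 comm="radosgw" name="lttng-ust-wait-5" dev="tmpfs" ino=60762 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value or key="quoted value"

def parse_avc(line):
    """Return one denial as a dict, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
    if not {"scontext", "tcontext", "tclass"} <= rec.keys():
        return None                           # truncated or malformed record
    rec["perms"] = m.group("perms").split()
    return rec

def summarize(text):
    """Group denials by (source type, target type, class)."""
    groups = defaultdict(lambda: {"perms": set(), "objects": set()})
    for rec in filter(None, map(parse_avc, text.splitlines())):
        src = rec["scontext"].split(":")[2]   # context is user:role:type:level
        tgt = rec["tcontext"].split(":")[2]
        key = (src, "self" if tgt == src else tgt, rec["tclass"])
        groups[key]["perms"].update(rec["perms"])
        obj = rec.get("path") or rec.get("name")
        if obj:                               # capability denials name no object
            groups[key]["objects"].add(obj)
    return dict(groups)

def render(groups):
    """One line per group: types, class, merged permissions, objects touched."""
    return [f"{s} -> {t}:{c} {{ {' '.join(sorted(g['perms']))} }} {sorted(g['objects'])}"
            for (s, t, c), g in sorted(groups.items())]

if __name__ == "__main__":
    print("\n".join(render(summarize(SAMPLE))))
```

The eight records collapse to three groups: `ceph_t` on `tmpfs_t` files, `ceph_t` on `tmpfs_t` directories, and the `chown` capability on `ceph_t` itself, with every named object being the `lttng-ust-wait-5` file or the tmpfs root.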