Bug 1347391 - [RH Ceph 2.0 / 10.2.2-2] selinux avc: denied { chown } for pid=12251 comm="radosgw"
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Ceph Storage
Classification: Red Hat Storage
Component: Build
Version: 2.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: rc
Target Release: 2.0
Assignee: Boris Ranto
QA Contact: ceph-qe-bugs
Reported: 2016-06-16 17:00 UTC by Vasu Kulkarni
Modified: 2022-02-21 18:03 UTC

Fixed In Version: ceph-10.2.2-5.el7cp
Last Closed: 2016-08-23 19:42:04 UTC

Links
System: Red Hat Product Errata
ID: RHBA-2016:1755
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: Red Hat Ceph Storage 2.0 bug fix and enhancement update
Last Updated: 2016-08-23 23:23:52 UTC

Description Vasu Kulkarni 2016-06-16 17:00:42 UTC
Description of problem:

Following denial found during smoke run
SELinuxError: SELinux denials found on ubuntu.redhat.com: ['type=AVC msg=audit(1466048150.488:2656): avc:  denied  { chown } for  pid=12251 comm="radosgw" capability=0  scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:system_r:ceph_t:s0 tclass=capability']

I believe this was recently fixed in master

Version-Release number of selected component (if applicable):

10.2.2-2.el7cp (f1f313912893a3ecab6afbdc5690054dde9789fb)

more logs:

http://magna002.ceph.redhat.com/vasu-2016-06-15_19:14:50-smoke-jewel---basic-pluto/238903/teuthology.log

Comment 2 Ken Dreyer (Red Hat) 2016-06-16 19:53:58 UTC
Boris, would you please look into this and prepare a patch for the selinux policy if necessary?

Comment 3 Ken Dreyer (Red Hat) 2016-06-17 12:26:16 UTC
Vasu, what is the minimal reproduction case for this denial? I'd like to try to reproduce it outside of teuthology.

Comment 4 Ken Dreyer (Red Hat) 2016-06-17 17:09:18 UTC
Vasu clarified that this is probably fixed by https://github.com/ceph/ceph/pull/9669, so we will cherry-pick that downstream.

Comment 6 Boris Ranto 2016-06-20 09:45:38 UTC
Yes, this should be fixed by the PR#9669.

Comment 9 Vasu Kulkarni 2016-06-21 22:01:52 UTC
Verified in 10.2.2

Comment 11 errata-xmlrpc 2016-08-23 19:42:04 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-1755.html