Bug 1493750
| Summary: | [RHCeph 3.0 / 12.2.0-2.el7cp] avc: denied { getattr } for pid=23270 comm="ceph-osd" path="/sys/dev/block/8:17" dev="sysfs" | ||
|---|---|---|---|
| Product: | [Red Hat Storage] Red Hat Ceph Storage | Reporter: | Vasu Kulkarni <vakulkar> |
| Component: | Build | Assignee: | Boris Ranto <branto> |
| Status: | CLOSED ERRATA | QA Contact: | Vasu Kulkarni <vakulkar> |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | 3.0 | CC: | gmeno, hnallurv, kdreyer, vakulkar |
| Target Milestone: | rc | ||
| Target Release: | 3.0 | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | ceph-12.2.1-9.el7cp | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2017-12-05 23:44:17 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Upstream PR: https://github.com/ceph/ceph/pull/17891 Boris,
Also I see this for mon on different test, can raise a different bz if required.
'type=AVC msg=audit(1505980440.508:11998): avc: denied { getattr } for pid=55974 comm="ceph-mon" path="/sys/dev/block/8:1" dev="sysfs" ino=64370
scontext=system_u:system_r:ceph_t:s0
I see its for ceph_t in the PR so it should work. It looks like the same defect although I can't say for sure because you omitted tcontext and tclass in that avc denial. Vasu would you please provide the detail Boris mentioned in c5? cheers Sorry missed it, the one for ceph-mon is here https://paste.fedoraproject.org/paste/kRe0yOM~kt7VnjvnYIV4PA/raw Yeah, it is the same issue, a daemon with ceph_t context is trying to do getattr on sysfs lnk file. I am just wondering why this was not picked up by the upstream teuthology runs. :-/ The SELinux patch was merged upstream and is staged for inclusion in next luminous release. I can cherry-pick it downstream but afaik, we need a blocker flag for that at this point. Verified in recent smoke suite 12.2.1-23.el7cp Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:3387 |
Description of problem: I am seeing few AVC denied during smoke suite 2017-09-15T16:43:39.267 INFO:teuthology.orchestra.run.clara013.stdout:type=AVC msg=audit(1505507288.352:4787): avc: denied { getattr } for pid=23270 comm="ceph-osd" path="/sys/dev/block/8:17" dev="sysfs" ino=35631 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file 2017-09-15T16:43:39.267 INFO:teuthology.orchestra.run.clara013.stdout:type=AVC msg=audit(1505507289.217:4819): avc: denied { getattr } for pid=23542 comm="ceph-osd" path="/sys/dev/block/8:17" dev="sysfs" ino=35632 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file 2017-09-15T16:43:39.267 INFO:teuthology.orchestra.run.clara013.stdout:type=AVC msg=audit(1505507289.847:4827): avc: denied { getattr } for pid=23708 comm="ceph-osd" path="/sys/dev/block/8:17" dev="sysfs" ino=35632 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file 2017-09-15T16:43:39.268 INFO:teuthology.orchestra.run.clara013.stdout:type=AVC msg=audit(1505507296.898:4866): avc: denied { getattr } for pid=24586 comm="ceph-osd" path="/sys/dev/block/8:33" dev="sysfs" ino=41347 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file 2017-09-15T16:43:39.268 INFO:teuthology.orchestra.run.clara013.stdout:type=AVC msg=audit(1505507297.873:4895): avc: denied { getattr } for pid=24853 comm="ceph-osd" path="/sys/dev/block/8:33" dev="sysfs" ino=41342 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file 2017-09-15T16:43:39.268 INFO:teuthology.orchestra.run.clara013.stdout:type=AVC msg=audit(1505507298.504:4903): avc: denied { getattr } for pid=25000 comm="ceph-osd" path="/sys/dev/block/8:33" dev="sysfs" ino=41342 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file 2017-09-15T16:43:39.269 INFO:teuthology.orchestra.run.clara013.stdout:type=AVC msg=audit(1505507305.345:4932): avc: denied { getattr } for pid=25721 comm="ceph-osd" path="/sys/dev/block/8:49" dev="sysfs" ino=41428 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file 2017-09-15T16:43:39.269 INFO:teuthology.orchestra.run.clara013.stdout:type=AVC msg=audit(1505507306.201:4963): avc: denied { getattr } for pid=25986 comm="ceph-osd" path="/sys/dev/block/8:49" dev="sysfs" ino=41429 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file 2017-09-15T16:43:39.269 INFO:teuthology.orchestra.run.clara013.stdout:type=AVC msg=audit(1505507306.846:4971): avc: denied { getattr } for pid=26137 comm="ceph-osd" path="/sys/dev/block/8:49" dev="sysfs" ino=41429 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file 2017-09-15T16:43:39.269 INFO:teuthology.orchestra.run.clara013.stdout:type=AVC msg=audit(1505507788.228:5329): avc: denied { getattr } for pid=23708 comm="tp_fstore_op" path="/sys/dev/block/8:17" dev="sysfs" ino=35632 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file http://magna002.ceph.redhat.com/vasu-2017-09-15_13:47:25-smoke-luminous---basic-multi/273938/teuthology.log