
Bug 1534660

Summary: [RH Ceph 2.5/Ceph 10.2.10-11.el7cp] avc: denied { getattr } for pid=23789 comm="ceph-osd"
Product: [Red Hat Storage] Red Hat Ceph Storage
Reporter: Vasu Kulkarni <vakulkar>
Component: Build
Assignee: Boris Ranto <branto>
Status: CLOSED ERRATA
QA Contact: Vasu Kulkarni <vakulkar>
Severity: medium
Priority: unspecified
Version: 2.5
CC: agunn, branto, hnallurv, kdreyer, tserlin, vakulkar
Target Milestone: rc
Target Release: 2.5
Hardware: Unspecified
OS: Unspecified
Fixed In Version: ceph-10.2.10-16.el7cp
Doc Type: No Doc Update
Last Closed: 2018-02-21 19:47:28 UTC
Type: Bug

Description Vasu Kulkarni 2018-01-15 17:02:55 UTC
Description of problem:



SELinux denials found on ubuntu.redhat.com:
['type=AVC msg=audit(1515869781.400:27338): avc: denied { getattr } for pid=23789 comm="ceph-osd" path="/sys/dev/block/8:49" dev="sysfs" ino=41435 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file',
 'type=AVC msg=audit(1515869783.157:27348): avc: denied { getattr } for pid=24013 comm="ceph-osd" path="/sys/dev/block/8:49" dev="sysfs" ino=41435 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file',
 'type=AVC msg=audit(1515869767.052:27294): avc: denied { getattr } for pid=22892 comm="ceph-osd" path="/sys/dev/block/8:33" dev="sysfs" ino=41349 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file',
 'type=AVC msg=audit(1515869751.909:27237): avc: denied { getattr } for pid=21710 comm="ceph-osd" path="/sys/dev/block/8:17" dev="sysfs" ino=41263 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file',
 'type=AVC msg=audit(1515869766.202:27290): avc: denied { getattr } for pid=22773 comm="ceph-osd" path="/sys/dev/block/8:33" dev="sysfs" ino=41350 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file',
 'type=AVC msg=audit(1515869754.766:27249): avc: denied { getattr } for pid=22030 comm="ceph-osd" path="/sys/dev/block/8:17" dev="sysfs" ino=41263 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file']


http://pulpito.ceph.redhat.com/vasu-2018-01-11_21:45:28-smoke-jewel-distro-basic-multi/287042/

Version-Release number of selected component (if applicable):

2.5/ 10.2.10-11.el7cp

How reproducible:

Always

Comment 4 Boris Ranto 2018-01-17 11:33:09 UTC
We need to backport https://github.com/ceph/ceph/pull/17891 to jewel. It looks like the issue does not present on luminous upwards but on jewel as well (or maybe, one of the back-ports introduced it?).

Comment 10 Vasu Kulkarni 2018-02-01 04:28:43 UTC
I am still seeing this one denial from fn_anonymous, this is only on a node which has nvme.

SELinux denials found on ubuntu.redhat.com:
['type=AVC msg=audit(1517453933.388:10741): avc: denied { getattr } for pid=65785 comm="fn_anonymous" path="/dev/nvme0n1" dev="devtmpfs" ino=16424 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:nvme_device_t:s0 tclass=blk_file',
 'type=AVC msg=audit(1517453770.122:10653): avc: denied { getattr } for pid=63864 comm="fn_anonymous" path="/dev/nvme0n1" dev="devtmpfs" ino=16424 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:nvme_device_t:s0 tclass=blk_file',
 'type=AVC msg=audit(1517453841.295:10704): avc: denied { getattr } for pid=64816 comm="fn_anonymous" path="/dev/nvme0n1" dev="devtmpfs" ino=16424 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:nvme_device_t:s0 tclass=blk_file']
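A triage sketch for the denials quoted in the description and in comment 10, added here as an example and not code from this bug or from the Ceph project: it collapses repeated AVC records into one entry per (source type, target type, object class) and prints the raw audit2allow-style rule each group corresponds to. The function names are hypothetical, and the printed rules are not necessarily the form used in the upstream pull requests.

```python
import re
from collections import defaultdict

# Three denial records copied from this report (two ceph-osd/sysfs, one NVMe).
SAMPLE = [
    'type=AVC msg=audit(1515869781.400:27338): avc: denied { getattr } for pid=23789 comm="ceph-osd" path="/sys/dev/block/8:49" '
    'dev="sysfs" ino=41435 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file',
    'type=AVC msg=audit(1515869767.052:27294): avc: denied { getattr } for pid=22892 comm="ceph-osd" path="/sys/dev/block/8:33" '
    'dev="sysfs" ino=41349 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file',
    'type=AVC msg=audit(1517453933.388:10741): avc: denied { getattr } for pid=65785 comm="fn_anonymous" path="/dev/nvme0n1" '
    'dev="devtmpfs" ino=16424 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:nvme_device_t:s0 tclass=blk_file',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$')
# key=value pairs; unquoted values stop at list punctuation so pasted test-log lines parse too.
FIELD_RE = re.compile(r'''(\w+)=("[^"]*"|[^\s'",\]]+)''')

def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec['perms'] = m.group('perms').split()
    return rec

def summarize(lines):
    """Group denials by (source type, target type, class); pids and inodes are noise."""
    groups = defaultdict(lambda: {'perms': set(), 'comms': set(), 'count': 0})
    for line in lines:
        rec = parse_avc(line)
        if rec is None or not {'scontext', 'tcontext', 'tclass'} <= set(rec):
            continue
        # A context is user:role:type:level; policy rules are written on the type.
        key = (rec['scontext'].split(':')[2], rec['tcontext'].split(':')[2], rec['tclass'])
        groups[key]['perms'].update(rec['perms'])
        groups[key]['comms'].add(rec.get('comm', '?'))
        groups[key]['count'] += 1
    return dict(groups)

def allow_rules(groups):
    """Render each group as the allow rule that would silence it."""
    rules = []
    for (src, tgt, cls), g in sorted(groups.items()):
        perms = sorted(g['perms'])
        p = perms[0] if len(perms) == 1 else '{ %s }' % ' '.join(perms)
        rules.append(f'allow {src} {tgt}:{cls} {p};')
    return rules

if __name__ == '__main__':
    print('\n'.join(allow_rules(summarize(SAMPLE))))
```

Grouping this way shows the report contains two distinct policy gaps: `ceph_t` reading attributes of sysfs symlinks, and `ceph_t` reading attributes of the NVMe block device.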

Comment 11 Boris Ranto 2018-02-01 19:48:23 UTC
FWIW: This is not a regression, this never worked in jewel before. We have already fixed that upstream (master+luminous):

https://github.com/ceph/ceph/pull/15597

There is also a jewel backport but that one was not merged yet:

https://github.com/ceph/ceph/pull/18780

I can back-port that patch to jewel if you think it is worth making another ceph package for 2.5. (do we actually support nvme with jewel?)

Comment 12 Vasu Kulkarni 2018-02-01 20:03:05 UTC
I think we should take this. I agree it's not a regression, but since we have the fix in master+luminous and it is a quick verification in smoke, let's take this.

Comment 15 Boris Ranto 2018-02-01 23:23:04 UTC
OK, I have back-ported the fix to our downstream branch. Moving back to ON_QA.

Comment 16 Vasu Kulkarni 2018-02-03 00:37:14 UTC
Latest compose is still 10.2.10-15.el7cp, I don't think the build is available.

Comment 19 Vasu Kulkarni 2018-02-05 17:35:39 UTC
Tests started passing, closing this. http://pulpito.ceph.redhat.com/vasu-2018-02-05_11:36:33-smoke-jewel-distro-basic-bruuni/

Comment 22 errata-xmlrpc 2018-02-21 19:47:28 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0340