Description of problem:
SELinux denials found on ubuntu.redhat.com:
['type=AVC msg=audit(1515869781.400:27338): avc: denied { getattr } for pid=23789 comm="ceph-osd" path="/sys/dev/block/8:49" dev="sysfs" ino=41435 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file',
 'type=AVC msg=audit(1515869783.157:27348): avc: denied { getattr } for pid=24013 comm="ceph-osd" path="/sys/dev/block/8:49" dev="sysfs" ino=41435 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file',
 'type=AVC msg=audit(1515869767.052:27294): avc: denied { getattr } for pid=22892 comm="ceph-osd" path="/sys/dev/block/8:33" dev="sysfs" ino=41349 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file',
 'type=AVC msg=audit(1515869751.909:27237): avc: denied { getattr } for pid=21710 comm="ceph-osd" path="/sys/dev/block/8:17" dev="sysfs" ino=41263 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file',
 'type=AVC msg=audit(1515869766.202:27290): avc: denied { getattr } for pid=22773 comm="ceph-osd" path="/sys/dev/block/8:33" dev="sysfs" ino=41350 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file',
 'type=AVC msg=audit(1515869754.766:27249): avc: denied { getattr } for pid=22030 comm="ceph-osd" path="/sys/dev/block/8:17" dev="sysfs" ino=41263 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file']
http://pulpito.ceph.redhat.com/vasu-2018-01-11_21:45:28-smoke-jewel-distro-basic-multi/287042/

Version-Release number of selected component (if applicable): 2.5/ 10.2.10-11.el7cp

How reproducible: Always
We need to backport https://github.com/ceph/ceph/pull/17891 to jewel. It looks like the issue does not present on luminous upwards but on jewel as well (or maybe, one of the back-ports introduced it?).
I am still seeing this one denial from fn_anonymous, this is only on a node which has nvme.
SELinux denials found on ubuntu.redhat.com:
['type=AVC msg=audit(1517453933.388:10741): avc: denied { getattr } for pid=65785 comm="fn_anonymous" path="/dev/nvme0n1" dev="devtmpfs" ino=16424 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:nvme_device_t:s0 tclass=blk_file',
 'type=AVC msg=audit(1517453770.122:10653): avc: denied { getattr } for pid=63864 comm="fn_anonymous" path="/dev/nvme0n1" dev="devtmpfs" ino=16424 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:nvme_device_t:s0 tclass=blk_file',
 'type=AVC msg=audit(1517453841.295:10704): avc: denied { getattr } for pid=64816 comm="fn_anonymous" path="/dev/nvme0n1" dev="devtmpfs" ino=16424 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:nvme_device_t:s0 tclass=blk_file']
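An added triage example, not part of the original comments or of the Ceph or teuthology code: it parses AVC records in the quoted-list form shown in the two denial reports above and groups them by source type, target type and object class, so repeated denials collapse into the distinct policy gaps. The function names are hypothetical; the three sample records are copied from this page.

```python
import re
from collections import defaultdict

# Three records copied from the comments above, kept in the list form the test report uses.
SAMPLE = """['type=AVC msg=audit(1515869781.400:27338): avc: denied { getattr } for pid=23789 comm="ceph-osd" path="/sys/dev/block/8:49" dev="sysfs" ino=41435 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file',
 'type=AVC msg=audit(1515869767.052:27294): avc: denied { getattr } for pid=22892 comm="ceph-osd" path="/sys/dev/block/8:33" dev="sysfs" ino=41349 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file',
 'type=AVC msg=audit(1517453933.388:10741): avc: denied { getattr } for pid=65785 comm="fn_anonymous" path="/dev/nvme0n1" dev="devtmpfs" ino=16424 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:nvme_device_t:s0 tclass=blk_file']"""

RECORD_RE = re.compile(r"type=AVC[^'\n]*")      # one record, raw or inside the quoted list
DENIED_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')    # key=value, value optionally quoted


def parse_avc(record):
    """Return the fields of one AVC denial as a dict, or None if it is not a denial."""
    m = DENIED_RE.search(record)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    fields["perms"] = m.group(1).split()
    return fields


def selinux_type(context):
    """user:role:type:level -> type (the level may itself contain colons)."""
    return context.split(":")[2]


def summarize(text):
    """Group denials by (source type, target type, class)."""
    groups = defaultdict(lambda: {"perms": set(), "paths": set(), "comms": set(), "count": 0})
    for record in RECORD_RE.findall(text):
        f = parse_avc(record)
        if f is None or not {"scontext", "tcontext", "tclass"} <= f.keys():
            continue
        g = groups[(selinux_type(f["scontext"]), selinux_type(f["tcontext"]), f["tclass"])]
        g["perms"].update(f["perms"])
        g["paths"].add(f.get("path", "?"))
        g["comms"].add(f.get("comm", "?"))
        g["count"] += 1
    return dict(groups)


if __name__ == "__main__":
    for (src, tgt, cls), g in sorted(summarize(SAMPLE).items()):
        print(f"{src} -> {tgt}:{cls} {{ {' '.join(sorted(g['perms']))} }} "
              f"x{g['count']} comm={sorted(g['comms'])} paths={sorted(g['paths'])}")
```

The same function accepts raw audit.log text, since each record is matched up to the end of its line.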
FWIW: This is not a regression, this never worked in jewel before. We have already fixed that upstream (master+luminous): https://github.com/ceph/ceph/pull/15597 There is also a jewel backport but that one was not merged yet: https://github.com/ceph/ceph/pull/18780 I can back-port that patch to jewel if you think it is worth making another ceph package for 2.5. (Do we actually support nvme with jewel?)
I think we should take this. I agree it's not a regression, but since we have the fix in master+luminous and it is a quick verification in smoke, let's take this.
OK, I have back-ported the fix to our downstream branch. Moving back to ON_QA.
Latest compose is still 10.2.10-15.el7cp, I don't think the build is available.
Tests started passing, closing this. http://pulpito.ceph.redhat.com/vasu-2018-02-05_11:36:33-smoke-jewel-distro-basic-bruuni/
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:0340