Description of problem: I am seeing some new selinux denial; ms_dispatch seems to be an OSD-related process, so it may need a fix?

SELinux denials found on ubuntu.redhat.com: ['type=AVC msg=audit(1523316904.765:2728): avc: denied { search } for pid=31651 comm="ms_dispatch" name="httpd" dev="sda1" ino=1172 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=dir']

Version-Release number of selected component (if applicable): 3.0z2
Is the node running ceph-mgr? I suspect this is ceph-mgr trying to access the apache config. Anyway, I have this PR that should cover it: https://github.com/ceph/ceph/pull/20118
Boris, I see this even on a node which is just osd+client. Here is one of the logs: http://pulpito.ceph.redhat.com/vasu-2018-04-09_15:08:26-smoke-luminous-distro-basic-bruuni/295484/ Thomas, can you generate a new build with the fix Boris has so that we can verify in smoke today? Thanks
This denial is on the mgr service. I recommend we release note this and then fix it in z3.

Relevant log details from Vasu's run:

2018-04-09T18:32:50.956 INFO:teuthology.task.internal:roles: ubuntu.redhat.com - ['mon.b', 'mgr.x'] {description: smoke/singleton/ansible_encrypted.yaml, duration: 2328.856581926346, failure_reason: 'SELinux denials found on ubuntu.redhat.com: [''type=AVC msg=audit(1523314111.291:2981): avc: denied { search } for pid=27807 comm="ms_dispatch" name="httpd" dev="sda1" ino=1172 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=dir'']', owner: scheduled_vasu@magna002, status: fail, success: false}
Good analysis, Greg Meno! The denial is parsed from all nodes; the workunit was on the client. We can take this in z3.
What do we want to do with this bugzilla? The commit that allowed ceph to search /etc/httpd was removed from the upstream PR. We can take other SELinux updates that were merged recently. We need at least the patch for ldconfig for 3.1.
Let's at least get luminous upstream up-to-date so v12.2.6 is as good as can be selinux-wise. And then ceph-3.1-rhel-patches as well.
The upstream luminous back-port: https://github.com/ceph/ceph/pull/22012
*** Bug 1594963 has been marked as a duplicate of this bug. ***
Not yet fixed, still seeing the issue: http://magna002.ceph.redhat.com/rakesh-2018-08-17_07:29:56-smoke-luminous-distro-basic-pluto/306604/teuthology.log
@Vasu: We kinda re-targeted this bugzilla in comment #11 and #12 to sync the policy with upstream (there were other denials that were fixed). The original upstream commit did include the rule to allow ceph daemons to search the /etc/httpd directory, but the commit was rejected upstream since we are not sure why Ceph is accessing /etc/httpd (there does not seem to be anything that should be doing the search :-/ ). Fortunately, we are (or at least were in previous releases) release-noting this. Your test run seems to confirm that the only remaining avc denial is the search on /etc/httpd, so the upstream sync was successful.
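A small triage helper for the kind of AVC lines quoted in this thread, added here as an example and not part of the bug, of teuthology or of the ceph policy: it parses audit records per node, pulls out the source and target SELinux types, and separates the release-noted ceph_t search on httpd_config_t from any denial that still needs a look. The node names, pids and the second sample denial are constructed.

```python
import re
from collections import defaultdict

# Constructed audit lines modelled on the AVC quoted in this bug; node names,
# pids and the second (ld.so.cache) denial are made up for illustration.
SAMPLE_AUDIT = {
    "node-a": [
        'type=AVC msg=audit(1523316904.765:2728): avc: denied { search } for '
        'pid=31651 comm="ms_dispatch" name="httpd" dev="sda1" ino=1172 '
        'scontext=system_u:system_r:ceph_t:s0 '
        'tcontext=system_u:object_r:httpd_config_t:s0 tclass=dir',
        'type=SYSCALL msg=audit(1523316904.765:2728): arch=c000003e syscall=4 success=no',
    ],
    "node-b": [
        'type=AVC msg=audit(1523316910.001:2731): avc: denied { write } for '
        'pid=31700 comm="ceph-osd" name="ld.so.cache" dev="sda1" ino=9001 '
        'scontext=system_u:system_r:ceph_t:s0 '
        'tcontext=system_u:object_r:ld_so_cache_t:s0 tclass=file',
    ],
}

AVC_RE = re.compile(r'^type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Denials already triaged in this bug: ceph daemons searching the httpd config
# directory, which was release-noted rather than allowed in policy.
RELEASE_NOTED = {("ceph_t", "httpd_config_t", "dir", frozenset({"search"}))}


def parse_avc(line):
    """Return the key=value fields of an AVC denial line, or None for other records."""
    m = AVC_RE.match(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    fields["perms"] = m.group("perms").split()
    return fields


def ctx_type(ctx):
    """Extract the type component (third field) of an SELinux context string."""
    return ctx.split(":")[2]


def triage(audit_by_node):
    """Group denials per node into 'known' (release-noted) and 'new' (needs a look)."""
    buckets = defaultdict(list)
    for node, lines in audit_by_node.items():
        for line in lines:
            f = parse_avc(line)
            if f is None:
                continue
            key = (ctx_type(f["scontext"]), ctx_type(f["tcontext"]), f["tclass"], frozenset(f["perms"]))
            buckets["known" if key in RELEASE_NOTED else "new"].append((node, f["comm"], key))
    return dict(buckets)
```

Feeding real audit.log records to `triage` lists, per node, which denials are the already-noted /etc/httpd search and which are something new to investigate.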
Looks like the time has come to re-evaluate. Boris, has anything changed here?
Closing, it's not a priority.