Bug 1565416 - avc: denied { search } for pid=31651 comm="ms_dispatch" name="httpd"
Summary: avc: denied { search } for pid=31651 comm="ms_dispatch" name="httpd"
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Ceph Storage
Classification: Red Hat Storage
Component: Build
Version: 3.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: z1
Target Release: 3.2
Assignee: Boris Ranto
QA Contact: Vasu Kulkarni
URL:
Whiteboard:
Duplicates: 1594963
Depends On:
Blocks: 1566664
Reported: 2018-04-10 01:18 UTC by Vasu Kulkarni
Modified: 2020-04-07 23:36 UTC (History)

Fixed In Version: RHEL: ceph-12.2.5-13.el7cp Ubuntu: 12.2.5-4redhat1xenial
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 1566664
Environment:
Last Closed: 2019-02-04 16:22:23 UTC
Embargoed:




Links: Ceph Project Bug Tracker 44216 (last updated 2020-04-07 23:36:13 UTC)

Description Vasu Kulkarni 2018-04-10 01:18:19 UTC
Description of problem:

I am seeing some new selinux denial, ms_dispatch seems to be OSD related process so may need a fix?

SELinux denials found on ubuntu.redhat.com: ['type=AVC msg=audit(1523316904.765:2728): avc: denied { search } for pid=31651 comm="ms_dispatch" name="httpd" dev="sda1" ino=1172 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=dir'] 

Version-Release number of selected component (if applicable):
3.0z2

Comment 4 Boris Ranto 2018-04-11 13:34:10 UTC
Is the node running ceph-mgr? I suspect this is ceph-mgr trying to access the apache config. Anyway, I have this PR that should cover it:

https://github.com/ceph/ceph/pull/20118

Comment 6 Vasu Kulkarni 2018-04-11 15:53:47 UTC
Boris,

I see this even on a node which is just osd+client. Here is one of the logs: http://pulpito.ceph.redhat.com/vasu-2018-04-09_15:08:26-smoke-luminous-distro-basic-bruuni/295484/


Thomas,

Can you generate a new build with the fix Boris has so that we can verify in smoke today?

Thanks

Comment 9 Christina Meno 2018-04-12 17:54:02 UTC
This denial is on the mgr service. I recommend we release note this and then fix it in z3

Relevant log details from Vasu's run


2018-04-09T18:32:50.956 INFO:teuthology.task.internal:roles:  ubuntu.redhat.com - ['mon.b', 'mgr.x']


{description: smoke/singleton/ansible_encrypted.yaml, duration: 2328.856581926346,
  failure_reason: 'SELinux denials found on ubuntu.redhat.com: [''type=AVC
    msg=audit(1523314111.291:2981): avc:  denied  { search } for  pid=27807 comm="ms_dispatch"
    name="httpd" dev="sda1" ino=1172 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:httpd_config_t:s0
    tclass=dir'']', owner: scheduled_vasu@magna002, status: fail, success: false}

Comment 10 Vasu Kulkarni 2018-04-12 19:11:41 UTC
Good analysis, Greg Meno! The denial is parsed from all nodes; the workunit was on the client. We can take this in z3.
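
As an added example (not part of this bug, of Ceph, or of the teuthology test code), here is a small Python parser for audit AVC records like the ones quoted above. It groups denials collected from several hosts by source type, target type, object class and permission, so that one policy gap reported on both the mgr node and the osd+client node is triaged once rather than per node; the host names and the non-AVC line are constructed.

```python
import re
from collections import defaultdict

# Kernel audit AVC record: "avc: denied { perm ... } for key=value ..." with the
# audit key=value fields after "for"; values are either quoted or bare tokens.
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the denial's fields as a dict, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    # A context is user:role:type:level; policy rules key on the type component.
    rec["source_type"] = rec["scontext"].split(":")[2]
    rec["target_type"] = rec["tcontext"].split(":")[2]
    return rec


def summarise_denials(lines_by_host):
    """Group denials across hosts by (source type, target type, class, perms)."""
    groups = defaultdict(lambda: {"hosts": set(), "comms": set(), "count": 0})
    for host, lines in lines_by_host.items():
        for line in lines:
            rec = parse_avc(line)
            if rec is None:
                continue
            key = (rec["source_type"], rec["target_type"], rec["tclass"],
                   " ".join(sorted(rec["perms"])))
            g = groups[key]
            g["hosts"].add(host)
            g["comms"].add(rec["comm"])
            g["count"] += 1
    return dict(groups)


# Constructed sample: the two records quoted in this bug plus one non-AVC audit line.
SAMPLE_LOGS = {
    "mon-mgr-node": [
        'type=AVC msg=audit(1523314111.291:2981): avc:  denied  { search } for  pid=27807 comm="ms_dispatch" name="httpd" dev="sda1" ino=1172 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=dir',
        'type=SYSCALL msg=audit(1523314111.291:2981): arch=c000003e syscall=257 success=no exit=-13',
    ],
    "osd-client-node": [
        'type=AVC msg=audit(1523316904.765:2728): avc: denied { search } for pid=31651 comm="ms_dispatch" name="httpd" dev="sda1" ino=1172 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=dir',
    ],
}

if __name__ == "__main__":
    for key, g in summarise_denials(SAMPLE_LOGS).items():
        print(key, sorted(g["hosts"]), sorted(g["comms"]), g["count"])
```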

Comment 11 Boris Ranto 2018-05-14 18:19:18 UTC
What do we want to do with this bugzilla? The commit that allowed ceph to search /etc/http was removed from the upstream PR. We can take other SELinux updates that were merged recently. We will need at least the patch for ldconfig for 3.1.

Comment 12 Ken Dreyer (Red Hat) 2018-05-14 20:56:10 UTC
Let's at least get luminous upstream up-to-date so v12.2.6 is as good as can be selinux-wise. And then ceph-3.1-rhel-patches as well.

Comment 13 Boris Ranto 2018-05-15 16:41:45 UTC
The upstream luminous back-port:

https://github.com/ceph/ceph/pull/22012

Comment 17 Ken Dreyer (Red Hat) 2018-06-25 21:57:31 UTC
*** Bug 1594963 has been marked as a duplicate of this bug. ***

Comment 19 Boris Ranto 2018-08-20 19:30:28 UTC
@Vasu: We kinda re-targeted this bugzilla in comment #11 and #12 to sync the policy with upstream (there were other denials that were fixed). The original upstream commit did include the rule to allow ceph daemons to search the /etc/httpd directory but the commit was rejected upstream since we are not sure why Ceph is accessing /etc/httpd (there does not seem to be anything that should be doing the search :-/ ). Fortunately, we are (or at least were in the previous release) release-noting this.

Your test run seems to confirm that the only remaining avc denial is the search on /etc/httpd so the upstream sync was successful.

Comment 22 Christina Meno 2019-01-09 22:55:15 UTC
Looks like the time has come to re-evaluate.

Boris, has anything changed here?

Comment 23 Christina Meno 2019-02-04 16:22:23 UTC
Closing, it's not a priority.

