Bug 1566664 - [release note] avc: denied { search } for pid=31651 comm="ms_dispatch" name="httpd"
Alias: None
Product: Red Hat Ceph Storage
Classification: Red Hat
Component: Documentation
Version: 3.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: z2
: 3.0
Assignee: ceph-docs@redhat.com
QA Contact: ceph-qe-bugs
Depends On: 1565416
Reported: 2018-04-12 17:55 UTC by Christina Meno
Modified: 2018-05-30 15:32 UTC

Fixed In Version:
Doc Type: Known Issue
Doc Text:
Cause: A ceph daemon can try to access httpd config files but it is forbidden to do so by SELinux.
Consequence: AVC denials appear in /var/log/audit/audit.log in the form
"type=AVC msg=audit(1523314111.291:2981): avc: denied { search } for pid=27807 comm="ms_dispatch" name="httpd" dev="sda1" ino=1172 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=dir"
Workaround (if any): If you are experiencing any issues because of this AVC denial you can put SELinux into Permissive mode with
# setenforce Permissive
Result: SELinux will allow ceph to access httpd config files.
Clone Of: 1565416
Last Closed: 2018-05-30 15:32:05 UTC
Target Upstream Version:

System: Ceph Project Bug Tracker
ID: 22302
Private: 0
Priority: None
Status: None
Summary: None
Last Updated: 2018-05-08 09:02:20 UTC

Comment 3 Christina Meno 2018-04-12 18:06:40 UTC

Would you please verify my known_issue doc_text?

Comment 6 Boris Ranto 2018-04-12 18:47:04 UTC
I have updated the doc text. I don't think we want to advise customers to put this denial into their own custom policy. It may cause some issues (print some warnings) in the future when we allow this in our ceph policy. Instead, we should just guide the customers to put SELinux into Permissive mode if they are experiencing any issues.

Comment 10 Ken Dreyer (Red Hat) 2018-05-30 15:32:05 UTC
No docs changes needed for this
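
The following Python example is added here and is not from the bug report, Red Hat, or the Ceph project. It parses AVC records in the format quoted in the Doc Text and separates ceph_t denials that match this known issue from any other ceph_t denials, so that the known denial is not used to dismiss unrelated ones. The function names and the second and third sample log lines are constructed for illustration.

```python
import re

# Constructed sample: line 1 is the denial quoted in the Doc Text; lines 2-3
# are made-up records added for contrast.
SAMPLE_AUDIT_LOG = '''\
type=AVC msg=audit(1523314111.291:2981): avc: denied { search } for pid=27807 comm="ms_dispatch" name="httpd" dev="sda1" ino=1172 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=dir
type=AVC msg=audit(1523314200.100:2990): avc: denied { read } for pid=4242 comm="example" name="example.conf" dev="sda1" ino=99 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1523314200.100:2990): arch=c000003e syscall=2 success=no
'''

AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): '
    r'avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for an AVC record, or None for any other audit record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    rec.update(ts=float(m.group('ts')), serial=int(m.group('serial')),
               result=m.group('result'), perms=set(m.group('perms').split()))
    # An SELinux context is user:role:type:level; the type is the third field.
    for key, ctx in (('stype', 'scontext'), ('ttype', 'tcontext')):
        parts = rec.get(ctx, '').split(':')
        rec[key] = parts[2] if len(parts) > 2 else ''
    return rec

def is_known_issue(rec):
    """True if the record matches the denial described in this bug's Doc Text."""
    return (rec['result'] == 'denied' and 'search' in rec['perms']
            and rec['stype'] == 'ceph_t' and rec['ttype'] == 'httpd_config_t'
            and rec.get('tclass') == 'dir')

def triage(log_text):
    """Split ceph_t denials into (matches known issue, everything else)."""
    known, other = [], []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec['result'] != 'denied' or rec['stype'] != 'ceph_t':
            continue
        (known if is_known_issue(rec) else other).append(rec)
    return known, other

if __name__ == '__main__':
    known, other = triage(SAMPLE_AUDIT_LOG)
    print(len(known), 'known-issue denial(s);', len(other), 'other ceph_t denial(s)')
```

Any record that lands in the second list is not covered by this known issue and should be reviewed on its own before SELinux is switched to Permissive mode.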
