Bug 1566664 - [release note] avc: denied { search } for pid=31651 comm="ms_dispatch" name="httpd"
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Ceph Storage
Classification: Red Hat Storage
Component: Documentation
Version: 3.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: z2
Target Release: 3.0
Assignee: ceph-docs@redhat.com
QA Contact: ceph-qe-bugs
URL:
Whiteboard:
Depends On: 1565416
Blocks:
 
Reported: 2018-04-12 17:55 UTC by Christina Meno
Modified: 2018-05-30 15:32 UTC (History)

Fixed In Version:
Doc Type: Known Issue
Doc Text:
Cause: A Ceph daemon can try to access httpd config files, but SELinux forbids it.
Consequence: AVC denials appear in /var/log/audit/audit.log in the form:
"type=AVC msg=audit(1523314111.291:2981): avc: denied { search } for pid=27807 comm="ms_dispatch" name="httpd" dev="sda1" ino=1172 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=dir"
Workaround (if any): If you are experiencing any issues because of this AVC denial, you can put SELinux into Permissive mode with:
# setenforce Permissive
Result: SELinux will allow Ceph to access httpd config files.
Clone Of: 1565416
Environment:
Last Closed: 2018-05-30 15:32:05 UTC
Embargoed:




Links
System | ID | Private | Priority | Status | Summary | Last Updated
Ceph Project Bug Tracker | 22302 | 0 | None | None | None | 2018-05-08 09:02:20 UTC

Comment 3 Christina Meno 2018-04-12 18:06:40 UTC
Boris,

Would you please verify my known_issue doc_text?

Comment 6 Boris Ranto 2018-04-12 18:47:04 UTC
I have updated the doc text. I don't think we want to advise customers to put this denial into their own custom policy. It may cause some issues (print some warnings) in the future when we allow this in our ceph policy. Instead, we should just guide the customers to put SELinux into Permissive mode if they are experiencing any issues.

Comment 10 Ken Dreyer (Red Hat) 2018-05-30 15:32:05 UTC
No docs changes needed for this

