Bug 1594962 - couple selinux denials for comm="ganesha.nfsd scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:proc_net_t:s0
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Ceph Storage
Classification: Red Hat Storage
Component: Build
Version: 3.0
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: z5
Target Release: 3.3
Assignee: tserlin
QA Contact: Vasu Kulkarni
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-06-25 20:39 UTC by Vasu Kulkarni
Modified: 2020-06-10 15:44 UTC (History)

Fixed In Version: RHEL: nfs-ganesha-2.7.4-11.el7cp Ubuntu: nfs-ganesha_2.7.4-11redhat1xenial
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-06-10 15:44:17 UTC
Embargoed:
vakulkar: automate_bug+




Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1511489 0 high CLOSED selinux: ganesha.nfsd run in unconfined domain 2021-02-22 00:41:40 UTC
Red Hat Bugzilla 1653857 0 high CLOSED selinux: more nfs-ganesha AVCs w/ selinux-policy-3.13.1-192.el7_5.6 2021-02-22 00:41:40 UTC
Red Hat Product Errata RHBA-2020:2488 0 None None None 2020-06-10 15:44:38 UTC

Internal Links: 1511489 1653857

Description Vasu Kulkarni 2018-06-25 20:39:11 UTC
Description of problem:

a) Set up nfs ganesha using ceph-ansible and run a couple of nfs tests.
b) We see the denials below.

2018-06-23T00:28:15.595 DEBUG:teuthology.run_tasks:Exception was not quenched, exiting: SELinuxError: SELinux denials found on ubuntu.redhat.com: ['type=AVC msg=audit(1529727695.925:3037): avc:  denied  { search } for  pid=26596 comm="ganesha.nfsd" name="ceph-rgw.pluto008" dev="sda1" ino=524294 scontext=system_u:system_r:ganesha_t:s0 tcontext=unconfined_u:object_r:ceph_var_lib_t:s0 tclass=dir', 'type=AVC msg=audit(1529727695.901:3035): avc:  denied  { open } for  pid=26596 comm="ganesha.nfsd" path="/var/log/ceph/ceph-rgw-pluto008.log" dev="sda1" ino=395647 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:ceph_log_t:s0 tclass=file', 'type=AVC msg=audit(1529727695.925:3037): avc:  denied  { read } for  pid=26596 comm="ganesha.nfsd" name="keyring" dev="sda1" ino=524296 scontext=system_u:system_r:ganesha_t:s0 tcontext=unconfined_u:object_r:ceph_var_lib_t:s0 tclass=file', 'type=AVC msg=audit(1529727828.067:3349): avc:  denied  { read } for  pid=28459 comm="ganesha.nfsd" name="psched" dev="proc" ino=4026531993 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file', 'type=AVC msg=audit(1529727695.925:3038): avc:  denied  { getattr } for  pid=26596 comm="ganesha.nfsd" path="/var/lib/ceph/radosgw/ceph-rgw.pluto008/keyring" dev="sda1" ino=524296 scontext=system_u:system_r:ganesha_t:s0 tcontext=unconfined_u:object_r:ceph_var_lib_t:s0 tclass=file', 'type=AVC msg=audit(1529727737.516:3292): avc:  denied  { open } for  pid=27680 comm="ganesha.nfsd" path="/var/log/ceph/ceph-rgw-pluto008.log" dev="sda1" ino=395647 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:ceph_log_t:s0 tclass=file', 'type=AVC msg=audit(1529727737.492:3291): avc:  denied  { getattr } for  pid=27679 comm="ganesha.nfsd" path="/proc/27679/net/psched" dev="proc" ino=4026531993 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file', 'type=AVC msg=audit(1529727737.540:3295): avc:  denied  { getattr } 
for  pid=27680 comm="ganesha.nfsd" path="/var/lib/ceph/radosgw/ceph-rgw.pluto008/keyring" dev="sda1" ino=524296 scontext=system_u:system_r:ganesha_t:s0 tcontext=unconfined_u:object_r:ceph_var_lib_t:s0 tclass=file', 'type=AVC msg=audit(1529727695.925:3037): avc:  denied  { open } for  pid=26596 comm="ganesha.nfsd" path="/var/lib/ceph/radosgw/ceph-rgw.pluto008/keyring" dev="sda1" ino=524296 scontext=system_u:system_r:ganesha_t:s0 tcontext=unconfined_u:object_r:ceph_var_lib_t:s0 tclass=file', 'type=AVC msg=audit(1529727737.492:3290): avc:  denied  { open } for  pid=27679 comm="ganesha.nfsd" path="/proc/27679/net/psched" dev="proc" ino=4026531993 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file', 'type=AVC msg=audit(1529727828.068:3350): avc:  denied  { getattr } for  pid=28459 comm="ganesha.nfsd" path="/proc/28459/net/psched" dev="proc" ino=4026531993 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file', 'type=AVC msg=audit(1529727828.090:3351): avc:  denied  { open } for  pid=28460 comm="ganesha.nfsd" path="/var/log/ceph/ceph-rgw-pluto008.log" dev="sda1" ino=395647 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:ceph_log_t:s0 tclass=file', 'type=AVC msg=audit(1529727828.115:3353): avc:  denied  { open } for  pid=28460 comm="ganesha.nfsd" path="/var/lib/ceph/radosgw/ceph-rgw.pluto008/keyring" dev="sda1" ino=524296 scontext=system_u:system_r:ganesha_t:s0 tcontext=unconfined_u:object_r:ceph_var_lib_t:s0 tclass=file', 'type=AVC msg=audit(1529727695.878:3033): avc:  denied  { read } for  pid=26595 comm="ganesha.nfsd" name="psched" dev="proc" ino=4026531993 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file', 'type=AVC msg=audit(1529727737.540:3294): avc:  denied  { read } for  pid=27680 comm="ganesha.nfsd" name="keyring" dev="sda1" ino=524296 scontext=system_u:system_r:ganesha_t:s0 
tcontext=unconfined_u:object_r:ceph_var_lib_t:s0 tclass=file', 'type=AVC msg=audit(1529727828.115:3353): avc:  denied  { read } for  pid=28460 comm="ganesha.nfsd" name="keyring" dev="sda1" ino=524296 scontext=system_u:system_r:ganesha_t:s0 tcontext=unconfined_u:object_r:ceph_var_lib_t:s0 tclass=file', 'type=AVC msg=audit(1529727695.878:3033): avc:  denied  { open } for  pid=26595 comm="ganesha.nfsd" path="/proc/26595/net/psched" dev="proc" ino=4026531993 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file', 'type=AVC msg=audit(1529727724.491:3115): avc:  denied  { block_suspend } for  pid=27040 comm="msgr-worker-1" capability=36  scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:system_r:ceph_t:s0 tclass=capability2', 'type=AVC msg=audit(1529727737.492:3290): avc:  denied  { read } for  pid=27679 comm="ganesha.nfsd" name="psched" dev="proc" ino=4026531993 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file', 'type=AVC msg=audit(1529727828.115:3354): avc:  denied  { getattr } for  pid=28460 comm="ganesha.nfsd" path="/var/lib/ceph/radosgw/ceph-rgw.pluto008/keyring" dev="sda1" ino=524296 scontext=system_u:system_r:ganesha_t:s0 tcontext=unconfined_u:object_r:ceph_var_lib_t:s0 tclass=file', 'type=AVC msg=audit(1529727737.540:3294): avc:  denied  { search } for  pid=27680 comm="ganesha.nfsd" name="ceph-rgw.pluto008" dev="sda1" ino=524294 scontext=system_u:system_r:ganesha_t:s0 tcontext=unconfined_u:object_r:ceph_var_lib_t:s0 tclass=dir', 'type=AVC msg=audit(1529727737.540:3294): avc:  denied  { open } for  pid=27680 comm="ganesha.nfsd" path="/var/lib/ceph/radosgw/ceph-rgw.pluto008/keyring" dev="sda1" ino=524296 scontext=system_u:system_r:ganesha_t:s0 tcontext=unconfined_u:object_r:ceph_var_lib_t:s0 tclass=file', 'type=AVC msg=audit(1529727695.878:3034): avc:  denied  { getattr } for  pid=26595 comm="ganesha.nfsd" path="/proc/26595/net/psched" dev="proc" ino=4026531993 
scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file', 'type=AVC msg=audit(1529727828.112:3352): avc:  denied  { connectto } for  pid=28460 comm="ganesha.nfsd" path="/run/ceph/ceph-client.rgw.pluto008.asok" scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:system_r:ceph_t:s0 tclass=unix_stream_socket', 'type=AVC msg=audit(1529727737.537:3293): avc:  denied  { connectto } for  pid=27680 comm="ganesha.nfsd" path="/run/ceph/ceph-client.rgw.pluto008.asok" scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:system_r:ceph_t:s0 tclass=unix_stream_socket', 'type=AVC msg=audit(1529727828.115:3355): avc:  denied  { name_connect } for  pid=28460 comm="msgr-worker-1" dest=6789 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:cyphesis_port_t:s0 tclass=tcp_socket', 'type=AVC msg=audit(1529727695.922:3036): avc:  denied  { connectto } for  pid=26596 comm="ganesha.nfsd" path="/run/ceph/ceph-client.rgw.pluto008.asok" scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:system_r:ceph_t:s0 tclass=unix_stream_socket', 'type=AVC msg=audit(1529727828.067:3349): avc:  denied  { open } for  pid=28459 comm="ganesha.nfsd" path="/proc/28459/net/psched" dev="proc" ino=4026531993 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file', 'type=AVC msg=audit(1529727737.541:3296): avc:  denied  { name_connect } for  pid=27680 comm="msgr-worker-1" dest=6789 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:cyphesis_port_t:s0 tclass=tcp_socket', 'type=AVC msg=audit(1529727695.926:3039): avc:  denied  { name_connect } for  pid=26596 comm="msgr-worker-1" dest=6789 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:cyphesis_port_t:s0 tclass=tcp_socket']

Comment 3 Ken Dreyer (Red Hat) 2018-06-25 22:35:01 UTC
Please confirm this is still an issue in RHCS 3.1

Comment 4 Vasu Kulkarni 2018-07-31 22:48:55 UTC
We are running some tests this week and should be able to confirm in the next 2 days.

Comment 8 Kaleb KEITHLEY 2018-10-19 12:14:50 UTC
Is this still happening on 3.2? What version of RHEL are 3.0 and 3.2 based on?

Comment 10 Vasu Kulkarni 2018-11-20 16:40:57 UTC
Folks, this is still an issue with recent builds and it's not yet fixed.

Comment 13 Kaleb KEITHLEY 2018-11-27 16:38:38 UTC
The usual drill is to set selinux to permissive. Rerun the test(s). Collect /var/log/audit/audit.log and the output of `audit2allow -a` and send them to the selinux team (in a BZ).

Even though ganesha ran without any AVCs in RHGS-3.4 testing, there are still customers seeing AVCs that didn't appear during the QE cycle.
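An added triage helper (example code, not part of this bug, of nfs-ganesha or of the selinux tooling) that does the aggregation step of the drill above over AVC records in the shape quoted in this bug: it collapses denials into audit2allow-style rules per (source type, target type, class), reports whether the capture is complete (enforcing-mode records stop at the first denied permission, which is why the drill says permissive), and marks port denials such as the dest=6789/cyphesis_port_t one, where the port label should be checked with `semanage port -l` before any allow rule is considered.

```python
import re
from collections import defaultdict

# Sample records copied from the denials quoted in this bug (three from
# enforcing mode, one with permissive=1), not from the attached audit.log.
SAMPLE_AVCS = [
    'type=AVC msg=audit(1529727828.067:3349): avc:  denied  { read } for  pid=28459 comm="ganesha.nfsd" name="psched" dev="proc" '
    'ino=4026531993 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file',
    'type=AVC msg=audit(1529727828.067:3349): avc:  denied  { open } for  pid=28459 comm="ganesha.nfsd" path="/proc/28459/net/psched" '
    'dev="proc" ino=4026531993 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file',
    'type=AVC msg=audit(1529727828.115:3355): avc:  denied  { name_connect } for  pid=28460 comm="msgr-worker-1" dest=6789 '
    'scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:cyphesis_port_t:s0 tclass=tcp_socket',
    'type=AVC msg=audit(1544850152.244:1913): avc: denied { search } for pid=25712 comm="ganesha.nfsd" name="ceph-rgw.clara007" dev="sda1" '
    'ino=395372 scontext=system_u:system_r:ganesha_t:s0 tcontext=unconfined_u:object_r:ceph_var_lib_t:s0 tclass=dir permissive=1',
]

# Fields that decide a policy rule: permission set, subject/object contexts, object class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)
DEST_RE = re.compile(r'\bdest=(\d+)')


def parse_avc(line):
    """Parse one AVC record; returns None for lines that are not denials."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    dest = DEST_RE.search(line)
    return {
        "perms": set(m.group("perms").split()),
        "stype": m.group("scontext").split(":")[2],  # user:role:type[:range]
        "ttype": m.group("tcontext").split(":")[2],
        "tclass": m.group("tclass"),
        "dest": int(dest.group(1)) if dest else None,
        "permissive": "permissive=1" in line,
    }


def summarize(lines):
    """Return (rules, complete). rules are audit2allow-style strings, one per
    (source type, target type, class); complete is False if any record came from
    enforcing mode, where the first denied permission aborts the call and the rest go unseen."""
    wanted, ports, complete = defaultdict(set), {}, True
    for rec in filter(None, map(parse_avc, lines)):
        key = (rec["stype"], rec["ttype"], rec["tclass"])
        wanted[key] |= rec["perms"]
        complete &= rec["permissive"]
        if rec["dest"] is not None:
            ports[key] = rec["dest"]
    rules = []
    for (s, t, c), perms in sorted(wanted.items()):
        rule = f"allow {s} {t}:{c} {{ {' '.join(sorted(perms))} }};"
        if (s, t, c) in ports:  # a mislabelled port is fixed by relabelling, not by an allow rule
            rule += f"  # dest={ports[(s, t, c)]}, verify the label with 'semanage port -l' first"
        rules.append(rule)
    return rules, complete
```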

Comment 14 rakesh-gm 2018-11-28 13:26:10 UTC
Created attachment 1509512 [details]
audit.log

Comment 20 Kaleb KEITHLEY 2018-12-04 16:27:23 UTC
No, no issues with that. AFAIK that's the way to do it.

Comment 35 shilpa 2018-12-17 07:45:57 UTC
Tested in 12.2.8-52.el7cp with selinux in permissive mode. Seeing the denials below.

SELinux denials found on ubuntu.redhat.com: ['type=AVC msg=audit(1544850152.244:1913): avc: denied { search } for pid=25712 comm="ganesha.nfsd" name="ceph-rgw.clara007" dev="sda1" ino=395372 scontext=system_u:system_r:ganesha_t:s0 tcontext=unconfined_u:object_r:ceph_var_lib_t:s0 tclass=dir permissive=1', 'type=AVC msg=audit(1544849948.447:1843): avc: denied { getattr } for pid=24880 comm="ganesha.nfsd" path="/var/lib/ceph/radosgw/ceph-rgw.clara007/keyring" dev="sda1" ino=395373 scontext=system_u:system_r:ganesha_t:s0 tcontext=unconfined_u:object_r:ceph_var_lib_t:s0 tclass=file permissive=1', 'type=AVC msg=audit(1544850152.244:1913): avc: denied { open } for pid=25712 comm="ganesha.nfsd" path="/var/lib/ceph/radosgw/ceph-rgw.clara007/keyring" dev="sda1" ino=395373 scontext=system_u:system_r:ganesha_t:s0 tcontext=unconfined_u:object_r:ceph_var_lib_t:s0 tclass=file permissive=1', 'type=AVC msg=audit(1544849948.366:1838): avc: denied { open } for pid=24879 comm="ganesha.nfsd" path="/proc/24879/net/psched" dev="proc" ino=4026531987 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=1', 'type=AVC msg=audit(1544849948.402:1840): avc: denied { open } for pid=24880 comm="ganesha.nfsd" path="/var/log/ceph/ceph-rgw-clara007.log" dev="sda1" ino=395379 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:ceph_log_t:s0 tclass=file permissive=1', 'type=AVC msg=audit(1544849948.447:1842): avc: denied { open } for pid=24880 comm="ganesha.nfsd" path="/var/lib/ceph/radosgw/ceph-rgw.clara007/keyring" dev="sda1" ino=395373 scontext=system_u:system_r:ganesha_t:s0 tcontext=unconfined_u:object_r:ceph_var_lib_t:s0 tclass=file permissive=1', 'type=AVC msg=audit(1544849893.299:1592): avc: denied { getattr } for pid=23916 comm="ganesha.nfsd" path="/var/lib/ceph/radosgw/ceph-rgw.clara007/keyring" dev="sda1" ino=395373 scontext=system_u:system_r:ganesha_t:s0 tcontext=unconfined_u:object_r:ceph_var_lib_t:s0 tclass=file 
permissive=1', 'type=AVC msg=audit(1544850152.244:1913): avc: denied { read } for pid=25712 comm="ganesha.nfsd" name="keyring" dev="sda1" ino=395373 scontext=system_u:system_r:ganesha_t:s0 tcontext=unconfined_u:object_r:ceph_var_lib_t:s0 tclass=file permissive=1', 'type=AVC msg=audit(1544850152.163:1909): avc: denied { open } for pid=25711 comm="ganesha.nfsd" path="/proc/25711/net/psched" dev="proc" ino=4026531987 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=1', 'type=AVC msg=audit(1544849893.294:1590): avc: denied { connectto } for pid=23916 comm="ganesha.nfsd" path="/run/ceph/ceph-client.rgw.clara007.asok" scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:system_r:ceph_t:s0 tclass=unix_stream_socket permissive=1', 'type=AVC msg=audit(1544850152.240:1912): avc: denied { connectto } for pid=25712 comm="ganesha.nfsd" path="/run/ceph/ceph-client.rgw.clara007.asok" scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:system_r:ceph_t:s0 tclass=unix_stream_socket permissive=1', 'type=AVC msg=audit(1544849893.298:1591): avc: denied { open } for pid=23916 comm="ganesha.nfsd" path="/var/lib/ceph/radosgw/ceph-rgw.clara007/keyring" dev="sda1" ino=395373 scontext=system_u:system_r:ganesha_t:s0 tcontext=unconfined_u:object_r:ceph_var_lib_t:s0 tclass=file permissive=1', 'type=AVC msg=audit(1544849893.298:1591): avc: denied { search } for pid=23916 comm="ganesha.nfsd" name="ceph-rgw.clara007" dev="sda1" ino=395372 scontext=system_u:system_r:ganesha_t:s0 tcontext=unconfined_u:object_r:ceph_var_lib_t:s0 tclass=dir permissive=1', 'type=AVC msg=audit(1544850152.163:1909): avc: denied { read } for pid=25711 comm="ganesha.nfsd" name="psched" dev="proc" ino=4026531987 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=1', 'type=AVC msg=audit(1544849893.253:1589): avc: denied { open } for pid=23916 comm="ganesha.nfsd" path="/var/log/ceph/ceph-rgw-clara007.log" 
dev="sda1" ino=395379 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:ceph_log_t:s0 tclass=file permissive=1', 'type=AVC msg=audit(1544849948.443:1841): avc: denied { connectto } for pid=24880 comm="ganesha.nfsd" path="/run/ceph/ceph-client.rgw.clara007.asok" scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:system_r:ceph_t:s0 tclass=unix_stream_socket permissive=1', 'type=AVC msg=audit(1544850152.164:1910): avc: denied { getattr } for pid=25711 comm="ganesha.nfsd" path="/proc/25711/net/psched" dev="proc" ino=4026531987 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=1', 'type=AVC msg=audit(1544849948.366:1839): avc: denied { getattr } for pid=24879 comm="ganesha.nfsd" path="/proc/24879/net/psched" dev="proc" ino=4026531987 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=1', 'type=AVC msg=audit(1544849948.366:1838): avc: denied { read } for pid=24879 comm="ganesha.nfsd" name="psched" dev="proc" ino=4026531987 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=1', 'type=AVC msg=audit(1544849893.217:1588): avc: denied { getattr } for pid=23915 comm="ganesha.nfsd" path="/proc/23915/net/psched" dev="proc" ino=4026531987 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=1', 'type=AVC msg=audit(1544849948.447:1842): avc: denied { read } for pid=24880 comm="ganesha.nfsd" name="keyring" dev="sda1" ino=395373 scontext=system_u:system_r:ganesha_t:s0 tcontext=unconfined_u:object_r:ceph_var_lib_t:s0 tclass=file permissive=1', 'type=AVC msg=audit(1544849893.216:1587): avc: denied { open } for pid=23915 comm="ganesha.nfsd" path="/proc/23915/net/psched" dev="proc" ino=4026531987 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=1', 'type=AVC msg=audit(1544850152.244:1914): avc: denied 
{ getattr } for pid=25712 comm="ganesha.nfsd" path="/var/lib/ceph/radosgw/ceph-rgw.clara007/keyring" dev="sda1" ino=395373 scontext=system_u:system_r:ganesha_t:s0 tcontext=unconfined_u:object_r:ceph_var_lib_t:s0 tclass=file permissive=1', 'type=AVC msg=audit(1544849893.298:1591): avc: denied { read } for pid=23916 comm="ganesha.nfsd" name="keyring" dev="sda1" ino=395373 scontext=system_u:system_r:ganesha_t:s0 tcontext=unconfined_u:object_r:ceph_var_lib_t:s0 tclass=file permissive=1', 'type=AVC msg=audit(1544850152.199:1911): avc: denied { open } for pid=25712 comm="ganesha.nfsd" path="/var/log/ceph/ceph-rgw-clara007.log" dev="sda1" ino=395379 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:ceph_log_t:s0 tclass=file permissive=1', 'type=AVC msg=audit(1544849893.216:1587): avc: denied { read } for pid=23915 comm="ganesha.nfsd" name="psched" dev="proc" ino=4026531987 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=1', 'type=AVC msg=audit(1544849948.447:1842): avc: denied { search } for pid=24880 comm="ganesha.nfsd" name="ceph-rgw.clara007" dev="sda1" ino=395372 scontext=system_u:system_r:ganesha_t:s0 tcontext=unconfined_u:object_r:ceph_var_lib_t:s0 tclass=dir permissive=1']

Comment 56 errata-xmlrpc 2020-06-10 15:44:17 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:2488

