Description of problem:
a) Set up nfs ganesha using ceph-ansible and run a couple of nfs tests.
b) We see the below denials:

2018-06-23T00:28:15.595 DEBUG:teuthology.run_tasks:Exception was not quenched, exiting: SELinuxError: SELinux denials found on ubuntu.redhat.com:
type=AVC msg=audit(1529727695.925:3037): avc: denied { search } for pid=26596 comm="ganesha.nfsd" name="ceph-rgw.pluto008" dev="sda1" ino=524294 scontext=system_u:system_r:ganesha_t:s0 tcontext=unconfined_u:object_r:ceph_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1529727695.901:3035): avc: denied { open } for pid=26596 comm="ganesha.nfsd" path="/var/log/ceph/ceph-rgw-pluto008.log" dev="sda1" ino=395647 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:ceph_log_t:s0 tclass=file
type=AVC msg=audit(1529727695.925:3037): avc: denied { read } for pid=26596 comm="ganesha.nfsd" name="keyring" dev="sda1" ino=524296 scontext=system_u:system_r:ganesha_t:s0 tcontext=unconfined_u:object_r:ceph_var_lib_t:s0 tclass=file
type=AVC msg=audit(1529727828.067:3349): avc: denied { read } for pid=28459 comm="ganesha.nfsd" name="psched" dev="proc" ino=4026531993 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=AVC msg=audit(1529727695.925:3038): avc: denied { getattr } for pid=26596 comm="ganesha.nfsd" path="/var/lib/ceph/radosgw/ceph-rgw.pluto008/keyring" dev="sda1" ino=524296 scontext=system_u:system_r:ganesha_t:s0 tcontext=unconfined_u:object_r:ceph_var_lib_t:s0 tclass=file
type=AVC msg=audit(1529727737.516:3292): avc: denied { open } for pid=27680 comm="ganesha.nfsd" path="/var/log/ceph/ceph-rgw-pluto008.log" dev="sda1" ino=395647 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:ceph_log_t:s0 tclass=file
type=AVC msg=audit(1529727737.492:3291): avc: denied { getattr } for pid=27679 comm="ganesha.nfsd" path="/proc/27679/net/psched" dev="proc" ino=4026531993 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=AVC msg=audit(1529727737.540:3295): avc: denied { getattr } for pid=27680 comm="ganesha.nfsd" path="/var/lib/ceph/radosgw/ceph-rgw.pluto008/keyring" dev="sda1" ino=524296 scontext=system_u:system_r:ganesha_t:s0 tcontext=unconfined_u:object_r:ceph_var_lib_t:s0 tclass=file
type=AVC msg=audit(1529727695.925:3037): avc: denied { open } for pid=26596 comm="ganesha.nfsd" path="/var/lib/ceph/radosgw/ceph-rgw.pluto008/keyring" dev="sda1" ino=524296 scontext=system_u:system_r:ganesha_t:s0 tcontext=unconfined_u:object_r:ceph_var_lib_t:s0 tclass=file
type=AVC msg=audit(1529727737.492:3290): avc: denied { open } for pid=27679 comm="ganesha.nfsd" path="/proc/27679/net/psched" dev="proc" ino=4026531993 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=AVC msg=audit(1529727828.068:3350): avc: denied { getattr } for pid=28459 comm="ganesha.nfsd" path="/proc/28459/net/psched" dev="proc" ino=4026531993 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=AVC msg=audit(1529727828.090:3351): avc: denied { open } for pid=28460 comm="ganesha.nfsd" path="/var/log/ceph/ceph-rgw-pluto008.log" dev="sda1" ino=395647 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:ceph_log_t:s0 tclass=file
type=AVC msg=audit(1529727828.115:3353): avc: denied { open } for pid=28460 comm="ganesha.nfsd" path="/var/lib/ceph/radosgw/ceph-rgw.pluto008/keyring" dev="sda1" ino=524296 scontext=system_u:system_r:ganesha_t:s0 tcontext=unconfined_u:object_r:ceph_var_lib_t:s0 tclass=file
type=AVC msg=audit(1529727695.878:3033): avc: denied { read } for pid=26595 comm="ganesha.nfsd" name="psched" dev="proc" ino=4026531993 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=AVC msg=audit(1529727737.540:3294): avc: denied { read } for pid=27680 comm="ganesha.nfsd" name="keyring" dev="sda1" ino=524296 scontext=system_u:system_r:ganesha_t:s0 tcontext=unconfined_u:object_r:ceph_var_lib_t:s0 tclass=file
type=AVC msg=audit(1529727828.115:3353): avc: denied { read } for pid=28460 comm="ganesha.nfsd" name="keyring" dev="sda1" ino=524296 scontext=system_u:system_r:ganesha_t:s0 tcontext=unconfined_u:object_r:ceph_var_lib_t:s0 tclass=file
type=AVC msg=audit(1529727695.878:3033): avc: denied { open } for pid=26595 comm="ganesha.nfsd" path="/proc/26595/net/psched" dev="proc" ino=4026531993 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=AVC msg=audit(1529727724.491:3115): avc: denied { block_suspend } for pid=27040 comm="msgr-worker-1" capability=36 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:system_r:ceph_t:s0 tclass=capability2
type=AVC msg=audit(1529727737.492:3290): avc: denied { read } for pid=27679 comm="ganesha.nfsd" name="psched" dev="proc" ino=4026531993 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=AVC msg=audit(1529727828.115:3354): avc: denied { getattr } for pid=28460 comm="ganesha.nfsd" path="/var/lib/ceph/radosgw/ceph-rgw.pluto008/keyring" dev="sda1" ino=524296 scontext=system_u:system_r:ganesha_t:s0 tcontext=unconfined_u:object_r:ceph_var_lib_t:s0 tclass=file
type=AVC msg=audit(1529727737.540:3294): avc: denied { search } for pid=27680 comm="ganesha.nfsd" name="ceph-rgw.pluto008" dev="sda1" ino=524294 scontext=system_u:system_r:ganesha_t:s0 tcontext=unconfined_u:object_r:ceph_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1529727737.540:3294): avc: denied { open } for pid=27680 comm="ganesha.nfsd" path="/var/lib/ceph/radosgw/ceph-rgw.pluto008/keyring" dev="sda1" ino=524296 scontext=system_u:system_r:ganesha_t:s0 tcontext=unconfined_u:object_r:ceph_var_lib_t:s0 tclass=file
type=AVC msg=audit(1529727695.878:3034): avc: denied { getattr } for pid=26595 comm="ganesha.nfsd" path="/proc/26595/net/psched" dev="proc" ino=4026531993 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=AVC msg=audit(1529727828.112:3352): avc: denied { connectto } for pid=28460 comm="ganesha.nfsd" path="/run/ceph/ceph-client.rgw.pluto008.asok" scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:system_r:ceph_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1529727737.537:3293): avc: denied { connectto } for pid=27680 comm="ganesha.nfsd" path="/run/ceph/ceph-client.rgw.pluto008.asok" scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:system_r:ceph_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1529727828.115:3355): avc: denied { name_connect } for pid=28460 comm="msgr-worker-1" dest=6789 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:cyphesis_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1529727695.922:3036): avc: denied { connectto } for pid=26596 comm="ganesha.nfsd" path="/run/ceph/ceph-client.rgw.pluto008.asok" scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:system_r:ceph_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1529727828.067:3349): avc: denied { open } for pid=28459 comm="ganesha.nfsd" path="/proc/28459/net/psched" dev="proc" ino=4026531993 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=AVC msg=audit(1529727737.541:3296): avc: denied { name_connect } for pid=27680 comm="msgr-worker-1" dest=6789 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:cyphesis_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1529727695.926:3039): avc: denied { name_connect } for pid=26596 comm="msgr-worker-1" dest=6789 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:cyphesis_port_t:s0 tclass=tcp_socket
Please confirm this is still an issue in RHCS 3.1
We are running some tests this week and should be able to confirm in the next 2 days.
This has failed QA; one of the tests: http://pulpito.ceph.redhat.com/rakesh-2018-08-01_00:53:21-rgw:nfs-ganesha-rgw-v2-luminous-distro-basic-multi/305519/
Is this still happening on 3.2? What version of RHEL are 3.0 and 3.2 based on?
Folks, this is still an issue with recent builds and it's not yet fixed.
The usual drill is to set selinux to permissive, rerun the test(s), collect /var/log/audit/audit.log and the output of `audit2allow -a`, and send them to the selinux team (in a BZ). Even though ganesha ran without any AVCs in RHGS-3.4 testing, there are still customers seeing AVCs that didn't appear during the QE cycle.
Created attachment 1509512 [details] audit.log
No, no issues with that. AFAIK that's the way to do it.
Tested in 12.2.8-52.el7cp with selinux in permissive mode. Seeing the below denials.

SELinux denials found on ubuntu.redhat.com:
type=AVC msg=audit(1544850152.244:1913): avc: denied { search } for pid=25712 comm="ganesha.nfsd" name="ceph-rgw.clara007" dev="sda1" ino=395372 scontext=system_u:system_r:ganesha_t:s0 tcontext=unconfined_u:object_r:ceph_var_lib_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1544849948.447:1843): avc: denied { getattr } for pid=24880 comm="ganesha.nfsd" path="/var/lib/ceph/radosgw/ceph-rgw.clara007/keyring" dev="sda1" ino=395373 scontext=system_u:system_r:ganesha_t:s0 tcontext=unconfined_u:object_r:ceph_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1544850152.244:1913): avc: denied { open } for pid=25712 comm="ganesha.nfsd" path="/var/lib/ceph/radosgw/ceph-rgw.clara007/keyring" dev="sda1" ino=395373 scontext=system_u:system_r:ganesha_t:s0 tcontext=unconfined_u:object_r:ceph_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1544849948.366:1838): avc: denied { open } for pid=24879 comm="ganesha.nfsd" path="/proc/24879/net/psched" dev="proc" ino=4026531987 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=1
type=AVC msg=audit(1544849948.402:1840): avc: denied { open } for pid=24880 comm="ganesha.nfsd" path="/var/log/ceph/ceph-rgw-clara007.log" dev="sda1" ino=395379 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:ceph_log_t:s0 tclass=file permissive=1
type=AVC msg=audit(1544849948.447:1842): avc: denied { open } for pid=24880 comm="ganesha.nfsd" path="/var/lib/ceph/radosgw/ceph-rgw.clara007/keyring" dev="sda1" ino=395373 scontext=system_u:system_r:ganesha_t:s0 tcontext=unconfined_u:object_r:ceph_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1544849893.299:1592): avc: denied { getattr } for pid=23916 comm="ganesha.nfsd" path="/var/lib/ceph/radosgw/ceph-rgw.clara007/keyring" dev="sda1" ino=395373 scontext=system_u:system_r:ganesha_t:s0 tcontext=unconfined_u:object_r:ceph_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1544850152.244:1913): avc: denied { read } for pid=25712 comm="ganesha.nfsd" name="keyring" dev="sda1" ino=395373 scontext=system_u:system_r:ganesha_t:s0 tcontext=unconfined_u:object_r:ceph_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1544850152.163:1909): avc: denied { open } for pid=25711 comm="ganesha.nfsd" path="/proc/25711/net/psched" dev="proc" ino=4026531987 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=1
type=AVC msg=audit(1544849893.294:1590): avc: denied { connectto } for pid=23916 comm="ganesha.nfsd" path="/run/ceph/ceph-client.rgw.clara007.asok" scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:system_r:ceph_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1544850152.240:1912): avc: denied { connectto } for pid=25712 comm="ganesha.nfsd" path="/run/ceph/ceph-client.rgw.clara007.asok" scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:system_r:ceph_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1544849893.298:1591): avc: denied { open } for pid=23916 comm="ganesha.nfsd" path="/var/lib/ceph/radosgw/ceph-rgw.clara007/keyring" dev="sda1" ino=395373 scontext=system_u:system_r:ganesha_t:s0 tcontext=unconfined_u:object_r:ceph_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1544849893.298:1591): avc: denied { search } for pid=23916 comm="ganesha.nfsd" name="ceph-rgw.clara007" dev="sda1" ino=395372 scontext=system_u:system_r:ganesha_t:s0 tcontext=unconfined_u:object_r:ceph_var_lib_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1544850152.163:1909): avc: denied { read } for pid=25711 comm="ganesha.nfsd" name="psched" dev="proc" ino=4026531987 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=1
type=AVC msg=audit(1544849893.253:1589): avc: denied { open } for pid=23916 comm="ganesha.nfsd" path="/var/log/ceph/ceph-rgw-clara007.log" dev="sda1" ino=395379 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:ceph_log_t:s0 tclass=file permissive=1
type=AVC msg=audit(1544849948.443:1841): avc: denied { connectto } for pid=24880 comm="ganesha.nfsd" path="/run/ceph/ceph-client.rgw.clara007.asok" scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:system_r:ceph_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1544850152.164:1910): avc: denied { getattr } for pid=25711 comm="ganesha.nfsd" path="/proc/25711/net/psched" dev="proc" ino=4026531987 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=1
type=AVC msg=audit(1544849948.366:1839): avc: denied { getattr } for pid=24879 comm="ganesha.nfsd" path="/proc/24879/net/psched" dev="proc" ino=4026531987 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=1
type=AVC msg=audit(1544849948.366:1838): avc: denied { read } for pid=24879 comm="ganesha.nfsd" name="psched" dev="proc" ino=4026531987 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=1
type=AVC msg=audit(1544849893.217:1588): avc: denied { getattr } for pid=23915 comm="ganesha.nfsd" path="/proc/23915/net/psched" dev="proc" ino=4026531987 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=1
type=AVC msg=audit(1544849948.447:1842): avc: denied { read } for pid=24880 comm="ganesha.nfsd" name="keyring" dev="sda1" ino=395373 scontext=system_u:system_r:ganesha_t:s0 tcontext=unconfined_u:object_r:ceph_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1544849893.216:1587): avc: denied { open } for pid=23915 comm="ganesha.nfsd" path="/proc/23915/net/psched" dev="proc" ino=4026531987 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=1
type=AVC msg=audit(1544850152.244:1914): avc: denied { getattr } for pid=25712 comm="ganesha.nfsd" path="/var/lib/ceph/radosgw/ceph-rgw.clara007/keyring" dev="sda1" ino=395373 scontext=system_u:system_r:ganesha_t:s0 tcontext=unconfined_u:object_r:ceph_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1544849893.298:1591): avc: denied { read } for pid=23916 comm="ganesha.nfsd" name="keyring" dev="sda1" ino=395373 scontext=system_u:system_r:ganesha_t:s0 tcontext=unconfined_u:object_r:ceph_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1544850152.199:1911): avc: denied { open } for pid=25712 comm="ganesha.nfsd" path="/var/log/ceph/ceph-rgw-clara007.log" dev="sda1" ino=395379 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:ceph_log_t:s0 tclass=file permissive=1
type=AVC msg=audit(1544849893.216:1587): avc: denied { read } for pid=23915 comm="ganesha.nfsd" name="psched" dev="proc" ino=4026531987 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=1
type=AVC msg=audit(1544849948.447:1842): avc: denied { search } for pid=24880 comm="ganesha.nfsd" name="ceph-rgw.clara007" dev="sda1" ino=395372 scontext=system_u:system_r:ganesha_t:s0 tcontext=unconfined_u:object_r:ceph_var_lib_t:s0 tclass=dir permissive=1
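As an added example (not from this bug or from the ceph or nfs-ganesha projects), a small Python triage script for AVC records of the shape quoted in the description and in the comment above: it folds them into the distinct source-type/target-type/class/permission tuples, which is roughly the grouping `audit2allow -a` does before printing allow rules, and keeps track of whether each record was logged in permissive mode. The sample records are copied from this bug; the function names are my own.

```python
import re
from collections import defaultdict

# Matches the "avc: denied { perms } for field=value ..." part of an AVC record.
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Sample input: four records copied from the denials quoted in this bug (three from
# the permissive-mode run, one enforcing-mode tcp_socket record from the description).
SAMPLE = [
    'type=AVC msg=audit(1544850152.244:1913): avc: denied { search } for pid=25712 comm="ganesha.nfsd" name="ceph-rgw.clara007" dev="sda1" ino=395372 scontext=system_u:system_r:ganesha_t:s0 tcontext=unconfined_u:object_r:ceph_var_lib_t:s0 tclass=dir permissive=1',
    'type=AVC msg=audit(1544850152.244:1913): avc: denied { open } for pid=25712 comm="ganesha.nfsd" path="/var/lib/ceph/radosgw/ceph-rgw.clara007/keyring" dev="sda1" ino=395373 scontext=system_u:system_r:ganesha_t:s0 tcontext=unconfined_u:object_r:ceph_var_lib_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1544850152.244:1913): avc: denied { read } for pid=25712 comm="ganesha.nfsd" name="keyring" dev="sda1" ino=395373 scontext=system_u:system_r:ganesha_t:s0 tcontext=unconfined_u:object_r:ceph_var_lib_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1529727828.115:3355): avc: denied { name_connect } for pid=28460 comm="msgr-worker-1" dest=6789 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:cyphesis_port_t:s0 tclass=tcp_socket',
]


def parse_avc(line):
    """Return the record's fields as a dict (quotes stripped) plus the denied
    permissions and the bare source/target types, or None for a non-AVC line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    rec['perms'] = m.group('perms').split()
    # Contexts are user:role:type:level; policy rules name only the type.
    rec['stype'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    # permissive=1 means the access was logged but actually allowed, so the
    # test got further than it would have in enforcing mode.
    rec['enforced'] = rec.get('permissive', '0') != '1'
    return rec


def summarise(lines):
    """Fold records into (source type, target type, class) -> sorted permissions."""
    rules = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec:
            rules[(rec['stype'], rec['ttype'], rec['tclass'])].update(rec['perms'])
    return {key: sorted(perms) for key, perms in rules.items()}


def as_allow_rules(rules):
    """Render the summary in the allow-rule syntax audit2allow prints. This is
    review input for the policy maintainer, not something to load as-is."""
    return ['allow %s %s:%s { %s };' % (s, t, c, ' '.join(p))
            for (s, t, c), p in sorted(rules.items())]
```

Running `summarise` over a full audit.log export gives the handful of tuples that matter (ganesha_t on ceph_var_lib_t, ceph_log_t, proc_net_t, the ceph_t admin socket and the port 6789 connect) instead of dozens of near-duplicate records.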
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:2488