Bug 1794027 - TASK [ceph-nfs : start nfs gateway service] failed on FIPS enabled cluster
Summary: TASK [ceph-nfs : start nfs gateway service] failed on FIPS enabled cluster
Keywords:
Status: NEW
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: selinux-policy
Version: 8.1
Hardware: Unspecified
OS: Linux
medium
high
Target Milestone: rc
Assignee: Zdenek Pytela
QA Contact: Vasishta
Bara Ancincova
URL:
Whiteboard:
Depends On:
Blocks: 1730176
Reported: 2020-01-22 14:18 UTC by Sunil Kumar Nagaraju
Modified: 2020-10-15 18:14 UTC (History)

Fixed In Version:
Doc Type: Known Issue
Doc Text:
.Ansible cannot start NFS Ganesha if SELinux is in enforcing mode
When using SELinux in enforcing mode on {rhel} 8.1, the `ceph-ansible` utility fails to start the NFS Ganesha service because SELinux policy currently does not allow creating a directory required for NFS Ganesha.
Clone Of:
Environment:
Last Closed:
Type: Bug
Target Upstream Version:



Comment 13 Zdenek Pytela 2020-06-05 15:44:58 UTC
Sunil,

I see the scenario works in permissive mode where the AVC denials are also audited. Did you manage to gather the denials with the ausearch command as suggested in c#11?

Comment 16 Zdenek Pytela 2020-06-19 15:49:34 UTC
The AVC from the first attachment is allowed in the current policy version, please use selinux-policy-3.14.3-45.el8.noarch to verify. If yes, we can switch the component to ceph.

The second attachment contains 2 denials which need to be addressed in the ceph policy:
- ms_dispatch stat'ing /proc/kcore: is it sufficient to dontaudit this access, i.e. do not allow it, but it will not be audited?
- ceph-mgr wants to search the httpd configuration directory; what it is looking for does not seem to exist, though.

Comment 18 Josh Durgin 2020-06-26 22:01:14 UTC
Yes, we can use the latest selinux-policy to verify this. The further 2 selinux denials in ceph are addressed by separate BZs: https://bugzilla.redhat.com/show_bug.cgi?id=1828232 and https://bugzilla.redhat.com/show_bug.cgi?id=1829758
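Added example (not part of the bug report or of the selinux-policy/ceph projects): comment 13 asks for the AVC denials gathered with ausearch, and comment 16 sorts them into ones already allowed, ones to `dontaudit`, and ones still to fix. The script below parses raw audit records of the kind ausearch prints, groups the denials by source type, target type and object class, records whether a denial actually blocked the operation (`permissive=0`) or was only logged in permissive mode, and renders a candidate `allow` or `dontaudit` rule for review. The audit lines and the types `ceph_t`, `proc_kcore_t`, `httpd_config_t`, `ganesha_t` and `var_run_t` are constructed for the example and are assumptions about the contexts involved, not values taken from the bug's attachments.

```python
import re
from collections import defaultdict

# Constructed sample audit records (assumption: modelled on the denials the
# comments describe; not copied from the bug's attachments). The types used in
# scontext/tcontext are assumptions about the policy types involved.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1591000000.100:201): avc:  denied  { read } for  pid=2101 comm="ms_dispatch" path="/proc/kcore" dev="proc" ino=4026532001 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:proc_kcore_t:s0 tclass=file permissive=1
type=AVC msg=audit(1591000000.100:202): avc:  denied  { open } for  pid=2101 comm="ms_dispatch" path="/proc/kcore" dev="proc" ino=4026532001 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:proc_kcore_t:s0 tclass=file permissive=1
type=AVC msg=audit(1591000000.250:203): avc:  denied  { search } for  pid=2230 comm="ceph-mgr" name="httpd" dev="dm-0" ino=8388627 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1591000000.400:204): avc:  denied  { create } for  pid=2400 comm="ganesha.nfsd" name="ganesha" scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1591000000.400:204): arch=c000003e syscall=83 success=no exit=-13 comm="ganesha.nfsd"
"""

# One 'avc: denied' record: the permission set in braces, the process name,
# both security contexts, the object class and (on newer kernels) the
# permissive flag telling whether the access was really blocked.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
    r'(?:\s+permissive=(?P<permissive>[01]))?'
)


def _type_of(context):
    """Extract the type field from user:role:type:level (levels may contain ':')."""
    return context.split(":")[2]


def parse_avc(line):
    """Return a dict for one 'avc: denied' record, or None for any other record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return {
        "comm": m.group("comm"),
        "perms": frozenset(m.group("perms").split()),
        "source": _type_of(m.group("scontext")),
        "target": _type_of(m.group("tcontext")),
        "tclass": m.group("tclass"),
        # permissive=1 means the denial was only logged; missing flag is treated
        # as enforced, which is the conservative reading for triage.
        "permissive": m.group("permissive") == "1",
    }


def summarize(log_text):
    """Group denials by (source type, target type, class) and union their permissions."""
    groups = defaultdict(lambda: {"perms": set(), "comms": set(), "enforced": False})
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        g = groups[(rec["source"], rec["target"], rec["tclass"])]
        g["perms"] |= rec["perms"]
        g["comms"].add(rec["comm"])
        # True once any record in the group actually blocked the operation
        g["enforced"] = g["enforced"] or not rec["permissive"]
    return dict(groups)


def candidate_rule(source, target, tclass, perms, dontaudit=False):
    """Render a TE-style rule for review.

    'allow' grants the access; 'dontaudit' keeps it denied but stops logging it,
    which is the option comment 16 raises for the /proc/kcore access.
    """
    keyword = "dontaudit" if dontaudit else "allow"
    return f"{keyword} {source} {target}:{tclass} {{ {' '.join(sorted(perms))} }};"


if __name__ == "__main__":
    for (src, tgt, cls), g in sorted(summarize(SAMPLE_AUDIT_LOG).items()):
        mode = "BLOCKED" if g["enforced"] else "permissive-only"
        print(f"{mode:16} {', '.join(sorted(g['comms']))}")
        print("   ", candidate_rule(src, tgt, cls, g["perms"]))
```

On a real host the input would be `ausearch -m AVC -ts recent` output piped into the script; the grouping is what `audit2allow` does internally, reduced here so the decision between `allow`, `dontaudit` and "already allowed in the newer policy" can be made per group rather than per line.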

