Bug 1794027 - TASK [ceph-nfs : start nfs gateway service] failed on FIPS enabled cluster
Summary: TASK [ceph-nfs : start nfs gateway service] failed on FIPS enabled cluster
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: selinux-policy
Version: 8.1
Hardware: Unspecified
OS: Linux
Target Milestone: rc
: 8.3
Assignee: Zdenek Pytela
QA Contact: Vasishta
Bara Ancincova
Depends On:
Blocks: 1730176
Reported: 2020-01-22 14:18 UTC by Sunil Kumar Nagaraju
Modified: 2021-05-07 18:15 UTC (History)

Fixed In Version:
Doc Type: Known Issue
Doc Text:
.Ansible cannot start NFS Ganesha if SELinux is in enforcing mode
When using SELinux in enforcing mode on {rhel} 8.1, the `ceph-ansible` utility fails to start the NFS Ganesha service because SELinux policy currently does not allow creating a directory required for NFS Ganesha.
Clone Of:
Last Closed: 2021-05-07 18:15:10 UTC
Type: Bug
Target Upstream Version:


Comment 13 Zdenek Pytela 2020-06-05 15:44:58 UTC
I see the scenario works in permissive mode where the AVC denials are also audited. Did you manage to gather the denials with the ausearch command as suggested in c#11?

Comment 16 Zdenek Pytela 2020-06-19 15:49:34 UTC
The AVC from the first attachment is allowed in the current policy version, please use selinux-policy-3.14.3-45.el8.noarch to verify. If yes, we can switch the component to ceph.

The second attachment contains 2 denials which need to be addressed in the ceph policy:
- ms_dispatch stating /proc/kcore: is it sufficient to dontaudit this access, i.e. do not allow, but it will not be audited?
- ceph-mgr wants to search the httpd configuration directory; what it is looking for does not seem to exist, though

Comment 18 Josh Durgin 2020-06-26 22:01:14 UTC
Yes, we can use the latest selinux-policy to verify this. The further 2 selinux denials in ceph are addressed by separate BZs: https://bugzilla.redhat.com/show_bug.cgi?id=1828232 and https://bugzilla.redhat.com/show_bug.cgi?id=1829758

Comment 21 Zdenek Pytela 2021-05-07 18:15:10 UTC
Verified the permission is present in the current release of RHEL:

sesearch -A -s init_t -t var_lib_nfs_t -c dir -p create
allow init_t non_security_file_type:dir { create getattr }; [ init_create_dirs ]:True

Based on the previous information closing this bz.
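
A small triage script for the two things this thread turns on: collecting AVC denials (comment 13 points out that permissive mode still audits them) and checking each one against the rule `sesearch` reports for its source and target types, as in the query quoted in comment 21, including the `init_create_dirs` boolean that rule is conditional on. This is an added example, not code from the bug report, from ceph-ansible or from selinux-policy; the audit records are constructed, and the type names `ceph_t` and `proc_kcore_t` used for the ms_dispatch analogue are assumptions.

```python
"""Triage SELinux AVC denials against sesearch output (added example)."""
import re
import subprocess

# Constructed sample audit records (not taken from the bug report). The first
# mirrors the denial this bug is about: init_t creating a directory labelled
# var_lib_nfs_t, recorded in permissive mode (permissive=1). The second is a
# constructed analogue of the ms_dispatch /proc/kcore access from comment 16;
# the types ceph_t and proc_kcore_t are assumptions, not taken from the page.
SAMPLE_AVC_LINES = [
    'type=AVC msg=audit(1592000000.123:456): avc:  denied  { create } for  '
    'pid=1234 comm="systemd" name="ganesha" '
    'scontext=system_u:system_r:init_t:s0 '
    'tcontext=system_u:object_r:var_lib_nfs_t:s0 tclass=dir permissive=1',
    'type=AVC msg=audit(1592000000.456:457): avc:  denied  { read } for  '
    'pid=2345 comm="ms_dispatch" path="/proc/kcore" '
    'scontext=system_u:system_r:ceph_t:s0 '
    'tcontext=system_u:object_r:proc_kcore_t:s0 tclass=file permissive=0',
]

# sesearch output keyed by (source type, target type). The single entry is the
# line quoted in comment 21 for `sesearch -A -s init_t -t var_lib_nfs_t -c dir`;
# a missing key stands for an empty sesearch result (no allow rule at all).
SAMPLE_SESEARCH = {
    ("init_t", "var_lib_nfs_t"):
        "allow init_t non_security_file_type:dir { create getattr }; "
        "[ init_create_dirs ]:True\n",
}

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r'comm="(?P<comm>[^"]*)".*?'
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+"
    r"tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?"
)
RULE_RE = re.compile(
    r"^allow\s+(?P<source>\S+)\s+(?P<target>[^:\s]+):(?P<tclass>\S+)\s+"
    r"(?:\{\s*(?P<permset>[^}]*?)\s*\}|(?P<perm>[^\s;{]+));"
    r"(?:\s*\[\s*(?P<boolean>.*?)\s*\]:(?P<state>True|False))?"
)


def context_type(ctx):
    """Return the type field of a user:role:type[:level] security context."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Parse one AVC denial record into a dict; None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "comm": m.group("comm"),
        "source": context_type(m.group("scontext")),
        "target": context_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
        "perms": set(m.group("perms").split()),
        # permissive=1 means the access went ahead and was only audited
        "permissive": m.group("permissive") == "1",
    }


def parse_sesearch(text):
    """Parse `sesearch -A` output into rule dicts (permission set, boolean)."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        permset = m.group("permset")
        rules.append({
            "source": m.group("source"), "target": m.group("target"),
            "tclass": m.group("tclass"),
            "perms": set(permset.split()) if permset is not None else {m.group("perm")},
            "boolean": m.group("boolean"),
            "enabled": None if m.group("state") is None else m.group("state") == "True",
        })
    return rules


def denial_status(denial, rules):
    """Classify a denial against rules from a sesearch query already scoped
    to its source/target types. sesearch resolves attributes such as
    non_security_file_type, so only class, permissions and boolean state are
    compared here, not the rule's literal target name."""
    for rule in rules:
        if rule["tclass"] != denial["tclass"] or not denial["perms"] <= rule["perms"]:
            continue
        if rule["enabled"] is False:
            return "blocked_by_boolean " + rule["boolean"]
        return "covered"
    return "uncovered"


def triage(avc_lines, sesearch_by_pair):
    """Attach a coverage status to every parsed denial."""
    report = []
    for line in avc_lines:
        d = parse_avc(line)
        if d is None:
            continue
        rules = parse_sesearch(sesearch_by_pair.get((d["source"], d["target"]), ""))
        d["status"] = denial_status(d, rules)
        report.append(d)
    return report


def live_sesearch(source, target, tclass):
    """Run sesearch (setools) on the local policy to fill sesearch_by_pair."""
    cmd = ["sesearch", "-A", "-s", source, "-t", target, "-c", tclass]
    return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout


if __name__ == "__main__":
    for e in triage(SAMPLE_AVC_LINES, SAMPLE_SESEARCH):
        print("{comm}: {source} -> {target}:{tclass} {perms} "
              "permissive={permissive} status={status}".format(**e))
```

On a real host the `sesearch_by_pair` map would be filled with `live_sesearch()` for each (source, target) pair found in `ausearch -m AVC` output; the `blocked_by_boolean` status is the case worth watching for, since a rule that sesearch prints with `]:False` does not grant anything until the boolean is turned on.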
