I see the scenario works in permissive mode where the AVC denials are also audited. Did you manage to gather the denials with the ausearch command as suggested in c#11?
The AVC from the first attachment is allowed in the current policy version, please use selinux-policy-3.14.3-45.el8.noarch to verify. If yes, we can switch the component to ceph.
The second attachment contain 2 denials which need to be addressed in the ceph policy:
- ms_dispatch stating /proc/kcore: is it sufficient to dontaudit this access, i. e. do not allow, but it will not be audited?
- ceph-mgr wants to search the httpd configuration directory; there does not seem to exist though what is it looking for
Yes, we can use the latest selinux-policy to verify this. The further 2 selinux denials in ceph are addressed by separate BZs: https://bugzilla.redhat.com/show_bug.cgi?id=1828232 and https://bugzilla.redhat.com/show_bug.cgi?id=1829758