Bug 1821602 - [RGW]: SElinux denials observed on teuthology multisite run
Summary: [RGW]: SElinux denials observed on teuthology multisite run
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Ceph Storage
Classification: Red Hat Storage
Component: RGW-Multisite
Version: 3.3
Hardware: Unspecified
OS: Linux
unspecified
medium
Target Milestone: z5
: 3.3
Assignee: Kaleb KEITHLEY
QA Contact: Tejas
URL:
Whiteboard:
Depends On:
Blocks: 1822902
TreeView+ depends on / blocked
 
Reported: 2020-04-07 07:38 UTC by Tejas
Modified: 2020-06-10 15:44 UTC (History)
4 users (show)

Fixed In Version: RHEL: ceph-12.2.12-103.el7cp Ubuntu: ceph_12.2.12-98redhat1xenial
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1822902 (view as bug list)
Environment:
Last Closed: 2020-06-10 15:44:19 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Ceph Project Bug Tracker 45022 0 None None None 2020-04-09 16:50:54 UTC
Github ceph ceph pull 34502 0 None closed Update ceph.te 2020-07-03 13:51:57 UTC
Github ceph ceph pull 34508 0 None closed selinux: add "type http_cache_port_t" in require section 2020-07-03 13:51:57 UTC
Red Hat Product Errata RHBA-2020:2488 0 None None None 2020-06-10 15:44:38 UTC

Description Tejas 2020-04-07 07:38:58 UTC 
Description of problem:
  ceph version 12.2.12-101.el7cp (20a4945f2321019ed50c1844b413059c07304074) luminous

On a teuthology multisite run, we see failures with multiple  selinux denials.

2020-04-06T05:26:47.732 INFO:teuthology.orchestra.run.pluto009.stdout:type=AVC msg=audit(1586164501.591:3252): avc:  denied  { name_connect } for  pid=25545 comm="radosgw" dest=8080 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=1
2020-04-06T05:26:47.733 INFO:teuthology.orchestra.run.pluto009.stdout:type=AVC msg=audit(1586164773.692:139): avc:  denied  { name_connect } for  pid=2051 comm="meta-sync" dest=8080 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=1
2020-04-06T05:26:47.733 INFO:teuthology.orchestra.run.pluto009.stdout:type=AVC msg=audit(1586164773.692:140): avc:  denied  { name_connect } for  pid=2051 comm="data-sync" dest=8080 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=1
2020-04-06T05:26:47.734 INFO:teuthology.orchestra.run.pluto009.stdout:type=AVC msg=audit(1586164773.867:141): avc:  denied  { name_connect } for  pid=2051 comm="http_manager" dest=8080 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=1
2020-04-06T05:26:47.734 INFO:teuthology.orchestra.run.pluto009.stdout:type=AVC msg=audit(1586164774.990:170): avc:  denied  { name_connect } for  pid=2051 comm="http_manager" dest=8080 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=1
2020-04-06T05:26:47.734 INFO:teuthology.orchestra.run.pluto009.stdout:type=AVC msg=audit(1586164776.945:200): avc:  denied  { name_connect } for  pid=2051 comm="http_manager" dest=8080 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=1
2020-04-06T05:26:47.735 INFO:teuthology.orchestra.run.pluto009.stdout:type=AVC msg=audit(1586164799.351:225): avc:  denied  { name_connect } for  pid=2051 comm="http_manager" dest=8080 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=1
2020-04-06T05:26:47.735 INFO:teuthology.orchestra.run.pluto009.stdout:type=AVC msg=audit(1586164874.154:295): avc:  denied  { name_connect } for  pid=2051 comm="http_manager" dest=8080 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=1
2020-04-06T05:26:47.735 DEBUG:teuthology.task.selinux:ubuntu.redhat.com has 8 denials

selinux is set to permissive mode in this run.
Logs attached.
Comment 7 errata-xmlrpc 2020-06-10 15:44:19 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:2488
Note You need to log in before you can comment on or make changes to this bug.