Bug 1828232 - SELinux denials observed against ceph-mgr
Summary: SELinux denials observed against ceph-mgr
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Ceph Storage
Classification: Red Hat Storage
Component: RADOS
Version: 4.1
Hardware: Unspecified
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: z1
Target Release: 4.1
Assignee: Brad Hubbard
QA Contact: Manohar Murthy
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2020-04-27 11:31 UTC by Tejas
Modified: 2020-07-20 14:21 UTC (History)
CC: 10 users

Fixed In Version: ceph-14.2.8-71.el8cp, ceph-14.2.8-71.el7cp
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-07-20 14:21:03 UTC
Embargoed:




Links
System                    ID              Private  Priority  Status  Summary  Last Updated
Ceph Project Bug Tracker  44216           0        None      None    None     2020-04-27 21:39:48 UTC
Red Hat Product Errata    RHSA-2020:3003  0        None      None    None     2020-07-20 14:21:27 UTC

Description Tejas 2020-04-27 11:31:32 UTC
Description of problem:

During our teuthology runs, we are seeing multiple SELinux denials against ceph-mgr. I will attach the audit log with this BZ.
Log Path:
http://magna002.ceph.redhat.com/rakesh-2020-04-23_02:10:45-rgw:nfs-ganesha-rgw-v2-nautilus-distro-basic-clara/373180/teuthology.log
http://pulpito.ceph.redhat.com/rakesh-2020-04-23_02:10:45-rgw:nfs-ganesha-rgw-v2-nautilus-distro-basic-clara/


Details:
2020-04-23T04:57:17.330 INFO:teuthology.orchestra.run.clara007.stdout:type=AVC msg=audit(1587631425.697:873): avc:  denied  { search } for  pid=11421 comm="ceph-mgr" name="httpd" dev="sda1" ino=398004 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=dir permissive=1
2020-04-23T04:57:17.331 INFO:teuthology.orchestra.run.clara007.stdout:type=AVC msg=audit(1587631428.994:885): avc:  denied  { search } for  pid=11421 comm="ceph-mgr" name="httpd" dev="sda1" ino=398004 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=dir permissive=1
2020-04-23T04:57:17.331 DEBUG:teuthology.task.selinux:ubuntu.redhat.com has 2 denials
2020-04-23T04:57:17.332 INFO:teuthology.orchestra.run.clara008:Running:
2020-04-23T04:57:17.332 INFO:teuthology.orchestra.run.clara008:> sudo grep 'avc: .*denied' /var/log/audit/audit.log | grep -v '\(comm="dmidecode"\|chronyd.service\|name="cephtest"\|scontext=system_u:system_r:nrpe_t:s0\|scontext=system_u:system_r:pcp_pmlogger_t\|scontext=system_u:system_r:pcp_pmcd_t:s0\|comm="rhsmd"\|scontext=system_u:system_r:syslogd_t:s0\|tcontext=system_u:system_r:nrpe_t:s0\|comm="updatedb"\|comm="smartd"\|/home/ubuntu/cephtest/\|/var/lib/ceph/tmp/ceph-disk.activate.lock\|comm="sh"\|comm="mgr-fin"\|comm="msgr-worker-1"\|comm="rpm"\|comm="setroubleshootd"\|comm="rhsmcertd-worke"\)'
2020-04-23T04:57:17.401 DEBUG:teuthology.orchestra.run:got remote process result: 1
2020-04-23T04:57:17.402 INFO:teuthology.orchestra.run.clara010:Running:
2020-04-23T04:57:17.402 INFO:teuthology.orchestra.run.clara010:> sudo grep 'avc: .*denied' /var/log/audit/audit.log | grep -v '\(comm="dmidecode"\|chronyd.service\|name="cephtest"\|scontext=system_u:system_r:nrpe_t:s0\|scontext=system_u:system_r:pcp_pmlogger_t\|scontext=system_u:system_r:pcp_pmcd_t:s0\|comm="rhsmd"\|scontext=system_u:system_r:syslogd_t:s0\|tcontext=system_u:system_r:nrpe_t:s0\|comm="updatedb"\|comm="smartd"\|/home/ubuntu/cephtest/\|/var/lib/ceph/tmp/ceph-disk.activate.lock\|comm="sh"\|comm="mgr-fin"\|comm="msgr-worker-1"\|comm="rpm"\|comm="setroubleshootd"\|comm="rhsmcertd-worke"\)'
2020-04-23T04:57:17.472 DEBUG:teuthology.orchestra.run:got remote process result: 1
2020-04-23T04:57:17.472 INFO:teuthology.orchestra.run.clara014:Running:
2020-04-23T04:57:17.473 INFO:teuthology.orchestra.run.clara014:> sudo grep 'avc: .*denied' /var/log/audit/audit.log | grep -v '\(comm="dmidecode"\|chronyd.service\|name="cephtest"\|scontext=system_u:system_r:nrpe_t:s0\|scontext=system_u:system_r:pcp_pmlogger_t\|scontext=system_u:system_r:pcp_pmcd_t:s0\|comm="rhsmd"\|scontext=system_u:system_r:syslogd_t:s0\|tcontext=system_u:system_r:nrpe_t:s0\|comm="updatedb"\|comm="smartd"\|/home/ubuntu/cephtest/\|/var/lib/ceph/tmp/ceph-disk.activate.lock\|comm="sh"\|comm="mgr-fin"\|comm="msgr-worker-1"\|comm="rpm"\|comm="setroubleshootd"\|comm="rhsmcertd-worke"\)'
2020-04-23T04:57:17.541 INFO:teuthology.orchestra.run.clara014.stdout:type=USER_AVC msg=audit(1587631965.895:1736): pid=2247 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.303 spid=15440 tpid=15443 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=dbus permissive=1  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
2020-04-23T04:57:17.542 DEBUG:teuthology.task.selinux:ubuntu.redhat.com has 1 denials
2020-04-23T04:57:17.543 INFO:teuthology.orchestra.run.clara001:Running:
2020-04-23T04:57:17.543 INFO:teuthology.orchestra.run.clara001:> sudo grep 'avc: .*denied' /var/log/audit/audit.log | grep -v '\(comm="dmidecode"\|chronyd.service\|name="cephtest"\|scontext=system_u:system_r:nrpe_t:s0\|scontext=system_u:system_r:pcp_pmlogger_t\|scontext=system_u:system_r:pcp_pmcd_t:s0\|comm="rhsmd"\|scontext=system_u:system_r:syslogd_t:s0\|tcontext=system_u:system_r:nrpe_t:s0\|comm="updatedb"\|comm="smartd"\|/home/ubuntu/cephtest/\|/var/lib/ceph/tmp/ceph-disk.activate.lock\|comm="sh"\|comm="mgr-fin"\|comm="msgr-worker-1"\|comm="rpm"\|comm="setroubleshootd"\|comm="rhsmcertd-worke"\)'
2020-04-23T04:57:17.613 DEBUG:teuthology.orchestra.run:got remote process result: 1
2020-04-23T04:57:17.614 ERROR:teuthology.run_tasks:Manager failed: selinux
Traceback (most recent call last):
  File "/home/teuthworker/src/git.ceph.com_git_teuthology_rh/teuthology/run_tasks.py", line 159, in run_tasks
    suppress = manager.__exit__(*exc_info)
  File "/home/teuthworker/src/git.ceph.com_git_teuthology_rh/teuthology/task/__init__.py", line 136, in __exit__
    self.teardown()
  File "/home/teuthworker/src/git.ceph.com_git_teuthology_rh/teuthology/task/selinux.py", line 150, in teardown
    self.get_new_denials()
  File "/home/teuthworker/src/git.ceph.com_git_teuthology_rh/teuthology/task/selinux.py", line 200, in get_new_denials
    denials=new_denials[remote.name])
SELinuxError: SELinux denials found on ubuntu.redhat.com: ['type=AVC msg=audit(1587631425.697:873): avc:  denied  { search } for  pid=11421 comm="ceph-mgr" name="httpd" dev="sda1" ino=398004 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=dir permissive=1', 'type=AVC msg=audit(1587631428.994:885): avc:  denied  { search } for  pid=11421 comm="ceph-mgr" name="httpd" dev="sda1" ino=398004 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=dir permissive=1']
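Added example (not code from this bug, from Ceph or from teuthology): a small triage script that does what the teuthology selinux task's grep pipeline above does, but structurally: it parses AVC and USER_AVC records into fields, drops the noise sources the task's grep -v list excludes (a subset of that list is reproduced here), and aggregates the rest into the (source type, target type, class, permission) tuples a policy fix would have to cover. The sample lines are constructed from the denials quoted in this report plus one made-up smartd line to exercise the filter; the permissive=1 flag is surfaced because it means the access was logged but not actually blocked.

```python
import re
from collections import Counter

# Constructed sample: the two ceph-mgr denials and the ganesha USER_AVC record
# quoted in this bug, plus one invented smartd line that the noise filter should drop.
SAMPLE_AUDIT = [
    'type=AVC msg=audit(1587631425.697:873): avc:  denied  { search } for  pid=11421 comm="ceph-mgr" name="httpd" dev="sda1" ino=398004 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=dir permissive=1',
    'type=AVC msg=audit(1587631428.994:885): avc:  denied  { search } for  pid=11421 comm="ceph-mgr" name="httpd" dev="sda1" ino=398004 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=dir permissive=1',
    'type=AVC msg=audit(1587631440.000:901): avc:  denied  { read } for  pid=2200 comm="smartd" name="sda" dev="devtmpfs" ino=100 scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=0',
    "type=USER_AVC msg=audit(1587631965.895:1736): pid=2247 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.303 spid=15440 tpid=15443 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=dbus permissive=1  exe=\"/usr/bin/dbus-daemon\"'",
]

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<fields>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Subset of the noise the teuthology selinux task strips with grep -v (see the log above).
IGNORED_COMM = {"dmidecode", "rhsmd", "updatedb", "smartd", "sh", "mgr-fin",
                "msgr-worker-1", "rpm", "setroubleshootd", "rhsmcertd-worke"}
IGNORED_DOMAINS = {"nrpe_t", "pcp_pmlogger_t", "pcp_pmcd_t", "syslogd_t"}

def ctx_type(ctx):
    """Type field of a user:role:type:level SELinux context."""
    return ctx.split(":")[2]

def parse_avc(line):
    """Parse one AVC/USER_AVC record into a dict; None if it is not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
    if "scontext" not in rec or "tcontext" not in rec:
        return None
    rec["perms"] = m.group("perms").split()
    rec["permissive"] = rec.get("permissive") == "1"  # True: logged, but NOT blocked
    return rec

def is_noise(rec):
    return rec.get("comm") in IGNORED_COMM or ctx_type(rec["scontext"]) in IGNORED_DOMAINS

def new_denials(lines):
    return [r for r in map(parse_avc, lines) if r and not is_noise(r)]

def summarize(recs):
    """Count denials per (source type, target type, class, permission)."""
    c = Counter()
    for r in recs:
        for p in r["perms"]:
            c[(ctx_type(r["scontext"]), ctx_type(r["tcontext"]), r["tclass"], p)] += 1
    return c

def as_allow_rule(key):
    """Render a summary key in type-enforcement allow-rule syntax, for review only."""
    s, t, cls, perm = key
    return f"allow {s} {t}:{cls} {perm};"
```

Rendering the tuple as an allow rule is a reading aid for the reviewer deciding whether the access is legitimate (here, ceph-mgr searching an httpd config directory), not a recommendation to load it as a local module.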

Comment 11 errata-xmlrpc 2020-07-20 14:21:03 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:3003

