Description of problem:

In RHCS deployments using ceph-ansible, we used to add the selinux domain 'ganesha_t' to permissive mode because it has to access contents in /var/lib/ceph (which belongs to ceph_var_lib_t), for instance.

In very recent builds of nfs-ganesha, it looks like something has changed regarding nfs-ganesha selinux policies which prevents ceph-ansible from starting nfs-ganesha.

# grep denied /var/log/audit/audit.log
type=AVC msg=audit(1641981985.502:2845): avc:  denied  { search } for  pid=31618 comm="ganesha.nfsd" name="ceph" dev="vda1" ino=25559977 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:ceph_var_lib_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1641981985.503:2848): avc:  denied  { search } for  pid=31618 comm="ganesha.nfsd" name="ceph" dev="vda1" ino=25559977 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:ceph_var_lib_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1641981985.503:2849): avc:  denied  { search } for  pid=31618 comm="ganesha.nfsd" name="ceph" dev="vda1" ino=25559977 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:ceph_var_lib_t:s0 tclass=dir permissive=0

# semanage permissive -a ganesha_t
Failed to resolve typeattributeset statement at /var/lib/selinux/targeted/tmp/modules/200/ganesha/cil:32
OSError: [Errno 0] Error

# audit2allow -w -a
type=AVC msg=audit(1641981985.502:2845): avc:  denied  { search } for  pid=31618 comm="ganesha.nfsd" name="ceph" dev="vda1" ino=25559977 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:ceph_var_lib_t:s0 tclass=dir permissive=0
        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1641981985.503:2848): avc:  denied  { search } for  pid=31618 comm="ganesha.nfsd" name="ceph" dev="vda1" ino=25559977 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:ceph_var_lib_t:s0 tclass=dir permissive=0
        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1641981985.503:2849): avc:  denied  { search } for  pid=31618 comm="ganesha.nfsd" name="ceph" dev="vda1" ino=25559977 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:ceph_var_lib_t:s0 tclass=dir permissive=0
        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.

# audit2allow -a

#============= ganesha_t ==============
allow ganesha_t ceph_var_lib_t:dir search;
I suspect the same issue will show up with /run/ceph
(In reply to Guillaume Abrioux from comment #1)
> I suspect the same issue will show up with /run/ceph

# setenforce 0
# getenforce
Permissive

# tail -F /var/log/audit/audit.log | grep denied
type=AVC msg=audit(1642062810.007:3172): avc:  denied  { search } for  pid=33149 comm="ganesha.nfsd" name="ceph" dev="vda1" ino=25559977 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:ceph_var_lib_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1642062810.007:3172): avc:  denied  { search } for  pid=33149 comm="ganesha.nfsd" name="ceph-rgw.nfs0" dev="vda1" ino=25703808 scontext=system_u:system_r:ganesha_t:s0 tcontext=unconfined_u:object_r:ceph_var_lib_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1642062810.007:3172): avc:  denied  { read } for  pid=33149 comm="ganesha.nfsd" name="keyring" dev="vda1" ino=25703815 scontext=system_u:system_r:ganesha_t:s0 tcontext=unconfined_u:object_r:ceph_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1642062810.007:3172): avc:  denied  { open } for  pid=33149 comm="ganesha.nfsd" path="/var/lib/ceph/radosgw/ceph-rgw.nfs0/keyring" dev="vda1" ino=25703815 scontext=system_u:system_r:ganesha_t:s0 tcontext=unconfined_u:object_r:ceph_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1642062810.007:3173): avc:  denied  { getattr } for  pid=33149 comm="ganesha.nfsd" path="/var/lib/ceph/radosgw/ceph-rgw.nfs0/keyring" dev="vda1" ino=25703815 scontext=system_u:system_r:ganesha_t:s0 tcontext=unconfined_u:object_r:ceph_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1642062810.012:3174): avc:  denied  { write } for  pid=33149 comm="ganesha.nfsd" name="ceph" dev="tmpfs" ino=61434 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:ceph_var_run_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1642062810.012:3174): avc:  denied  { add_name } for  pid=33149 comm="ganesha.nfsd" name="ceph-client.rgw.nfs0.33149.29927072.asok" scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:ceph_var_run_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1642062810.012:3174): avc:  denied  { create } for  pid=33149 comm="ganesha.nfsd" name="ceph-client.rgw.nfs0.33149.29927072.asok" scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:ceph_var_run_t:s0 tclass=sock_file permissive=1

# audit2allow -a

#============= ganesha_t ==============
allow ganesha_t ceph_var_lib_t:dir search;
allow ganesha_t ceph_var_lib_t:file { getattr open read };
allow ganesha_t ceph_var_run_t:dir { add_name write };
allow ganesha_t ceph_var_run_t:sock_file create;
see https://bugzilla.redhat.com/show_bug.cgi?id=1855350, for which this change https://review.gerrithub.io/c/ffilz/nfs-ganesha/+/528685/2/src/selinux/ganesha.te#b196 (or see https://github.com/nfs-ganesha/nfs-ganesha/blob/next/src/selinux/ganesha.te) was made. But now when running users are seeing the AVCs in comment #2 above. I looked at ceph's selinux bits in https://github.com/ceph/ceph/blob/master/selinux/ceph.if and I guess it may also need to conditionally apply one or the other or both ceph_manage_lib_dirs and ceph_manage_lib_files. Or maybe something else. I really don't know my way around the policy devel files to tell what the correct fix would be. Zdenek, can you please recommend the correct fix here? thanks.
In ceph.if, there is the read_files_pattern() interface which expands to:

$ macro-expander 'read_files_pattern($1, ceph_var_lib_t, ceph_var_lib_t)'
allow $1 ceph_var_lib_t:dir { getattr search open };
allow $1 ceph_var_lib_t:file { open { getattr read ioctl lock } };

which addresses the first two lines packed by audit2allow. For the other two, a new interface ceph_manage_pid_sock_files() needs to be created:

######################################
## <summary>
##	Manage ceph PID socket files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`ceph_manage_pid_sock_files',`
	gen_require(`
		type ceph_var_run_t;
	')

	files_search_pids($1)
	manage_sock_files_pattern($1, ceph_var_run_t, ceph_var_run_t)
')

See:

$ macro-expander 'manage_sock_files_pattern($1, ceph_var_run_t, ceph_var_run_t)'
allow $1 ceph_var_run_t:dir { open read getattr lock search ioctl add_name remove_name write };
allow $1 ceph_var_run_t:sock_file { create open getattr setattr read write rename link unlink ioctl lock append };
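The following is an added worked example, not code from this bug report, ceph-ansible, nfs-ganesha or the ceph selinux policy. It does two things the thread does by hand: it aggregates AVC records like the ones in comment #2 into the per-(source type, target type, class) permission sets that audit2allow prints, and it checks whether a proposed policy fix, here the expansions of read_files_pattern() and manage_sock_files_pattern() quoted in comment #4, covers every denial. It also renders a minimal local module (.te) containing only the denied permissions, which is the narrow alternative to putting the whole ganesha_t domain into permissive mode. Assumptions: the log lines are constructed samples modelled on comment #2; the permission sets for the two patterns are copied from the macro-expander output in comment #4, not derived from refpolicy itself; the module name ganesha_ceph_local is hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample input modelled on the AVC records in comment #2
# (dev=/ino= fields trimmed; one non-denial record added to show it is skipped).
AUDIT_LOG = """\
type=AVC msg=audit(1642062810.007:3172): avc:  denied  { search } for  pid=33149 comm="ganesha.nfsd" name="ceph" scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:ceph_var_lib_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1642062810.007:3172): avc:  denied  { read } for  pid=33149 comm="ganesha.nfsd" name="keyring" scontext=system_u:system_r:ganesha_t:s0 tcontext=unconfined_u:object_r:ceph_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1642062810.007:3172): avc:  denied  { open } for  pid=33149 comm="ganesha.nfsd" path="/var/lib/ceph/radosgw/ceph-rgw.nfs0/keyring" scontext=system_u:system_r:ganesha_t:s0 tcontext=unconfined_u:object_r:ceph_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1642062810.007:3173): avc:  denied  { getattr } for  pid=33149 comm="ganesha.nfsd" path="/var/lib/ceph/radosgw/ceph-rgw.nfs0/keyring" scontext=system_u:system_r:ganesha_t:s0 tcontext=unconfined_u:object_r:ceph_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1642062810.012:3174): avc:  denied  { write } for  pid=33149 comm="ganesha.nfsd" name="ceph" dev="tmpfs" scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:ceph_var_run_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1642062810.012:3174): avc:  denied  { add_name } for  pid=33149 comm="ganesha.nfsd" name="ceph-client.rgw.nfs0.33149.29927072.asok" scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:ceph_var_run_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1642062810.012:3174): avc:  denied  { create } for  pid=33149 comm="ganesha.nfsd" name="ceph-client.rgw.nfs0.33149.29927072.asok" scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:ceph_var_run_t:s0 tclass=sock_file permissive=1
type=USER_AVC msg=audit(1642062810.020:3175): pid=1 uid=0 subj=system_u:system_r:init_t:s0 msg='avc:  received setenforce notice (enforcing=0)'
"""

# Matches only kernel AVC denials; USER_AVC and non-denial records are ignored.
AVC_RE = re.compile(
    r"^type=AVC\b.*?avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """user:role:type[:level] -> type (the only part TE rules care about)."""
    return ctx.split(":")[2]


def parse_denials(log_text):
    """Aggregate denials into {(source_type, target_type, class): {perms}}, like audit2allow."""
    needed = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.match(line)
        if not m:
            continue
        key = (context_type(m["scontext"]), context_type(m["tcontext"]), m["tclass"])
        needed[key].update(m["perms"].split())
    return dict(needed)


# Permission sets copied from the macro-expander output quoted in comment #4 (assumption:
# these are taken as given here, not re-derived from the refpolicy support macros).
SEARCH_DIR_PERMS = {"getattr", "search", "open"}
READ_FILE_PERMS = {"open", "getattr", "read", "ioctl", "lock"}
RW_DIR_PERMS = {"open", "read", "getattr", "lock", "search", "ioctl", "add_name", "remove_name", "write"}
MANAGE_SOCK_FILE_PERMS = {"create", "open", "getattr", "setattr", "read", "write",
                          "rename", "link", "unlink", "ioctl", "lock", "append"}


def read_files_pattern(domain, dir_type, file_type):
    return {(domain, dir_type, "dir"): set(SEARCH_DIR_PERMS),
            (domain, file_type, "file"): set(READ_FILE_PERMS)}


def manage_sock_files_pattern(domain, dir_type, sock_type):
    return {(domain, dir_type, "dir"): set(RW_DIR_PERMS),
            (domain, sock_type, "sock_file"): set(MANAGE_SOCK_FILE_PERMS)}


def merge(*rulesets):
    out = defaultdict(set)
    for rs in rulesets:
        for key, perms in rs.items():
            out[key] |= perms
    return dict(out)


def uncovered(needed, granted):
    """Denials not satisfied by the proposed rules; an empty dict means the fix is sufficient."""
    gaps = {}
    for key, perms in needed.items():
        missing = perms - granted.get(key, set())
        if missing:
            gaps[key] = missing
    return gaps


def render_te(rules, module="ganesha_ceph_local", version="1.0"):
    """Render a minimal loadable-module .te granting exactly the given permissions."""
    types = sorted({t for key in rules for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls] |= perms
    lines = [f"module {module} {version};", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    lines += ["}", ""]
    for (src, tgt, cls), perms in sorted(rules.items()):
        lines.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    needed = parse_denials(AUDIT_LOG)
    print(render_te(needed))  # narrow local module instead of 'semanage permissive -a ganesha_t'
    proposed = merge(read_files_pattern("ganesha_t", "ceph_var_lib_t", "ceph_var_lib_t"),
                     manage_sock_files_pattern("ganesha_t", "ceph_var_run_t", "ceph_var_run_t"))
    print("uncovered by interface-based fix:", uncovered(needed, proposed))
```

The rendered .te can be built and loaded on a test host with checkmodule -M -m -o ganesha_ceph_local.mod ganesha_ceph_local.te, semodule_package -o ganesha_ceph_local.pp -m ganesha_ceph_local.mod and semodule -i ganesha_ceph_local.pp, which is what audit2allow -M does internally. Its value is that ganesha_t stays enforcing everywhere except the four object/class pairs the AVCs name, whereas a permissive domain silences every denial for the daemon; once the policy fix from comment #4 ships, the local module should be removed with semodule -r so the two do not drift apart.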