
Bug 2044381

Summary: selinux: domain ganesha_t can't be added to permissive mode
Product: [Red Hat Storage] Red Hat Ceph Storage
Reporter: Kaleb KEITHLEY <kkeithle>
Component: Security
Assignee: Guillaume Abrioux <gabrioux>
Status: CLOSED EOL
QA Contact: Veera Raghava Reddy <vereddy>
Severity: high
Docs Contact:
Priority: high
Version: 4.3
CC: amctagga, ceph-eng-bugs, gabrioux, kkeithle, mbenjamin, sostapov, vimishra, vmojzis, zpytela
Target Milestone: ---
Keywords: SELinux
Target Release: Backlog
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 2040185
Environment:
Last Closed: 2025-11-20 07:45:48 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2040185
Bug Blocks:

Description Kaleb KEITHLEY 2022-01-24 13:45:37 UTC
+++ This bug was initially created as a clone of Bug #2040185 +++

Description of problem:

In RHCS deployments using ceph-ansible, we used to add the selinux domain 'ganesha_t' to permissive mode because it has to access contents in /var/lib/ceph (which belongs to ceph_var_lib_t), for instance.

In very recent builds of nfs-ganesha, it looks like something has changed regarding nfs-ganesha selinux policies which prevents ceph-ansible from starting nfs-ganesha.


# grep denied /var/log/audit/audit.log
type=AVC msg=audit(1641981985.502:2845): avc:  denied  { search } for  pid=31618 comm="ganesha.nfsd" name="ceph" dev="vda1" ino=25559977 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:ceph_var_lib_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1641981985.503:2848): avc:  denied  { search } for  pid=31618 comm="ganesha.nfsd" name="ceph" dev="vda1" ino=25559977 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:ceph_var_lib_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1641981985.503:2849): avc:  denied  { search } for  pid=31618 comm="ganesha.nfsd" name="ceph" dev="vda1" ino=25559977 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:ceph_var_lib_t:s0 tclass=dir permissive=0

# semanage permissive -a ganesha_t
Failed to resolve typeattributeset statement at /var/lib/selinux/targeted/tmp/modules/200/ganesha/cil:32
OSError: [Errno 0] Error


# audit2allow -w -a
type=AVC msg=audit(1641981985.502:2845): avc:  denied  { search } for  pid=31618 comm="ganesha.nfsd" name="ceph" dev="vda1" ino=25559977 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:ceph_var_lib_t:s0 tclass=dir permissive=0
        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1641981985.503:2848): avc:  denied  { search } for  pid=31618 comm="ganesha.nfsd" name="ceph" dev="vda1" ino=25559977 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:ceph_var_lib_t:s0 tclass=dir permissive=0
        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1641981985.503:2849): avc:  denied  { search } for  pid=31618 comm="ganesha.nfsd" name="ceph" dev="vda1" ino=25559977 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:ceph_var_lib_t:s0 tclass=dir permissive=0
        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.


# audit2allow -a


#============= ganesha_t ==============
allow ganesha_t ceph_var_lib_t:dir search;

--- Additional comment from Guillaume Abrioux on 2022-01-13 08:37:49 UTC ---

I suspect the same issue will show up with /run/ceph

--- Additional comment from Guillaume Abrioux on 2022-01-13 08:42:08 UTC ---

(In reply to Guillaume Abrioux from comment #1)
> I suspect the same issue will show up with /run/ceph

# setenforce 0
# getenforce
Permissive

# tail -F /var/log/audit/audit.log | grep denied
type=AVC msg=audit(1642062810.007:3172): avc:  denied  { search } for  pid=33149 comm="ganesha.nfsd" name="ceph" dev="vda1" ino=25559977 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:ceph_var_lib_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1642062810.007:3172): avc:  denied  { search } for  pid=33149 comm="ganesha.nfsd" name="ceph-rgw.nfs0" dev="vda1" ino=25703808 scontext=system_u:system_r:ganesha_t:s0 tcontext=unconfined_u:object_r:ceph_var_lib_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1642062810.007:3172): avc:  denied  { read } for  pid=33149 comm="ganesha.nfsd" name="keyring" dev="vda1" ino=25703815 scontext=system_u:system_r:ganesha_t:s0 tcontext=unconfined_u:object_r:ceph_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1642062810.007:3172): avc:  denied  { open } for  pid=33149 comm="ganesha.nfsd" path="/var/lib/ceph/radosgw/ceph-rgw.nfs0/keyring" dev="vda1" ino=25703815 scontext=system_u:system_r:ganesha_t:s0 tcontext=unconfined_u:object_r:ceph_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1642062810.007:3173): avc:  denied  { getattr } for  pid=33149 comm="ganesha.nfsd" path="/var/lib/ceph/radosgw/ceph-rgw.nfs0/keyring" dev="vda1" ino=25703815 scontext=system_u:system_r:ganesha_t:s0 tcontext=unconfined_u:object_r:ceph_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1642062810.012:3174): avc:  denied  { write } for  pid=33149 comm="ganesha.nfsd" name="ceph" dev="tmpfs" ino=61434 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:ceph_var_run_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1642062810.012:3174): avc:  denied  { add_name } for  pid=33149 comm="ganesha.nfsd" name="ceph-client.rgw.nfs0.33149.29927072.asok" scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:ceph_var_run_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1642062810.012:3174): avc:  denied  { create } for  pid=33149 comm="ganesha.nfsd" name="ceph-client.rgw.nfs0.33149.29927072.asok" scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:ceph_var_run_t:s0 tclass=sock_file permissive=1

# audit2allow -a
#============= ganesha_t ==============
allow ganesha_t ceph_var_lib_t:dir search;
allow ganesha_t ceph_var_lib_t:file { getattr open read };
allow ganesha_t ceph_var_run_t:dir { add_name write };
allow ganesha_t ceph_var_run_t:sock_file create;

--- Additional comment from Kaleb KEITHLEY on 2022-01-13 12:21:06 UTC ---

see https://bugzilla.redhat.com/show_bug.cgi?id=1855350, for which this change

https://review.gerrithub.io/c/ffilz/nfs-ganesha/+/528685/2/src/selinux/ganesha.te#b196
(or see https://github.com/nfs-ganesha/nfs-ganesha/blob/next/src/selinux/ganesha.te)

was made. But now, when running, users are seeing the AVCs in comment #2 above.

I looked at ceph's selinux bits in https://github.com/ceph/ceph/blob/master/selinux/ceph.if and I guess it may also need to conditionally apply one or the other or both ceph_manage_lib_dirs and ceph_manage_lib_files. Or maybe something else. I really don't know my way around the policy devel files to tell what the correct fix would be.

Zdenek, can you please recommend the correct fix here? thanks.

--- Additional comment from Zdenek Pytela on 2022-01-20 11:09:56 UTC ---

In ceph.if, there is the read_files_pattern() interface which expands to:

$ macro-expander 'read_files_pattern($1, ceph_var_lib_t, ceph_var_lib_t)'
allow $1 ceph_var_lib_t:dir { getattr search open };
allow $1 ceph_var_lib_t:file { open { getattr read ioctl lock } };

which addresses the first two lines packed by audit2allow.

For the other two, a new interface ceph_manage_pid_sock_files() needs to be created:

######################################
## <summary>
##      Manage ceph PID socket files.
## </summary>
## <param name="domain">
##      <summary>
##      Domain allowed access.
##      </summary>
## </param>
#
interface(`ceph_manage_pid_sock_files',`
        gen_require(`
                type ceph_var_run_t;
        ')

        files_search_pids($1)
        manage_sock_files_pattern($1, ceph_var_run_t, ceph_var_run_t)
')

See:
$ macro-expander 'manage_sock_files_pattern($1, ceph_var_run_t, ceph_var_run_t)'
allow $1 ceph_var_run_t:dir { open read getattr lock search ioctl add_name remove_name write };
allow $1 ceph_var_run_t:sock_file { create open getattr setattr read write rename link unlink ioctl lock append };

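An added example, not part of the bug or of the ceph/nfs-ganesha projects: a small Python script that aggregates the AVC lines from comment #2 into TE allow rules the way audit2allow does, then checks them against the two macro expansions quoted above to confirm that read_files_pattern() plus the proposed ceph_manage_pid_sock_files() cover every denial. The sample AVC lines are copied from the comment; INTERFACE_GRANTS is transcribed from the macro-expander output.

```python
import re
from collections import defaultdict

# Sample input: the AVC lines from comment #2 above (permissive=1 run), minus the duplicate dir search.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1642062810.007:3172): avc:  denied  { search } for  pid=33149 comm="ganesha.nfsd" name="ceph" dev="vda1" ino=25559977 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:ceph_var_lib_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1642062810.007:3172): avc:  denied  { read } for  pid=33149 comm="ganesha.nfsd" name="keyring" dev="vda1" ino=25703815 scontext=system_u:system_r:ganesha_t:s0 tcontext=unconfined_u:object_r:ceph_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1642062810.007:3172): avc:  denied  { open } for  pid=33149 comm="ganesha.nfsd" path="/var/lib/ceph/radosgw/ceph-rgw.nfs0/keyring" dev="vda1" ino=25703815 scontext=system_u:system_r:ganesha_t:s0 tcontext=unconfined_u:object_r:ceph_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1642062810.007:3173): avc:  denied  { getattr } for  pid=33149 comm="ganesha.nfsd" path="/var/lib/ceph/radosgw/ceph-rgw.nfs0/keyring" dev="vda1" ino=25703815 scontext=system_u:system_r:ganesha_t:s0 tcontext=unconfined_u:object_r:ceph_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1642062810.012:3174): avc:  denied  { write } for  pid=33149 comm="ganesha.nfsd" name="ceph" dev="tmpfs" ino=61434 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:ceph_var_run_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1642062810.012:3174): avc:  denied  { add_name } for  pid=33149 comm="ganesha.nfsd" name="ceph-client.rgw.nfs0.33149.29927072.asok" scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:ceph_var_run_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1642062810.012:3174): avc:  denied  { create } for  pid=33149 comm="ganesha.nfsd" name="ceph-client.rgw.nfs0.33149.29927072.asok" scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:ceph_var_run_t:s0 tclass=sock_file permissive=1
"""

def parse_avc(line):
    """Return (source type, target type, tclass, perms) for one AVC line, else None."""
    m = re.search(r"avc:\s+denied\s+\{([^}]*)\}", line)
    if not m:
        return None
    f = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))
    # A context is user:role:type[:range]; only the type matters for the rule.
    return f["scontext"].split(":")[2], f["tcontext"].split(":")[2], f["tclass"], set(m.group(1).split())

def required_rules(lines):
    """Aggregate denials as audit2allow does: one rule per (source, target, tclass)."""
    needed = defaultdict(set)
    for src, tgt, cls, perms in filter(None, map(parse_avc, lines)):
        needed[(src, tgt, cls)] |= perms
    return dict(needed)

def format_rules(rules):
    """Render rules in TE syntax, matching the audit2allow output above."""
    return [f"allow {s} {t}:{c} " + (" ".join(sorted(p)) if len(p) == 1 else "{ " + " ".join(sorted(p)) + " }") + ";"
            for (s, t, c), p in sorted(rules.items())]

# Access granted by the two macro expansions quoted in the comment above, keyed by (target type, tclass).
INTERFACE_GRANTS = {
    ("ceph_var_lib_t", "dir"): {"getattr", "search", "open"},
    ("ceph_var_lib_t", "file"): {"open", "getattr", "read", "ioctl", "lock"},
    ("ceph_var_run_t", "dir"): {"open", "read", "getattr", "lock", "search", "ioctl", "add_name", "remove_name", "write"},
    ("ceph_var_run_t", "sock_file"): {"create", "open", "getattr", "setattr", "read", "write", "rename", "link", "unlink", "ioctl", "lock", "append"},
}

def uncovered(rules, grants=INTERFACE_GRANTS):
    """Perms the denials need that no interface grants; empty means the two interfaces suffice."""
    missing = {k: p - grants.get(k[1:], set()) for k, p in rules.items()}
    return {k: p for k, p in missing.items() if p}

if __name__ == "__main__":
    rules = required_rules(SAMPLE_AUDIT.splitlines())
    print("\n".join(format_rules(rules)))
    print("not covered by interfaces:", uncovered(rules) or "nothing")
```

Feed it a real audit.log filtered with grep denied to see which denials the two interfaces would leave open and therefore need a further interface.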
Comment 1 Kaleb KEITHLEY 2022-01-31 17:37:01 UTC
I already have a bz[1] for fixing nfs-ganesha-selinux.

ceph's selinux package needs some changes before I can fix ganesha's. This bz is for the additional policy needed in the ceph-selinux package — both upstream and downstream.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=2040185

Comment 2 Scott Ostapovicz 2022-02-01 18:52:20 UTC
Ok, so this is likely an issue with adm then. Guillaume, please take a look at this.

Comment 3 Vit Mojzis 2022-03-23 21:06:01 UTC
The error reported by "semanage permissive -a ganesha_t" is probably caused by a missing ceph policy module, see:

https://github.com/nfs-ganesha/nfs-ganesha/pull/803

To be sure, please run the following to see what semanage is complaining about:

# semanage permissive -a ganesha_t
Failed to resolve typeattributeset statement at /var/lib/selinux/targeted/tmp/modules/200/ganesha/cil:32
OSError: [Errno 0] Error

# bzip2 -d /var/lib/selinux/packages/ganesha.pp.bz2
# sudo /usr/libexec/selinux/hll/pp /var/lib/selinux/packages/ganesha.pp >> ganesha.cil
# sed -n 32p ganesha.cil