Bug #14871
selinux: handle lock files better
% Done: 0%
Source: other
Regression: No
Severity: 3 - minor
Description
We are hitting a couple of denials like these. This suggests that our policy does not label the lock files properly and we should fix that.
type=AVC msg=audit(1454633044.929:3772): avc: denied { read } for pid=21665 comm="ceph-osd" path="/run/lock/ceph-disk" dev="tmpfs" ino=86917 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1454632968.211:3627): avc: denied { read } for pid=19972 comm="ceph-osd" path="/run/lock/ceph-disk" dev="tmpfs" ino=86917 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1454633046.524:3780): avc: denied { read } for pid=21833 comm="ceph-osd" path="/run/lock/ceph-disk" dev="tmpfs" ino=86917 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1454632969.542:3632): avc: denied { read } for pid=20090 comm="ceph-osd" path="/run/lock/ceph-disk" dev="tmpfs" ino=86917 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
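As an added example (not code from this ticket or from the Ceph project), a small Python parser for AVC records of the form quoted above: it collapses the repeated denials into one (source type, target type, class, permission, path) group and flags groups whose target carries a generic default type such as var_lock_t, which is the labeling gap the ticket describes. The GENERIC_TYPES set and the "labeling"/"policy" verdict are this example's own heuristic and are not part of the page.

```python
import re
from collections import Counter

# Constructed sample: two of the AVC records quoted in this ticket, one per line,
# in the form they appear in /var/log/audit/audit.log.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1454633044.929:3772): avc: denied { read } for pid=21665 comm="ceph-osd" path="/run/lock/ceph-disk" dev="tmpfs" ino=86917 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1454632968.211:3627): avc: denied { read } for pid=19972 comm="ceph-osd" path="/run/lock/ceph-disk" dev="tmpfs" ino=86917 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
"""

AVC_RE = re.compile(r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
                    r'(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Reference-policy types that label whole directories by default (var_lock_t is the
# fallback for /run/lock). A daemon-specific file carrying one of them points to a
# file-context gap, as this ticket concludes, rather than to a missing allow rule.
GENERIC_TYPES = {"var_lock_t", "var_run_t", "var_t", "tmp_t"}

def parse_avc(line):
    """Parse one AVC record into a dict; returns None for non-AVC lines."""
    m = AVC_RE.match(line.strip())
    if m is None:
        return None
    rec = {"ts": float(m["ts"]), "serial": int(m["serial"]),
           "decision": m["decision"], "perms": m["perms"].split()}
    for key, quoted, bare in FIELD_RE.findall(m["fields"]):
        rec[key] = quoted if quoted else bare   # quoted values (comm, path) may contain spaces
    return rec

def type_of(context):
    """user:role:type:level -> type, the component that TE rules are written against."""
    return context.split(":")[2]

def summarize_denials(log_text):
    """Collapse repeated denials into (source type, target type, class, perms, path) -> count."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["decision"] == "denied":
            counts[(type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"],
                    " ".join(rec["perms"]), rec.get("path", ""))] += 1
    return counts

def classify(summary):
    """'labeling' when the target carries a generic default type, otherwise 'policy'."""
    return {key: ("labeling" if key[1] in GENERIC_TYPES else "policy") for key in summary}
```

Run it against a real log with `classify(summarize_denials(open("/var/log/audit/audit.log").read()))`; a "labeling" verdict is the case where the fix is a file-context entry plus restorecon, not an allow rule against the generic type.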
History
#1 Updated by Boris Ranto about 8 years ago
- Copied from Bug #14660: selinux denials during rbd test run added
#2 Updated by Boris Ranto about 8 years ago
The '/run/lock/ceph-disk' path is actually '/var/lock/ceph-disk' in the source code. The '/var/lock' directory is a symlink to '/run/lock' on Fedora and RHEL (at least RHEL 7). It is created by the ceph-disk@service and was introduced in
https://github.com/dachary/ceph/commit/f0a47578c7c4521d7cf50e9419620ddb629736f5
We should probably change the /var/lock/ceph-disk to /run/lock/ceph-disk (or even /run/lock/ceph/ceph-disk) and modify the SELinux policy to label the file (dir) properly.
#3 Updated by Boris Ranto about 8 years ago
- Status changed from New to Resolved
This should be resolved in the latest master.