
Bug #14871

selinux: handle lock files better

Added by Boris Ranto about 8 years ago. Updated about 8 years ago.

Status:
Resolved
Priority:
High
Assignee:
Category:
-
Target version:
-
% Done:

0%

Source:
other
Tags:
Backport:
Regression:
No
Severity:
3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:
Crash signature (v1):
Crash signature (v2):

Description

We are hitting a couple of denials like these. This suggests that our policy does not label the lock files properly and we should fix that.

type=AVC msg=audit(1454633044.929:3772): avc:  denied  { read } for  pid=21665 comm="ceph-osd" path="/run/lock/ceph-disk" dev="tmpfs" ino=86917 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1454632968.211:3627): avc:  denied  { read } for  pid=19972 comm="ceph-osd" path="/run/lock/ceph-disk" dev="tmpfs" ino=86917 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1454633046.524:3780): avc:  denied  { read } for  pid=21833 comm="ceph-osd" path="/run/lock/ceph-disk" dev="tmpfs" ino=86917 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1454632969.542:3632): avc:  denied  { read } for  pid=20090 comm="ceph-osd" path="/run/lock/ceph-disk" dev="tmpfs" ino=86917 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
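A small triage script for denials of this shape, added here as an example and not part of the bug report or the Ceph code base. It assumes the standard auditd AVC record layout and treats var_lock_t and a few similar types as generic labels whose appearance as a target points at a labeling gap rather than a missing allow rule:

```python
# Triage of SELinux AVC denials like those quoted in this bug (added example,
# not Ceph project code). It parses audit AVC lines, groups identical denials
# and flags targets with a generic label such as var_lock_t reached from ceph_t,
# the usual sign of a file-context (labeling) gap rather than a missing allow rule.
import re
from collections import Counter

# Constructed sample: two denials from the report plus one non-AVC record.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1454633044.929:3772): avc:  denied  { read } for  pid=21665 comm="ceph-osd" path="/run/lock/ceph-disk" dev="tmpfs" ino=86917 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1454632968.211:3627): avc:  denied  { read } for  pid=19972 comm="ceph-osd" path="/run/lock/ceph-disk" dev="tmpfs" ino=86917 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=SYSCALL msg=audit(1454633044.929:3772): arch=c000003e syscall=2 success=no exit=-13
"""

AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \}'
    r'.*?comm="(?P<comm>[^"]*)"(?:.*?path="(?P<path>[^"]*)")?'
    r'.*?scontext=(?P<scontext>\S+).*?tcontext=(?P<tcontext>\S+).*?tclass=(?P<tclass>\S+)'
)

# Generic types a confined daemon's own runtime files should not carry;
# hitting one usually means the path has no file context of its own (assumption).
GENERIC_TYPES = {"var_lock_t", "var_run_t", "var_t", "tmp_t"}

def parse_avc(line):
    """Return the interesting AVC fields as a dict, or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = tuple(sorted(rec["perms"].split()))
    # A context is user:role:type:level; policy rules key on the type.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def summarize(audit_text):
    """Count identical denials keyed by (source type, target type, class, perms, path)."""
    counts = Counter()
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["result"] == "denied":
            counts[(rec["stype"], rec["ttype"], rec["tclass"], rec["perms"], rec["path"])] += 1
    return counts

def labeling_gaps(counts):
    """Keys whose target type is generic: fix the file context, not the allow rules."""
    return [key for key in counts if key[1] in GENERIC_TYPES]
```

Running `summarize(SAMPLE_AUDIT)` collapses the four near-identical lines from the report into one (ceph_t, var_lock_t, file, read, /run/lock/ceph-disk) entry, and `labeling_gaps` flags it because the target is the generic var_lock_t rather than a Ceph-owned type.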

Related issues

Copied from Ceph - Bug #14660: selinux denials during rbd test run Closed 02/05/2016

History

#1 Updated by Boris Ranto about 8 years ago

  • Copied from Bug #14660: selinux denials during rbd test run added

#2 Updated by Boris Ranto about 8 years ago

The '/run/lock/ceph-disk' path is actually '/var/lock/ceph-disk' in the source code. The '/var/lock' directory is a symlink to '/run/lock' on Fedora and RHEL (at least RHEL 7). It is created by the ceph-disk@service and was introduced in

https://github.com/dachary/ceph/commit/f0a47578c7c4521d7cf50e9419620ddb629736f5

We should probably change the /var/lock/ceph-disk to /run/lock/ceph-disk (or even /run/lock/ceph/ceph-disk) and modify the SELinux policy to label the file (dir) properly.

#3 Updated by Boris Ranto about 8 years ago

  • Status changed from New to Resolved

This should be resolved in latest master.
