Bug #16126

selinux denials in RGW

Added by John Spray almost 3 years ago. Updated over 2 years ago.

Status: Resolved
Priority: High
Assignee:
Target version: -
Start date: 06/02/2016
Due date:
% Done: 0%
Source: other
Tags:
Backport: jewel
Regression: No
Severity: 3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:

Description

From a test branch running fs suite based on yesterday's master.

http://qa-proxy.ceph.com/teuthology/jspray-2016-06-02_01:58:41-fs-wip-jcsp-testing-20160601---basic-mira/230139/teuthology.log

2016-06-02T02:40:55.252 ERROR:teuthology.run_tasks:Manager failed: selinux
Traceback (most recent call last):
  File "/home/teuthworker/src/teuthology_master/teuthology/run_tasks.py", line 139, in run_tasks
    suppress = manager.__exit__(*exc_info)
  File "/home/teuthworker/src/teuthology_master/teuthology/task/__init__.py", line 134, in __exit__
    self.teardown()
  File "/home/teuthworker/src/teuthology_master/teuthology/task/selinux.py", line 144, in teardown
    self.get_new_denials()
  File "/home/teuthworker/src/teuthology_master/teuthology/task/selinux.py", line 192, in get_new_denials
    denials=new_denials[remote.name])
SELinuxError: SELinux denials found on ubuntu@mira061.front.sepia.ceph.com: ['type=AVC msg=audit(1464859531.364:3604): avc:  denied  { chown } for  pid=19750 comm="radosgw" capability=0  scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:system_r:ceph_t:s0 tclass=capability', 'type=AVC msg=audit(1464859531.413:3605): avc:  denied  { setattr } for  pid=19750 comm="radosgw" name="ceph-client.rgw.mira061.asok" dev="tmpfs" ino=75922 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:ceph_var_run_t:s0 tclass=sock_file', 'type=AVC msg=audit(1464859532.172:3627): avc:  denied  { setattr } for  pid=19810 comm="radosgw" name="ceph-client.rgw.mira061.asok" dev="tmpfs" ino=75247 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:ceph_var_run_t:s0 tclass=sock_file']

Related issues

Duplicated by rgw - Bug #16270: avc: denied { chown } for pid=31296 comm="radosgw" capability=0 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:system_r:ceph_t:s0 tclass=capability Duplicate 06/13/2016
Copied to rgw - Backport #16312: jewel: selinux denials in RGW Resolved

History

#3 Updated by Greg Farnum almost 3 years ago

  • Assignee set to Boris Ranto
  • Priority changed from Normal to High

I think Boris has dealt with all of these in the past, right?

#4 Updated by Boris Ranto almost 3 years ago

I think we should just add these two:

https://github.com/ceph/ceph/pull/9669

#5 Updated by Kefu Chai almost 3 years ago

  • Status changed from New to Need Review

#6 Updated by Nathan Cutler almost 3 years ago

  • Related to Bug #16270: avc: denied { chown } for pid=31296 comm="radosgw" capability=0 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:system_r:ceph_t:s0 tclass=capability added

#7 Updated by John Spray almost 3 years ago

  • Status changed from Need Review to Pending Backport
  • Backport set to jewel

#8 Updated by Nathan Cutler almost 3 years ago

  • Related to deleted (Bug #16270: avc: denied { chown } for pid=31296 comm="radosgw" capability=0 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:system_r:ceph_t:s0 tclass=capability)

#9 Updated by Nathan Cutler almost 3 years ago

  • Duplicated by Bug #16270: avc: denied { chown } for pid=31296 comm="radosgw" capability=0 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:system_r:ceph_t:s0 tclass=capability added

#10 Updated by Nathan Cutler almost 3 years ago

#12 Updated by Loic Dachary over 2 years ago

  • Status changed from Pending Backport to Resolved
