
Bug #16674

SELinux is preventing /usr/bin/ceph-osd from read access on the file blkid.tab

Added by Emilien Macchi about 1 year ago. Updated about 2 months ago.

Status: Resolved
Priority: Normal
Assignee:
Category: -
Target version: -
Start date: 07/13/2016
Due date:
% Done: 0%
Source: other
Tags:
Backport:
Regression: No
Severity: 2 - major
Reviewed:
Affected Versions:
ceph-qa-suite:
Release: jewel
Needs Doc: No

Description

SELinux is preventing /usr/bin/ceph-osd from read access on the file blkid.tab.
  • Plugin catchall (100. confidence) suggests ******************
    Additional Information:
    Source Context system_u:system_r:ceph_t:s0
    Target Context unconfined_u:object_r:var_run_t:s0
    Target Objects blkid.tab [ file ]
    Source fn_anonymous
    Source Path /usr/bin/ceph-osd
    Port <Unknown>
    Host <Unknown>
    Source RPM Packages ceph-osd-10.2.2-0.el7.x86_64
    Target RPM Packages
    Policy RPM selinux-policy-3.13.1-60.el7_2.7.noarch
    Selinux Enabled True
    Policy Type targeted
    Enforcing Mode Permissive
    Host Name centos-7-rax-ord-2477790
    Platform Linux centos-7-rax-ord-2477790 3.10.0-327.22.2.el7.x86_64 #1 SMP Thu Jun 23 17:05:11 UTC 2016 x86_64 x86_64
    Alert Count 1
    First Seen 2016-07-13 12:22:24 UTC
    Last Seen 2016-07-13 12:22:24 UTC
    Local ID f38da50b-05ca-476e-92d2-fbadd0ae4f83
    Raw Audit Messages
    type=AVC msg=audit(1468412544.864:1161): avc: denied { read } for pid=10961 comm="fn_anonymous" name="blkid.tab" dev="tmpfs" ino=68925 scontext=system_u:system_r:ceph_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
    type=SYSCALL msg=audit(1468412544.864:1161): arch=x86_64 syscall=open success=yes exit=ESPIPE a0=7f91c7b6fc20 a1=80000 a2=3 a3=7f91a10c4eb0 items=0 ppid=1 pid=10961 auid=4294967295 uid=167 gid=167 euid=167 suid=167 fsuid=167 egid=167 sgid=167 fsgid=167 tty=(none) ses=4294967295 comm=fn_anonymous exe=/usr/bin/ceph-osd subj=system_u:system_r:ceph_t:s0 key=(null)
    Hash: fn_anonymous,ceph_t,var_run_t,file,read

Deploying Ceph Jewel on CentOS7 using:
buildlogs.centos.org/centos/7/storage/x86_64/ceph-jewel/

ceph-common-10.2.2-0.el7.x86_64
ceph-selinux-10.2.2-0.el7.x86_64
ceph-10.2.2-0.el7.x86_64
ceph-osd-10.2.2-0.el7.x86_64

History

#1 Updated by Boris Ranto about 1 year ago

This happens because we use a default location for blkid cache (src/common/blkdev.cc, line 205):

if (blkid_get_cache(&cache, NULL) >= 0)

We should probably use a different location which we have already labelled properly for this.

#2 Updated by Nathan Cutler 12 months ago

  • Target version deleted (519)

#3 Updated by Josh Durgin 2 months ago

  • Status changed from New to Need More Info
  • Assignee set to Boris Ranto

Boris, is this still an issue?

#4 Updated by Boris Ranto about 2 months ago

The code is still there. We already allow write on other caps on var_run_t so adding read does not seem like too much of an issue.

I have created a PR to add it:

https://github.com/ceph/ceph/pull/15523
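
As an added illustration (not code from this ticket, from the PR, or from Ceph), the script below parses the raw AVC record quoted in the description, reproduces the "Hash:" line sealert printed, and derives the type-enforcement rule that the fix discussed in #1 and #4 adds (read on var_run_t files for ceph_t), emitted as a minimal policy module source so the change can be reviewed before anything is loaded. The module name ceph_blkid_local is an assumption.

```python
import re

# Raw AVC record, copied from the sealert output in the bug description.
AVC_LINE = (
    'type=AVC msg=audit(1468412544.864:1161): avc: denied { read } for pid=10961 '
    'comm="fn_anonymous" name="blkid.tab" dev="tmpfs" ino=68925 '
    'scontext=system_u:system_r:ceph_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 '
    'tclass=file'
)

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<kv>.*)$')

def parse_avc(line):
    """Parse a 'type=AVC ... avc: denied' record into a dict; return None for any other record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    # key=value pairs after 'for'; values may be double-quoted (comm="fn_anonymous")
    kv = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', m.group('kv'))}
    # a context is user:role:type:level; the policy rule only cares about the type
    return {'perms': m.group('perms').split(),
            'source': kv['scontext'].split(':')[2],   # process domain, e.g. ceph_t
            'target': kv['tcontext'].split(':')[2],   # object label, e.g. var_run_t
            'tclass': kv['tclass'],                   # object class, e.g. file
            'comm': kv.get('comm', '')}

def allow_rule(d):
    """The type-enforcement rule that would permit exactly this denial."""
    return 'allow %s %s:%s { %s };' % (d['source'], d['target'], d['tclass'], ' '.join(d['perms']))

def sealert_hash(d):
    """Same fields, same order, as the 'Hash:' line sealert prints; handy for de-duplicating alerts."""
    return ','.join([d['comm'], d['source'], d['target'], d['tclass']] + d['perms'])

def policy_module(name, denials):
    """Source of a minimal loadable policy module (.te) covering the denials, for review before loading."""
    types = sorted({d['source'] for d in denials} | {d['target'] for d in denials})
    classes = {}
    for d in denials:
        classes.setdefault(d['tclass'], set()).update(d['perms'])
    body = ['module %s 1.0;' % name, '', 'require {']
    body += ['\ttype %s;' % t for t in types]
    body += ['\tclass %s { %s };' % (c, ' '.join(sorted(p))) for c, p in sorted(classes.items())]
    body += ['}', ''] + [allow_rule(d) for d in denials]
    return '\n'.join(body) + '\n'

if __name__ == '__main__':
    denial = parse_avc(AVC_LINE)
    print(sealert_hash(denial))            # fn_anonymous,ceph_t,var_run_t,file,read
    print(policy_module('ceph_blkid_local', [denial]))
```

The generated rule is intentionally as narrow as the denial (one domain, one type, one class, one permission), which is what to compare against the broader access the PR grants before accepting it.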

#5 Updated by Boris Ranto about 2 months ago

  • Status changed from Need More Info to In Progress

#6 Updated by Sage Weil about 2 months ago

  • Status changed from In Progress to Resolved
