Bug #16674
SELinux is preventing /usr/bin/ceph-osd from read access on the file blkid.tab
Status:
closed
% Done: 0%
Source: other
Tags:
Backport:
Regression: No
Severity: 2 - major
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:
Crash signature (v1):
Crash signature (v2):
Description
SELinux is preventing /usr/bin/ceph-osd from read access on the file blkid.tab.
- Plugin catchall (100. confidence) suggests ******************
Additional Information:
Source Context system_u:system_r:ceph_t:s0
Target Context unconfined_u:object_r:var_run_t:s0
Target Objects blkid.tab [ file ]
Source fn_anonymous
Source Path /usr/bin/ceph-osd
Port <Unknown>
Host <Unknown>
Source RPM Packages ceph-osd-10.2.2-0.el7.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-60.el7_2.7.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name centos-7-rax-ord-2477790
Platform Linux centos-7-rax-ord-2477790 3.10.0-327.22.2.el7.x86_64 #1 SMP Thu Jun 23 17:05:11 UTC 2016 x86_64 x86_64
Alert Count 1
First Seen 2016-07-13 12:22:24 UTC
Last Seen 2016-07-13 12:22:24 UTC
Local ID f38da50b-05ca-476e-92d2-fbadd0ae4f83
Raw Audit Messages
type=AVC msg=audit(1468412544.864:1161): avc: denied { read } for pid=10961 comm="fn_anonymous" name="blkid.tab" dev="tmpfs" ino=68925 scontext=system_u:system_r:ceph_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1468412544.864:1161): arch=x86_64 syscall=open success=yes exit=ESPIPE a0=7f91c7b6fc20 a1=80000 a2=3 a3=7f91a10c4eb0 items=0 ppid=1 pid=10961 auid=4294967295 uid=167 gid=167 euid=167 suid=167 fsuid=167 egid=167 sgid=167 fsgid=167 tty=(none) ses=4294967295 comm=fn_anonymous exe=/usr/bin/ceph-osd subj=system_u:system_r:ceph_t:s0 key=(null)
Hash: fn_anonymous,ceph_t,var_run_t,file,read
Deploying Ceph Jewel on CentOS7 using:
buildlogs.centos.org/centos/7/storage/x86_64/ceph-jewel/
ceph-common-10.2.2-0.el7.x86_64
ceph-selinux-10.2.2-0.el7.x86_64
ceph-10.2.2-0.el7.x86_64
ceph-osd-10.2.2-0.el7.x86_64
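The two "Raw Audit Messages" above are the evidence the whole thread works from. As an added example (not code from this ticket or from Ceph), here is a small Python parser that groups the AVC and SYSCALL records by audit serial, reproduces sealert's "Hash:" key, derives the allow rule audit2allow would print for the denial (the read permission the later comments discuss adding), and reads the SYSCALL success field to tell a permissive-mode log entry from an access the kernel actually refused. The record text is copied from this ticket; the function names are this example's own.

```python
import re

# Constructed copy of the two audit records from the ticket's "Raw Audit Messages".
RAW_AUDIT = """\
type=AVC msg=audit(1468412544.864:1161): avc: denied { read } for pid=10961 comm="fn_anonymous" name="blkid.tab" dev="tmpfs" ino=68925 scontext=system_u:system_r:ceph_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1468412544.864:1161): arch=x86_64 syscall=open success=yes exit=ESPIPE a0=7f91c7b6fc20 a1=80000 a2=3 a3=7f91a10c4eb0 items=0 ppid=1 pid=10961 auid=4294967295 uid=167 gid=167 euid=167 suid=167 fsuid=167 egid=167 sgid=167 fsgid=167 tty=(none) ses=4294967295 comm=fn_anonymous exe=/usr/bin/ceph-osd subj=system_u:system_r:ceph_t:s0 key=(null)
"""

SERIAL_RE = re.compile(r"msg=audit\([\d.]+:(?P<serial>\d+)\)")
DENIED_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_audit(text):
    """Group AVC and SYSCALL records by audit serial: {serial: {"avcs": [...], "syscall": {...}}}."""
    events = {}
    for line in text.splitlines():
        m = SERIAL_RE.search(line)
        if not m:
            continue
        ev = events.setdefault(m.group("serial"), {"avcs": [], "syscall": None})
        fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        if fields.get("type") == "AVC":
            d = DENIED_RE.search(line)
            if d:
                fields["perms"] = sorted(d.group("perms").split())
                # The SELinux type is the third field of user:role:type:level.
                fields["stype"] = fields["scontext"].split(":")[2]
                fields["ttype"] = fields["tcontext"].split(":")[2]
                ev["avcs"].append(fields)
        elif fields.get("type") == "SYSCALL":
            ev["syscall"] = fields
    return events

def sealert_hash(avc):
    """Same field order as the 'Hash:' line sealert printed in this ticket."""
    return ",".join([avc["comm"], avc["stype"], avc["ttype"], avc["tclass"]] + avc["perms"])

def allow_rule(avc):
    """The policy rule that would permit this access, in the form audit2allow prints."""
    perms = avc["perms"][0] if len(avc["perms"]) == 1 else "{ %s }" % " ".join(avc["perms"])
    return "allow %s %s:%s %s;" % (avc["stype"], avc["ttype"], avc["tclass"], perms)

def was_blocked(event):
    """True only if the correlated syscall failed; success=yes means permissive mode logged
    the denial but let the open() through (newer kernels also tag the AVC with permissive=1)."""
    sc = event["syscall"]
    return sc is not None and sc.get("success") == "no"

if __name__ == "__main__":
    for ev in parse_audit(RAW_AUDIT).values():
        print([(allow_rule(a), sealert_hash(a), was_blocked(ev)) for a in ev["avcs"]])
```

Feeding real /var/log/audit/audit.log content through parse_audit works the same way, since the field layout is the standard audit record format rather than anything specific to this ticket.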
Updated by Boris Ranto almost 8 years ago
This happens because we use a default location for the blkid cache (src/common/blkdev.cc, line 205):
if (blkid_get_cache(&cache, NULL) >= 0)
We should probably use a different location which we have already labelled properly for this.
Updated by Josh Durgin almost 7 years ago
- Status changed from New to Need More Info
- Assignee set to Boris Ranto
Boris, is this still an issue?
Updated by Boris Ranto almost 7 years ago
The code is still there. We already allow write on other caps on var_run_t so adding read does not seem like too much of an issue.
I have created a PR to add it:
Updated by Boris Ranto almost 7 years ago
- Status changed from Need More Info to In Progress
Updated by Sage Weil almost 7 years ago
- Status changed from In Progress to Resolved