Bug #16678

closed

selinux policy related errors in syslog during ceph-selinux package install

Added by Russell Islam almost 8 years ago. Updated over 7 years ago.

Status:
Closed
Priority:
High
Assignee:
Category:
-
Target version:
-
% Done:
0%

Source:
other
Tags:
Backport:
Regression:
No
Severity:
3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:
Crash signature (v1):
Crash signature (v2):

Description

I got the following error while installing ceph-selinux.

kernel: SELinux: Permission audit_read in class capability2 not defined in
policy.
kernel: SELinux: Class binder not defined in policy.
kernel: SELinux: the above unknown classes and permissions will be allowed

Command to reproduce the error:
/usr/sbin/semodule -i /usr/share/selinux/packages/ceph.pp

Then check the output in syslog.

Info:
These are object classes and av permissions that were introduced in the
newer kernel, but ceph-selinux policy is for the older kernel and thus does
not know these new object classes and av permissions. So they will just be
ignored (allowed). So other than a few warnings it really does not
affect anything or change the behavior of the policy I believe.

But we could just get rid of these warnings.

The issue is in later kernels, i.e. in my case 4.1.12.

Not reproducible in 3.8 or 3.10 kernels.

Actions #1

Updated by Nathan Cutler over 7 years ago

  • Target version deleted (519)
Actions #2

Updated by Sage Weil over 7 years ago

  • Assignee set to Boris Ranto
Actions #3

Updated by Boris Ranto over 7 years ago

I could use some more details on this. What distro are you using? It seems unlikely that a certain release of a distro would switch the kernel version this much.

We can't really do much about custom kernels as the SELinux definitions are inside the kernel itself. We would probably have to recompile the ceph SELinux policy with recent enough SELinux tools to make this go away. This would probably mean it wouldn't work in the older kernels, though.

Anyway, this is just a warning, the policy will behave the same way in the new kernel as it does in the old one.

Actions #4

Updated by Russell Islam over 7 years ago

I am using Oracle Linux 7.2, which is based on RHEL 7.2 and has the same RHCK kernel.

Actions #5

Updated by Boris Ranto over 7 years ago

Well, you said the kernels 3.8/3.10 which are probably the RHCK ones work fine. I doubt the 4.1.2 where the warnings occur is a RHCK.

Can you recompile the SELinux policy to see if it makes the warnings go away by running

make -f /usr/share/selinux/devel/Makefile ceph.pp

in the selinux directory of the ceph git repository and then installing the newly created file manually with the semodule command?

Actions #6

Updated by Russell Islam over 7 years ago

Tried your approach and yet got the error "Class binder not defined in policy.".

Actions #7

Updated by Boris Ranto over 7 years ago

OK, I did a bit more research on the topic and I believe this is a bug in OEL, not ceph. We do manifest it only because we manipulate the internal policy rules (i.e. install new ceph rules). In fact, any newly (re-)installed SELinux module will present this behaviour. It occurs because the base SELinux policy does not provide the definitions for these types that are defined in the later kernel.

You can verify that this is not just our problem by reinstalling for instance the selinux-policy-targeted package (that will do its own SELinux module install and populate the syslog with the same messages).
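An added helper (not part of this ticket or of the ceph project) for checking a host for the situation described in Comments #5 and #7: it extracts the classes and permissions the kernel reported as undefined from syslog text, and reads the kernel's handle-unknown setting from selinuxfs to confirm whether such unknown classes are being allowed. The log lines in SAMPLE_LOG are constructed from the ones quoted in the description; the path /sys/fs/selinux/deny_unknown is assumed to be the standard selinuxfs file (0 = unknown classes/permissions allowed).

```shell
#!/bin/sh
# Constructed sample of the syslog lines quoted in the bug description
# (not captured from a real host).
SAMPLE_LOG='kernel: SELinux: Permission audit_read in class capability2 not defined in policy.
kernel: SELinux: Class binder not defined in policy.
kernel: SELinux: the above unknown classes and permissions will be allowed'

# Read log text on stdin and emit one record per undefined item:
#   "class <name>"         for a whole object class the policy lacks
#   "perm <class> <perm>"  for a single permission the policy lacks
extract_undefined() {
    sed -n \
        -e 's/^.*SELinux: Class \([^ ]*\) not defined in policy.*$/class \1/p' \
        -e 's/^.*SELinux: Permission \([^ ]*\) in class \([^ ]*\) not defined in policy.*$/perm \2 \1/p'
}

# Number of undefined items found in the log text passed as $1.
count_undefined() {
    printf '%s\n' "$1" | extract_undefined | wc -l | tr -d ' '
}

# How the loaded policy treats classes/permissions it does not define:
# "allow" (matches the "will be allowed" kernel message), "deny", or
# "unknown" when selinuxfs is not mounted (SELinux disabled, container, etc.).
unknown_handling() {
    f=/sys/fs/selinux/deny_unknown   # assumed standard selinuxfs path
    if [ -r "$f" ]; then
        case "$(cat "$f")" in
            0) echo allow ;;
            *) echo deny ;;
        esac
    else
        echo unknown
    fi
}

# Stand-alone run: list what the kernel complained about and how it is handled.
printf '%s\n' "$SAMPLE_LOG" | extract_undefined
echo "undefined items: $(count_undefined "$SAMPLE_LOG")"
echo "policy handling of unknown classes/perms: $(unknown_handling)"
```

On a live host, feed it real output instead of the sample, e.g. `journalctl -k | extract_undefined`, after reinstalling a module as Comment #7 suggests.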

Actions #8

Updated by Russell Islam over 7 years ago

Thanks for the update. I totally agree with you.

Actions #9

Updated by Boris Ranto over 7 years ago

  • Status changed from New to Closed

Closing as per Comment #7 and #8.
