Bug #16678
closed
selinux policy related errors in syslog during ceph-selinux package install
Added by Russell Islam almost 8 years ago.
Updated over 7 years ago.
Description
I got the following error while installing ceph-selinux.
kernel: SELinux: Permission audit_read in class capability2 not defined in policy.
kernel: SELinux: Class binder not defined in policy.
kernel: SELinux: the above unknown classes and permissions will be allowed
Command to reproduce the error:
/usr/sbin/semodule -i /usr/share/selinux/packages/ceph.pp
Then check the output in syslog.
Info:
These are object classes and av permissions that were introduced in the
newer kernel, but ceph-selinux policy is for the older kernel and thus does
not know these new object classes and av permissions. So they will just be
ignored (allowed). So other than a few warnings it really does not
affect anything or change the behavior of the policy I believe.
But we could just get rid of these warnings.
The issue is in a later kernel, i.e. in my case 4.1.12.
Not reproducible in 3.8 or 3.10 kernel.
- Target version deleted (519)
- Assignee set to Boris Ranto
I could use some more details on this. What distro are you using? It seems unlikely that a certain release of a distro would switch the kernel version this much.
We can't really do much about custom kernels as the SELinux definitions are inside the kernel itself. We would probably have to recompile the ceph SELinux policy with recent enough SELinux tools to make this go away. This would probably mean it wouldn't work in the older kernels, though.
Anyway, this is just a warning, the policy will behave the same way in the new kernel as it does in the old one.
I am using Oracle Linux 7.2, which is based on RHEL 7.2 and has the same RHCK kernel.
Well, you said the kernels 3.8/3.10 which are probably the RHCK ones work fine. I doubt the 4.1.2 where the warnings occur is a RHCK.
Can you recompile the SELinux policy to see if it makes the warnings go away by running
make -f /usr/share/selinux/devel/Makefile ceph.pp
in the selinux directory of the ceph git repository and then installing the newly created file manually with the semodule command?
Tried your approach and yet got the error "Class binder not defined in policy.".
OK, I did a bit more research on the topic and I believe this is a bug in OEL, not ceph. We manifest it only because we manipulate the internal policy rules (i.e. install new ceph rules). In fact, any newly (re-)installed SELinux module will present this behaviour. It occurs because the base SELinux policy does not provide the definitions for these types that are defined in the later kernel.
You can verify that this is not just our problem by reinstalling for instance the selinux-policy-targeted package (that will do its own SELinux module install and populate the syslog with the same messages).
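An added example, not code from this ticket or from the Ceph project: a POSIX shell helper that wraps the rebuild-and-reinstall steps quoted above (make -f /usr/share/selinux/devel/Makefile ceph.pp, then semodule -i) and filters the syslog lines written during the install down to the kernel's "not defined in policy" notices. The same filter can be run over the log after reinstalling selinux-policy-targeted to confirm the notices are not specific to the ceph module. The log path /var/log/messages and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the Ceph tracker or the Ceph project).
# Rebuild the ceph SELinux module with the distro's policy devel Makefile,
# reinstall it, and report only the kernel's "unknown class/permission"
# notices that were logged during the install.

# Extract SELinux "not defined in policy" notices from log text on stdin.
# Output: one line per notice, "perm <class>:<permission>" or "class <name>".
selinux_unknown_defs() {
    sed -n \
        -e 's/.*SELinux: Permission \([A-Za-z0-9_]*\) in class \([A-Za-z0-9_]*\) not defined in policy.*/perm \2:\1/p' \
        -e 's/.*SELinux: Class \([A-Za-z0-9_]*\) not defined in policy.*/class \1/p'
}

# Rebuild the module in the selinux/ directory of a ceph checkout, install it
# with semodule, then print the notices appended to the syslog by that install.
# $1: source directory (default: .)  $2: syslog file (assumption: /var/log/messages)
rebuild_and_check() {
    srcdir=${1:-.}
    logfile=${2:-/var/log/messages}
    before=$(wc -l < "$logfile")     # remember where the log ended before the install
    (cd "$srcdir" && make -f /usr/share/selinux/devel/Makefile ceph.pp) || return 1
    /usr/sbin/semodule -i "$srcdir/ceph.pp" || return 1
    # Only lines written after the install are inspected; duplicates collapsed.
    tail -n "+$((before + 1))" "$logfile" | selinux_unknown_defs | sort -u
}

# Usage: sh this_script.sh --run /path/to/ceph/selinux [/var/log/messages]
if [ "${1:-}" = "--run" ]; then
    rebuild_and_check "${2:-.}" "${3:-/var/log/messages}"
fi
```

Because the notices are emitted by the kernel at policy load time, comparing the output of selinux_unknown_defs before and after reinstalling a stock module such as selinux-policy-targeted shows whether the unknown classes come from the ceph policy or, as concluded above, from the base policy lagging behind the running kernel.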
Thanks for the update. I totally agree with you.
- Status changed from New to Closed
Closing as per Comment #7 and #8.