Bug #19254

selinux failures accessing 'psched' from ceph daemons

Added by John Spray about 7 years ago. Updated about 7 years ago.

Status: Resolved
Priority: Normal
Assignee:
Category: -
Target version: -
% Done: 0%
Source:
Tags:
Backport:
Regression: No
Severity: 3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:
Crash signature (v1):
Crash signature (v2):

Description

We seem to mostly be seeing this on ceph-mds processes, but it has also been seen on ceph-mon.

/a/jspray-2017-03-09_22:09:42-fs-wip-jcsp-testing-20170309-distro-basic-smithi899137/teuthology.log
failure_reason: 'SELinux denials
    found on ubuntu@smithi024.front.sepia.ceph.com: [''type=AVC msg=audit(1489101204.086:3599):
    avc:  denied  { read } for  pid=20354 comm="ceph-mds" name="psched" dev="proc" 
    ino=4026531987 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:proc_net_t:s0
    tclass=file'', ''type=AVC msg=audit(1489101204.086:3599): avc:  denied  { open
    } for  pid=20354 comm="ceph-mds" path="/proc/20354/net/psched" dev="proc" ino=4026531987
    scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:proc_net_t:s0
    tclass=file'', ''type=AVC msg=audit(1489101204.087:3600): avc:  denied  { getattr
    } for  pid=20354 comm="ceph-mds" path="/proc/20354/net/psched" dev="proc" ino=4026531987
    scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:proc_net_t:s0
    tclass=file'']', flavor: basic, owner: scheduled_jspray@teuthology, status: fail,
  success: false}
[899610]  rados/singleton/{all/mon-seesaw.yaml fs/xfs.yaml msgr-failures/few.yaml msgr/async.yaml objectstore/bluestore.yaml rados.yaml}
-----------------------------------------------------------------
time:   00:07:41
info:   http://pulpito.ceph.com/yuriw-2017-03-10_01:14:50-rados-wip-yuri-testing_2017_3_11-distro-basic-smithi/899610/
log:    http://qa-proxy.ceph.com/teuthology/yuriw-2017-03-10_01:14:50-rados-wip-yuri-testing_2017_3_11-distro-basic-smithi/899610/

    SELinux denials found on ubuntu@smithi031.front.sepia.ceph.com: ['type=AVC
    msg=audit(1489115404.623:3642): avc:  denied  { open } for  pid=20482 comm
    ="ceph-mon" path="/proc/20482/net/psched" dev="proc" ino=4026531987
    scontext=system_u:system_r:ceph_t:s0
    tcontext=system_u:object_r:proc_net_t:s0 tclass=file', 'type=AVC

A quick search tells me that there was recently a Fedora fix to the SELinux policies around this file; unclear if it's the same issue:
https://bugzilla.redhat.com/show_bug.cgi?id=1403486

History

#1 Updated by Boris Ranto about 7 years ago

  • Assignee set to Boris Ranto

It is kinda similar to the Fedora bugzilla (but the fix itself won't help us). We are hitting the same issue as the iw command (tlp_t) context in Fedora and we need to do the same as they did -- enable these but for our (ceph_t) context. I'll prepare an upstream PR for this.
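To see exactly which permissions the ceph_t domain is missing before touching policy, the AVC records from the report can be parsed and grouped the way audit2allow does. The script below is an added example written for this ticket, not code from Ceph or its QA tooling; the three sample records are copied from the teuthology failure_reason above, and the field/type extraction is a simplified re-implementation, not the audit library itself.

```python
import re
from collections import defaultdict

# Constructed sample input: the three AVC records quoted in the description
# (ceph-mds, pid 20354, reading /proc/<pid>/net/psched), one per line.
SAMPLE_AVC = """\
type=AVC msg=audit(1489101204.086:3599): avc:  denied  { read } for  pid=20354 comm="ceph-mds" name="psched" dev="proc" ino=4026531987 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=AVC msg=audit(1489101204.086:3599): avc:  denied  { open } for  pid=20354 comm="ceph-mds" path="/proc/20354/net/psched" dev="proc" ino=4026531987 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=AVC msg=audit(1489101204.087:3600): avc:  denied  { getattr } for  pid=20354 comm="ceph-mds" path="/proc/20354/net/psched" dev="proc" ino=4026531987 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
"""

# "avc:  denied  { read open } for  key=value key="quoted value" ..."
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    rec['result'] = m.group('result')
    rec['perms'] = m.group('perms').split()
    return rec


def selinux_type(context):
    """system_u:system_r:ceph_t:s0 -> ceph_t (the type is the third field)."""
    return context.split(':')[2]


def summarize_denials(text):
    """Group denied permissions by (source type, target type, object class)."""
    needed = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec['result'] != 'denied':
            continue
        key = (selinux_type(rec['scontext']), selinux_type(rec['tcontext']), rec['tclass'])
        needed[key].update(rec['perms'])
    return {k: sorted(v) for k, v in needed.items()}


def allow_rules(text):
    """Render the grouped denials as candidate SELinux allow rules (audit2allow style)."""
    return [f"allow {s} {t}:{c} {{ {' '.join(p)} }};"
            for (s, t, c), p in sorted(summarize_denials(text).items())]


if __name__ == '__main__':
    print('\n'.join(allow_rules(SAMPLE_AVC)))
```

For the ticket's records this yields a single rule, `allow ceph_t proc_net_t:file { getattr open read };`, which is the access the ceph_t policy needs to grant; in a refpolicy-based module the same grant is normally expressed through the proc_net_t read interface rather than a raw allow rule.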

#2 Updated by Boris Ranto about 7 years ago

  • Status changed from New to Fix Under Review

#3 Updated by Kefu Chai about 7 years ago

  • Status changed from Fix Under Review to Resolved

As /proc/net/psched is read by libnl, which is used by libibverbs, and libibverbs is in turn required by RDMA.

RDMA in async messenger was enabled in https://github.com/ceph/ceph/pull/13901, which was merged recently.
