Bug #19254
selinux failures accessing 'psched' from ceph daemons
Description
We seem to mostly be seeing this on ceph-mds processes, but it has also been seen on ceph-mon.
/a/jspray-2017-03-09_22:09:42-fs-wip-jcsp-testing-20170309-distro-basic-smithi899137/teuthology.log failure_reason: 'SELinux denials found on ubuntu@smithi024.front.sepia.ceph.com: [''type=AVC msg=audit(1489101204.086:3599): avc: denied { read } for pid=20354 comm="ceph-mds" name="psched" dev="proc" ino=4026531987 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file'', ''type=AVC msg=audit(1489101204.086:3599): avc: denied { open } for pid=20354 comm="ceph-mds" path="/proc/20354/net/psched" dev="proc" ino=4026531987 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file'', ''type=AVC msg=audit(1489101204.087:3600): avc: denied { getattr } for pid=20354 comm="ceph-mds" path="/proc/20354/net/psched" dev="proc" ino=4026531987 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file'']', flavor: basic, owner: scheduled_jspray@teuthology, status: fail, success: false}
[899610] rados/singleton/{all/mon-seesaw.yaml fs/xfs.yaml msgr-failures/few.yaml msgr/async.yaml objectstore/bluestore.yaml rados.yaml} ----------------------------------------------------------------- time: 00:07:41 info: http://pulpito.ceph.com/yuriw-2017-03-10_01:14:50-rados-wip-yuri-testing_2017_3_11-distro-basic-smithi/899610/ log: http://qa-proxy.ceph.com/teuthology/yuriw-2017-03-10_01:14:50-rados-wip-yuri-testing_2017_3_11-distro-basic-smithi/899610/ SELinux denials found on ubuntu@smithi031.front.sepia.ceph.com: ['type=AVC msg=audit(1489115404.623:3642): avc: denied { open } for pid=20482 comm ="ceph-mon" path="/proc/20482/net/psched" dev="proc" ino=4026531987 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file', 'type=AVC
A quick search tells me that there was recently a Fedora fix to the selinux policies around this file, unclear if it's the same issue:
https://bugzilla.redhat.com/show_bug.cgi?id=1403486
History
#1 Updated by Boris Ranto about 7 years ago
- Assignee set to Boris Ranto
It is kinda similar to the fedora bugzilla (but the fix itself won't help us). We are hitting the same issue as the iw command (tlp_t) context in fedora and we need to do the same they did -- enable these but for our (ceph_t) context. I'll prepare an upstream PR for this.
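As an added example (not code from the Ceph project, teuthology, or this ticket's author), the following script does by hand what teuthology's SELinux check and `audit2allow` do for the denials quoted in the description: it parses `type=AVC` records, groups the denied permissions by source type, target type and object class, and renders the Type Enforcement `allow` rule that would be needed for the `ceph_t` domain. The sample audit lines are constructed to mirror the ones in the report (same contexts, permissions and daemon names); the rule it emits is what the comment above describes as the direction of the fix, not the actual content of the upstream PR.

```python
import re
from collections import defaultdict

# Constructed sample audit records, modelled on the denials quoted in the bug
# report. The trailing SYSCALL line shows that non-AVC records are skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1489101204.086:3599): avc: denied { read } for pid=20354 comm="ceph-mds" name="psched" dev="proc" ino=4026531987 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=AVC msg=audit(1489101204.086:3599): avc: denied { open } for pid=20354 comm="ceph-mds" path="/proc/20354/net/psched" dev="proc" ino=4026531987 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=AVC msg=audit(1489101204.087:3600): avc: denied { getattr } for pid=20354 comm="ceph-mds" path="/proc/20354/net/psched" dev="proc" ino=4026531987 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=AVC msg=audit(1489115404.623:3642): avc: denied { open } for pid=20482 comm="ceph-mon" path="/proc/20482/net/psched" dev="proc" ino=4026531987 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=SYSCALL msg=audit(1489101204.086:3599): arch=c000003e syscall=2 success=no exit=-13
"""

# "avc: denied { perm perm } for key=value key="quoted value" ..."
AVC_RE = re.compile(r'type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_avc(line):
    """Return a dict of the record's fields plus a 'perms' set, or None if not an AVC denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {}
    for key, raw, quoted in FIELD_RE.findall(m.group('fields')):
        fields[key] = quoted if raw.startswith('"') else raw
    fields['perms'] = set(m.group('perms').split())
    return fields


def context_type(ctx):
    """Extract the type from a user:role:type:level security context."""
    return ctx.split(':')[2]


def summarize_denials(audit_text):
    """Group denied permissions by (source type, target type, object class)."""
    summary = defaultdict(set)
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (context_type(rec['scontext']), context_type(rec['tcontext']), rec['tclass'])
        summary[key] |= rec['perms']
    return dict(summary)


def to_allow_rules(summary):
    """Render each grouped denial as a Type Enforcement allow rule (what audit2allow would print)."""
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(summary.items())
    ]


def denied_process_names(audit_text):
    """Which processes (comm=) were denied; here the report's ceph-mds and ceph-mon."""
    names = set()
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is not None:
            names.add(rec['comm'])
    return sorted(names)


if __name__ == "__main__":
    summary = summarize_denials(SAMPLE_AUDIT_LOG)
    print("denied processes:", denied_process_names(SAMPLE_AUDIT_LOG))
    for rule in to_allow_rules(summary):
        print(rule)
```

Running it prints a single rule, `allow ceph_t proc_net_t:file { getattr open read };`, because all four denials share the same source type, target type and class and differ only in the permission. Grouping by type rather than by full context or by path is deliberate: the rule has to cover every `proc_net_t` file the daemon touches, not just `/proc/<pid>/net/psched`, which is also why a policy fix is preferable to relabeling the file.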
#2 Updated by Boris Ranto about 7 years ago
- Status changed from New to Fix Under Review
Upstream PR:
#3 Updated by Kefu Chai about 7 years ago
- Status changed from Fix Under Review to Resolved
as /proc/net/psched is read by libnl, which is used by libibverbs, and libibverbs is in turn required by RDMA.
RDMA in async messenger was enabled in https://github.com/ceph/ceph/pull/13901, which was merged recently.