Bug #19254

selinux failures accessing 'psched' from ceph daemons

Added by John Spray 5 months ago. Updated 4 months ago.

Status: Resolved
Priority: Normal
Assignee:
Category: -
Target version: -
Start date: 03/10/2017
Due date:
% Done: 0%
Source:
Tags:
Backport:
Regression: No
Severity: 3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Release:
Needs Doc: No

Description

We seem to mostly be seeing this on ceph-mds processes, but it has also been seen on ceph-mon.

/a/jspray-2017-03-09_22:09:42-fs-wip-jcsp-testing-20170309-distro-basic-smithi899137/teuthology.log
failure_reason: 'SELinux denials
    found on ubuntu@smithi024.front.sepia.ceph.com: [''type=AVC msg=audit(1489101204.086:3599):
    avc:  denied  { read } for  pid=20354 comm="ceph-mds" name="psched" dev="proc" 
    ino=4026531987 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:proc_net_t:s0
    tclass=file'', ''type=AVC msg=audit(1489101204.086:3599): avc:  denied  { open
    } for  pid=20354 comm="ceph-mds" path="/proc/20354/net/psched" dev="proc" ino=4026531987
    scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:proc_net_t:s0
    tclass=file'', ''type=AVC msg=audit(1489101204.087:3600): avc:  denied  { getattr
    } for  pid=20354 comm="ceph-mds" path="/proc/20354/net/psched" dev="proc" ino=4026531987
    scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:proc_net_t:s0
    tclass=file'']', flavor: basic, owner: scheduled_jspray@teuthology, status: fail,
  success: false}
[899610]  rados/singleton/{all/mon-seesaw.yaml fs/xfs.yaml msgr-failures/few.yaml msgr/async.yaml objectstore/bluestore.yaml rados.yaml}
-----------------------------------------------------------------
time:   00:07:41
info:   http://pulpito.ceph.com/yuriw-2017-03-10_01:14:50-rados-wip-yuri-testing_2017_3_11-distro-basic-smithi/899610/
log:    http://qa-proxy.ceph.com/teuthology/yuriw-2017-03-10_01:14:50-rados-wip-yuri-testing_2017_3_11-distro-basic-smithi/899610/

    SELinux denials found on ubuntu@smithi031.front.sepia.ceph.com: ['type=AVC
    msg=audit(1489115404.623:3642): avc:  denied  { open } for  pid=20482 comm
    ="ceph-mon" path="/proc/20482/net/psched" dev="proc" ino=4026531987
    scontext=system_u:system_r:ceph_t:s0
    tcontext=system_u:object_r:proc_net_t:s0 tclass=file', 'type=AVC

A quick search tells me that there was recently a Fedora fix to the SELinux policies around this file; unclear if it's the same issue:
https://bugzilla.redhat.com/show_bug.cgi?id=1403486

History

#1 Updated by Boris Ranto 5 months ago

  • Assignee set to Boris Ranto

It is kinda similar to the Fedora bugzilla (but the fix itself won't help us). We are hitting the same issue as the iw command (tlp_t) context in Fedora and we need to do the same they did -- enable these but for our (ceph_t) context. I'll prepare an upstream PR for this.
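A small parser for AVC records like the ones in the description, added here as an example (not code from this page or from the Ceph project): it groups the denied permissions by (source type, target type, class) the way audit2allow does and renders the TE allow rule that the ceph_t policy change described in comment #1 amounts to. The three audit records are re-typed from the description; the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample input: the three AVC records quoted in the bug
# description, re-typed one record per line.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1489101204.086:3599): avc:  denied  { read } for  pid=20354 comm="ceph-mds" name="psched" dev="proc" ino=4026531987 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=AVC msg=audit(1489101204.086:3599): avc:  denied  { open } for  pid=20354 comm="ceph-mds" path="/proc/20354/net/psched" dev="proc" ino=4026531987 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=AVC msg=audit(1489101204.087:3600): avc:  denied  { getattr } for  pid=20354 comm="ceph-mds" path="/proc/20354/net/psched" dev="proc" ino=4026531987 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
"""
# Matches the 'avc:  denied  { perms } for  key=value ...' part of a record.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def context_type(ctx):
    """Type component of a context such as system_u:system_r:ceph_t:s0."""
    parts = ctx.split(":")
    return parts[2] if len(parts) > 2 else ""

def parse_avc(line):
    """Parse one AVC denial; return None for any other audit record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "perms": set(m.group("perms").split()),
        "comm": fields.get("comm"),
        "target": fields.get("path") or fields.get("name"),
        "stype": context_type(fields.get("scontext", "")),
        "ttype": context_type(fields.get("tcontext", "")),
        "tclass": fields.get("tclass", ""),
    }

def collect_denials(audit_text):
    """Union the denied permissions per (source type, target type, class)."""
    grouped = defaultdict(set)
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec:
            grouped[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return grouped

def allow_rules(audit_text):
    """Render each group as a TE allow rule, permissions sorted as audit2allow prints them."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(collect_denials(audit_text).items())]
```

Grouping on the source and target types rather than on pid or path is what collapses the three records into one rule; a denial from a different domain or against a different target type produces a separate rule that has to be justified on its own, as comment #3 does for this one by tracing the access to libnl.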

#2 Updated by Boris Ranto 5 months ago

  • Status changed from New to Need Review

#3 Updated by Kefu Chai 4 months ago

  • Status changed from Need Review to Resolved

As /proc/net/psched is read by libnl, which is used by libibverbs, and libibverbs is in turn required by RDMA.

RDMA in async messenger was enabled in https://github.com/ceph/ceph/pull/13901, which was merged recently.