Project

General

Profile

Bug #20184

SELinux denials (the files in /var/log/ceph get mislabeled)

Added by Yuri Weinstein 6 months ago. Updated 3 months ago.

Status:
Resolved
Priority:
Urgent
Assignee:
Category:
-
Target version:
-
Start date:
06/05/2017
Due date:
% Done:

0%

Source:
Q/A
Tags:
Backport:
kraken, jewel
Regression:
No
Severity:
3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Release:
Needs Doc:
No

Description

Run: http://pulpito.ceph.com/yuriw-2017-06-03_15:35:34-rados-wip-yuri-testing_2017_7_4---basic-smithi/
Logs: http://qa-proxy.ceph.com/teuthology/yuriw-2017-06-03_15:35:34-rados-wip-yuri-testing_2017_7_4---basic-smithi/1259202/teuthology.log

SELinuxError: SELinux denials found on ubuntu@smithi139.front.sepia.ceph.com: ['type=AVC msg=audit(1496504537.958:52827): avc:  denied  { open } for  pid=242759 comm="ceph-mon" path="/var/log/ceph/ceph-mon.smithi139.log" dev="sda1" ino=7080364 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file', 'type=AVC msg=audit(1496504527.770:52792): avc:  denied  { create } for  pid=242598 comm="ceph-mon" name="ceph-mon.smithi139.log" scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file', 'type=AVC msg=audit(1496504527.770:52792): avc:  denied  { write } for  pid=242598 comm="ceph-mon" name="ceph" dev="sda1" ino=7080331 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir', 'type=AVC msg=audit(1496504527.770:52792): avc:  denied  { open } for  pid=242598 comm="ceph-mon" path="/var/log/ceph/ceph-mon.smithi139.log" dev="sda1" ino=7080364 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file', 'type=AVC msg=audit(1496504527.770:52792): avc:  denied  { add_name } for  pid=242598 comm="ceph-mon" name="ceph-mon.smithi139.log" scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir']
2017-06-03T15:52:59.760 DEBUG:teuthology.run_tasks:Unwinding manager pcp


Related issues

Copied to Ceph - Backport #20191: kraken: SELinux denials (the files in /var/log/ceph get mislabeled) Resolved
Copied to Ceph - Backport #20192: jewel: SELinux denials (the files in /var/log/ceph get mislabeled) Resolved

History

#1 Updated by Boris Ranto 6 months ago

  • Status changed from New to Need Review
  • Assignee set to Boris Ranto
  • Backport set to kraken, jewel

#2 Updated by Boris Ranto 6 months ago

This happened because the ceph-base was only required for runtime (not %post) and we were using ceph-disk from ceph-base to relabel. That randomly failed because the order of the installation of these two packages was random.

#4 Updated by Boris Ranto 6 months ago

  • Status changed from Need Review to Pending Backport

#5 Updated by Nathan Cutler 6 months ago

  • Copied to Backport #20191: kraken: SELinux denials (the files in /var/log/ceph get mislabeled) added

#6 Updated by Nathan Cutler 6 months ago

  • Copied to Backport #20192: jewel: SELinux denials (the files in /var/log/ceph get mislabeled) added

#7 Updated by Nathan Cutler 3 months ago

  • Status changed from Pending Backport to Resolved

Also available in: Atom PDF