Bug #22108
closed"SELinux denials found" in powercycle-luminous-distro-basic-smithi
0%
Description
This is luminous v12.2.2 point release
Run: http://pulpito.ceph.com/yuriw-2017-11-10_17:15:33-powercycle-luminous-distro-basic-smithi/
Job: 1835351
Logs: http://qa-proxy.ceph.com/teuthology/yuriw-2017-11-10_17:15:33-powercycle-luminous-distro-basic-smithi/1835351/teuthology.log
2017-11-10T17:54:40.520 INFO:teuthology.orchestra.run.smithi018:Running: 'mkdir /home/ubuntu/cephtest/archive/audit && sudo cp /var/log/audit/audit.log /home/ubuntu/cephtest/archive/audit && sudo chown $USER /home/ubuntu/cephtest/archive/audit/audit.log && gzip /home/ubuntu/cephtest/archive/audit/audit.log'
2017-11-10T17:54:40.751 INFO:teuthology.orchestra.run.smithi018:Running: 'sudo grep \'avc: .*denied\' /var/log/audit/audit.log | grep -v \'\\(comm="dmidecode"\\|chronyd.service\\|name="cephtest"\\|scontext=system_u:system_r:nrpe_t:s0\\|scontext=system_u:system_r:pcp_pmlogger_t\\|scontext=system_u:system_r:pcp_pmcd_t:s0\\)\''
2017-11-10T17:54:40.838 INFO:teuthology.orchestra.run.smithi018.stdout:type=AVC msg=audit(1510335810.963:8172): avc: denied { mac_admin } for pid=1 comm="systemd" capability=33 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=capability2
2017-11-10T17:54:40.839 DEBUG:teuthology.task.selinux:ubuntu@smithi018.front.sepia.ceph.com has 1 denials
2017-11-10T17:54:40.839 ERROR:teuthology.run_tasks:Manager failed: selinux
Traceback (most recent call last):
File "/home/teuthworker/src/git.ceph.com_git_teuthology_master/teuthology/run_tasks.py", line 159, in run_tasks
suppress = manager.__exit__(*exc_info)
File "/home/teuthworker/src/git.ceph.com_git_teuthology_master/teuthology/task/__init__.py", line 134, in __exit__
self.teardown()
File "/home/teuthworker/src/git.ceph.com_git_teuthology_master/teuthology/task/selinux.py", line 142, in teardown
self.get_new_denials()
File "/home/teuthworker/src/git.ceph.com_git_teuthology_master/teuthology/task/selinux.py", line 190, in get_new_denials
denials=new_denials[remote.name])
SELinuxError: SELinux denials found on ubuntu@smithi018.front.sepia.ceph.com: ['type=AVC msg=audit(1510335810.963:8172): avc: denied { mac_admin } for pid=1 comm="systemd" capability=33 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=capability2']
Updated by Vasu Kulkarni over 6 years ago
- Assignee set to Boris Ranto
This is coming from systemd which can be ignore
Updated by Greg Farnum over 6 years ago
- Status changed from New to Triaged
Can we fix it if it's coming from systemd? By assigning to Boris I assume it means our packages are somehow wrong? Or do we just need to add a test exclusion from something that's broken upstream of us.
Updated by Boris Ranto over 6 years ago
Ok, so mac_admin means that systemd is trying to place a label on the system that the kernel does not understand. That suggests an incompatibility between systemd and the kernel that is running on the system. In any case, it does not look like something we can/should fix in our ceph policy.
[EDIT] If these are both distro kernel and systemd, are you running the latest available kernel for the distro?
Updated by Boris Ranto almost 6 years ago
- Status changed from Triaged to Closed
This was not a Ceph bug, it was probably caused by non-standard kernel, if it was not it is not something we should fix in our policy.