Bug #24220 (open): luminous: selinux denials from ceph-osd and ms_dispatch/httpd

Added by Vasu Kulkarni almost 6 years ago. Updated about 4 years ago.

Status: New
Priority: High
Assignee:
Category: -
Target version: -
% Done: 0%
Source:
Tags:
Backport:
Regression: No
Severity: 3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:
Crash signature (v1):
Crash signature (v2):

Description

test1: http://pulpito.ceph.com/teuthology-2018-05-19_05:55:02-ceph-deploy-luminous-distro-basic-mira/2554401/

SELinux denials found on ubuntu@mira010.front.sepia.ceph.com:
    type=AVC msg=audit(1526710874.341:4595): avc: denied { read } for pid=28874 comm="ceph-osd" name="block" dev="tmpfs" ino=86114 scontext=system_u:system_r:ceph_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=lnk_file
    type=AVC msg=audit(1526710887.149:4653): avc: denied { read } for pid=29419 comm="ceph-osd" name="block" dev="tmpfs" ino=88412 scontext=system_u:system_r:ceph_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=lnk_file
    type=AVC msg=audit(1526710874.428:4596): avc: denied { read } for pid=28874 comm="ceph-osd" name="/" dev="tmpfs" ino=84878 scontext=system_u:system_r:ceph_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir
    type=AVC msg=audit(1526710887.214:4654): avc: denied { read } for pid=29419 comm="ceph-osd" name="/" dev="tmpfs" ino=85608 scontext=system_u:system_r:ceph_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir

test2: http://pulpito.ceph.com/teuthology-2018-05-19_05:55:02-ceph-deploy-luminous-distro-basic-mira/2554427/


SELinux denials found on ubuntu@mira118.front.sepia.ceph.com:
    type=AVC msg=audit(1526719133.356:4306): avc: denied { search } for pid=27635 comm="ms_dispatch" name="httpd" dev="sda1" ino=5904 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=dir


Related issues 1 (0 open, 1 closed)

Related to Ceph - Bug #44216: Nautilus: selinux denials SELinuxError for ceph_mgr on httpd (Resolved, Brad Hubbard)

Actions #1

Updated by Vasu Kulkarni almost 6 years ago

@Kefu Chai, I think you were looking for a way to recreate the httpd denial issue; it looks to be reproducible on at least one of the configs in ceph-deploy.

Actions #2

Updated by Brad Hubbard about 4 years ago

  • Subject changed from luminous: selinux denails from ceph-osd and ms_dispatch/httpd to luminous: selinux denials from ceph-osd and ms_dispatch/httpd

Actions #4

Updated by Brad Hubbard about 4 years ago

There appear to be two problems here and I am only seeing the second in my runs.

This is a possible solution which works in my testing.

diff --git a/selinux/ceph.te b/selinux/ceph.te
index a56eb6a55ab..34a5ae3d2a3 100644
--- a/selinux/ceph.te
+++ b/selinux/ceph.te
@@ -7,6 +7,7 @@ require {
        type urandom_device_t;
        type setfiles_t;
        type nvme_device_t;
+       type httpd_config_t;
        class sock_file unlink;
        class lnk_file read;
        class dir read;
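Review bot: the new `type httpd_config_t;` entry follows the file's existing convention of requiring foreign types directly (as `type nvme_device_t;` does just above), but nothing in ceph.te records why a Ceph domain needs a label owned by the apache module; add a one-line comment naming the origin (the ceph-mgr/ms_dispatch `search` on the `httpd` directory shown in this issue) so the next person editing the policy knows what the entry is for and whether it is still needed.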
@@ -117,6 +118,8 @@ allow ceph_t self:process setpgid;
 allow ceph_t var_run_t:dir { write create add_name };
 allow ceph_t var_run_t:file { read write create open getattr };

+allow ceph_t httpd_config_t:dir search;
+
 fsadm_manage_pid(ceph_t)

 #============= setfiles_t ==============
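Review bot: `allow ceph_t httpd_config_t:dir search;` is the narrowest grant that matches the denial (just `search`, not `read` or `getattr`), which is the right scope; however, the SYSCALL record in comment #5 shows the underlying stat() returning ENOENT while the host was in permissive mode, so the access is a lookup of a path that does not exist, and a `dontaudit ceph_t httpd_config_t:dir search;` would silence the AVC without widening ceph_t at all. Either choice is defensible; the rule should carry a comment saying which was chosen and why.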

Let me know if you'd like me to create PRs for this patch.

Actions #5

Updated by Brad Hubbard about 4 years ago

SELinux is preventing /usr/bin/ceph-mgr from search access on the directory httpd.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that ceph-mgr should be allowed search access on the httpd directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'ceph-mgr' --raw | audit2allow -M my-cephmgr
# semodule -i my-cephmgr.pp

Additional Information:
Source Context                system_u:system_r:ceph_t:s0
Target Context                system_u:object_r:httpd_config_t:s0
Target Objects                httpd [ dir ]
Source                        ceph-mgr
Source Path                   /usr/bin/ceph-mgr
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           ceph-mgr-14.2.7-437.geae77db.el7.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-252.el7_7.6.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     smithi093
Platform                      Linux smithi093 3.10.0-1062.12.1.el7.x86_64 #1 SMP
                              Tue Feb 4 23:02:59 UTC 2020 x86_64 x86_64
Alert Count                   1
First Seen                    2020-02-10 03:15:07 UTC
Last Seen                     2020-02-10 03:15:07 UTC
Local ID                      2d39378a-4d3e-4733-aae2-a850a715f03c

Raw Audit Messages
type=AVC msg=audit(1581304507.733:6186): avc:  denied  { search } for  pid=10709 comm="ceph-mgr" name="httpd" dev="sda1" ino=8790 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=dir permissive=1

type=SYSCALL msg=audit(1581304507.733:6186): arch=x86_64 syscall=stat success=no exit=ENOENT a0=55f44cc957a0 a1=7fffe79dd0d0 a2=7fffe79dd0d0 a3=0 items=0 ppid=1 pid=10709 auid=4294967295 uid=167 gid=167 euid=167 suid=167 fsuid=167 egid=167 sgid=167 fsgid=167 tty=(none) ses=4294967295 comm=ceph-mgr exe=/usr/bin/ceph-mgr subj=system_u:system_r:ceph_t:s0 key=(null)

Hash: ceph-mgr,ceph_t,httpd_config_t,dir,search

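Reducing AVC records to (source type, target type, class) groups is what audit2allow does behind the `ausearch | audit2allow` pipeline quoted above. As an added example (not code from this issue, from Ceph, or from setroubleshoot), the following Python script parses the denials quoted in the description and in this comment, groups them, renders the `allow` rules and `require` entries a ceph.te patch would carry, and recomputes the setroubleshoot `Hash:` key shown above. The function names are mine; the sample records are copied from the issue.

```python
"""Group SELinux AVC denials into candidate policy rules (mini audit2allow).

Added example, not part of the tracker issue or of Ceph's own tooling.
Function names are the author's own; the sample records below are the
AVC lines quoted in this issue.
"""
import re
from collections import defaultdict

# Sample input copied from the issue: two ceph-osd denials from test1, the
# ms_dispatch denial from test2, and the ceph-mgr record from comment #5.
SAMPLE_DENIALS = [
    'type=AVC msg=audit(1526710874.341:4595): avc: denied { read } for pid=28874 '
    'comm="ceph-osd" name="block" dev="tmpfs" ino=86114 scontext=system_u:system_r:ceph_t:s0 '
    'tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=lnk_file',
    'type=AVC msg=audit(1526710874.428:4596): avc: denied { read } for pid=28874 '
    'comm="ceph-osd" name="/" dev="tmpfs" ino=84878 scontext=system_u:system_r:ceph_t:s0 '
    'tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir',
    'type=AVC msg=audit(1526719133.356:4306): avc: denied { search } for pid=27635 '
    'comm="ms_dispatch" name="httpd" dev="sda1" ino=5904 scontext=system_u:system_r:ceph_t:s0 '
    'tcontext=system_u:object_r:httpd_config_t:s0 tclass=dir',
    'type=AVC msg=audit(1581304507.733:6186): avc:  denied  { search } for  pid=10709 '
    'comm="ceph-mgr" name="httpd" dev="sda1" ino=8790 scontext=system_u:system_r:ceph_t:s0 '
    'tcontext=system_u:object_r:httpd_config_t:s0 tclass=dir permissive=1',
]

# "avc: denied { perm perm } for key=value key="value" ..." (spacing varies)
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def _type_of(context):
    """user:role:type[:range] -> type."""
    return context.split(':')[2]


def parse_avc(line):
    """Parse one AVC record; return None for non-AVC lines (SYSCALL, CWD, ...)."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return {
        'perms': set(m.group('perms').split()),
        'comm': fields.get('comm', '?'),
        'name': fields.get('name'),
        'stype': _type_of(fields['scontext']),
        'ttype': _type_of(fields['tcontext']),
        'tclass': fields['tclass'],
        # permissive=1: the access went through and the record is audit-only
        'permissive': fields.get('permissive') == '1',
    }


def fingerprint(denial):
    """setroubleshoot-style 'Hash:' key: comm,source,target,class,perms."""
    return ','.join([denial['comm'], denial['stype'], denial['ttype'],
                     denial['tclass'], ' '.join(sorted(denial['perms']))])


def summarize(lines):
    """(source type, target type, class) -> union of denied permissions."""
    summary = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d is not None:
            summary[(d['stype'], d['ttype'], d['tclass'])] |= d['perms']
    return dict(summary)


def _perm_set(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'


def allow_rules(summary):
    """One .te 'allow' rule per key, in the style of the patch in comment #4."""
    return [f'allow {s} {t}:{c} {_perm_set(p)};'
            for (s, t, c), p in sorted(summary.items())]


def require_block(summary):
    """The 'require { ... }' entries those rules would need declared."""
    types = sorted({t for (_, t, _) in summary} | {s for (s, _, _) in summary})
    classes = defaultdict(set)
    for (_, _, c), p in summary.items():
        classes[c] |= p
    return ([f'type {t};' for t in types] +
            [f'class {c} {_perm_set(p)};' for c, p in sorted(classes.items())])


if __name__ == '__main__':
    grouped = summarize(SAMPLE_DENIALS)
    print('require {')
    for entry in require_block(grouped):
        print('\t' + entry)
    print('}')
    for rule in allow_rules(grouped):
        print(rule)
```

Running the script prints a `require` block and three `allow` rules. Only the `httpd_config_t:dir search` rule corresponds to the patch tested in comment #4; the union also yields `user_tmp_t` rules for the ceph-osd denials, which a policy reviewer would treat separately, since they would let a system domain read user temporary files on tmpfs and the issue does not record them as fixed. The `permissive` flag separates audit-only records like the one in this comment from denials that actually blocked an access.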
Actions #6

Updated by Brad Hubbard about 4 years ago

  • Has duplicate Bug #44216: Nautilus: selinux denials SELinuxError for ceph_mgr on httpd added

Actions #7

Updated by Brad Hubbard about 4 years ago

  • Has duplicate deleted (Bug #44216: Nautilus: selinux denials SELinuxError for ceph_mgr on httpd)

Actions #8

Updated by Brad Hubbard about 4 years ago

  • Related to Bug #44216: Nautilus: selinux denials SELinuxError for ceph_mgr on httpd added