Bug #40412
openos/bluestore: osd_memory_target_cgroup_limit_ratio won't work with SELinux
% Done: 0%
Regression: No
Severity: 3 - minor
Description
When running in an SELinux-enabled environment, ceph-osd violates the access policy because of reading the memory limits via cgroupfs:
```
type=AVC msg=audit(1559833707.366:1563): avc: denied { search } for pid=22626 comm="ceph-osd" name="/" dev="tmpfs" ino=11449 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1559833707.366:1563): avc: denied { read } for pid=22626 comm="ceph-osd" name="memory.limit_in_bytes" dev="cgroup" ino=10 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=file permissive=1
type=AVC msg=audit(1559833707.366:1563): avc: denied { open } for pid=22626 comm="ceph-osd" path="/sys/fs/cgroup/memory/memory.limit_in_bytes" dev="cgroup" ino=10 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=file permissive=1
...
type=AVC msg=audit(1559833707.366:1564): avc: denied { getattr } for pid=22626 comm="ceph-osd" path="/sys/fs/cgroup/memory/memory.limit_in_bytes" dev="cgroup" ino=10 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=file permissive=1
```
These audit logs were emitted because of a call to `get_cgroup_memory_limit()`. At the moment `BlueStore::_set_cache_sizes()` is its exclusive client.