Bug #43064
closed
"SELinux denials found" in ceph-deploy
Added by Yuri Weinstein over 4 years ago. Updated about 4 years ago.
Description
Run: http://pulpito.ceph.com/teuthology-2019-11-29_05:55:03-ceph-deploy-nautilus-distro-basic-mira/
Jobs: ['4552133', '4552149', '4552153', '4552141', '4552137', '4552167', '4552159', '4552183', '4552125', '4552187', '4552175', '4552163']
Logs: http://qa-proxy.ceph.com/teuthology/teuthology-2019-11-29_05:55:03-ceph-deploy-nautilus-distro-basic-mira/4552125/teuthology.log
Failure: SELinux denials found on ubuntu@mira082.front.sepia.ceph.com:
type=AVC msg=audit(1575016718.338:5935): avc: denied { read } for pid=4567 comm="fn_anonymous" name="b8:16" dev="tmpfs" ino=108139 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1575016718.338:5936): avc: denied { getattr } for pid=4567 comm="fn_anonymous" path="/run/udev/data/b8:16" dev="tmpfs" ino=108139 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1575016718.338:5935): avc: denied { open } for pid=4567 comm="fn_anonymous" path="/run/udev/data/b8:16" dev="tmpfs" ino=108139 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1575016733.611:5994): avc: denied { open } for pid=5200 comm="fn_anonymous" path="/run/udev/data/b8:48" dev="tmpfs" ino=109258 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1575016677.777:5674): avc: denied { getattr } for pid=3222 comm="ms_dispatch" path="/proc/kcore" dev="proc" ino=4026532068 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:proc_kcore_t:s0 tclass=file permissive=1
type=AVC msg=audit(1575016662.253:5617): avc: denied { getattr } for pid=3222 comm="ms_dispatch" path="/proc/kcore" dev="proc" ino=4026532068 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:proc_kcore_t:s0 tclass=file permissive=1
type=AVC msg=audit(1575016733.611:5994): avc: denied { read } for pid=5200 comm="fn_anonymous" name="b8:48" dev="tmpfs" ino=109258 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1575016733.611:5995): avc: denied { getattr } for pid=5200 comm="fn_anonymous" path="/run/udev/data/b8:48" dev="tmpfs" ino=109258 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
Updated by Yuri Weinstein over 4 years ago
Updated by Kefu Chai over 4 years ago
- Status changed from New to Pending Backport
- Backport set to mimic,nautilus
- Pull request ID set to 29071
Updated by Nathan Cutler over 4 years ago
- Copied to Backport #43243: nautilus: "SELinux denials found" in ceph-deploy added
Updated by Nathan Cutler over 4 years ago
- Copied to Backport #43244: mimic: "SELinux denials found" in ceph-deploy added
Updated by Brad Hubbard over 4 years ago
With this patch I still see the following SELinux denial, which appears to be an access to /proc and a separate issue.
avc: denied { getattr } for pid=3222 comm="ms_dispatch" path="/proc/kcore" dev="proc" ino=4026532068 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:proc_kcore_t:s0 tclass=file permissive=1
and
avc: denied { setsched } for pid=14582 comm="fn_anonymous" scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:system_r:ceph_t:s0 tclass=process permissive=1
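An added triage helper, not part of this tracker thread: it parses AVC records like the ones quoted in this report (embedded below as the sample input) and groups them by source type, target type and object class, so the udev_var_run_t file accesses, the proc_kcore_t getattr and the setsched process denial come out as three separate policy gaps. allow_rule renders the shape of the TE rule audit2allow would propose for each group; the field names it relies on are the standard auditd AVC fields.

```python
import re
from collections import defaultdict

# Constructed sample: AVC records copied from the denials quoted in this report, one per entry.
SAMPLE_DENIALS = [
    'type=AVC msg=audit(1575016718.338:5935): avc: denied { read } for pid=4567 comm="fn_anonymous" name="b8:16" dev="tmpfs" ino=108139 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1575016718.338:5936): avc: denied { getattr } for pid=4567 comm="fn_anonymous" path="/run/udev/data/b8:16" dev="tmpfs" ino=108139 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1575016718.338:5935): avc: denied { open } for pid=4567 comm="fn_anonymous" path="/run/udev/data/b8:16" dev="tmpfs" ino=108139 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1575016677.777:5674): avc: denied { getattr } for pid=3222 comm="ms_dispatch" path="/proc/kcore" dev="proc" ino=4026532068 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:proc_kcore_t:s0 tclass=file permissive=1',
    'avc: denied { setsched } for pid=14582 comm="fn_anonymous" scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:system_r:ceph_t:s0 tclass=process permissive=1',
]

PERMS_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}')   # the "{ read open }" permission set
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')                  # key=value pairs, quoted or bare

def parse_avc(line):
    """Return the fields of one AVC denial, or None if the line is not an AVC denial."""
    m = PERMS_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    # scontext/tcontext are user:role:type:level; index 2 is the SELinux type
    return {
        'perms': set(m.group(1).split()),
        'comm': fields.get('comm'),
        'object': fields.get('path') or fields.get('name'),   # setsched has neither
        'stype': fields.get('scontext', '::?').split(':')[2],
        'ttype': fields.get('tcontext', '::?').split(':')[2],
        'tclass': fields.get('tclass'),
        'permissive': fields.get('permissive') == '1',        # logged but not blocked
    }

def summarize(lines):
    """Group denials by (source type, target type, class); each group is one policy gap."""
    groups = defaultdict(lambda: {'perms': set(), 'comms': set(), 'objects': set(), 'count': 0})
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        g = groups[(rec['stype'], rec['ttype'], rec['tclass'])]
        g['perms'] |= rec['perms']
        g['comms'].add(rec['comm'])
        if rec['object']:
            g['objects'].add(rec['object'])
        g['count'] += 1
    return dict(groups)

def allow_rule(key, perms):
    """Render the TE allow rule audit2allow would emit for one group, permissions sorted."""
    return 'allow %s %s:%s { %s };' % (key + (' '.join(sorted(perms)),))
```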
Updated by Brad Hubbard over 4 years ago
- Related to Bug #40743: "SELinux denials found" in ceph-deploy/nautilus added
Updated by Brad Hubbard over 4 years ago
Looks like the setsched issue might be new. Let me know if we need a new tracker for that one.
Updated by Brad Hubbard about 4 years ago
Created a new tracker for the setsched denial, https://tracker.ceph.com/issues/44196
Updated by Brad Hubbard about 4 years ago
SELinux is preventing /usr/bin/ceph-mon from getattr access on the file /proc/kcore.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that ceph-mon should be allowed getattr access on the kcore file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'ms_dispatch' --raw | audit2allow -M my-msdispatch
# semodule -i my-msdispatch.pp

Additional Information:
Source Context                system_u:system_r:ceph_t:s0
Target Context                system_u:object_r:proc_kcore_t:s0
Target Objects                /proc/kcore [ file ]
Source                        ms_dispatch
Source Path                   /usr/bin/ceph-mon
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           ceph-mon-14.2.7-763.g97ce2bd.el7.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-252.el7_7.6.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     mira030
Platform                      Linux mira030 3.10.0-1062.12.1.el7.x86_64 #1 SMP Tue Feb 4 23:02:59 UTC 2020 x86_64 x86_64
Alert Count                   2
First Seen                    2020-02-25 02:03:31 UTC
Last Seen                     2020-02-25 02:31:29 UTC
Local ID                      7b45da16-f331-412b-aa28-0dfc19d4b90d

Raw Audit Messages
type=AVC msg=audit(1582597889.957:6365): avc: denied { getattr } for pid=57228 comm="ms_dispatch" path="/proc/kcore" dev="proc" ino=4026532068 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:proc_kcore_t:s0 tclass=file permissive=1

type=SYSCALL msg=audit(1582597889.957:6365): arch=x86_64 syscall=newfstatat success=yes exit=0 a0=26 a1=562e172b80eb a2=7fe6f5fe5880 a3=0 items=0 ppid=1 pid=57228 auid=4294967295 uid=167 gid=167 euid=167 suid=167 fsuid=167 egid=167 sgid=167 fsgid=167 tty=(none) ses=4294967295 comm=ms_dispatch exe=/usr/bin/ceph-mon subj=system_u:system_r:ceph_t:s0 key=(null)

Hash: ms_dispatch,ceph_t,proc_kcore_t,file,getattr
# ausearch -i -c ms_dispatch|tail -3
type=PROCTITLE msg=audit(25/02/20 02:31:29.957:6365) : proctitle=/usr/bin/ceph-mon -f --cluster ceph --id mira030 --setuser ceph --setgroup ceph
type=SYSCALL msg=audit(25/02/20 02:31:29.957:6365) : arch=x86_64 syscall=newfstatat success=yes exit=0 a0=0x26 a1=0x562e172b80eb a2=0x7fe6f5fe5880 a3=0x0 items=0 ppid=1 pid=57228 auid=unset uid=ceph gid=ceph euid=ceph suid=ceph fsuid=ceph egid=ceph sgid=ceph fsgid=ceph tty=(none) ses=unset comm=ms_dispatch exe=/usr/bin/ceph-mon subj=system_u:system_r:ceph_t:s0 key=(null)
type=AVC msg=audit(25/02/20 02:31:29.957:6365) : avc: denied { getattr } for pid=57228 comm=ms_dispatch path=/proc/kcore dev="proc" ino=4026532068 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:proc_kcore_t:s0 tclass=file permissive=1
Looking for that timestamp in the mon log.
# grep 02:31:29.95 /var/log/ceph/ceph-mon.mira030.log
2020-02-25 02:31:29.954 7fe6f5fec700  0 log_channel(cluster) log [INF] : mon.mira030 calling monitor election
2020-02-25 02:31:29.954 7fe6f5fec700  1 mon.mira030@0(electing).elector(4) init, last seen epoch 4
2020-02-25 02:31:29.958 7fe6f5fec700 -1 mon.mira030@0(electing) e1 failed to get devid for : udev_device_new_from_subsystem_sysname failed on ''
(gdb) t
[Current thread is 37 (Thread 0x7fffe0091700 (LWP 60388))]
(gdb) info thread 37
  Id   Target Id                                        Frame
* 37   Thread 0x7fffe0091700 (LWP 60388) "ms_dispatch"  __GI___fxstat (vers=vers@entry=1, fd=41, buf=buf@entry=0x7fffe008a910) at ../sysdeps/unix/sysv/linux/wordsize-64/fxstat.c:40
(gdb) bt
#0  __GI___fxstat (vers=vers@entry=1, fd=41, buf=buf@entry=0x7fffe008a910) at ../sysdeps/unix/sysv/linux/wordsize-64/fxstat.c:40
#1  0x00007fffef353db3 in fstat (__statbuf=0x7fffe008a910, __fd=<optimized out>) at /usr/include/sys/stat.h:470
#2  BlkDev::get_devid (this=<optimized out>, id=0x7fffe008b9d0) at /usr/src/debug/ceph-14.2.7-763-g97ce2bd/src/common/blkdev.cc:94
#3  0x00007fffef354336 in BlkDev::partition (this=this@entry=0x7fffe008ba00, partition=partition@entry=0x7fffe008ca60 "\320\066\366UUU", max=max@entry=4096) at /usr/src/debug/ceph-14.2.7-763-g97ce2bd/src/common/blkdev.cc:269
#4  0x00007fffef3543e4 in get_device_by_path(char const*, char*, char*, unsigned long) () at /usr/src/debug/ceph-14.2.7-763-g97ce2bd/src/common/blkdev.cc:52
#5  0x00005555557e953c in MonitorDBStore::get_devname (this=<optimized out>) at /usr/src/debug/ceph-14.2.7-763-g97ce2bd/src/mon/MonitorDBStore.h:55
#6  0x00005555557a2e1d in Monitor::collect_metadata(std::map<std::string, std::string, std::less<std::string>, std::allocator<std::pair<std::string const, std::string> > >*) () at /usr/src/debug/ceph-14.2.7-763-g97ce2bd/src/mon/Monitor.cc:2287
#7  0x000055555584272f in Elector::start() () at /usr/src/debug/ceph-14.2.7-763-g97ce2bd/src/mon/Elector.cc:100
#8  0x00005555557b26b8 in call_election (this=0x5555575f8d28) at /usr/src/debug/ceph-14.2.7-763-g97ce2bd/src/mon/Elector.h:388
#9  Monitor::start_election() () at /usr/src/debug/ceph-14.2.7-763-g97ce2bd/src/mon/Monitor.cc:2097
#10 0x00005555557b6bd8 in Monitor::handle_probe_reply(boost::intrusive_ptr<MonOpRequest>) () at /usr/src/debug/ceph-14.2.7-763-g97ce2bd/src/mon/Monitor.cc:2066
#11 0x00005555557b889f in Monitor::handle_probe(boost::intrusive_ptr<MonOpRequest>) () at /usr/src/debug/ceph-14.2.7-763-g97ce2bd/src/common/TrackedOp.h:388
#12 0x00005555557ce379 in Monitor::dispatch_op(boost::intrusive_ptr<MonOpRequest>) () at /usr/src/debug/ceph-14.2.7-763-g97ce2bd/src/common/TrackedOp.h:388
#13 0x00005555557cf37f in Monitor::_ms_dispatch(Message*) () at /usr/src/debug/ceph-14.2.7-763-g97ce2bd/src/common/TrackedOp.h:388
#14 0x00005555557fc356 in Monitor::ms_dispatch (this=0x5555575f8000, m=0x555557826780) at /usr/src/debug/ceph-14.2.7-763-g97ce2bd/src/mon/Monitor.h:888
#15 0x00005555557f8946 in Dispatcher::ms_dispatch2 (this=0x5555575f8000, m=...) at /usr/src/debug/ceph-14.2.7-763-g97ce2bd/src/msg/Dispatcher.h:126
#16 0x00007fffef472b39 in ms_deliver_dispatch (m=..., this=0x55555680a900) at /usr/src/debug/ceph-14.2.7-763-g97ce2bd/src/msg/DispatchQueue.cc:198
#17 DispatchQueue::entry() () at /usr/src/debug/ceph-14.2.7-763-g97ce2bd/src/msg/DispatchQueue.cc:197
#18 0x00007fffef51fcdd in DispatchQueue::DispatchThread::entry (this=<optimized out>) at /usr/src/debug/ceph-14.2.7-763-g97ce2bd/src/msg/DispatchQueue.h:102
#19 0x00007fffec04edd5 in start_thread (arg=0x7fffe0091700) at pthread_create.c:307
#20 0x00007fffeaf1502d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111
That means we are here.
84    init();   <--------- NOTE, just called init() which produces "init, last seen epoch 4" log output
85
86    // start by trying to elect me
87    if (epoch % 2 == 0) {
88      bump_epoch(epoch+1);  // odd == election cycle
89    } else {
90      // do a trivial db write just to ensure it is writeable.
91      auto t(std::make_shared<MonitorDBStore::Transaction>());
92      t->put(Monitor::MONITOR_NAME, "election_writeable_test", rand());
93      int r = mon->store->apply_transaction(t);
94      ceph_assert(r >= 0);
95    }
96    electing_me = true;
97    acked_me[mon->rank].cluster_features = CEPH_FEATURES_ALL;
98    acked_me[mon->rank].mon_release = ceph_release();
99    acked_me[mon->rank].mon_features = ceph::features::mon::get_supported();
100   mon->collect_metadata(&acked_me[mon->rank].metadata);   <-------------------- HERE
89  int BlkDev::get_devid(dev_t *id) const
90  {
91    struct stat st;
92    int r;
93    if (fd >= 0) {
94      r = fstat(fd, &st);
95    } else {
96      char path[PATH_MAX];
97      snprintf(path, sizeof(path), "/dev/%s", devname.c_str());
98      r = stat(path, &st);
99    }
100   if (r < 0) {
101     return -errno;
102   }
103   *id = S_ISBLK(st.st_mode) ? st.st_rdev : st.st_dev;
104   return 0;
105 }
Updated by Nathan Cutler about 4 years ago
- Status changed from Pending Backport to Resolved
While running with --resolve-parent, the script "backport-create-issue" noticed that all backports of this issue are in status "Resolved" or "Rejected".