Project

General

Profile

Actions
Copy link

Bug #64616

open

selinux denials with centos9.stream

Added by Venky Shankar 2 months ago. Updated about 2 months ago.

Status:
Pending Backport
Priority:
Normal
Assignee:
Venky Shankar
Category:
Testing
Target version:
Ceph - v20.0.0
% Done:

0%

Source:
Tags:
backport_processed
Backport:
quincy,reef,squid
Regression:
No
Severity:
3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
fs
Component(FS):
Labels (FS):
qa, qa-failure
Pull request ID:
55908
Crash signature (v1):
Crash signature (v2):

Description

/a/vshankar-2024-02-26_10:07:12-fs-wip-vshankar-testing-20240226.064629-testing-default-smithi/7573529

SELinux denials found on ubuntu@smithi027.front.sepia.ceph.com: ['type=AVC msg=audit(1708943195.213:199): avc: denied { checkpoint_restore } for pid=1208 comm="agetty" capability=40 scontext=system_u:system_r:getty_t:s0-s0:c0.c1023 tcontext=system_u:system_r:getty_t:s0-s0:c0.c1023 tclass=capability2 permissive=1']

This shows up with fs suite using the testing kernel. The denial is `checkpoint_restore' which I believe is related to checkpointing and restoring a container. We might need to add this to ignorelist in the selinux teuthology task.

Related issues 3 (3 open0 closed)

Copied to CephFS - Backport #64755: squid: selinux denials with centos9.streamIn ProgressVenky ShankarActions
Copied to CephFS - Backport #64756: reef: selinux denials with centos9.streamIn ProgressVenky ShankarActions
Copied to CephFS - Backport #64757: quincy: selinux denials with centos9.streamIn ProgressVenky ShankarActions
Actions
Copy link
 #1

Updated by Venky Shankar 2 months ago

Patrick, I saw you working around with selinux denials in qa/suites/fs/workload/tasks/5-workunit/postgres.yaml, however, the denials in this tracker is related to container checkpoint_restore, so I guess this needs to be ignorelisted. Would you agree?

Actions
Copy link
 #2

Updated by Patrick Donnelly 2 months ago

Venky Shankar wrote:

Patrick, I saw you working around with selinux denials in qa/suites/fs/workload/tasks/5-workunit/postgres.yaml, however, the denials in this tracker is related to container checkpoint_restore, so I guess this needs to be ignorelisted. Would you agree?

Yes : /

You can make a ceph-side change like:

https://github.com/ceph/ceph/blob/main/qa/distros/all/centos_8.1.yaml

Actions
Copy link
 #3

Updated by Venky Shankar 2 months ago

  • Project changed from teuthology to 16
  • Assignee changed from adam kraitman to Venky Shankar
Actions
Copy link
 #4

Updated by Dan Mick 2 months ago

I bet you didn't mean to change the project to Calamari, which is long-dead

Actions
Copy link
 #5

Updated by Venky Shankar 2 months ago

  • Project changed from 16 to CephFS

Dan Mick wrote:

I bet you didn't mean to change the project to Calamari, which is long-dead

Oh god. I meant to choose CephFS - fat finger bug.

Actions
Copy link
 #6

Updated by Venky Shankar about 2 months ago

  • Status changed from New to Fix Under Review
  • Pull request ID set to 55908
Actions
Copy link
 #7

Updated by Venky Shankar about 2 months ago

  • Category set to Testing
  • Status changed from Fix Under Review to Pending Backport
  • Target version set to v20.0.0
  • Backport set to quincy,reef,squid
  • Labels (FS) qa, qa-failure added
Actions
Copy link
 #8

Updated by Backport Bot about 2 months ago

  • Copied to Backport #64755: squid: selinux denials with centos9.stream added
Actions
Copy link
 #9

Updated by Backport Bot about 2 months ago

  • Copied to Backport #64756: reef: selinux denials with centos9.stream added
Actions
Copy link
 #10

Updated by Backport Bot about 2 months ago

  • Copied to Backport #64757: quincy: selinux denials with centos9.stream added
Actions
Copy link
 #11

Updated by Backport Bot about 2 months ago

  • Tags set to backport_processed
Actions
Copy link

Also available in: Atom PDF