Bug #64616
open
selinux denials with centos9.stream
Added by Venky Shankar 3 months ago.
Updated 2 months ago.
Backport:
quincy,reef,squid
Labels (FS):
qa, qa-failure
Description
/a/vshankar-2024-02-26_10:07:12-fs-wip-vshankar-testing-20240226.064629-testing-default-smithi/7573529
SELinux denials found on ubuntu@smithi027.front.sepia.ceph.com: ['type=AVC msg=audit(1708943195.213:199): avc: denied { checkpoint_restore } for pid=1208 comm="agetty" capability=40 scontext=system_u:system_r:getty_t:s0-s0:c0.c1023 tcontext=system_u:system_r:getty_t:s0-s0:c0.c1023 tclass=capability2 permissive=1']
This shows up with fs suite using the testing kernel. The denial is `checkpoint_restore' which I believe is related to checkpointing and restoring a container. We might need to add this to ignorelist in the selinux teuthology task.
Related issues
3 (3 open — 0 closed)
Patrick, I saw you working around with selinux denials in qa/suites/fs/workload/tasks/5-workunit/postgres.yaml, however, the denials in this tracker is related to container checkpoint_restore, so I guess this needs to be ignorelisted. Would you agree?
Venky Shankar wrote:
Patrick, I saw you working around with selinux denials in qa/suites/fs/workload/tasks/5-workunit/postgres.yaml, however, the denials in this tracker is related to container checkpoint_restore, so I guess this needs to be ignorelisted. Would you agree?
Yes : /
You can make a ceph-side change like:
https://github.com/ceph/ceph/blob/main/qa/distros/all/centos_8.1.yaml
- Project changed from teuthology to 16
- Assignee changed from adam kraitman to Venky Shankar
I bet you didn't mean to change the project to Calamari, which is long-dead
- Project changed from 16 to CephFS
Dan Mick wrote:
I bet you didn't mean to change the project to Calamari, which is long-dead
Oh god. I meant to choose CephFS - fat finger bug.
- Status changed from New to Fix Under Review
- Pull request ID set to 55908
- Category set to Testing
- Status changed from Fix Under Review to Pending Backport
- Target version set to v20.0.0
- Backport set to quincy,reef,squid
- Labels (FS) qa, qa-failure added
- Copied to Backport #64755: squid: selinux denials with centos9.stream added
- Copied to Backport #64757: quincy: selinux denials with centos9.stream added
- Tags set to backport_processed
Also available in: Atom
PDF