Bug #14244: "SELinux denials found" in rados-jewel-distro-basic-smithi - Ceph - Ceph

Actions

Copy link

Bug #14244

closed

"SELinux denials found" in rados-jewel-distro-basic-smithi

Added by Yuri Weinstein over 8 years ago. Updated about 8 years ago.

Status:

Resolved

Priority:

Urgent

Assignee:

Category:

Target version:

% Done:

Source:

Q/A

Tags:

Backport:

Regression:

Severity:

3 - minor

Reviewed:

Affected Versions:

v0.21.1

ceph-qa-suite:

rados

Pull request ID:

Crash signature (v1):

Crash signature (v2):

Description

Run: http://pulpito.ceph.com/teuthology-2016-01-02_19:00:08-rados-jewel-distro-basic-smithi/
Jobs: ['11937', '11938', '11965']
Logs: http://qa-proxy.ceph.com/teuthology/teuthology-2016-01-02_19:00:08-rados-jewel-distro-basic-smithi/11937/teuthology.log

2016-01-04T11:04:58.581 DEBUG:teuthology.task.selinux:ubuntu@smithi012.front.sepia.ceph.com has 1 denials
2016-01-04T11:04:58.582 ERROR:teuthology.run_tasks:Manager failed: selinux
Traceback (most recent call last):
  File "/home/teuthworker/src/teuthology_master/teuthology/run_tasks.py", line 125, in run_tasks
    suppress = manager.__exit__(*exc_info)
  File "/home/teuthworker/src/teuthology_master/teuthology/task/__init__.py", line 134, in __exit__
    self.teardown()
  File "/home/teuthworker/src/teuthology_master/teuthology/task/selinux.py", line 110, in teardown
    self.get_new_denials()
  File "/home/teuthworker/src/teuthology_master/teuthology/task/selinux.py", line 158, in get_new_denials
    denials=new_denials[remote.name])
SELinuxError: SELinux denials found on ubuntu@smithi012.front.sepia.ceph.com: ['type=AVC msg=audit(1451931237.151:8195): avc:  denied  { search } for  pid=30751 comm=72733A6D61696E20513A526567 name="cephtest" dev="sda1" ino=8650942 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir']

Related issues 1 (0 open — 1 closed)

Actions

Copy link

Updated by John Spray over 8 years ago

Priority changed from Normal to High

Also seeing this frequently in FS testing. Example:

[15110] fs/basic/{clusters/fixed-2-ucephfs.yaml debug/mds_client.yaml dirfrag/frag_enable.yaml fs/btrfs.yaml inline/no.yaml overrides/whitelist_wrongly_marked_down.yaml tasks/cfuse_workunit_kernel_untar_build.yaml}
-----------------------------------------------------------------
time: 01:09:29
info: http://pulpito.ceph.com/teuthology-2016-01-06_12:03:02-fs-jewel---basic-smithi/15110/
log: http://qa-proxy.ceph.com/teuthology/teuthology-2016-01-06_12:03:02-fs-jewel---basic-smithi/15110/

SELinux denials found on ubuntu@smithi006.front.sepia.ceph.com:
    ['type=USER_AVC msg=audit(1452174237.087:12584): pid=1 uid=0
    auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=\'avc:
    denied  { status } for auid=n/a uid=0 gid=0
    path="/usr/lib/systemd/system/chronyd.service" cmdline="systemctl is-active
    -q chronyd.service" scontext=system_u:system_r:chronyd_t:s0
    tcontext=system_u:object_r:chronyd_unit_file_t:s0 tclass=service
    exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?\'']

[15145] fs/traceless/{clusters/fixed-2-ucephfs.yaml debug/mds_client.yaml dirfrag/frag_enable.yaml fs/btrfs.yaml overrides/whitelist_wrongly_marked_down.yaml tasks/cfuse_workunit_suites_dbench.yaml traceless/50pc.yaml}
-----------------------------------------------------------------
time: 00:56:20
info: http://pulpito.ceph.com/teuthology-2016-01-06_12:03:02-fs-jewel---basic-smithi/15145/
log: http://qa-proxy.ceph.com/teuthology/teuthology-2016-01-06_12:03:02-fs-jewel---basic-smithi/15145/

SELinux denials found on ubuntu@smithi006.front.sepia.ceph.com:
    ['type=USER_AVC msg=audit(1452181408.897:7281): pid=1 uid=0 auid=4294967295
    ses=4294967295 subj=system_u:system_r:init_t:s0 msg=\'avc:  denied  {
    status } for auid=n/a uid=0 gid=0
    path="/usr/lib/systemd/system/chronyd.service" cmdline="systemctl is-active
    -q chronyd.service" scontext=system_u:system_r:chronyd_t:s0
    tcontext=system_u:object_r:chronyd_unit_file_t:s0 tclass=service
    exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?\'']

Actions

Copy link

Updated by Christina Meno over 8 years ago

Affected Versions v0.21.1 added

Looks like the issue could be resolved by requireing a new version of chrony, we've got access to it in base package repo

[ubuntu@smithi012 ~]$ lsb_release -a
LSB Version:    :core-4.1-amd64:core-4.1-noarch:cxx-4.1-amd64:cxx-4.1-noarch:desktop-4.1-amd64:desktop-4.1-noarch:languages-4.1-amd64:languages-4.1-noarch:printing-4.1-amd64:printing-4.1-noarch
Distributor ID:    CentOS
Description:    CentOS Linux release 7.1.1503 (Core) 
Release:    7.1.1503
Codename:    Core
[ubuntu@smithi012 ~]$ rpm -qa | grep chrony
chrony-1.29.1-1.el7.centos.x86_64
[ubuntu@smithi012 ~]$ 

=============================
[ubuntu@smithi012 ~]$ yum info chrony
Loaded plugins: fastestmirror, langpacks, priorities
base                                                                                                                                                                           | 3.6 kB  00:00:00     
centos7-fcgi-ceph                                                                                                                                                              |  951 B  00:00:00     
epel                                                                                                                                                                           | 4.3 kB  00:00:00     
extras                                                                                                                                                                         | 3.4 kB  00:00:00     
lab-extras                                                                                                                                                                     |  951 B  00:00:00     
updates                                                                                                                                                                        | 3.4 kB  00:00:00     
Determining fastest mirrors
 * base: mirror.symnds.com
 * epel: fedora-epel.mirror.lstn.net
 * extras: mirror.symnds.com
 * updates: mirror.symnds.com
centos7-fcgi-ceph                                                                                                                                                                                 3/3
lab-extras                                                                                                                                                                                        2/2
Installed Packages
Name        : chrony
Arch        : x86_64
Version     : 1.29.1
Release     : 1.el7.centos
Size        : 554 k
Repo        : installed
From repo   : anaconda
Summary     : An NTP client/server
URL         : http://chrony.tuxfamily.org
License     : GPLv2
Description : A client/server for the Network Time Protocol, this program keeps your
            : computer's clock accurate. It was specially designed to support
            : systems with intermittent internet connections, but it also works well
            : in permanently connected environments. It can use also hardware reference
            : clocks, system real-time clock or manual input as time references.

Available Packages
Name        : chrony
Arch        : x86_64
Version     : 2.1.1
Release     : 1.el7.centos
Size        : 280 k
Repo        : base/7/x86_64
Summary     : An NTP client/server
URL         : http://chrony.tuxfamily.org
License     : GPLv2
Description : A client/server for the Network Time Protocol, this program keeps your
            : computer's clock accurate. It was specially designed to support
            : systems with intermittent internet connections, but it also works well
            : in permanently connected environments. It can use also hardware reference
            : clocks, system real-time clock or manual input as time references.

[ubuntu@smithi012 ~]$

Actions

Copy link