Bug #14244

"SELinux denials found" in rados-jewel-distro-basic-smithi

Added by Yuri Weinstein over 4 years ago. Updated over 4 years ago.

Status: Resolved
Priority: Urgent
Assignee: -
Category: -
Target version: -
% Done: 0%
Source: Q/A
Tags:
Backport:
Regression: No
Severity: 3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite: rados
Pull request ID:
Crash signature:

Description

Run: http://pulpito.ceph.com/teuthology-2016-01-02_19:00:08-rados-jewel-distro-basic-smithi/
Jobs: ['11937', '11938', '11965']
Logs: http://qa-proxy.ceph.com/teuthology/teuthology-2016-01-02_19:00:08-rados-jewel-distro-basic-smithi/11937/teuthology.log

2016-01-04T11:04:58.581 DEBUG:teuthology.task.selinux:ubuntu@smithi012.front.sepia.ceph.com has 1 denials
2016-01-04T11:04:58.582 ERROR:teuthology.run_tasks:Manager failed: selinux
Traceback (most recent call last):
  File "/home/teuthworker/src/teuthology_master/teuthology/run_tasks.py", line 125, in run_tasks
    suppress = manager.__exit__(*exc_info)
  File "/home/teuthworker/src/teuthology_master/teuthology/task/__init__.py", line 134, in __exit__
    self.teardown()
  File "/home/teuthworker/src/teuthology_master/teuthology/task/selinux.py", line 110, in teardown
    self.get_new_denials()
  File "/home/teuthworker/src/teuthology_master/teuthology/task/selinux.py", line 158, in get_new_denials
    denials=new_denials[remote.name])
SELinuxError: SELinux denials found on ubuntu@smithi012.front.sepia.ceph.com: ['type=AVC msg=audit(1451931237.151:8195): avc:  denied  { search } for  pid=30751 comm=72733A6D61696E20513A526567 name="cephtest" dev="sda1" ino=8650942 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir']

Related issues

Related to Ceph - Bug #14660: selinux denials during rbd test run Closed 02/05/2016

History

#1 Updated by John Spray over 4 years ago

  • Priority changed from Normal to High

Also seeing this frequently in FS testing. Example:

[15110] fs/basic/{clusters/fixed-2-ucephfs.yaml debug/mds_client.yaml dirfrag/frag_enable.yaml fs/btrfs.yaml inline/no.yaml overrides/whitelist_wrongly_marked_down.yaml tasks/cfuse_workunit_kernel_untar_build.yaml}
-----------------------------------------------------------------
time: 01:09:29
info: http://pulpito.ceph.com/teuthology-2016-01-06_12:03:02-fs-jewel---basic-smithi/15110/
log: http://qa-proxy.ceph.com/teuthology/teuthology-2016-01-06_12:03:02-fs-jewel---basic-smithi/15110/

SELinux denials found on :
['type=USER_AVC msg=audit(1452174237.087:12584): pid=1 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=\'avc:
denied { status } for auid=n/a uid=0 gid=0
path="/usr/lib/systemd/system/chronyd.service" cmdline="systemctl is-active
-q chronyd.service" scontext=system_u:system_r:chronyd_t:s0
tcontext=system_u:object_r:chronyd_unit_file_t:s0 tclass=service
exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?\'']

[15145] fs/traceless/{clusters/fixed-2-ucephfs.yaml debug/mds_client.yaml dirfrag/frag_enable.yaml fs/btrfs.yaml overrides/whitelist_wrongly_marked_down.yaml tasks/cfuse_workunit_suites_dbench.yaml traceless/50pc.yaml}
-----------------------------------------------------------------
time: 00:56:20
info: http://pulpito.ceph.com/teuthology-2016-01-06_12:03:02-fs-jewel---basic-smithi/15145/
log: http://qa-proxy.ceph.com/teuthology/teuthology-2016-01-06_12:03:02-fs-jewel---basic-smithi/15145/

SELinux denials found on :
['type=USER_AVC msg=audit(1452181408.897:7281): pid=1 uid=0 auid=4294967295
ses=4294967295 subj=system_u:system_r:init_t:s0 msg=\'avc: denied {
status } for auid=n/a uid=0 gid=0
path="/usr/lib/systemd/system/chronyd.service" cmdline="systemctl is-active
-q chronyd.service" scontext=system_u:system_r:chronyd_t:s0
tcontext=system_u:object_r:chronyd_unit_file_t:s0 tclass=service
exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?\'']

#2 Updated by Gregory Meno over 4 years ago

  • Affected Versions v0.21.1 added

Looks like the issue could be resolved by requiring a new version of chrony; we've got access to it in the base package repo.

[ubuntu@smithi012 ~]$ lsb_release -a
LSB Version:    :core-4.1-amd64:core-4.1-noarch:cxx-4.1-amd64:cxx-4.1-noarch:desktop-4.1-amd64:desktop-4.1-noarch:languages-4.1-amd64:languages-4.1-noarch:printing-4.1-amd64:printing-4.1-noarch
Distributor ID:    CentOS
Description:    CentOS Linux release 7.1.1503 (Core) 
Release:    7.1.1503
Codename:    Core
[ubuntu@smithi012 ~]$ rpm -qa | grep chrony
chrony-1.29.1-1.el7.centos.x86_64
[ubuntu@smithi012 ~]$ 

=============================
[ubuntu@smithi012 ~]$ yum info chrony
Loaded plugins: fastestmirror, langpacks, priorities
base                                                                                                                                                                           | 3.6 kB  00:00:00     
centos7-fcgi-ceph                                                                                                                                                              |  951 B  00:00:00     
epel                                                                                                                                                                           | 4.3 kB  00:00:00     
extras                                                                                                                                                                         | 3.4 kB  00:00:00     
lab-extras                                                                                                                                                                     |  951 B  00:00:00     
updates                                                                                                                                                                        | 3.4 kB  00:00:00     
Determining fastest mirrors
 * base: mirror.symnds.com
 * epel: fedora-epel.mirror.lstn.net
 * extras: mirror.symnds.com
 * updates: mirror.symnds.com
centos7-fcgi-ceph                                                                                                                                                                                 3/3
lab-extras                                                                                                                                                                                        2/2
Installed Packages
Name        : chrony
Arch        : x86_64
Version     : 1.29.1
Release     : 1.el7.centos
Size        : 554 k
Repo        : installed
From repo   : anaconda
Summary     : An NTP client/server
URL         : http://chrony.tuxfamily.org
License     : GPLv2
Description : A client/server for the Network Time Protocol, this program keeps your
            : computer's clock accurate. It was specially designed to support
            : systems with intermittent internet connections, but it also works well
            : in permanently connected environments. It can use also hardware reference
            : clocks, system real-time clock or manual input as time references.

Available Packages
Name        : chrony
Arch        : x86_64
Version     : 2.1.1
Release     : 1.el7.centos
Size        : 280 k
Repo        : base/7/x86_64
Summary     : An NTP client/server
URL         : http://chrony.tuxfamily.org
License     : GPLv2
Description : A client/server for the Network Time Protocol, this program keeps your
            : computer's clock accurate. It was specially designed to support
            : systems with intermittent internet connections, but it also works well
            : in permanently connected environments. It can use also hardware reference
            : clocks, system real-time clock or manual input as time references.

[ubuntu@smithi012 ~]$ 

#4 Updated by Sage Weil over 4 years ago

  • Priority changed from High to Urgent

#5 Updated by Vasu Kulkarni over 4 years ago

I started seeing denials from chronyd on RHEL as well. I have updated the PR which ignores dmidecode to ignore chronyd denials as well.

https://github.com/ceph/teuthology/pull/736
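
Added example, not teuthology's code and not part of any comment in this issue: a small parser for the two denial records quoted above that decodes the hex-encoded `comm` field of the first record and applies a narrow ignore rule to the chronyd one. The names `parse_denial`, `new_denials` and `IGNORE` are hypothetical, and the rule format (source type, target type, class) is an assumption about how such a suppression could be scoped.

```python
import re

# Constructed sample: the AVC and USER_AVC records quoted in this issue,
# with the Python list/repr escaping removed.
SAMPLE = [
    'type=AVC msg=audit(1451931237.151:8195): avc:  denied  { search } for  pid=30751 comm=72733A6D61696E20513A526567 name="cephtest" dev="sda1" ino=8650942 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir',
    "type=USER_AVC msg=audit(1452174237.087:12584): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=n/a uid=0 gid=0 path=\"/usr/lib/systemd/system/chronyd.service\" cmdline=\"systemctl is-active -q chronyd.service\" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:chronyd_unit_file_t:s0 tclass=service exe=\"/usr/lib/systemd/systemd\" sauid=0 hostname=? addr=? terminal=?'",
]

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r'denied\s+\{([^}]*)\}')
HEX = re.compile(r'(?:[0-9A-F]{2})+')
# Fields the audit subsystem writes as hex when the value contains
# spaces or other unsafe bytes; numeric fields must not be decoded.
ENCODED_FIELDS = {"comm", "name", "path", "exe", "cmdline"}

def decode(value):
    """Return the literal string for a quoted or hex-encoded audit value."""
    if value.startswith('"'):
        return value.strip('"')
    if HEX.fullmatch(value):
        return bytes.fromhex(value).decode("utf-8", "replace")
    return value

def parse_denial(line):
    """Parse one denial record into a dict, or None if it is not a denial."""
    perms = PERMS.search(line)
    if not perms:
        return None
    rec = {key: decode(raw) if key in ENCODED_FIELDS else raw
           for key, raw in FIELD.findall(line)}
    if "scontext" not in rec or "tcontext" not in rec:
        return None
    rec["perms"] = perms.group(1).split()
    rec["source_type"] = rec["scontext"].split(":")[2]
    rec["target_type"] = rec["tcontext"].split(":")[2]
    return rec

# Hypothetical ignore rule (source type, target type, class): narrow enough
# to hide the chronyd unit-status denial without hiding other chronyd_t denials.
IGNORE = {("chronyd_t", "chronyd_unit_file_t", "service")}

def new_denials(lines, ignore=IGNORE):
    """Return parsed denials that no ignore rule matches."""
    recs = filter(None, map(parse_denial, lines))
    return [r for r in recs
            if (r["source_type"], r["target_type"], r.get("tclass")) not in ignore]
```

Decoding `comm` shows that the first denial comes from an rsyslog worker thread (`syslogd_t`) searching the `cephtest` directory labelled `user_home_t`, which is a different problem from the chronyd unit-status denial and is not covered by the ignore rule.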

#9 Updated by Loic Dachary over 4 years ago

  • Related to Bug #14660: selinux denials during rbd test run added

#11 Updated by Vasu Kulkarni over 4 years ago

  • Status changed from New to Fix Under Review

#12 Updated by Zack Cerza over 4 years ago

Is anyone tracking the actual chrony bug/fix?

#13 Updated by Sage Weil over 4 years ago

  • Status changed from Fix Under Review to Resolved
