Bug #14244
closed
"SELinux denials found" in rados-jewel-distro-basic-smithi
Description
Run: http://pulpito.ceph.com/teuthology-2016-01-02_19:00:08-rados-jewel-distro-basic-smithi/
Jobs: ['11937', '11938', '11965']
Logs: http://qa-proxy.ceph.com/teuthology/teuthology-2016-01-02_19:00:08-rados-jewel-distro-basic-smithi/11937/teuthology.log
2016-01-04T11:04:58.581 DEBUG:teuthology.task.selinux:ubuntu@smithi012.front.sepia.ceph.com has 1 denials
2016-01-04T11:04:58.582 ERROR:teuthology.run_tasks:Manager failed: selinux
Traceback (most recent call last):
  File "/home/teuthworker/src/teuthology_master/teuthology/run_tasks.py", line 125, in run_tasks
    suppress = manager.__exit__(*exc_info)
  File "/home/teuthworker/src/teuthology_master/teuthology/task/__init__.py", line 134, in __exit__
    self.teardown()
  File "/home/teuthworker/src/teuthology_master/teuthology/task/selinux.py", line 110, in teardown
    self.get_new_denials()
  File "/home/teuthworker/src/teuthology_master/teuthology/task/selinux.py", line 158, in get_new_denials
    denials=new_denials[remote.name])
SELinuxError: SELinux denials found on ubuntu@smithi012.front.sepia.ceph.com: ['type=AVC msg=audit(1451931237.151:8195): avc: denied { search } for pid=30751 comm=72733A6D61696E20513A526567 name="cephtest" dev="sda1" ino=8650942 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir']
Updated by John Spray over 8 years ago
- Priority changed from Normal to High
Also seeing this frequently in FS testing. Example:
[15110] fs/basic/{clusters/fixed-2-ucephfs.yaml debug/mds_client.yaml dirfrag/frag_enable.yaml fs/btrfs.yaml inline/no.yaml overrides/whitelist_wrongly_marked_down.yaml tasks/cfuse_workunit_kernel_untar_build.yaml}
-----------------------------------------------------------------
time: 01:09:29
info: http://pulpito.ceph.com/teuthology-2016-01-06_12:03:02-fs-jewel---basic-smithi/15110/
log: http://qa-proxy.ceph.com/teuthology/teuthology-2016-01-06_12:03:02-fs-jewel---basic-smithi/15110/
SELinux denials found on ubuntu@smithi006.front.sepia.ceph.com:
['type=USER_AVC msg=audit(1452174237.087:12584): pid=1 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=\'avc:
denied { status } for auid=n/a uid=0 gid=0
path="/usr/lib/systemd/system/chronyd.service" cmdline="systemctl is-active
-q chronyd.service" scontext=system_u:system_r:chronyd_t:s0
tcontext=system_u:object_r:chronyd_unit_file_t:s0 tclass=service
exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?\'']
[15145] fs/traceless/{clusters/fixed-2-ucephfs.yaml debug/mds_client.yaml dirfrag/frag_enable.yaml fs/btrfs.yaml overrides/whitelist_wrongly_marked_down.yaml tasks/cfuse_workunit_suites_dbench.yaml traceless/50pc.yaml}
-----------------------------------------------------------------
time: 00:56:20
info: http://pulpito.ceph.com/teuthology-2016-01-06_12:03:02-fs-jewel---basic-smithi/15145/
log: http://qa-proxy.ceph.com/teuthology/teuthology-2016-01-06_12:03:02-fs-jewel---basic-smithi/15145/
SELinux denials found on ubuntu@smithi006.front.sepia.ceph.com:
['type=USER_AVC msg=audit(1452181408.897:7281): pid=1 uid=0 auid=4294967295
ses=4294967295 subj=system_u:system_r:init_t:s0 msg=\'avc: denied {
status } for auid=n/a uid=0 gid=0
path="/usr/lib/systemd/system/chronyd.service" cmdline="systemctl is-active
-q chronyd.service" scontext=system_u:system_r:chronyd_t:s0
tcontext=system_u:object_r:chronyd_unit_file_t:s0 tclass=service
exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?\'']
Updated by Christina Meno over 8 years ago
- Affected Versions v0.21.1 added
Looks like the issue could be resolved by requiring a new version of chrony; we've got access to it in the base package repo.
[ubuntu@smithi012 ~]$ lsb_release -a
LSB Version: :core-4.1-amd64:core-4.1-noarch:cxx-4.1-amd64:cxx-4.1-noarch:desktop-4.1-amd64:desktop-4.1-noarch:languages-4.1-amd64:languages-4.1-noarch:printing-4.1-amd64:printing-4.1-noarch
Distributor ID: CentOS
Description: CentOS Linux release 7.1.1503 (Core)
Release: 7.1.1503
Codename: Core
[ubuntu@smithi012 ~]$ rpm -qa | grep chrony
chrony-1.29.1-1.el7.centos.x86_64
[ubuntu@smithi012 ~]$
=============================
[ubuntu@smithi012 ~]$ yum info chrony
Loaded plugins: fastestmirror, langpacks, priorities
base | 3.6 kB 00:00:00
centos7-fcgi-ceph | 951 B 00:00:00
epel | 4.3 kB 00:00:00
extras | 3.4 kB 00:00:00
lab-extras | 951 B 00:00:00
updates | 3.4 kB 00:00:00
Determining fastest mirrors
 * base: mirror.symnds.com
 * epel: fedora-epel.mirror.lstn.net
 * extras: mirror.symnds.com
 * updates: mirror.symnds.com
centos7-fcgi-ceph 3/3
lab-extras 2/2
Installed Packages
Name : chrony
Arch : x86_64
Version : 1.29.1
Release : 1.el7.centos
Size : 554 k
Repo : installed
From repo : anaconda
Summary : An NTP client/server
URL : http://chrony.tuxfamily.org
License : GPLv2
Description : A client/server for the Network Time Protocol, this program keeps your
            : computer's clock accurate. It was specially designed to support
            : systems with intermittent internet connections, but it also works well
            : in permanently connected environments. It can use also hardware reference
            : clocks, system real-time clock or manual input as time references.

Available Packages
Name : chrony
Arch : x86_64
Version : 2.1.1
Release : 1.el7.centos
Size : 280 k
Repo : base/7/x86_64
Summary : An NTP client/server
URL : http://chrony.tuxfamily.org
License : GPLv2
Description : A client/server for the Network Time Protocol, this program keeps your
            : computer's clock accurate. It was specially designed to support
            : systems with intermittent internet connections, but it also works well
            : in permanently connected environments. It can use also hardware reference
            : clocks, system real-time clock or manual input as time references.

[ubuntu@smithi012 ~]$
Updated by John Spray over 8 years ago
Updated by Vasu Kulkarni over 8 years ago
I started seeing denials from chronyd on RHEL as well. I have updated the PR which ignores dmidecode to ignore chronyd denials as well.
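Added example, not part of any comment in this ticket and not teuthology's own code: a small parser for the AVC and USER_AVC records quoted above that decodes the hex-encoded `comm` field and drops denials whose source type is on an ignore list. The function names and the `IGNORED_SOURCE_TYPES` set are assumptions; the USER_AVC sample is the record from this ticket rejoined onto one line with the Python repr escapes removed.

```python
import re

# Denial records quoted in this ticket (USER_AVC rejoined onto one line).
SAMPLE = [
    'type=AVC msg=audit(1451931237.151:8195): avc: denied { search } for '
    'pid=30751 comm=72733A6D61696E20513A526567 name="cephtest" dev="sda1" '
    'ino=8650942 scontext=system_u:system_r:syslogd_t:s0 '
    'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir',
    "type=USER_AVC msg=audit(1452174237.087:12584): pid=1 uid=0 "
    "auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 "
    "msg='avc: denied { status } for auid=n/a uid=0 gid=0 "
    'path="/usr/lib/systemd/system/chronyd.service" '
    'cmdline="systemctl is-active -q chronyd.service" '
    "scontext=system_u:system_r:chronyd_t:s0 "
    "tcontext=system_u:object_r:chronyd_unit_file_t:s0 tclass=service "
    "exe=\"/usr/lib/systemd/systemd\" sauid=0 hostname=? addr=? terminal=?'",
]
# Assumption: source types the lab has chosen to tolerate (hypothetical list).
IGNORED_SOURCE_TYPES = {"chronyd_t"}

_PERMS = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def decode_comm(value):
    """auditd quotes safe comm values and hex-encodes the rest."""
    try:
        return bytes.fromhex(value).decode("utf-8", "replace")
    except ValueError:
        return value.strip('"')

def parse_denial(line):
    """Return the fields of an AVC/USER_AVC denial, or None for other lines."""
    perms = _PERMS.search(line)
    if perms is None:
        return None
    # Only key=value pairs after the permission set describe the denial itself.
    fields = dict(_KV.findall(line[perms.end():]))
    return {
        "perms": perms.group(1).split(),
        "source_type": fields["scontext"].split(":")[2],
        "target_type": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "comm": decode_comm(fields["comm"]) if "comm" in fields else None,
    }

def unexpected(lines, ignored=IGNORED_SOURCE_TYPES):
    """Denials whose source type is not on the ignore list."""
    return [d for d in map(parse_denial, lines)
            if d and d["source_type"] not in ignored]
```

Decoding `comm` shows that the first denial comes from an rsyslog worker thread, which the raw hex hides; ignoring by source type rather than by a substring keeps an ignore entry from hiding unrelated denials that merely mention the same name.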
Updated by Yuri Weinstein over 8 years ago
More in rgw run:
http://pulpito.ceph.com/teuthology-2016-01-13_13:02:01-rgw-jewel-distro-basic-smithi/
Jobs: 28068,28119
Updated by Yuri Weinstein over 8 years ago
Updated by Yuri Weinstein about 8 years ago
Updated by Loïc Dachary about 8 years ago
- Related to Bug #14660: selinux denials during rbd test run added
Updated by Vasu Kulkarni about 8 years ago
- Status changed from New to Fix Under Review
Updated by Zack Cerza about 8 years ago
Is anyone tracking the actual chrony bug/fix?
Updated by Sage Weil about 8 years ago
- Status changed from Fix Under Review to Resolved