Bug #14870

selinux 'dac_override' denials

Added by Boris Ranto almost 7 years ago. Updated over 6 years ago.

Status: Resolved
Priority: High
Assignee:
Category: -
Target version: -
% Done: 0%
Source: other
Tags:
Backport:
Regression: No
Severity: 2 - major
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:
Crash signature (v1):
Crash signature (v2):

Description

We are hitting a couple of denials like these. This suggests that we are accessing files owned by a regular ceph user as the root user.

type=AVC msg=audit(1454632967.188:3624): avc:  denied  { dac_override } for  pid=19864 comm="ceph-osd" capability=1  scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:system_r:ceph_t:s0 tclass=capability
type=AVC msg=audit(1454632971.385:3635): avc:  denied  { dac_override } for  pid=20353 comm="ceph-osd" capability=1  scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:system_r:ceph_t:s0 tclass=capability
type=AVC msg=audit(1454633045.627:3777): avc:  denied  { dac_override } for  pid=21709 comm="ceph-osd" capability=1  scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:system_r:ceph_t:s0 tclass=capability
type=AVC msg=audit(1454632981.199:3759): avc:  denied  { dac_override } for  pid=20811 comm="ceph-osd" capability=1  scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:system_r:ceph_t:s0 tclass=capability
type=AVC msg=audit(1454632980.825:3756): avc:  denied  { dac_override } for  pid=20786 comm="ceph-osd" capability=1  scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:system_r:ceph_t:s0 tclass=capability
type=AVC msg=audit(1454633048.389:3783): avc:  denied  { dac_override } for  pid=22052 comm="ceph-osd" capability=1  scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:system_r:ceph_t:s0 tclass=capability
type=AVC msg=audit(1454632903.971:3609): avc:  denied  { dac_override } for  pid=19076 comm="ceph-osd" capability=1  scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:system_r:ceph_t:s0 tclass=capability

I think this is happening because we run ceph-osd in ceph-disk a couple of times without telling it to use ceph user/group.
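
Added example, not part of the original report or of Ceph's code: a small triage script that parses AVC records like the ones above and groups capability denials by domain, command and capability, so repeated invocations show up as distinct PIDs. The function names, the third sample record and the printed rule form are assumptions made for illustration.

```python
import re
from collections import defaultdict

# First two records are copied from the report; the third is constructed
# here as a non-capability denial that the grouping must skip.
SAMPLE = """\
type=AVC msg=audit(1454632967.188:3624): avc:  denied  { dac_override } for  pid=19864 comm="ceph-osd" capability=1  scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:system_r:ceph_t:s0 tclass=capability
type=AVC msg=audit(1454632971.385:3635): avc:  denied  { dac_override } for  pid=20353 comm="ceph-osd" capability=1  scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:system_r:ceph_t:s0 tclass=capability
type=AVC msg=audit(1454633000.000:4000): avc:  denied  { read } for  pid=4242 comm="cat" name="keyring" scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")
# key=value pairs; a value is quoted, or runs to whitespace or a stray quote
KV_RE = re.compile(r"""(\w+)=("[^"]*"|[^\s']+)""")

def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None for other lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {key: value.strip('"') for key, value in KV_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    return rec

def capability_denials(text):
    """Map (domain type, comm, capability) -> sorted PIDs for capability-class denials."""
    groups = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec.get("tclass") not in ("capability", "capability2"):
            continue
        domain = rec["scontext"].split(":")[2]  # user:role:type:level -> type
        for perm in rec["perms"]:
            groups[(domain, rec["comm"], perm)].add(int(rec["pid"]))
    return {key: sorted(pids) for key, pids in groups.items()}

def self_capability_rule(domain, perm, tclass="capability"):
    """Allow-rule syntax for a domain's own capability (scontext == tcontext).
    Illustrative only; not taken from revision 519b03f4."""
    return f"allow {domain} self:{tclass} {perm};"

if __name__ == "__main__":
    for (domain, comm, perm), pids in capability_denials(SAMPLE).items():
        print(f"{comm} ({domain}) denied {perm} in {len(pids)} processes: {pids}")
        print("  rule form:", self_capability_rule(domain, perm))
```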


Related issues

Copied from Ceph - Bug #14660: selinux denials during rbd test run Closed 02/05/2016

Associated revisions

Revision 519b03f4 (diff)
Added by Boris Ranto over 6 years ago

selinux: allow dac_override capability

Fixes: #14870
Signed-off-by: Boris Ranto <>

History

#1 Updated by Boris Ranto almost 7 years ago

  • Copied from Bug #14660: selinux denials during rbd test run added

#2 Updated by Boris Ranto over 6 years ago

  • Status changed from New to Resolved

This should be resolved in latest master.
