Bug #14870
closed
selinux 'dac_override' denials
% Done: 0%
Source: other
Regression: No
Severity: 2 - major
Description
We are hitting a couple of denials like these. This suggests that we are accessing files owned by a regular ceph user with the root user.
type=AVC msg=audit(1454632967.188:3624): avc: denied { dac_override } for pid=19864 comm="ceph-osd" capability=1 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:system_r:ceph_t:s0 tclass=capability
type=AVC msg=audit(1454632971.385:3635): avc: denied { dac_override } for pid=20353 comm="ceph-osd" capability=1 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:system_r:ceph_t:s0 tclass=capability
type=AVC msg=audit(1454633045.627:3777): avc: denied { dac_override } for pid=21709 comm="ceph-osd" capability=1 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:system_r:ceph_t:s0 tclass=capability
type=AVC msg=audit(1454632981.199:3759): avc: denied { dac_override } for pid=20811 comm="ceph-osd" capability=1 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:system_r:ceph_t:s0 tclass=capability
type=AVC msg=audit(1454632980.825:3756): avc: denied { dac_override } for pid=20786 comm="ceph-osd" capability=1 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:system_r:ceph_t:s0 tclass=capability
type=AVC msg=audit(1454633048.389:3783): avc: denied { dac_override } for pid=22052 comm="ceph-osd" capability=1 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:system_r:ceph_t:s0 tclass=capability
type=AVC msg=audit(1454632903.971:3609): avc: denied { dac_override } for pid=19076 comm="ceph-osd" capability=1 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:system_r:ceph_t:s0 tclass=capability
I think this is happening because we run ceph-osd in ceph-disk a couple of times without telling it to use ceph user/group.
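Added example, not part of the original report or Ceph's code: a small triage script that splits run-together audit text like the records above into individual AVC denials and counts the dac_override capability denials per command and SELinux domain. The sample records are constructed (pids, timestamps and the third record are made up), and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in the same shape as the records in the report
# (pids and timestamps are made up), run together on one line with
# list-quote residue between records.
SAMPLE = (
    'type=AVC msg=audit(1700000000.100:101): avc: denied { dac_override } '
    'for pid=1111 comm="ceph-osd" capability=1 '
    'scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:system_r:ceph_t:s0 '
    "tclass=capability', "
    'type=AVC msg=audit(1700000004.200:102): avc: denied { dac_override } '
    'for pid=2222 comm="ceph-osd" capability=1 '
    'scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:system_r:ceph_t:s0 '
    "tclass=capability', "
    'type=AVC msg=audit(1700000009.300:103): avc: denied { read write } '
    'for pid=3333 comm="ceph-mon" name="store.db" '
    'scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:var_t:s0 '
    'tclass=file'
)

AVC_RE = re.compile(
    r'msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)', re.S)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(text):
    """Split run-together audit text into one dict per AVC denial."""
    records = []
    for chunk in re.split(r'(?=type=AVC )', text):
        m = AVC_RE.search(chunk)
        if not m:
            continue
        rec = {k: v.strip('"\',]') for k, v in KV_RE.findall(m['rest'])}
        rec.update(ts=float(m['ts']), serial=int(m['serial']),
                   perms=m['perms'].split())
        records.append(rec)
    return records

def dac_override_summary(records):
    """Count capability/dac_override denials per (comm, source domain)."""
    hits = [r for r in records
            if r.get('tclass') == 'capability' and 'dac_override' in r['perms']]
    return Counter((r['comm'], r['scontext'].split(':')[2]) for r in hits)

if __name__ == '__main__':
    for (comm, domain), n in dac_override_summary(parse_avc(SAMPLE)).items():
        print(f'{comm} in {domain}: {n} dac_override denial(s)')
```

A count that is confined to one command and domain, as here, points at a single launch path for that daemon rather than a general policy gap.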
Updated by Boris Ranto about 8 years ago
- Copied from Bug #14660: selinux denials during rbd test run added
Updated by Boris Ranto about 8 years ago
- Status changed from New to Resolved
This should be resolved in latest master.