Bug #15125

closed

"SELinux denials found on ubuntu@smithi014.front.sepia.ceph.com" in rados-jewel-distro-basic-smithi

Added by Yuri Weinstein about 8 years ago. Updated about 7 years ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: -
Target version: -
% Done: 0%
Source: Q/A
Tags:
Backport:
Regression: No
Severity: 3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite: rados
Pull request ID:
Crash signature (v1):
Crash signature (v2):

Description

Run: http://pulpito.ceph.com/teuthology-2016-03-12_22:00:02-rados-jewel-distro-basic-smithi/
Job: ['57338']
Logs: http://qa-proxy.ceph.com/teuthology/teuthology-2016-03-12_22:00:02-rados-jewel-distro-basic-smithi/57338/teuthology.log

SELinuxError: SELinux denials found on ubuntu@smithi014.front.sepia.ceph.com: [
'type=AVC msg=audit(1457925841.589:32716): avc:  denied  { setattr } for  pid=30569 comm="logrotate" name="logrotate.status.tmp" dev="sda1" ino=11798071 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file',
'type=AVC msg=audit(1457925841.498:32713): avc:  denied  { getattr } for  pid=30569 comm="logrotate" path="/var/lib/logrotate.status" dev="sda1" ino=11798238 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file',
'type=AVC msg=audit(1457925841.498:32714): avc:  denied  { open } for  pid=30569 comm="logrotate" path="/var/lib/logrotate.status" dev="sda1" ino=11798238 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file',
'type=AVC msg=audit(1457925841.589:32715): avc:  denied  { write } for  pid=30569 comm="logrotate" path="/var/lib/logrotate.status.tmp" dev="sda1" ino=11798071 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file',
'type=AVC msg=audit(1457925841.613:32717): avc:  denied  { unlink } for  pid=30569 comm="logrotate" name="logrotate.status" dev="sda1" ino=11798238 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file',
'type=AVC msg=audit(1457925841.589:32715): avc:  denied  { create } for  pid=30569 comm="logrotate" name="logrotate.status.tmp" scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file',
'type=AVC msg=audit(1457925841.498:32714): avc:  denied  { read } for  pid=30569 comm="logrotate" name="logrotate.status" dev="sda1" ino=11798238 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file',
'type=AVC msg=audit(1457925841.613:32717): avc:  denied  { rename } for  pid=30569 comm="logrotate" name="logrotate.status.tmp" dev="sda1" ino=11798071 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file'
]

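
As an added example (not part of the original ticket and not teuthology's own code), the following Python groups AVC records like the ones reported above by source type, target type and object class, and applies an ignore list in the spirit of the overrides discussed in the comments. The names `parse_avc` and `summarize` and the tuple format of `ignore` are assumptions made for illustration; the last sample record is constructed.

```python
import re
from collections import defaultdict

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# First three records are copied from the ticket; the last one is constructed
# (example_t is a made-up domain) to show that an override does not hide it.
SAMPLE = [
    'type=AVC msg=audit(1457925841.589:32716): avc:  denied  { setattr } for  pid=30569 comm="logrotate" name="logrotate.status.tmp" dev="sda1" ino=11798071 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file',
    'type=AVC msg=audit(1457925841.498:32713): avc:  denied  { getattr } for  pid=30569 comm="logrotate" path="/var/lib/logrotate.status" dev="sda1" ino=11798238 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file',
    'type=AVC msg=audit(1457925841.613:32717): avc:  denied  { unlink } for  pid=30569 comm="logrotate" name="logrotate.status" dev="sda1" ino=11798238 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file',
    'type=AVC msg=audit(1457925900.000:40000): avc:  denied  { write } for  pid=1234 comm="example" name="example.dat" dev="sda1" ino=1 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file',
]

def parse_avc(line):
    """Return the fields of one AVC denial record, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    if not {'scontext', 'tcontext', 'tclass'} <= rec.keys():
        return None
    rec['perms'] = m.group('perms').split()
    # A context is user:role:type:level; only the level may contain further ':'.
    rec['stype'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    return rec

def summarize(lines, ignore=()):
    """Map (source type, target type, class) -> sorted denied permissions.

    `ignore` is a hypothetical override list of such tuples, not teuthology's format.
    """
    groups = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec['stype'], rec['ttype'], rec['tclass'])
        if key not in ignore:
            groups[key].update(rec['perms'])
    return {k: sorted(v) for k, v in groups.items()}

if __name__ == '__main__':
    for key, perms in summarize(SAMPLE).items():
        print(key, perms)
```

Keying the ignore list on the full (source type, target type, class) tuple keeps an override for the logrotate denials from also suppressing denials raised by other domains.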
#1

Updated by Nathan Cutler about 8 years ago

More selinux denials found in http://pulpito.ceph.com/smithfarm-2016-03-21_08:59:26-ceph-deploy:basic-wip-13955-infernalis---basic-multi/ (jobs 77618 and 77620) - the command tripping them appears to be "systemctl enable ceph.target"

#2

Updated by Vasu Kulkarni about 8 years ago

Regarding "systemctl enable ceph.target", it was discussed with Boris on another ticket and has nothing to do with Ceph. I will be raising a BZ for the systemd group. In the meantime, we should just add overrides to ignore this and logrotate.

#3

Updated by Nathan Cutler about 8 years ago

AFAICT these failures are happening in lots of different suites. One solution would be to add overrides for all SELinuxErrors to all suites and all standalone tests, but that doesn't seem right somehow.

#4

Updated by Greg Farnum about 7 years ago

  • Status changed from New to Resolved

We still have periodic SELinux issues on the test clusters, but the combination of overrides for stuff we can't fix, and fixing what we can, appears to have held up.
