Actions
Bug #24785
closedmimic selinux denials comm="tp_fstore_op / comm="ceph-osd dev=dm-0 and dm-1
% Done:
0%
Source:
Tags:
Backport:
mimic luminous
Regression:
No
Severity:
3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Component(RADOS):
Pull request ID:
Crash signature (v1):
Crash signature (v2):
Description
SELinux denials found on ubuntu@mira092.front.sepia.ceph.com: ['type=AVC msg=audit(1530692255.147:4559): avc: denied { write } for pid=11114 comm="ceph-osd" name="fsid" dev="dm-1" ino=37 scontext=system_u:system_r:ceph_t:s0 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=file', 'type=AVC msg=audit(1530692241.055:4551): avc: denied { read } for pid=10316 comm="tp_fstore_op" name="meta" dev="dm-0" ino=537288256 scontext=system_u:system_r:ceph_t:s0 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=dir', 'type=AVC msg=audit(1530692232.509:4487): avc: denied { remove_name } for pid=10316 comm="ceph-osd" name="fiemap_test" dev="dm-0" ino=50 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir', 'type=AVC msg=audit(1530692232.509:4486): avc: denied { read write open } for pid=10316 comm="ceph-osd" path="/var/lib/ceph/osd/ceph-0/fiemap_test" dev="dm-0" ino=50 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file', 'type=AVC msg=audit(1530692241.055:4552): avc: denied { setattr } for pid=10316 comm="tp_fstore_op" name="meta" dev="dm-0" ino=537288256 scontext=system_u:system_r:ceph_t:s0 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=dir', 'type=AVC msg=audit(1530692241.055:4550): avc: denied { write } for pid=10316 comm="tp_fstore_op" name="meta" dev="dm-0" ino=537288256 scontext=system_u:system_r:ceph_t:s0 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=dir', 'type=AVC msg=audit(1530692409.339:4595): avc: denied { write } for pid=11114 comm="tp_fstore_op" name="meta" dev="dm-1" ino=537288256 scontext=system_u:system_r:ceph_t:s0 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=dir', 'type=AVC msg=audit(1530692255.148:4563): avc: denied { remove_name } for pid=11114 comm="ceph-osd" name="fiemap_test" dev="dm-1" ino=50 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir', 'type=AVC msg=audit(1530692408.997:4594): avc: denied { add_name } for pid=11114 comm="tp_fstore_op" name="rbd\\uid.testimg__head_57ED51E9__1" scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir', 'type=AVC msg=audit(1530692360.075:4582): avc: denied { add_name } for pid=11114 comm="tp_fstore_op" name="__head_00000003__1" scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir', 'type=AVC msg=audit(1530692255.160:4569): avc: denied { setattr } for pid=11114 comm="tp_fstore_op" name="meta" dev="dm-1" ino=537288256 scontext=system_u:system_r:ceph_t:s0 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=dir', 'type=AVC msg=audit(1530692232.511:4490): avc: denied { read } for pid=10316 comm="ceph-osd" name="current" dev="dm-0" ino=40 scontext=system_u:system_r:ceph_t:s0 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=dir', 'type=AVC msg=audit(1530692241.055:4550): avc: denied { read write open } for pid=10316 comm="tp_fstore_op" path="/var/lib/ceph/osd/ceph-0/current/meta/inc\\uosdmap.6__0_B65F4796__none" dev="dm-0" ino=537288269 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file', 'type=AVC msg=audit(1530692232.442:4479): avc: denied { open } for pid=10316 comm="ceph-osd" path="/var/lib/ceph/osd/ceph-0/keyring" dev="dm-0" ino=49 scontext=system_u:system_r:ceph_t:s0 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=file', 'type=AVC msg=audit(1530692409.339:4595): avc: denied { add_name } for pid=11114 comm="tp_fstore_op" name="inc\\uosdmap.32__0_F4E9D183__none" scontext=system_u:system_r:ceph_t:s0 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=dir', 'type=AVC msg=audit(1530692255.146:4558): avc: denied { read } for pid=11114 comm="ceph-osd" name="journal" dev="dm-1" ino=35 scontext=system_u:system_r:ceph_t:s0 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=lnk_file', 'type=AVC msg=audit(1530692232.514:4491): avc: denied { write } for pid=10316 comm="ceph-osd" name="omap" dev="dm-0" ino=268435488 scontext=system_u:system_r:ceph_t:s0 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=dir', 'type=AVC msg=audit(1530692232.525:4493): avc: denied { setattr } for pid=10316 comm="tp_fstore_op" name="meta" dev="dm-0" ino=537288256 scontext=system_u:system_r:ceph_t:s0 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=dir', 'type=AVC msg=audit(1530692255.153:4567): avc: denied { write } for pid=11114 comm="ceph-osd" name="omap" dev="dm-1" ino=268435488 scontext=system_u:system_r:ceph_t:s0 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=dir', 'type=AVC msg=audit(1530692232.510:4489): avc: denied { getattr } for pid=10316 comm="ceph-osd" name="xattr_test" dev="dm-0" ino=50 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file', 'type=AVC msg=audit(1530692241.054:4549): avc: denied { getattr } for pid=10316 comm="ms_dispatch" path="/var/lib/ceph/osd/ceph-0/current/meta/osdmap.5__0_FD6E4F71__none" dev="dm-0" ino=537288268 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file', 'type=AVC msg=audit(1530692232.507:4482): avc: denied { read } for pid=10316 comm="ceph-osd" name="journal" dev="dm-0" ino=35 scontext=system_u:system_r:ceph_t:s0 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=lnk_file', 'type=AVC msg=audit(1530692232.442:4480): avc: denied { getattr } for pid=10316 comm="ceph-osd" path="/var/lib/ceph/osd/ceph-0/keyring" dev="dm-0" ino=49 scontext=system_u:system_r:ceph_t:s0 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=file', 'type=AVC msg=audit(1530692241.055:4550): avc: denied { add_name } for pid=10316 comm="tp_fstore_op" name="inc\\uosdmap.6__0_B65F4796__none" scontext=system_u:system_r:ceph_t:s0 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=dir', 'type=AVC msg=audit(1530692232.508:4483): avc: denied { write } for pid=10316 comm="ceph-osd" name="fsid" dev="dm-0" ino=37 scontext=system_u:system_r:ceph_t:s0 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=file', 'type=AVC msg=audit(1530692255.155:4568): avc: denied { remove_name } for pid=11114 comm="ceph-osd" name="000009.dbtmp" dev="dm-1" ino=268435500 scontext=system_u:system_r:ceph_t:s0 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=dir', 'type=AVC msg=audit(1530692255.147:4561): avc: denied { write } for pid=11114 comm="ceph-osd" name="/" dev="dm-1" ino=32 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir', 'type=AVC msg=audit(1530692360.070:4581): avc: denied { read } for pid=11114 comm="tp_fstore_op" name="1.13_head" dev="dm-1" ino=805306400 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir', 'type=AVC msg=audit(1530692255.146:4557): avc: denied { read } for pid=11114 comm="ceph-osd" name="/" dev="dm-1" ino=32 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir', 'type=AVC msg=audit(1530692232.508:4485): avc: denied { write } for pid=10316 comm="ceph-osd" name="/" dev="dm-0" ino=32 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir', 'type=AVC msg=audit(1530692232.515:4492): avc: denied { rename } for pid=10316 comm="ceph-osd" name="000009.dbtmp" dev="dm-0" ino=268435500 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file', 'type=AVC msg=audit(1530692232.508:4484): avc: denied { lock } for pid=10316 comm="ceph-osd" path="/var/lib/ceph/osd/ceph-0/fsid" dev="dm-0" ino=37 scontext=system_u:system_r:ceph_t:s0 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=file', 'type=AVC msg=audit(1530692232.515:4492): avc: denied { remove_name } for pid=10316 comm="ceph-osd" name="000009.dbtmp" dev="dm-0" ino=268435500 scontext=system_u:system_r:ceph_t:s0 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=dir', 'type=AVC msg=audit(1530692403.285:4592): avc: denied { read } for pid=10316 comm="tp_fstore_op" name="1.3d_head" dev="dm-0" ino=805306408 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir', 'type=AVC msg=audit(1530692255.148:4562): avc: denied { add_name } for pid=11114 comm="ceph-osd" name="fiemap_test" scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir', 'type=AVC msg=audit(1530692255.147:4560): avc: denied { lock } for pid=11114 comm="ceph-osd" path="/var/lib/ceph/osd/ceph-1/fsid" dev="dm-1" ino=37 scontext=system_u:system_r:ceph_t:s0 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=file', 'type=AVC msg=audit(1530692255.153:4567): avc: denied { add_name } for pid=11114 comm="ceph-osd" name="000008.sst" scontext=system_u:system_r:ceph_t:s0 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=dir', 'type=AVC msg=audit(1530692232.507:4481): avc: denied { read } for pid=10316 comm="ceph-osd" name="/" dev="dm-0" ino=32 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir', 'type=AVC msg=audit(1530692360.070:4580): avc: denied { setattr } for pid=11114 comm="tp_fstore_op" name="1.13_head" dev="dm-1" ino=805306400 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir', 'type=AVC msg=audit(1530692241.055:4553): avc: denied { setattr } for pid=10316 comm="tp_fstore_op" name="inc\\uosdmap.6__0_B65F4796__none" dev="dm-0" ino=537288269 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file', 'type=AVC msg=audit(1530692255.083:4556): avc: denied { getattr } for pid=11114 comm="ceph-osd" path="/var/lib/ceph/osd/ceph-1/keyring" dev="dm-1" ino=49 scontext=system_u:system_r:ceph_t:s0 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=file', 'type=AVC msg=audit(1530692403.286:4593): avc: denied { setattr } for pid=10316 comm="tp_fstore_op" name="1.3d_head" dev="dm-0" ino=805306408 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir', 'type=AVC msg=audit(1530692394.408:4583): avc: denied { remove_name } for pid=10316 comm="tp_fstore_op" name="rbd\\udata.11102ae8944a.0000000000000000__head_947F8936__1" dev="dm-0" ino=95 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir', 'type=AVC msg=audit(1530692409.340:4597): avc: denied { setattr } for pid=11114 comm="tp_fstore_op" name="meta" dev="dm-1" ino=537288256 scontext=system_u:system_r:ceph_t:s0 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=dir',
Updated by John Spray almost 6 years ago
- Project changed from Ceph to RADOS
- Category deleted (
build)
Filing under RADOS because it appears to be OSD specific.
Updated by Boris Ranto almost 6 years ago
This points to a deeper issue. The target context seems to always be 'unlabeled_t'. That context means something like 'the label was not recognized' or was removed. However, the source context is ceph_t which means that the ceph policy was installed at least when the ceph daemons were trying to access the files with the unrecognized labels.
I would need more information about the tests to have a better idea what is going on. Is this a ceph-volume based deployment? What are the tests doing? Is there any package update/upgrade going on?
Updated by Vasu Kulkarni almost 6 years ago
This was a ceph-volume test with rbd workload, no upgrades, just fresh install, full logs at
http://pulpito.ceph.com/teuthology-2018-07-06_05:55:02-ceph-deploy-mimic-distro-basic-mira/2743485/
Updated by Boris Ranto almost 6 years ago
OK, it looks like we missed this in the previous tracker issue that mentioned it (it was actually a three part fix and we missed the third part -- updating ceph-volume).
The issue is that ceph-volume does not have any support for SELinux at the moment. I have started working on this in my wip-volume-selinux branch (pushed to ceph-ci) where I properly set the context of the root of the mounted OSD volume to the proper ceph context.
Could you re-run the test against my wip-volume-selinux branch? (in ceph-ci) Alternatively, can you point me to a command that you ran to schedule the test so that I could test myself?
Updated by Vasu Kulkarni almost 6 years ago
Cool, I will pickup and run your test, atm the load on workers is high, should have the results tomorrow eod.
Updated by Vasu Kulkarni over 5 years ago
Updated by Boris Ranto over 5 years ago
- Backport set to mimic luminous
The manual testing suggests this should fix this issue:
Updated by Boris Ranto over 5 years ago
- Status changed from New to Fix Under Review
- Priority changed from High to Urgent
Updated by Boris Ranto over 5 years ago
- Status changed from Fix Under Review to Pending Backport
Updated by Boris Ranto over 5 years ago
Updated by Nathan Cutler over 5 years ago
- Copied to Backport #25142: mimic: mimic selinux denials comm="tp_fstore_op / comm="ceph-osd dev=dm-0 and dm-1 added
Updated by Nathan Cutler over 5 years ago
- Copied to Backport #25143: luminous: mimic selinux denials comm="tp_fstore_op / comm="ceph-osd dev=dm-0 and dm-1 added
Updated by Boris Ranto over 5 years ago
- Status changed from Pending Backport to Resolved
Actions