Bug #24785

closed

mimic selinux denials comm="tp_fstore_op / comm="ceph-osd dev=dm-0 and dm-1

Added by Vasu Kulkarni almost 6 years ago. Updated almost 6 years ago.

Status: Resolved
Priority: Urgent
Assignee:
Category: -
Target version: -
% Done: 0%
Source:
Tags:
Backport: mimic luminous
Regression: No
Severity: 3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Component(RADOS):
Pull request ID:
Crash signature (v1):
Crash signature (v2):

Description


SELinux denials found on ubuntu@mira092.front.sepia.ceph.com: ['type=AVC msg=audit(1530692255.147:4559): avc: denied { write } for pid=11114 comm="ceph-osd" name="fsid" dev="dm-1" ino=37 scontext=system_u:system_r:ceph_t:s0 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=file', 'type=AVC msg=audit(1530692241.055:4551): avc: denied { read } for pid=10316 comm="tp_fstore_op" name="meta" dev="dm-0" ino=537288256 scontext=system_u:system_r:ceph_t:s0 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=dir', 'type=AVC msg=audit(1530692232.509:4487): avc: denied { remove_name } for pid=10316 comm="ceph-osd" name="fiemap_test" dev="dm-0" ino=50 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir', 'type=AVC msg=audit(1530692232.509:4486): avc: denied { read write open } for pid=10316 comm="ceph-osd" path="/var/lib/ceph/osd/ceph-0/fiemap_test" dev="dm-0" ino=50 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file', 'type=AVC msg=audit(1530692241.055:4552): avc: denied { setattr } for pid=10316 comm="tp_fstore_op" name="meta" dev="dm-0" ino=537288256 scontext=system_u:system_r:ceph_t:s0 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=dir', 'type=AVC msg=audit(1530692241.055:4550): avc: denied { write } for pid=10316 comm="tp_fstore_op" name="meta" dev="dm-0" ino=537288256 scontext=system_u:system_r:ceph_t:s0 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=dir', 'type=AVC msg=audit(1530692409.339:4595): avc: denied { write } for pid=11114 comm="tp_fstore_op" name="meta" dev="dm-1" ino=537288256 scontext=system_u:system_r:ceph_t:s0 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=dir', 'type=AVC msg=audit(1530692255.148:4563): avc: denied { remove_name } for pid=11114 comm="ceph-osd" name="fiemap_test" dev="dm-1" ino=50 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir', 'type=AVC msg=audit(1530692408.997:4594): avc: denied { add_name } for 
pid=11114 comm="tp_fstore_op" name="rbd\\uid.testimg__head_57ED51E9__1" scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir', 'type=AVC msg=audit(1530692360.075:4582): avc: denied { add_name } for pid=11114 comm="tp_fstore_op" name="__head_00000003__1" scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir', 'type=AVC msg=audit(1530692255.160:4569): avc: denied { setattr } for pid=11114 comm="tp_fstore_op" name="meta" dev="dm-1" ino=537288256 scontext=system_u:system_r:ceph_t:s0 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=dir', 'type=AVC msg=audit(1530692232.511:4490): avc: denied { read } for pid=10316 comm="ceph-osd" name="current" dev="dm-0" ino=40 scontext=system_u:system_r:ceph_t:s0 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=dir', 'type=AVC msg=audit(1530692241.055:4550): avc: denied { read write open } for pid=10316 comm="tp_fstore_op" path="/var/lib/ceph/osd/ceph-0/current/meta/inc\\uosdmap.6__0_B65F4796__none" dev="dm-0" ino=537288269 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file', 'type=AVC msg=audit(1530692232.442:4479): avc: denied { open } for pid=10316 comm="ceph-osd" path="/var/lib/ceph/osd/ceph-0/keyring" dev="dm-0" ino=49 scontext=system_u:system_r:ceph_t:s0 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=file', 'type=AVC msg=audit(1530692409.339:4595): avc: denied { add_name } for pid=11114 comm="tp_fstore_op" name="inc\\uosdmap.32__0_F4E9D183__none" scontext=system_u:system_r:ceph_t:s0 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=dir', 'type=AVC msg=audit(1530692255.146:4558): avc: denied { read } for pid=11114 comm="ceph-osd" name="journal" dev="dm-1" ino=35 scontext=system_u:system_r:ceph_t:s0 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=lnk_file', 'type=AVC msg=audit(1530692232.514:4491): avc: denied { write } for pid=10316 comm="ceph-osd" name="omap" dev="dm-0" ino=268435488 
scontext=system_u:system_r:ceph_t:s0 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=dir', 'type=AVC msg=audit(1530692232.525:4493): avc: denied { setattr } for pid=10316 comm="tp_fstore_op" name="meta" dev="dm-0" ino=537288256 scontext=system_u:system_r:ceph_t:s0 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=dir', 'type=AVC msg=audit(1530692255.153:4567): avc: denied { write } for pid=11114 comm="ceph-osd" name="omap" dev="dm-1" ino=268435488 scontext=system_u:system_r:ceph_t:s0 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=dir', 'type=AVC msg=audit(1530692232.510:4489): avc: denied { getattr } for pid=10316 comm="ceph-osd" name="xattr_test" dev="dm-0" ino=50 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file', 'type=AVC msg=audit(1530692241.054:4549): avc: denied { getattr } for pid=10316 comm="ms_dispatch" path="/var/lib/ceph/osd/ceph-0/current/meta/osdmap.5__0_FD6E4F71__none" dev="dm-0" ino=537288268 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file', 'type=AVC msg=audit(1530692232.507:4482): avc: denied { read } for pid=10316 comm="ceph-osd" name="journal" dev="dm-0" ino=35 scontext=system_u:system_r:ceph_t:s0 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=lnk_file', 'type=AVC msg=audit(1530692232.442:4480): avc: denied { getattr } for pid=10316 comm="ceph-osd" path="/var/lib/ceph/osd/ceph-0/keyring" dev="dm-0" ino=49 scontext=system_u:system_r:ceph_t:s0 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=file', 'type=AVC msg=audit(1530692241.055:4550): avc: denied { add_name } for pid=10316 comm="tp_fstore_op" name="inc\\uosdmap.6__0_B65F4796__none" scontext=system_u:system_r:ceph_t:s0 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=dir', 'type=AVC msg=audit(1530692232.508:4483): avc: denied { write } for pid=10316 comm="ceph-osd" name="fsid" dev="dm-0" ino=37 scontext=system_u:system_r:ceph_t:s0 tcontext=unconfined_u:object_r:unlabeled_t:s0 
tclass=file', 'type=AVC msg=audit(1530692255.155:4568): avc: denied { remove_name } for pid=11114 comm="ceph-osd" name="000009.dbtmp" dev="dm-1" ino=268435500 scontext=system_u:system_r:ceph_t:s0 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=dir', 'type=AVC msg=audit(1530692255.147:4561): avc: denied { write } for pid=11114 comm="ceph-osd" name="/" dev="dm-1" ino=32 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir', 'type=AVC msg=audit(1530692360.070:4581): avc: denied { read } for pid=11114 comm="tp_fstore_op" name="1.13_head" dev="dm-1" ino=805306400 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir', 'type=AVC msg=audit(1530692255.146:4557): avc: denied { read } for pid=11114 comm="ceph-osd" name="/" dev="dm-1" ino=32 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir', 'type=AVC msg=audit(1530692232.508:4485): avc: denied { write } for pid=10316 comm="ceph-osd" name="/" dev="dm-0" ino=32 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir', 'type=AVC msg=audit(1530692232.515:4492): avc: denied { rename } for pid=10316 comm="ceph-osd" name="000009.dbtmp" dev="dm-0" ino=268435500 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file', 'type=AVC msg=audit(1530692232.508:4484): avc: denied { lock } for pid=10316 comm="ceph-osd" path="/var/lib/ceph/osd/ceph-0/fsid" dev="dm-0" ino=37 scontext=system_u:system_r:ceph_t:s0 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=file', 'type=AVC msg=audit(1530692232.515:4492): avc: denied { remove_name } for pid=10316 comm="ceph-osd" name="000009.dbtmp" dev="dm-0" ino=268435500 scontext=system_u:system_r:ceph_t:s0 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=dir', 'type=AVC msg=audit(1530692403.285:4592): avc: denied { read } for pid=10316 comm="tp_fstore_op" name="1.3d_head" dev="dm-0" ino=805306408 
scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir', 'type=AVC msg=audit(1530692255.148:4562): avc: denied { add_name } for pid=11114 comm="ceph-osd" name="fiemap_test" scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir', 'type=AVC msg=audit(1530692255.147:4560): avc: denied { lock } for pid=11114 comm="ceph-osd" path="/var/lib/ceph/osd/ceph-1/fsid" dev="dm-1" ino=37 scontext=system_u:system_r:ceph_t:s0 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=file', 'type=AVC msg=audit(1530692255.153:4567): avc: denied { add_name } for pid=11114 comm="ceph-osd" name="000008.sst" scontext=system_u:system_r:ceph_t:s0 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=dir', 'type=AVC msg=audit(1530692232.507:4481): avc: denied { read } for pid=10316 comm="ceph-osd" name="/" dev="dm-0" ino=32 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir', 'type=AVC msg=audit(1530692360.070:4580): avc: denied { setattr } for pid=11114 comm="tp_fstore_op" name="1.13_head" dev="dm-1" ino=805306400 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir', 'type=AVC msg=audit(1530692241.055:4553): avc: denied { setattr } for pid=10316 comm="tp_fstore_op" name="inc\\uosdmap.6__0_B65F4796__none" dev="dm-0" ino=537288269 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file', 'type=AVC msg=audit(1530692255.083:4556): avc: denied { getattr } for pid=11114 comm="ceph-osd" path="/var/lib/ceph/osd/ceph-1/keyring" dev="dm-1" ino=49 scontext=system_u:system_r:ceph_t:s0 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=file', 'type=AVC msg=audit(1530692403.286:4593): avc: denied { setattr } for pid=10316 comm="tp_fstore_op" name="1.3d_head" dev="dm-0" ino=805306408 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir', 'type=AVC msg=audit(1530692394.408:4583): avc: denied 
{ remove_name } for pid=10316 comm="tp_fstore_op" name="rbd\\udata.11102ae8944a.0000000000000000__head_947F8936__1" dev="dm-0" ino=95 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir', 'type=AVC msg=audit(1530692409.340:4597): avc: denied { setattr } for pid=11114 comm="tp_fstore_op" name="meta" dev="dm-1" ino=537288256 scontext=system_u:system_r:ceph_t:s0 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=dir', 


Related issues 2 (0 open, 2 closed)

Copied to RADOS - Backport #25142: mimic: mimic selinux denials comm="tp_fstore_op / comm="ceph-osd dev=dm-0 and dm-1 (Resolved, Boris Ranto)
Copied to RADOS - Backport #25143: luminous: mimic selinux denials comm="tp_fstore_op / comm="ceph-osd dev=dm-0 and dm-1 (Resolved, Boris Ranto)