Bug #40412

open

os/bluestore: osd_memory_target_cgroup_limit_ratio won't work with SELinux

Added by Radoslaw Zarzynski almost 5 years ago. Updated almost 5 years ago.

Status: New
Priority: Normal
Target version: -
% Done: 0%
Source:
Tags:
Backport:
Regression: No
Severity: 3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:
Crash signature (v1):
Crash signature (v2):

Description

When running in an SELinux-enabled environment, ceph-osd violates the access policy because of reading the memory limits via cgroupfs:

type=AVC msg=audit(1559833707.366:1563): avc:  denied  { search } for  pid=22626 comm="ceph-osd" name="/" dev="tmpfs" ino=11449 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1559833707.366:1563): avc:  denied  { read } for  pid=22626 comm="ceph-osd" name="memory.limit_in_bytes" dev="cgroup" ino=10 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=file permissive=1
type=AVC msg=audit(1559833707.366:1563): avc:  denied  { open } for  pid=22626 comm="ceph-osd" path="/sys/fs/cgroup/memory/memory.limit_in_bytes" dev="cgroup" ino=10 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=file permissive=1
...
type=AVC msg=audit(1559833707.366:1564): avc:  denied  { getattr } for  pid=22626 comm="ceph-osd" path="/sys/fs/cgroup/memory/memory.limit_in_bytes" dev="cgroup" ino=10 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=file permissive=1

These audit logs were emitted because of a call to `get_cgroup_memory_limit()`. At the moment `BlueStore::_set_cache_sizes()` is its exclusive client.
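
A way to triage denials like the ones quoted in this report, added here as an example and not part of the original ticket or of Ceph's code: it groups the AVC records by source type, target type and object class, and lists the permissions ceph-osd requested in SELinux allow-rule syntax. The function names are illustrative; the sample input is the four records from the report.

```python
import re
from collections import defaultdict

# The four AVC records quoted in the report (the elided "..." line is left out).
AUDIT_LOG = """\
type=AVC msg=audit(1559833707.366:1563): avc:  denied  { search } for  pid=22626 comm="ceph-osd" name="/" dev="tmpfs" ino=11449 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1559833707.366:1563): avc:  denied  { read } for  pid=22626 comm="ceph-osd" name="memory.limit_in_bytes" dev="cgroup" ino=10 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=file permissive=1
type=AVC msg=audit(1559833707.366:1563): avc:  denied  { open } for  pid=22626 comm="ceph-osd" path="/sys/fs/cgroup/memory/memory.limit_in_bytes" dev="cgroup" ino=10 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=file permissive=1
type=AVC msg=audit(1559833707.366:1564): avc:  denied  { getattr } for  pid=22626 comm="ceph-osd" path="/sys/fs/cgroup/memory/memory.limit_in_bytes" dev="cgroup" ino=10 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=file permissive=1
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+'
    r'tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?'
)

def selinux_type(context):
    """Extract the type field from a user:role:type:level context."""
    return context.split(":")[2]

def summarize(log_text, comm="ceph-osd"):
    """Return ({(source_type, target_type, tclass): perms}, enforced_count)."""
    needed = defaultdict(set)
    enforced = 0
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or m["comm"] != comm:
            continue  # not an AVC denial for the process of interest
        key = (selinux_type(m["scontext"]), selinux_type(m["tcontext"]), m["tclass"])
        needed[key].update(m["perms"].split())
        if m["permissive"] == "0":
            enforced += 1  # permissive=0: the kernel blocked the access
    return dict(needed), enforced

def as_allow_rules(needed):
    """Render the grouped permissions in SELinux allow-rule syntax."""
    return [f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
            for (src, tgt, cls), perms in sorted(needed.items())]

if __name__ == "__main__":
    needed, enforced = summarize(AUDIT_LOG)
    print("\n".join(as_allow_rules(needed)))
    print(f"denials actually enforced: {enforced}")
```

All four records carry `permissive=1`, so the accesses were logged rather than blocked, which is why the enforced count is 0.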

Actions #1

Updated by Neha Ojha almost 5 years ago

  • Assignee set to Radoslaw Zarzynski