Bug #40743

"SELinux denials found" in ceph-deploy/nautilus

Added by Yuri Weinstein almost 5 years ago. Updated almost 3 years ago.

Status: Resolved
Priority: Urgent
Assignee:
Category: -
Target version: -
% Done: 0%
Source: Q/A
Tags:
Backport:
Regression: No
Severity: 3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:
Crash signature (v1):
Crash signature (v2):

Description

Run: http://pulpito.ceph.com/sage-2019-07-11_16:58:04-ceph-deploy-master-distro-basic-mira/
Jobs: all
Logs: http://qa-proxy.ceph.com/teuthology/sage-2019-07-11_16:58:04-ceph-deploy-master-distro-basic-mira/4110688/teuthology.log

SELinux denials found on ubuntu@mira111.front.sepia.ceph.com:

type=AVC msg=audit(1562873206.107:6783): avc: denied { getattr } for pid=27073 comm="fn_anonymous" path="/run/udev/data/b8:16" dev="tmpfs" ino=171147 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1562873121.637:6464): avc: denied { getattr } for pid=25719 comm="ms_dispatch" path="/proc/kcore" dev="proc" ino=4026532068 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:proc_kcore_t:s0 tclass=file permissive=1
type=AVC msg=audit(1562873206.107:6782): avc: denied { read } for pid=27073 comm="fn_anonymous" name="b8:16" dev="tmpfs" ino=171147 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1562873220.884:6841): avc: denied { open } for pid=27750 comm="fn_anonymous" path="/run/udev/data/b8:48" dev="tmpfs" ino=169443 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1562873132.862:6512): avc: denied { getattr } for pid=25719 comm="ms_dispatch" path="/proc/kcore" dev="proc" ino=4026532068 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:proc_kcore_t:s0 tclass=file permissive=1
type=AVC msg=audit(1562873220.884:6841): avc: denied { read } for pid=27750 comm="fn_anonymous" name="b8:48" dev="tmpfs" ino=169443 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1562873220.885:6842): avc: denied { getattr } for pid=27750 comm="fn_anonymous" path="/run/udev/data/b8:48" dev="tmpfs" ino=169443 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1562873206.107:6782): avc: denied { open } for pid=27073 comm="fn_anonymous" path="/run/udev/data/b8:16" dev="tmpfs" ino=171147 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1

Related issues: 2 (0 open, 2 closed)

Related to Ceph - Bug #43064: "SELinux denials found" in ceph-deploy (Resolved)
Related to Ceph - Bug #44196: selinux setsched denials for 'fn_anonymous' (Resolved)
#1

Updated by Yuri Weinstein almost 5 years ago

  • Subject changed from "SELinux denials found" in ceph-deplpy/nautilus to "SELinux denials found" in ceph-deploy/nautilus
#2

Updated by Sage Weil over 4 years ago

  • Status changed from New to Can't reproduce
#4

Updated by Brad Hubbard about 4 years ago

  • Status changed from Can't reproduce to New
#5

Updated by Brad Hubbard about 4 years ago

  • Related to Bug #43064: "SELinux denials found" in ceph-deploy added
#6

Updated by Brad Hubbard about 4 years ago

SELinux is preventing /usr/bin/ceph-osd from using the setsched access on a process.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that ceph-osd should be allowed setsched access on processes labeled ceph_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'fn_anonymous' --raw | audit2allow -M my-fnanonymous
# semodule -i my-fnanonymous.pp

Additional Information:
Source Context                system_u:system_r:ceph_t:s0
Target Context                system_u:system_r:ceph_t:s0
Target Objects                Unknown [ process ]
Source                        fn_anonymous
Source Path                   /usr/bin/ceph-osd
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           ceph-osd-14.2.7-437.geae77db.el7.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-252.el7_7.6.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     smithi093
Platform                      Linux smithi093 3.10.0-1062.12.1.el7.x86_64 #1 SMP
                              Tue Feb 4 23:02:59 UTC 2020 x86_64 x86_64
Alert Count                   1
First Seen                    2020-02-10 03:16:46 UTC
Last Seen                     2020-02-10 03:16:46 UTC
Local ID                      0f02f878-2aac-4683-b803-67bc4deea7ad

Raw Audit Messages
type=AVC msg=audit(1581304606.562:6693): avc:  denied  { setsched } for  pid=14311 comm="fn_anonymous" scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:system_r:ceph_t:s0 tclass=process permissive=1

type=SYSCALL msg=audit(1581304606.562:6693): arch=x86_64 syscall=sched_setaffinity success=yes exit=0 a0=37e7 a1=8 a2=560699b8a7b0 a3=7f0ccd7740e0 items=0 ppid=1 pid=14311 auid=4294967295 uid=167 gid=167 euid=167 suid=167 fsuid=167 egid=167 sgid=167 fsgid=167 tty=(none) ses=4294967295 comm=fn_anonymous exe=/usr/bin/ceph-osd subj=system_u:system_r:ceph_t:s0 key=(null)

Hash: fn_anonymous,ceph_t,ceph_t,process,setsched
#7

Updated by Brad Hubbard about 4 years ago

SELinux is preventing /usr/bin/ceph-mon from getattr access on the file /proc/kcore.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that ceph-mon should be allowed getattr access on the kcore file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'ms_dispatch' --raw | audit2allow -M my-msdispatch
# semodule -i my-msdispatch.pp

Additional Information:
Source Context                system_u:system_r:ceph_t:s0
Target Context                system_u:object_r:proc_kcore_t:s0
Target Objects                /proc/kcore [ file ]
Source                        ms_dispatch
Source Path                   /usr/bin/ceph-mon
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           ceph-mon-14.2.7-437.geae77db.el7.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-252.el7_7.6.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     smithi093
Platform                      Linux smithi093 3.10.0-1062.12.1.el7.x86_64 #1 SMP
                              Tue Feb 4 23:02:59 UTC 2020 x86_64 x86_64
Alert Count                   1
First Seen                    2020-02-10 03:14:06 UTC
Last Seen                     2020-02-10 03:14:06 UTC
Local ID                      0ba12610-4b86-4a69-82bc-292d8b04da10

Raw Audit Messages
type=AVC msg=audit(1581304446.209:5735): avc:  denied  { getattr } for  pid=8319 comm="ms_dispatch" path="/proc/kcore" dev="proc" ino=4026532039 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:proc_kcore_t:s0 tclass=file permissive=1

type=SYSCALL msg=audit(1581304446.209:5735): arch=x86_64 syscall=newfstatat success=yes exit=0 a0=21 a1=55a4e81f40eb a2=7f7c050c3880 a3=0 items=0 ppid=1 pid=8319 auid=4294967295 uid=167 gid=167 euid=167 suid=167 fsuid=167 egid=167 sgid=167 fsgid=167 tty=(none) ses=4294967295 comm=ms_dispatch exe=/usr/bin/ceph-mon subj=system_u:system_r:ceph_t:s0 key=(null)

Hash: ms_dispatch,ceph_t,proc_kcore_t,file,getattr
#8

Updated by Brad Hubbard about 4 years ago

Looks like the setsched issue might be new. Let me know if we need a new tracker for that one.

#9

Updated by Brad Hubbard about 4 years ago

Seeing the 'setsched' fn_anonymous denial on master as well.

#10

Updated by Brad Hubbard about 4 years ago

The setsched denial is being handled in https://tracker.ceph.com/issues/44196

#11

Updated by Brad Hubbard about 4 years ago

  • Related to Bug #44196: selinux setsched denials for 'fn_anonymous' added
#12

Updated by Brad Hubbard about 4 years ago

Full description of the getattr on /proc/kcore denial at https://tracker.ceph.com/issues/43064#note-10

#13

Updated by Brad Hubbard about 4 years ago

# ausearch -c 'ms_dispatch' --raw | audit2allow -M my-msdispatch
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i my-msdispatch.pp

# cat my-msdispatch.te 

module my-msdispatch 1.0;

require {
        type ceph_t;
        type proc_kcore_t;
        class file getattr;
}

#============= ceph_t ==============
allow ceph_t proc_kcore_t:file getattr;
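Added example (not part of this tracker issue, of Brad's comment above, or of the Ceph project's code): a small Python script that does offline what the `ausearch -c ... --raw | audit2allow -M ...` pipeline in #13 does on the box, so the generated rules can be reviewed before anything is loaded with semodule. It parses raw AVC records, collapses them to (source type, target type, class) -> permissions, renders an audit2allow-style .te module, and flags rules that would grant content access to a sensitive target type. The sample records are constructed input copied from the denials quoted in this issue; SENSITIVE_TARGETS, CONTENT_PERMS and the function names are this example's own choices, not anything from the Ceph policy. The point worth checking before accepting a generated module: the /proc/kcore denial is getattr only (the SYSCALL record in #7 shows newfstatat, i.e. a stat), which reveals nothing about kernel memory, whereas a read or open on proc_kcore_t would and should not be waved through. Every record here also carries permissive=1: the host was in permissive mode, so the operations succeeded (success=yes) and were only logged.

```python
import re
from collections import defaultdict

# Constructed sample input: AVC records copied from the denials quoted in this
# issue, plus one SYSCALL record to show that non-AVC lines are skipped.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1562873206.107:6783): avc: denied { getattr } for pid=27073 comm="fn_anonymous" path="/run/udev/data/b8:16" dev="tmpfs" ino=171147 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1562873121.637:6464): avc: denied { getattr } for pid=25719 comm="ms_dispatch" path="/proc/kcore" dev="proc" ino=4026532068 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:proc_kcore_t:s0 tclass=file permissive=1
type=AVC msg=audit(1562873206.107:6782): avc: denied { read } for pid=27073 comm="fn_anonymous" name="b8:16" dev="tmpfs" ino=171147 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1562873220.884:6841): avc: denied { open } for pid=27750 comm="fn_anonymous" path="/run/udev/data/b8:48" dev="tmpfs" ino=169443 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1581304606.562:6693): avc:  denied  { setsched } for  pid=14311 comm="fn_anonymous" scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:system_r:ceph_t:s0 tclass=process permissive=1
type=SYSCALL msg=audit(1581304606.562:6693): arch=x86_64 syscall=sched_setaffinity success=yes exit=0 ppid=1 pid=14311 uid=167 comm=fn_anonymous exe=/usr/bin/ceph-osd subj=system_u:system_r:ceph_t:s0 key=(null)
"""

AVC_RE = re.compile(r'type=AVC\b.*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Target types where "allow whatever was denied" hands the domain something it
# must not have. getattr (a stat) is harmless; the permissions below are not.
# Both tables are this example's own choice, not policy from the Ceph project.
SENSITIVE_TARGETS = {
    'proc_kcore_t': 'kernel memory image (/proc/kcore)',
    'shadow_t': 'password hashes (/etc/shadow)',
}
CONTENT_PERMS = {'read', 'open', 'write', 'append', 'execute', 'ioctl', 'mmap'}


def parse_avc(line):
    """Parse one audit line; return a dict for an AVC denial, None for anything else."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    # A security context is user:role:type:level; the type is what policy rules use.
    return {
        'perms': set(m.group('perms').split()),
        'comm': fields.get('comm'),
        'object': fields.get('path') or fields.get('name'),
        'stype': fields['scontext'].split(':')[2],
        'ttype': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
        'permissive': fields.get('permissive') == '1',
    }


def aggregate(lines):
    """Collapse denials to {(source type, target type, class): permissions}, as audit2allow does."""
    rules = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is not None:
            rules[(rec['stype'], rec['ttype'], rec['tclass'])] |= rec['perms']
    return dict(rules)


def _perm_list(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'


def to_te(rules, module='my-ceph', version='1.0'):
    """Render a policy module source (.te) in the layout audit2allow -M produces."""
    types = sorted({s for s, _, _ in rules} | {t for _, t, _ in rules})
    by_class = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        by_class[cls] |= perms
    out = [f'module {module} {version};', '', 'require {']
    out += [f'\ttype {t};' for t in types]
    out += [f'\tclass {cls} {_perm_list(perms)};' for cls, perms in sorted(by_class.items())]
    out += ['}', '']
    current = None
    for (s, t, cls), perms in sorted(rules.items()):
        if s != current:
            out.append(f'#============= {s} ==============')
            current = s
        target = 'self' if s == t else t   # audit2allow writes self for source == target
        out.append(f'allow {s} {target}:{cls} {_perm_list(perms)};')
    return '\n'.join(out) + '\n'


def review(rules):
    """Warnings for rules that would grant content access to a sensitive target type."""
    warnings = []
    for (s, t, cls), perms in sorted(rules.items()):
        risky = sorted(perms & CONTENT_PERMS)
        if t in SENSITIVE_TARGETS and risky:
            warnings.append(f'{s} -> {t}:{cls} {risky}: grants access to {SENSITIVE_TARGETS[t]}')
    return warnings


if __name__ == '__main__':
    rules = aggregate(SAMPLE_AUDIT.splitlines())
    print(to_te(rules))          # the getattr rule on proc_kcore_t matches the one in #13
    for w in review(rules):      # empty for this issue's denials: kcore is getattr only
        print('WARNING:', w)
```

On a real host replace SAMPLE_AUDIT with the output of `ausearch -m AVC --raw` (or feed the script the teuthology log) and compare the rendered .te against what audit2allow produced; any warning from review() is a rule to investigate in the daemon rather than load with semodule.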
#14

Updated by Brad Hubbard almost 4 years ago

  • Status changed from New to Fix Under Review
  • Assignee set to Brad Hubbard
#15

Updated by Brad Hubbard almost 4 years ago

  • Pull request ID set to 34870
#16

Updated by Brad Hubbard almost 4 years ago

  • Status changed from Fix Under Review to In Progress
#18

Updated by Sage Weil almost 3 years ago

  • Status changed from In Progress to Resolved