Bug #40743
"SELinux denials found" in ceph-deploy/nautilus
Status: closed
% Done: 0%
Description
Run: http://pulpito.ceph.com/sage-2019-07-11_16:58:04-ceph-deploy-master-distro-basic-mira/
Jobs: all
Logs: http://qa-proxy.ceph.com/teuthology/sage-2019-07-11_16:58:04-ceph-deploy-master-distro-basic-mira/4110688/teuthology.log
SELinux denials found on ubuntu@mira111.front.sepia.ceph.com:
type=AVC msg=audit(1562873206.107:6783): avc: denied { getattr } for pid=27073 comm="fn_anonymous" path="/run/udev/data/b8:16" dev="tmpfs" ino=171147 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1562873121.637:6464): avc: denied { getattr } for pid=25719 comm="ms_dispatch" path="/proc/kcore" dev="proc" ino=4026532068 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:proc_kcore_t:s0 tclass=file permissive=1
type=AVC msg=audit(1562873206.107:6782): avc: denied { read } for pid=27073 comm="fn_anonymous" name="b8:16" dev="tmpfs" ino=171147 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1562873220.884:6841): avc: denied { open } for pid=27750 comm="fn_anonymous" path="/run/udev/data/b8:48" dev="tmpfs" ino=169443 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1562873132.862:6512): avc: denied { getattr } for pid=25719 comm="ms_dispatch" path="/proc/kcore" dev="proc" ino=4026532068 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:proc_kcore_t:s0 tclass=file permissive=1
type=AVC msg=audit(1562873220.884:6841): avc: denied { read } for pid=27750 comm="fn_anonymous" name="b8:48" dev="tmpfs" ino=169443 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1562873220.885:6842): avc: denied { getattr } for pid=27750 comm="fn_anonymous" path="/run/udev/data/b8:48" dev="tmpfs" ino=169443 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1562873206.107:6782): avc: denied { open } for pid=27073 comm="fn_anonymous" path="/run/udev/data/b8:16" dev="tmpfs" ino=171147 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
Updated by Yuri Weinstein almost 5 years ago
- Subject changed from "SELinux denials found" in ceph-deplpy/nautilus to "SELinux denials found" in ceph-deploy/nautilus
Updated by Sage Weil over 4 years ago
- Status changed from New to Can't reproduce
Updated by Brad Hubbard about 4 years ago
Note that the above run is not using ceph-deploy, but rather ceph-ansible.
Updated by Brad Hubbard about 4 years ago
- Status changed from Can't reproduce to New
Updated by Brad Hubbard about 4 years ago
- Related to Bug #43064: "SELinux denials found" in ceph-deploy added
Updated by Brad Hubbard about 4 years ago
SELinux is preventing /usr/bin/ceph-osd from using the setsched access on a process.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that ceph-osd should be allowed setsched access on processes labeled ceph_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'fn_anonymous' --raw | audit2allow -M my-fnanonymous
# semodule -i my-fnanonymous.pp

Additional Information:
Source Context                system_u:system_r:ceph_t:s0
Target Context                system_u:system_r:ceph_t:s0
Target Objects                Unknown [ process ]
Source                        fn_anonymous
Source Path                   /usr/bin/ceph-osd
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           ceph-osd-14.2.7-437.geae77db.el7.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-252.el7_7.6.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     smithi093
Platform                      Linux smithi093 3.10.0-1062.12.1.el7.x86_64 #1 SMP Tue Feb 4 23:02:59 UTC 2020 x86_64 x86_64
Alert Count                   1
First Seen                    2020-02-10 03:16:46 UTC
Last Seen                     2020-02-10 03:16:46 UTC
Local ID                      0f02f878-2aac-4683-b803-67bc4deea7ad

Raw Audit Messages
type=AVC msg=audit(1581304606.562:6693): avc: denied { setsched } for pid=14311 comm="fn_anonymous" scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:system_r:ceph_t:s0 tclass=process permissive=1

type=SYSCALL msg=audit(1581304606.562:6693): arch=x86_64 syscall=sched_setaffinity success=yes exit=0 a0=37e7 a1=8 a2=560699b8a7b0 a3=7f0ccd7740e0 items=0 ppid=1 pid=14311 auid=4294967295 uid=167 gid=167 euid=167 suid=167 fsuid=167 egid=167 sgid=167 fsgid=167 tty=(none) ses=4294967295 comm=fn_anonymous exe=/usr/bin/ceph-osd subj=system_u:system_r:ceph_t:s0 key=(null)

Hash: fn_anonymous,ceph_t,ceph_t,process,setsched
Updated by Brad Hubbard about 4 years ago
SELinux is preventing /usr/bin/ceph-mon from getattr access on the file /proc/kcore.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that ceph-mon should be allowed getattr access on the kcore file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'ms_dispatch' --raw | audit2allow -M my-msdispatch
# semodule -i my-msdispatch.pp

Additional Information:
Source Context                system_u:system_r:ceph_t:s0
Target Context                system_u:object_r:proc_kcore_t:s0
Target Objects                /proc/kcore [ file ]
Source                        ms_dispatch
Source Path                   /usr/bin/ceph-mon
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           ceph-mon-14.2.7-437.geae77db.el7.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-252.el7_7.6.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     smithi093
Platform                      Linux smithi093 3.10.0-1062.12.1.el7.x86_64 #1 SMP Tue Feb 4 23:02:59 UTC 2020 x86_64 x86_64
Alert Count                   1
First Seen                    2020-02-10 03:14:06 UTC
Last Seen                     2020-02-10 03:14:06 UTC
Local ID                      0ba12610-4b86-4a69-82bc-292d8b04da10

Raw Audit Messages
type=AVC msg=audit(1581304446.209:5735): avc: denied { getattr } for pid=8319 comm="ms_dispatch" path="/proc/kcore" dev="proc" ino=4026532039 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:proc_kcore_t:s0 tclass=file permissive=1

type=SYSCALL msg=audit(1581304446.209:5735): arch=x86_64 syscall=newfstatat success=yes exit=0 a0=21 a1=55a4e81f40eb a2=7f7c050c3880 a3=0 items=0 ppid=1 pid=8319 auid=4294967295 uid=167 gid=167 euid=167 suid=167 fsuid=167 egid=167 sgid=167 fsgid=167 tty=(none) ses=4294967295 comm=ms_dispatch exe=/usr/bin/ceph-mon subj=system_u:system_r:ceph_t:s0 key=(null)

Hash: ms_dispatch,ceph_t,proc_kcore_t,file,getattr
Updated by Brad Hubbard about 4 years ago
Looks like the setsched issue might be new. Let me know if we need a new tracker for that one.
Updated by Brad Hubbard about 4 years ago
Seeing the 'setsched' fn_anonymous denial on master as well.
Updated by Brad Hubbard about 4 years ago
setsched denial being handled in https://tracker.ceph.com/issues/44196
Updated by Brad Hubbard about 4 years ago
- Related to Bug #44196: selinux setsched denials for 'fn_anonymous' added
Updated by Brad Hubbard about 4 years ago
Full description of the getattr on /proc/kcore denial at https://tracker.ceph.com/issues/43064#note-10
Updated by Brad Hubbard about 4 years ago
# ausearch -c 'ms_dispatch' --raw | audit2allow -M my-msdispatch
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i my-msdispatch.pp

# cat my-msdispatch.te
module my-msdispatch 1.0;

require {
	type ceph_t;
	type proc_kcore_t;
	class file getattr;
}

#============= ceph_t ==============
allow ceph_t proc_kcore_t:file getattr;
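Added example (not code from this tracker, Ceph or teuthology): a small Python parser that turns AVC lines like the ones quoted in the description into (source type, target type, class) groups, so repeated denials on the same object collapse into one rule, and lays the result out in the .te form shown above; it also keeps the permissive flag, which is what says whether a denial was only logged (permissive=1, as in every line here) or actually blocked the call. The sample lines are constructed from denials quoted in this issue, and the module name is a placeholder.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the denials quoted in this issue (udev data file, /proc/kcore, setsched).
SAMPLE_AVC = [
    'type=AVC msg=audit(1562873206.107:6783): avc: denied { getattr } for pid=27073 comm="fn_anonymous" path="/run/udev/data/b8:16" dev="tmpfs" ino=171147 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1562873206.107:6782): avc: denied { read } for pid=27073 comm="fn_anonymous" name="b8:16" dev="tmpfs" ino=171147 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1562873121.637:6464): avc: denied { getattr } for pid=25719 comm="ms_dispatch" path="/proc/kcore" dev="proc" ino=4026532068 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:proc_kcore_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1581304606.562:6693): avc: denied { setsched } for pid=14311 comm="fn_anonymous" scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:system_r:ceph_t:s0 tclass=process permissive=1',
]

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+.*?comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
    r'(?:\s+permissive=(?P<permissive>[01]))?'
)

def parse_avc(line):
    """Fields of one AVC denial, or None if the line is not an AVC denial (e.g. a SYSCALL record)."""
    if not (m := AVC_RE.search(line)):
        return None
    d = m.groupdict()
    d["perms"] = set(d["perms"].split())
    d["permissive"] = d["permissive"] == "1"  # True: logged only, the call went through
    return d

def _type(ctx):
    return ctx.split(":")[2]  # a context is user:role:type[:level]; rules use the type

def group_denials(lines):
    """Map (source type, target type, class) -> union of denied permissions."""
    grouped = defaultdict(set)
    for d in filter(None, map(parse_avc, lines)):
        grouped[(_type(d["scontext"]), _type(d["tcontext"]), d["tclass"])] |= d["perms"]
    return dict(grouped)

def _fmt(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"

def render_te(name, lines):
    grouped = group_denials(lines)
    classes = defaultdict(set)
    for (_, _, c), p in grouped.items(): classes[c] |= p
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in sorted({t for k in grouped for t in k[:2]})]
    out += [f"\tclass {c} {_fmt(p)};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    out += [f"allow {s} {t}:{c} {_fmt(p)};" for (s, t, c), p in sorted(grouped.items())]
    return "\n".join(out)
```

Feeding it the raw `ausearch` output for a run gives one allow rule per (type, type, class) triple instead of one alert per audit record, which is the same consolidation audit2allow does.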
Updated by Brad Hubbard almost 4 years ago
- Status changed from New to Fix Under Review
- Assignee set to Brad Hubbard
Updated by Brad Hubbard almost 4 years ago
- Status changed from Fix Under Review to In Progress
Updated by Yuri Weinstein almost 4 years ago
Updated by Sage Weil almost 3 years ago
- Status changed from In Progress to Resolved