Bug #41413

SELinux denials in 14.2.3 RC runs

Added by Yuri Weinstein 25 days ago. Updated 22 days ago.

Status: Resolved
Priority: Urgent
Assignee: -
Category: -
Target version: -
Start date: 08/23/2019
Due date:
% Done: 0%
Source: Q/A
Tags:
Backport:
Regression: No
Severity: 3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite: rados, rbd
Pull request ID:

Description

Runs:
http://pulpito.ceph.com/yuriw-2019-08-23_15:09:01-rados-wip_nautilus_14.2.3_RC1-distro-basic-smithi/
http://pulpito.ceph.com/yuriw-2019-08-22_02:34:09-rbd-wip_nautilus_14.2.3_RC1-distro-basic-smithi/
Jobs: many
Logs: http://qa-proxy.ceph.com/teuthology/yuriw-2019-08-23_15:09:01-rados-wip_nautilus_14.2.3_RC1-distro-basic-smithi/4245449/teuthology.log

2019-08-23T16:34:29.250 INFO:teuthology.orchestra.run.smithi173:> sudo grep 'avc: .*denied' /var/log/audit/audit.log | grep -v '\(comm="dmidecode"\|chronyd.service\|name="cephtest"\|scontext=system_u:system_r:nrpe_t:s0\|scontext=system_u:system_r:pcp_pmlogger_t\|scontext=system_u:system_r:pcp_pmcd_t:s0\|comm="rhsmd"\|scontext=system_u:system_r:syslogd_t:s0\|tcontext=system_u:system_r:nrpe_t:s0\|comm="updatedb"\)'
2019-08-23T16:34:29.299 INFO:teuthology.orchestra.run.smithi173.stdout:type=AVC msg=audit(1566576854.565:3054): avc:  denied  { read } for  pid=21938 comm="smartd" name="nvme0" dev="devtmpfs" ino=11574 scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:nvme_device_t:s0 tclass=chr_file permissive=1
2019-08-23T16:34:29.299 INFO:teuthology.orchestra.run.smithi173.stdout:type=AVC msg=audit(1566576854.565:3054): avc:  denied  { open } for  pid=21938 comm="smartd" path="/dev/nvme0" dev="devtmpfs" ino=11574 scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:nvme_device_t:s0 tclass=chr_file permissive=1
2019-08-23T16:34:29.299 INFO:teuthology.orchestra.run.smithi173.stdout:type=AVC msg=audit(1566576854.565:3055): avc:  denied  { ioctl } for  pid=21938 comm="smartd" path="/dev/nvme0" dev="devtmpfs" ino=11574 ioctlcmd=4e40 scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:nvme_device_t:s0 tclass=chr_file permissive=1
2019-08-23T16:34:29.300 DEBUG:teuthology.task.selinux:ubuntu@smithi173.front.sepia.ceph.com has 3 denials
2019-08-23T16:34:29.300 INFO:teuthology.orchestra.run.smithi107:Running:
2019-08-23T16:34:29.300 INFO:teuthology.orchestra.run.smithi107:> sudo grep 'avc: .*denied' /var/log/audit/audit.log | grep -v '\(comm="dmidecode"\|chronyd.service\|name="cephtest"\|scontext=system_u:system_r:nrpe_t:s0\|scontext=system_u:system_r:pcp_pmlogger_t\|scontext=system_u:system_r:pcp_pmcd_t:s0\|comm="rhsmd"\|scontext=system_u:system_r:syslogd_t:s0\|tcontext=system_u:system_r:nrpe_t:s0\|comm="updatedb"\)'
2019-08-23T16:34:29.348 INFO:teuthology.orchestra.run.smithi107.stdout:type=AVC msg=audit(1566576855.302:3057): avc:  denied  { read } for  pid=21920 comm="smartd" name="nvme0" dev="devtmpfs" ino=9397 scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:nvme_device_t:s0 tclass=chr_file permissive=1
2019-08-23T16:34:29.349 INFO:teuthology.orchestra.run.smithi107.stdout:type=AVC msg=audit(1566576855.302:3057): avc:  denied  { open } for  pid=21920 comm="smartd" path="/dev/nvme0" dev="devtmpfs" ino=9397 scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:nvme_device_t:s0 tclass=chr_file permissive=1
2019-08-23T16:34:29.349 INFO:teuthology.orchestra.run.smithi107.stdout:type=AVC msg=audit(1566576855.302:3058): avc:  denied  { ioctl } for  pid=21920 comm="smartd" path="/dev/nvme0" dev="devtmpfs" ino=9397 ioctlcmd=4e40 scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:nvme_device_t:s0 tclass=chr_file permissive=1
2019-08-23T16:34:29.349 DEBUG:teuthology.task.selinux:ubuntu@smithi107.front.sepia.ceph.com has 3 denials
2019-08-23T16:34:29.349 ERROR:teuthology.run_tasks:Manager failed: selinux
Traceback (most recent call last):
  File "/home/teuthworker/src/git.ceph.com_git_teuthology_master/teuthology/run_tasks.py", line 159, in run_tasks
    suppress = manager.__exit__(*exc_info)
  File "/home/teuthworker/src/git.ceph.com_git_teuthology_master/teuthology/task/__init__.py", line 136, in __exit__
    self.teardown()
  File "/home/teuthworker/src/git.ceph.com_git_teuthology_master/teuthology/task/selinux.py", line 149, in teardown
    self.get_new_denials()
  File "/home/teuthworker/src/git.ceph.com_git_teuthology_master/teuthology/task/selinux.py", line 199, in get_new_denials
    denials=new_denials[remote.name])
SELinuxError: SELinux denials found on ubuntu@smithi173.front.sepia.ceph.com: ['type=AVC msg=audit(1566576854.565:3054): avc:  denied  { read } for  pid=21938 comm="smartd" name="nvme0" dev="devtmpfs" ino=11574 scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:nvme_device_t:s0 tclass=chr_file permissive=1', 'type=AVC msg=audit(1566576854.565:3054): avc:  denied  { open } for  pid=21938 comm="smartd" path="/dev/nvme0" dev="devtmpfs" ino=11574 scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:nvme_device_t:s0 tclass=chr_file permissive=1', 'type=AVC msg=audit(1566576854.565:3055): avc:  denied  { ioctl } for  pid=21938 comm="smartd" path="/dev/nvme0" dev="devtmpfs" ino=11574 ioctlcmd=4e40 scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:nvme_device_t:s0 tclass=chr_file permissive=1']
2019-08-23T16:34:29.350 DEBUG:teuthology.run_tasks:Unwinding manager pcp

History

#1 Updated by David Galloway 25 days ago

I suspect this denial can be whitelisted. https://bugzilla.redhat.com/show_bug.cgi?id=1530018

We're seeing it now because selinux-policy was updated recently.

#3 Updated by Patrick Donnelly 22 days ago

  • Status changed from New to Resolved
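
An added Python example (not teuthology's code and not part of the original report): it applies the same exclusion list as the `grep -v` in the log to raw audit lines and groups the remaining denials by process, source context, target context and class, which shows why the smartd denials failed the run and what a whitelist entry would have to match. The first three sample lines are the smithi173 denials from the report, the fourth is constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Alternatives copied from the `grep -v` exclusion in the log above.
KNOWN_DENIALS = [
    r'comm="dmidecode"', r'chronyd.service', r'name="cephtest"',
    r'scontext=system_u:system_r:nrpe_t:s0',
    r'scontext=system_u:system_r:pcp_pmlogger_t',
    r'scontext=system_u:system_r:pcp_pmcd_t:s0',
    r'comm="rhsmd"', r'scontext=system_u:system_r:syslogd_t:s0',
    r'tcontext=system_u:system_r:nrpe_t:s0', r'comm="updatedb"',
]
EXCLUDE = re.compile("|".join(KNOWN_DENIALS))
DENIED = re.compile(r"avc: .*denied")
PERMS = re.compile(r"\{ ([^}]*) \}")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

CTX = ("scontext=system_u:system_r:fsdaemon_t:s0 "
       "tcontext=system_u:object_r:nvme_device_t:s0 tclass=chr_file permissive=1")
SAMPLE = [
    # Lines 1-3: the smithi173 denials from the report.
    'type=AVC msg=audit(1566576854.565:3054): avc:  denied  { read } for  pid=21938 comm="smartd" name="nvme0" dev="devtmpfs" ino=11574 ' + CTX,
    'type=AVC msg=audit(1566576854.565:3054): avc:  denied  { open } for  pid=21938 comm="smartd" path="/dev/nvme0" dev="devtmpfs" ino=11574 ' + CTX,
    'type=AVC msg=audit(1566576854.565:3055): avc:  denied  { ioctl } for  pid=21938 comm="smartd" path="/dev/nvme0" dev="devtmpfs" ino=11574 ioctlcmd=4e40 ' + CTX,
    # Line 4: constructed sample that the comm="dmidecode" exclusion filters out.
    'type=AVC msg=audit(1566576800.000:3000): avc:  denied  { read } for  pid=100 comm="dmidecode" name="mem" dev="devtmpfs" ino=1 scontext=system_u:system_r:dmidecode_t:s0 tcontext=system_u:object_r:memory_device_t:s0 tclass=chr_file permissive=1',
]

def new_denials(lines):
    """Group denials that survive the exclusion list; value is the sorted permission set."""
    groups = defaultdict(set)
    for line in lines:
        if not DENIED.search(line) or EXCLUDE.search(line):
            continue
        f = {k: v.strip('"') for k, v in FIELD.findall(line)}
        key = (f.get("comm"), f.get("scontext"), f.get("tcontext"), f.get("tclass"))
        m = PERMS.search(line)
        groups[key].update(m.group(1).split() if m else [])
    return {k: sorted(v) for k, v in groups.items()}

def te_rule(key, perms):
    """Render the type-enforcement rule a group of denials corresponds to."""
    _, scontext, tcontext, tclass = key
    src, tgt = scontext.split(":")[2], tcontext.split(":")[2]
    return "allow %s %s:%s { %s };" % (src, tgt, tclass, " ".join(perms))

if __name__ == "__main__":
    for key, perms in new_denials(SAMPLE).items():
        print(key[0], "->", te_rule(key, perms))
```

`permissive=1` in these records means the access was logged but not blocked.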
