Bug #43064

closed

"SELinux denials found" in ceph-deploy

Added by Yuri Weinstein over 4 years ago. Updated about 4 years ago.

Status:
Resolved
Priority:
High
Assignee:
-
Category:
-
Target version:
-
% Done:

0%

Source:
Q/A
Tags:
Backport:
mimic,nautilus
Regression:
No
Severity:
3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
ceph-deploy
Pull request ID:
Crash signature (v1):
Crash signature (v2):

Description

Run: http://pulpito.ceph.com/teuthology-2019-11-29_05:55:03-ceph-deploy-nautilus-distro-basic-mira/
Jobs: ['4552133', '4552149', '4552153', '4552141', '4552137', '4552167', '4552159', '4552183', '4552125', '4552187', '4552175', '4552163']
Logs: http://qa-proxy.ceph.com/teuthology/teuthology-2019-11-29_05:55:03-ceph-deploy-nautilus-distro-basic-mira/4552125/teuthology.log

Failure: SELinux denials found on ubuntu@mira082.front.sepia.ceph.com:

type=AVC msg=audit(1575016718.338:5935): avc:  denied  { read } for  pid=4567 comm="fn_anonymous" name="b8:16" dev="tmpfs" ino=108139 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1575016718.338:5936): avc:  denied  { getattr } for  pid=4567 comm="fn_anonymous" path="/run/udev/data/b8:16" dev="tmpfs" ino=108139 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1575016718.338:5935): avc:  denied  { open } for  pid=4567 comm="fn_anonymous" path="/run/udev/data/b8:16" dev="tmpfs" ino=108139 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1575016733.611:5994): avc:  denied  { open } for  pid=5200 comm="fn_anonymous" path="/run/udev/data/b8:48" dev="tmpfs" ino=109258 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1575016677.777:5674): avc:  denied  { getattr } for  pid=3222 comm="ms_dispatch" path="/proc/kcore" dev="proc" ino=4026532068 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:proc_kcore_t:s0 tclass=file permissive=1
type=AVC msg=audit(1575016662.253:5617): avc:  denied  { getattr } for  pid=3222 comm="ms_dispatch" path="/proc/kcore" dev="proc" ino=4026532068 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:proc_kcore_t:s0 tclass=file permissive=1
type=AVC msg=audit(1575016733.611:5994): avc:  denied  { read } for  pid=5200 comm="fn_anonymous" name="b8:48" dev="tmpfs" ino=109258 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1575016733.611:5995): avc:  denied  { getattr } for  pid=5200 comm="fn_anonymous" path="/run/udev/data/b8:48" dev="tmpfs" ino=109258 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1


Related issues 3 (0 open, 3 closed)

Related to Ceph - Bug #40743: "SELinux denials found" in ceph-deploy/nautilus (Resolved, Brad Hubbard)

Copied to Ceph - Backport #43243: nautilus: "SELinux denials found" in ceph-deploy (Resolved, Nathan Cutler)
Copied to Ceph - Backport #43244: mimic: "SELinux denials found" in ceph-deploy (Resolved, Nathan Cutler)
#1

Updated by Yuri Weinstein over 4 years ago

  • Project changed from RADOS to Ceph
#3

Updated by Kefu Chai over 4 years ago

  • Status changed from New to Pending Backport
  • Backport set to mimic,nautilus
  • Pull request ID set to 29071
#4

Updated by Nathan Cutler over 4 years ago

  • Copied to Backport #43243: nautilus: "SELinux denials found" in ceph-deploy added
#5

Updated by Nathan Cutler over 4 years ago

  • Copied to Backport #43244: mimic: "SELinux denials found" in ceph-deploy added
#6

Updated by Brad Hubbard about 4 years ago

With this patch I still see the following SELinux denial, which appears to be an access to /proc and a separate issue.

avc:  denied  { getattr } for  pid=3222 comm="ms_dispatch" path="/proc/kcore" dev="proc" ino=4026532068 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:proc_kcore_t:s0 tclass=file permissive=1

and

avc:  denied  { setsched } for  pid=14582 comm="fn_anonymous" scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:system_r:ceph_t:s0 tclass=process permissive=1

http://qa-proxy.ceph.com/teuthology/bhubbard-2020-02-07_02:46:52-ceph-ansible-wip-badone-testing-distro-basic-smithi/4739367/teuthology.log

#7

Updated by Brad Hubbard about 4 years ago

  • Related to Bug #40743: "SELinux denials found" in ceph-deploy/nautilus added
#8

Updated by Brad Hubbard about 4 years ago

Looks like the setsched issue might be new. Let me know if we need a new tracker for that one.

#9

Updated by Brad Hubbard about 4 years ago

Created a new tracker for the setsched denial, https://tracker.ceph.com/issues/44196

#10

Updated by Brad Hubbard about 4 years ago

SELinux is preventing /usr/bin/ceph-mon from getattr access on the file /proc/kcore.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that ceph-mon should be allowed getattr access on the kcore file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'ms_dispatch' --raw | audit2allow -M my-msdispatch
# semodule -i my-msdispatch.pp

Additional Information:
Source Context                system_u:system_r:ceph_t:s0
Target Context                system_u:object_r:proc_kcore_t:s0
Target Objects                /proc/kcore [ file ]
Source                        ms_dispatch
Source Path                   /usr/bin/ceph-mon
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           ceph-mon-14.2.7-763.g97ce2bd.el7.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-252.el7_7.6.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     mira030
Platform                      Linux mira030 3.10.0-1062.12.1.el7.x86_64 #1 SMP
                              Tue Feb 4 23:02:59 UTC 2020 x86_64 x86_64
Alert Count                   2
First Seen                    2020-02-25 02:03:31 UTC
Last Seen                     2020-02-25 02:31:29 UTC
Local ID                      7b45da16-f331-412b-aa28-0dfc19d4b90d

Raw Audit Messages
type=AVC msg=audit(1582597889.957:6365): avc:  denied  { getattr } for  pid=57228 comm="ms_dispatch" path="/proc/kcore" dev="proc" ino=4026532068 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:proc_kcore_t:s0 tclass=file permissive=1

type=SYSCALL msg=audit(1582597889.957:6365): arch=x86_64 syscall=newfstatat success=yes exit=0 a0=26 a1=562e172b80eb a2=7fe6f5fe5880 a3=0 items=0 ppid=1 pid=57228 auid=4294967295 uid=167 gid=167 euid=167 suid=167 fsuid=167 egid=167 sgid=167 fsgid=167 tty=(none) ses=4294967295 comm=ms_dispatch exe=/usr/bin/ceph-mon subj=system_u:system_r:ceph_t:s0 key=(null)

Hash: ms_dispatch,ceph_t,proc_kcore_t,file,getattr
# ausearch -i -c ms_dispatch|tail -3
type=PROCTITLE msg=audit(25/02/20 02:31:29.957:6365) : proctitle=/usr/bin/ceph-mon -f --cluster ceph --id mira030 --setuser ceph --setgroup ceph
type=SYSCALL msg=audit(25/02/20 02:31:29.957:6365) : arch=x86_64 syscall=newfstatat success=yes exit=0 a0=0x26 a1=0x562e172b80eb a2=0x7fe6f5fe5880 a3=0x0 items=0 ppid=1 pid=57228 auid=unset uid=ceph gid=ceph euid=ceph suid=ceph fsuid=ceph egid=ceph sgid=ceph fsgid=ceph tty=(none) ses=unset comm=ms_dispatch exe=/usr/bin/ceph-mon subj=system_u:system_r:ceph_t:s0 key=(null)
type=AVC msg=audit(25/02/20 02:31:29.957:6365) : avc:  denied  { getattr } for  pid=57228 comm=ms_dispatch path=/proc/kcore dev="proc" ino=4026532068 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:proc_kcore_t:s0 tclass=file permissive=1

Looking for that timestamp in the mon log.

# grep 02:31:29.95 /var/log/ceph/ceph-mon.mira030.log 
2020-02-25 02:31:29.954 7fe6f5fec700  0 log_channel(cluster) log [INF] : mon.mira030 calling monitor election
2020-02-25 02:31:29.954 7fe6f5fec700  1 mon.mira030@0(electing).elector(4) init, last seen epoch 4
2020-02-25 02:31:29.958 7fe6f5fec700 -1 mon.mira030@0(electing) e1 failed to get devid for : udev_device_new_from_subsystem_sysname failed on ''
(gdb) t
[Current thread is 37 (Thread 0x7fffe0091700 (LWP 60388))]
(gdb) info thread 37
  Id   Target Id         Frame
* 37   Thread 0x7fffe0091700 (LWP 60388) "ms_dispatch" __GI___fxstat (vers=vers@entry=1, fd=41, buf=buf@entry=0x7fffe008a910) at ../sysdeps/unix/sysv/linux/wordsize-64/fxstat.c:40
(gdb) bt
#0  __GI___fxstat (vers=vers@entry=1, fd=41, buf=buf@entry=0x7fffe008a910) at ../sysdeps/unix/sysv/linux/wordsize-64/fxstat.c:40
#1  0x00007fffef353db3 in fstat (__statbuf=0x7fffe008a910, __fd=<optimized out>) at /usr/include/sys/stat.h:470
#2  BlkDev::get_devid (this=<optimized out>, id=0x7fffe008b9d0) at /usr/src/debug/ceph-14.2.7-763-g97ce2bd/src/common/blkdev.cc:94
#3  0x00007fffef354336 in BlkDev::partition (this=this@entry=0x7fffe008ba00, partition=partition@entry=0x7fffe008ca60 "\320\066\366UUU", max=max@entry=4096) at /usr/src/debug/ceph-14.2.7-763-g97ce2bd/src/common/blkdev.cc:269
#4  0x00007fffef3543e4 in get_device_by_path(char const*, char*, char*, unsigned long) () at /usr/src/debug/ceph-14.2.7-763-g97ce2bd/src/common/blkdev.cc:52
#5  0x00005555557e953c in MonitorDBStore::get_devname (this=<optimized out>) at /usr/src/debug/ceph-14.2.7-763-g97ce2bd/src/mon/MonitorDBStore.h:55
#6  0x00005555557a2e1d in Monitor::collect_metadata(std::map<std::string, std::string, std::less<std::string>, std::allocator<std::pair<std::string const, std::string> > >*) ()
    at /usr/src/debug/ceph-14.2.7-763-g97ce2bd/src/mon/Monitor.cc:2287
#7  0x000055555584272f in Elector::start() () at /usr/src/debug/ceph-14.2.7-763-g97ce2bd/src/mon/Elector.cc:100
#8  0x00005555557b26b8 in call_election (this=0x5555575f8d28) at /usr/src/debug/ceph-14.2.7-763-g97ce2bd/src/mon/Elector.h:388
#9  Monitor::start_election() () at /usr/src/debug/ceph-14.2.7-763-g97ce2bd/src/mon/Monitor.cc:2097
#10 0x00005555557b6bd8 in Monitor::handle_probe_reply(boost::intrusive_ptr<MonOpRequest>) () at /usr/src/debug/ceph-14.2.7-763-g97ce2bd/src/mon/Monitor.cc:2066
#11 0x00005555557b889f in Monitor::handle_probe(boost::intrusive_ptr<MonOpRequest>) () at /usr/src/debug/ceph-14.2.7-763-g97ce2bd/src/common/TrackedOp.h:388
#12 0x00005555557ce379 in Monitor::dispatch_op(boost::intrusive_ptr<MonOpRequest>) () at /usr/src/debug/ceph-14.2.7-763-g97ce2bd/src/common/TrackedOp.h:388
#13 0x00005555557cf37f in Monitor::_ms_dispatch(Message*) () at /usr/src/debug/ceph-14.2.7-763-g97ce2bd/src/common/TrackedOp.h:388
#14 0x00005555557fc356 in Monitor::ms_dispatch (this=0x5555575f8000, m=0x555557826780) at /usr/src/debug/ceph-14.2.7-763-g97ce2bd/src/mon/Monitor.h:888
#15 0x00005555557f8946 in Dispatcher::ms_dispatch2 (this=0x5555575f8000, m=...) at /usr/src/debug/ceph-14.2.7-763-g97ce2bd/src/msg/Dispatcher.h:126
#16 0x00007fffef472b39 in ms_deliver_dispatch (m=..., this=0x55555680a900) at /usr/src/debug/ceph-14.2.7-763-g97ce2bd/src/msg/DispatchQueue.cc:198
#17 DispatchQueue::entry() () at /usr/src/debug/ceph-14.2.7-763-g97ce2bd/src/msg/DispatchQueue.cc:197
#18 0x00007fffef51fcdd in DispatchQueue::DispatchThread::entry (this=<optimized out>) at /usr/src/debug/ceph-14.2.7-763-g97ce2bd/src/msg/DispatchQueue.h:102
#19 0x00007fffec04edd5 in start_thread (arg=0x7fffe0091700) at pthread_create.c:307
#20 0x00007fffeaf1502d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111

That means we are here.

84        init();   <--------- NOTE, just called init() which produces "init, last seen epoch 4" log output
85
86        // start by trying to elect me
87        if (epoch % 2 == 0) {
88          bump_epoch(epoch+1);  // odd == election cycle
89        } else {
90          // do a trivial db write just to ensure it is writeable.
91          auto t(std::make_shared<MonitorDBStore::Transaction>());
92          t->put(Monitor::MONITOR_NAME, "election_writeable_test", rand());
93          int r = mon->store->apply_transaction(t);
94          ceph_assert(r >= 0);
95        }
96        electing_me = true;
97        acked_me[mon->rank].cluster_features = CEPH_FEATURES_ALL;
98        acked_me[mon->rank].mon_release = ceph_release();
99        acked_me[mon->rank].mon_features = ceph::features::mon::get_supported();
100       mon->collect_metadata(&acked_me[mon->rank].metadata);   <-------------------- HERE

  89 int BlkDev::get_devid(dev_t *id) const
  90 {
  91   struct stat st;
  92   int r;
  93   if (fd >= 0) {
  94     r = fstat(fd, &st);
  95   } else {
  96     char path[PATH_MAX];
  97     snprintf(path, sizeof(path), "/dev/%s", devname.c_str());
  98     r = stat(path, &st);
  99   }
 100   if (r < 0) {
 101     return -errno;
 102   }
 103   *id = S_ISBLK(st.st_mode) ? st.st_rdev : st.st_dev;
 104   return 0;
 105 }
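The triage Brad does by hand in comments #6 and #10 (separating the udev_var_run_t denials, the /proc/kcore getattr from ms_dispatch, and the setsched process denial into distinct root causes) can be done mechanically. The helper below is an added example, not part of this tracker issue or of the Ceph code: it parses AVC records into the same comm,source type,target type,class,permission key that sealert prints as "Hash:", groups them, and records whether any occurrence was actually blocked (permissive=0) or only logged. The sample lines are constructed from the denials quoted on this page; the setsched record was quoted without its msg=audit() prefix, so that prefix is made up.

```python
"""Group SELinux AVC denials into sealert-style signatures for triage."""
import re
from collections import defaultdict

# Constructed sample input: denials quoted in this tracker issue. The setsched
# record (comment #6) had no msg=audit() prefix on the page; the one here is made up.
SAMPLE_AVC_LINES = [
    'type=AVC msg=audit(1575016718.338:5935): avc:  denied  { read } for  pid=4567 comm="fn_anonymous" name="b8:16" dev="tmpfs" ino=108139 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1575016718.338:5936): avc:  denied  { getattr } for  pid=4567 comm="fn_anonymous" path="/run/udev/data/b8:16" dev="tmpfs" ino=108139 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1575016677.777:5674): avc:  denied  { getattr } for  pid=3222 comm="ms_dispatch" path="/proc/kcore" dev="proc" ino=4026532068 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:proc_kcore_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1582597889.957:6365): avc:  denied  { getattr } for  pid=57228 comm="ms_dispatch" path="/proc/kcore" dev="proc" ino=4026532068 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:proc_kcore_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1581000000.000:1): avc:  denied  { setsched } for  pid=14582 comm="fn_anonymous" scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:system_r:ceph_t:s0 tclass=process permissive=1',
]

AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """user:role:type:level -> type  (system_u:system_r:ceph_t:s0 -> ceph_t)."""
    parts = ctx.split(':')
    return parts[2] if len(parts) >= 3 else ctx


def parse_avc(line):
    """Return the AVC record's fields as a dict, or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    rec['result'] = m.group('result')
    rec['perms'] = m.group('perms').split()
    rec['stype'] = context_type(rec.get('scontext', ''))
    rec['ttype'] = context_type(rec.get('tcontext', ''))
    # permissive=1: the access went through and was only logged; 0: it was blocked
    rec['permissive'] = rec.get('permissive') == '1'
    return rec


def signatures(rec):
    """sealert 'Hash:' style keys: comm,source type,target type,class,permission."""
    return [f"{rec.get('comm', '?')},{rec['stype']},{rec['ttype']},{rec.get('tclass', '?')},{p}"
            for p in rec['perms']]


def group_denials(lines):
    """Group denied AVCs by signature: {sig: {'count', 'targets', 'blocked'}}."""
    groups = defaultdict(lambda: {'count': 0, 'targets': set(), 'blocked': False})
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec['result'] != 'denied':
            continue
        # file denials carry path= or name=; process-class ones only identify the pid
        target = rec.get('path') or rec.get('name') or 'pid=' + rec.get('pid', '?')
        for sig in signatures(rec):
            g = groups[sig]
            g['count'] += 1
            g['targets'].add(target)
            g['blocked'] = g['blocked'] or not rec['permissive']
    return dict(groups)


if __name__ == '__main__':
    for sig, g in sorted(group_denials(SAMPLE_AVC_LINES).items()):
        mode = 'blocked' if g['blocked'] else 'logged only (permissive)'
        print(f"{g['count']}x {sig}  [{mode}]  targets={sorted(g['targets'])}")
```

Feeding it the raw output of `ausearch -m AVC --raw` gives one line per distinct signature, which is the unit a policy fix or a new tracker (as with the setsched denial in #44196) is filed against.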
#11

Updated by Nathan Cutler about 4 years ago

  • Status changed from Pending Backport to Resolved

While running with --resolve-parent, the script "backport-create-issue" noticed that all backports of this issue are in status "Resolved" or "Rejected".
