Bug #43396

selinux denial on el8

Added by Sage Weil 2 months ago. Updated about 2 months ago.

Status: Resolved
Priority: Urgent
Category: -
Target version:
% Done: 0%
Source: Q/A
Tags:
Backport:
Regression: No
Severity: 3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:
Crash signature:

Description

SELinux denials found on : ['type=AVC msg=audit(1576786614.808:3780): avc: denied { open } for pid=15987 comm="setroubleshootd" path="/var/lib/rpm/Packages" dev="sda1" ino=61046 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=1', 'type=AVC msg=audit(1576786614.808:3782): avc: denied { map } for pid=15987 comm="setroubleshootd" path="/var/lib/rpm/Name" dev="sda1" ino=61070 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=1', 'type=AVC msg=audit(1576786614.268:3768): avc: denied { getattr } for pid=15724 comm="rhsmcertd-worke" path="/var/lib/rpm/Packages" dev="sda1" ino=61046 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=1', 'type=AVC msg=audit(1576786614.581:3778): avc: denied { unlink } for pid=15724 comm="rhsmcertd-worke" name="metadata_lock.pid" dev="sda1" ino=57312 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:rpm_var_cache_t:s0 tclass=file permissive=1', 'type=AVC msg=audit(1576786614.268:3766): avc: denied { read write } for pid=15724 comm="rhsmcertd-worke" name=".dbenv.lock" dev="sda1" ino=61154 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=1', 'type=AVC msg=audit(1576786614.337:3775): avc: denied { open } for pid=15724 comm="rhsmcertd-worke" path="/var/cache/dnf/metadata_lock.pid" dev="sda1" ino=57312 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:rpm_var_cache_t:s0 tclass=file permissive=1', 'type=AVC msg=audit(1576786614.662:3779): avc: denied { read } for pid=15724 comm="rhsmcertd-worke" name="satellite-5-client.module" dev="sda1" ino=57237 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=file permissive=1', 'type=AVC msg=audit(1576786614.337:3775): avc: denied { add_name } for pid=15724 
comm="rhsmcertd-worke" name="metadata_lock.pid" scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:rpm_var_cache_t:s0 tclass=dir permissive=1', 'type=AVC msg=audit(1576786614.439:3776): avc: denied { open } for pid=15724 comm="rhsmcertd-worke" path="/var/cache/dnf/epel-fafd94c310c51e1e/metalink.xml" dev="sda1" ino=262189 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=unconfined_u:object_r:rpm_var_cache_t:s0 tclass=file permissive=1', 'type=AVC msg=audit(1576786614.808:3780): avc: denied { read } for pid=15987 comm="setroubleshootd" name="Packages" dev="sda1" ino=61046 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=1', 'type=AVC msg=audit(1576786614.337:3775): avc: denied { create } for pid=15724 comm="rhsmcertd-worke" name="metadata_lock.pid" scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:rpm_var_cache_t:s0 tclass=file permissive=1', 'type=AVC msg=audit(1576786614.808:3781): avc: denied { lock } for pid=15987 comm="setroubleshootd" path="/var/lib/rpm/Packages" dev="sda1" ino=61046 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=1', 'type=AVC msg=audit(1576786614.268:3767): avc: denied { lock } for pid=15724 comm="rhsmcertd-worke" path="/var/lib/rpm/.dbenv.lock" dev="sda1" ino=61154 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=1', 'type=AVC msg=audit(1576786614.337:3774): avc: denied { open } for pid=15724 comm="rhsmcertd-worke" path="/var/log/hawkey.log" dev="sda1" ino=60817 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1', 'type=AVC msg=audit(1576786614.268:3766): avc: denied { open } for pid=15724 comm="rhsmcertd-worke" path="/var/lib/rpm/.dbenv.lock" dev="sda1" ino=61154 scontext=system_u:system_r:rhsmcertd_t:s0 
tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=1', 'type=AVC msg=audit(1576786614.662:3779): avc: denied { open } for pid=15724 comm="rhsmcertd-worke" path="/etc/dnf/modules.d/satellite-5-client.module" dev="sda1" ino=57237 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=file permissive=1', 'type=AVC msg=audit(1576786614.333:3773): avc: denied { map } for pid=15724 comm="rhsmcertd-worke" path="/var/lib/rpm/Name" dev="sda1" ino=61070 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=1', 'type=AVC msg=audit(1576786614.337:3775): avc: denied { write } for pid=15724 comm="rhsmcertd-worke" name="dnf" dev="sda1" ino=60792 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:rpm_var_cache_t:s0 tclass=dir permissive=1', 'type=AVC msg=audit(1576786614.581:3778): avc: denied { remove_name } for pid=15724 comm="rhsmcertd-worke" name="metadata_lock.pid" dev="sda1" ino=57312 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:rpm_var_cache_t:s0 tclass=dir permissive=1', 'type=AVC msg=audit(1576786614.464:3777): avc: denied { setattr } for pid=15724 comm="rhsmcertd-worke" name="6e2fe611f78ac434c2918bac1eec468dbd24c9b4cdb65bf6a744d10f764f3284-primary.xml.gz" dev="sda1" ino=262155 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=unconfined_u:object_r:rpm_var_cache_t:s0 tclass=file permissive=1']

/a/sage-2019-12-19_19:10:50-rados-master-distro-basic-smithi/4615422

History

#1 Updated by Patrick Donnelly about 2 months ago

  • Status changed from New to In Progress
  • Assignee set to Patrick Donnelly
  • Target version set to v15.0.0
  • Source set to Q/A

2020-01-03T23:04:56.964 DEBUG:teuthology.run_tasks:Unwinding manager selinux
2020-01-03T23:04:57.106 INFO:teuthology.orchestra.run.smithi091:> mkdir /home/ubuntu/cephtest/archive/audit && sudo cp /var/log/audit/audit.log /home/ubuntu/cephtest/archive/audit && sudo chown $USER /home/ubuntu/cephtest/archive/audit/audit.log && gzip /home/ubuntu/cephtest/archive/audit/audit.log
2020-01-03T23:04:57.175 INFO:teuthology.orchestra.run.smithi168:> mkdir /home/ubuntu/cephtest/archive/audit && sudo cp /var/log/audit/audit.log /home/ubuntu/cephtest/archive/audit && sudo chown $USER /home/ubuntu/cephtest/archive/audit/audit.log && gzip /home/ubuntu/cephtest/archive/audit/audit.log
2020-01-03T23:04:57.242 INFO:teuthology.orchestra.run.smithi168:> sudo grep 'avc: .*denied' /var/log/audit/audit.log | grep -v '\(comm="dmidecode"\|chronyd.service\|name="cephtest"\|scontext=system_u:system_r:nrpe_t:s0\|scontext=system_u:system_r:pcp_pmlogger_t\|scontext=system_u:system_r:pcp_pmcd_t:s0\|comm="rhsmd"\|scontext=system_u:system_r:syslogd_t:s0\|tcontext=system_u:system_r:nrpe_t:s0\|comm="updatedb"\|comm="smartd"\)'
2020-01-03T23:04:57.273 DEBUG:teuthology.orchestra.run:got remote process result: 1
2020-01-03T23:04:57.274 INFO:teuthology.orchestra.run.smithi091:> sudo grep 'avc: .*denied' /var/log/audit/audit.log | grep -v '\(comm="dmidecode"\|chronyd.service\|name="cephtest"\|scontext=system_u:system_r:nrpe_t:s0\|scontext=system_u:system_r:pcp_pmlogger_t\|scontext=system_u:system_r:pcp_pmcd_t:s0\|comm="rhsmd"\|scontext=system_u:system_r:syslogd_t:s0\|tcontext=system_u:system_r:nrpe_t:s0\|comm="updatedb"\|comm="smartd"\)'
2020-01-03T23:04:57.304 INFO:teuthology.orchestra.run.smithi091.stdout:type=AVC msg=audit(1578091952.153:5216): avc:  denied  { read write } for  pid=22266 comm="rhsmcertd-worke" name=".dbenv.lock" dev="sda1" ino=262270 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=1
2020-01-03T23:04:57.305 INFO:teuthology.orchestra.run.smithi091.stdout:type=AVC msg=audit(1578091952.153:5216): avc:  denied  { open } for  pid=22266 comm="rhsmcertd-worke" path="/var/lib/rpm/.dbenv.lock" dev="sda1" ino=262270 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=1
2020-01-03T23:04:57.305 INFO:teuthology.orchestra.run.smithi091.stdout:type=AVC msg=audit(1578091952.153:5217): avc:  denied  { lock } for  pid=22266 comm="rhsmcertd-worke" path="/var/lib/rpm/.dbenv.lock" dev="sda1" ino=262270 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=1
2020-01-03T23:04:57.305 INFO:teuthology.orchestra.run.smithi091.stdout:type=AVC msg=audit(1578091952.153:5218): avc:  denied  { getattr } for  pid=22266 comm="rhsmcertd-worke" path="/var/lib/rpm/__db.001" dev="sda1" ino=262271 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=1
2020-01-03T23:04:57.305 INFO:teuthology.orchestra.run.smithi091.stdout:type=AVC msg=audit(1578091952.153:5219): avc:  denied  { map } for  pid=22266 comm="rhsmcertd-worke" path="/var/lib/rpm/__db.001" dev="sda1" ino=262271 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=1
2020-01-03T23:04:57.306 INFO:teuthology.orchestra.run.smithi091.stdout:type=AVC msg=audit(1578091952.240:5220): avc:  denied  { open } for  pid=22266 comm="rhsmcertd-worke" path="/var/log/hawkey.log" dev="sda1" ino=60817 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
2020-01-03T23:04:57.306 INFO:teuthology.orchestra.run.smithi091.stdout:type=AVC msg=audit(1578091952.240:5221): avc:  denied  { write } for  pid=22266 comm="rhsmcertd-worke" name="dnf" dev="sda1" ino=60792 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:rpm_var_cache_t:s0 tclass=dir permissive=1
2020-01-03T23:04:57.306 INFO:teuthology.orchestra.run.smithi091.stdout:type=AVC msg=audit(1578091952.240:5221): avc:  denied  { add_name } for  pid=22266 comm="rhsmcertd-worke" name="metadata_lock.pid" scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:rpm_var_cache_t:s0 tclass=dir permissive=1
2020-01-03T23:04:57.306 INFO:teuthology.orchestra.run.smithi091.stdout:type=AVC msg=audit(1578091952.240:5221): avc:  denied  { create } for  pid=22266 comm="rhsmcertd-worke" name="metadata_lock.pid" scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:rpm_var_cache_t:s0 tclass=file permissive=1
2020-01-03T23:04:57.307 INFO:teuthology.orchestra.run.smithi091.stdout:type=AVC msg=audit(1578091952.240:5221): avc:  denied  { open } for  pid=22266 comm="rhsmcertd-worke" path="/var/cache/dnf/metadata_lock.pid" dev="sda1" ino=60471 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:rpm_var_cache_t:s0 tclass=file permissive=1
2020-01-03T23:04:57.307 INFO:teuthology.orchestra.run.smithi091.stdout:type=AVC msg=audit(1578091952.351:5222): avc:  denied  { open } for  pid=22266 comm="rhsmcertd-worke" path="/var/cache/dnf/ceph-15444cae4656afef/repodata/repomd.xml" dev="sda1" ino=262154 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=unconfined_u:object_r:rpm_var_cache_t:s0 tclass=file permissive=1
2020-01-03T23:04:57.307 INFO:teuthology.orchestra.run.smithi091.stdout:type=AVC msg=audit(1578091952.478:5223): avc:  denied  { remove_name } for  pid=22266 comm="rhsmcertd-worke" name="metadata_lock.pid" dev="sda1" ino=60471 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:rpm_var_cache_t:s0 tclass=dir permissive=1
2020-01-03T23:04:57.307 INFO:teuthology.orchestra.run.smithi091.stdout:type=AVC msg=audit(1578091952.478:5223): avc:  denied  { unlink } for  pid=22266 comm="rhsmcertd-worke" name="metadata_lock.pid" dev="sda1" ino=60471 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:rpm_var_cache_t:s0 tclass=file permissive=1
2020-01-03T23:04:57.308 INFO:teuthology.orchestra.run.smithi091.stdout:type=AVC msg=audit(1578091952.559:5224): avc:  denied  { read } for  pid=22266 comm="rhsmcertd-worke" name="satellite-5-client.module" dev="sda1" ino=57237 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=file permissive=1
2020-01-03T23:04:57.308 INFO:teuthology.orchestra.run.smithi091.stdout:type=AVC msg=audit(1578091952.559:5224): avc:  denied  { open } for  pid=22266 comm="rhsmcertd-worke" path="/etc/dnf/modules.d/satellite-5-client.module" dev="sda1" ino=57237 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=file permissive=1
2020-01-03T23:04:57.308 INFO:teuthology.orchestra.run.smithi091.stdout:type=AVC msg=audit(1578091953.215:5225): avc:  denied  { read } for  pid=22320 comm="setroubleshootd" name="Packages" dev="sda1" ino=262250 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=1
2020-01-03T23:04:57.308 INFO:teuthology.orchestra.run.smithi091.stdout:type=AVC msg=audit(1578091953.215:5225): avc:  denied  { open } for  pid=22320 comm="setroubleshootd" path="/var/lib/rpm/Packages" dev="sda1" ino=262250 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=1
2020-01-03T23:04:57.308 INFO:teuthology.orchestra.run.smithi091.stdout:type=AVC msg=audit(1578091953.215:5226): avc:  denied  { lock } for  pid=22320 comm="setroubleshootd" path="/var/lib/rpm/Packages" dev="sda1" ino=262250 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=1
2020-01-03T23:04:57.309 INFO:teuthology.orchestra.run.smithi091.stdout:type=AVC msg=audit(1578091953.215:5227): avc:  denied  { map } for  pid=22320 comm="setroubleshootd" path="/var/lib/rpm/Name" dev="sda1" ino=262251 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=1
2020-01-03T23:04:57.309 INFO:teuthology.orchestra.run.smithi091.stdout:type=AVC msg=audit(1578091957.991:5230): avc:  denied  { read } for  pid=22351 comm="rpm" name="Packages" dev="sda1" ino=262250 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=1
2020-01-03T23:04:57.309 INFO:teuthology.orchestra.run.smithi091.stdout:type=AVC msg=audit(1578091957.991:5230): avc:  denied  { open } for  pid=22351 comm="rpm" path="/var/lib/rpm/Packages" dev="sda1" ino=262250 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=1
2020-01-03T23:04:57.309 INFO:teuthology.orchestra.run.smithi091.stdout:type=AVC msg=audit(1578091957.991:5231): avc:  denied  { lock } for  pid=22351 comm="rpm" path="/var/lib/rpm/Packages" dev="sda1" ino=262250 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=1
2020-01-03T23:04:57.310 INFO:teuthology.orchestra.run.smithi091.stdout:type=AVC msg=audit(1578091957.991:5232): avc:  denied  { map } for  pid=22351 comm="rpm" path="/var/lib/rpm/Name" dev="sda1" ino=262251 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=1
2020-01-03T23:04:57.310 DEBUG:teuthology.task.selinux:ubuntu@smithi091.front.sepia.ceph.com has 23 denials

From: /ceph/teuthology-archive/pdonnell-2020-01-03_20:54:58-fs-wip-pdonnell-testing-20200103.181716-distro-basic-smithi/4637211/teuthology.log

and others.

#2 Updated by Patrick Donnelly about 2 months ago

  • Project changed from RADOS to Ceph

#3 Updated by Patrick Donnelly about 2 months ago

  • Status changed from In Progress to Fix Under Review

#4 Updated by Kefu Chai about 2 months ago

  • Status changed from Fix Under Review to Resolved
