Bug #43703

closed

selinux vs logrotate

Added by Sage Weil about 4 years ago. Updated about 4 years ago.

Status:
Resolved
Priority:
Urgent
Assignee:
Category:
cephadm
Target version:
% Done:

0%

Source:
Tags:
Backport:
Regression:
No
Severity:
3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:
Crash signature (v1):
Crash signature (v2):

Description

SELinux denials found on ubuntu@smithi083.front.sepia.ceph.com: ['type=AVC msg=audit(1579471681.869:7055): avc: denied { getattr } for pid=116238 comm="logrotate" path="/var/log/ceph/f6fde62a-3b05-11ea-99db-001a4aab830c/ceph-mgr.y.log" dev="sda1" ino=395962 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:container_file_t:s0 tclass=file permissive=1', 'type=AVC msg=audit(1579471681.868:7054): avc: denied { read } for pid=116238 comm="logrotate" name="f6fde62a-3b05-11ea-99db-001a4aab830c" dev="sda1" ino=394431 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:container_file_t:s0 tclass=dir permissive=1']

see bz https://bugzilla.redhat.com/show_bug.cgi?id=1775303
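A small triage helper for the AVC records quoted above, added here as an example (it is not part of this issue, cephadm, or container-selinux): it splits each audit line into fields, flags the logrotate_t-versus-container_file_t pattern this bug is about, and reports whether the denial was enforced, since permissive=1 means the access was only logged and logrotate still succeeded.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the two AVC records from the issue description,
# contexts, classes and permissions verbatim.
SAMPLE_AVCS = [
    'type=AVC msg=audit(1579471681.869:7055): avc: denied { getattr } for pid=116238 comm="logrotate" path="/var/log/ceph/f6fde62a-3b05-11ea-99db-001a4aab830c/ceph-mgr.y.log" dev="sda1" ino=395962 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:container_file_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1579471681.868:7054): avc: denied { read } for pid=116238 comm="logrotate" name="f6fde62a-3b05-11ea-99db-001a4aab830c" dev="sda1" ino=394431 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:container_file_t:s0 tclass=dir permissive=1',
]

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted" or key=bare


@dataclass
class Denial:
    perms: tuple   # e.g. ("getattr",)
    fields: dict   # key/value pairs following "for"

    def selinux_type(self, which):
        """Type component of a context, e.g. logrotate_t from system_u:system_r:logrotate_t:s0-s0:c0.c1023."""
        return self.fields[which].split(":")[2]

    @property
    def enforced(self):
        # permissive=1: logged but allowed; in enforcing mode logrotate would fail on these logs.
        return self.fields.get("permissive") == "0"


def parse_avc(line):
    """Parse one audit line; returns None if it is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: quoted or bare for k, quoted, bare in FIELD_RE.findall(m.group("rest"))}
    return Denial(tuple(m.group("perms").split()), fields)


def is_logrotate_vs_container(d):
    """The pattern this issue describes: logrotate_t reaching container_file_t logs or dirs."""
    return (d.selinux_type("scontext") == "logrotate_t"
            and d.selinux_type("tcontext") == "container_file_t"
            and d.fields.get("tclass") in ("file", "dir"))


def triage(lines):
    """Return (permissions, tclass, object, enforced) for each matching denial."""
    out = []
    for line in lines:
        d = parse_avc(line)
        if d and is_logrotate_vs_container(d):
            obj = d.fields.get("path") or d.fields.get("name")
            out.append((" ".join(d.perms), d.fields["tclass"], obj, d.enforced))
    return out
```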

Actions #1

Updated by Sage Weil about 4 years ago

a recent failure on centos 7.6:

SELinux denials found on ubuntu@smithi191.front.sepia.ceph.com: ['type=AVC msg=audit(1579460881.584:6162): avc: denied { getattr } for pid=14668 comm="logrotate" path="/var/log/ceph/fd3fbc6a-3aed-11ea-99db-001a4aab830c/ceph-mgr.x.log" dev="sda1" ino=527088 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:container_file_t:s0 tclass=file permissive=1', 'type=AVC msg=audit(1579460881.584:6161): avc: denied { read } for pid=14668 comm="logrotate" name="fd3fbc6a-3aed-11ea-99db-001a4aab830c" dev="sda1" ino=527012 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:container_file_t:s0 tclass=dir permissive=1']

/a/sage-2020-01-19_17:40:48-rados-wip-sage-testing-2020-01-18-2112-distro-basic-smithi/4683986

a recent failure on rhel 8.0:

SELinux denials found on ubuntu@smithi069.front.sepia.ceph.com: ['type=AVC msg=audit(1579461001.478:7064): avc: denied { getattr } for pid=115848 comm="logrotate" path="/var/log/ceph/ea8f2dbc-3aed-11ea-99db-001a4aab830c/ceph-mgr.y.log" dev="sda1" ino=395957 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:container_file_t:s0 tclass=file permissive=1', 'type=AVC msg=audit(1579461001.477:7063): avc: denied { read } for pid=115848 comm="logrotate" name="ea8f2dbc-3aed-11ea-99db-001a4aab830c" dev="sda1" ino=394422 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:container_file_t:s0 tclass=dir permissive=1', 'type=AVC msg=audit(1579461001.525:7067): avc: denied { getattr } for pid=115848 comm="logrotate" path="/var/log/ceph/ea8f2dbc-3aed-11ea-99db-001a4aab830c/ceph-mgr.y.log" dev="sda1" ino=395957 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:container_file_t:s0 tclass=file permissive=1']

/a/sage-2020-01-19_17:40:48-rados-wip-sage-testing-2020-01-18-2112-distro-basic-smithi/4683994

Actions #2

Updated by Sage Weil about 4 years ago

should be fixed in 2.122.0 of container-selinux. rhel 8.1 has 2.124, and i confirmed this is fixed there.

this bug will hopefully go away in qa once we switch to centos 8.1.

7.x is not updated yet.

Actions #3

Updated by Sage Weil about 4 years ago

  • Status changed from New to In Progress

Actions #4

Updated by Sage Weil about 4 years ago

  • Assignee set to Sage Weil

Actions #5

Updated by Sage Weil about 4 years ago

  • Target version set to v15.0.0

Actions #6

Updated by Sebastian Wagner about 4 years ago

  • Category set to cephadm

Actions #7

Updated by Sage Weil about 4 years ago

  • Status changed from In Progress to Resolved
  • Pull request ID set to 33110

I'm calling this one "fixed", even though for el 8.0 and 8.1 (pre-z-stream) the error is still there.

https://github.com/ceph/ceph/pull/33110
