Bug #43703

selinux vs logrotate

Added by Sage Weil about 1 month ago. Updated 14 days ago.

Status: Resolved
Priority: Urgent
Assignee:
Category: cephadm
Target version:
% Done: 0%
Source:
Tags:
Backport:
Regression: No
Severity: 3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:
Crash signature:

Description

SELinux denials found on ubuntu@smithi083.front.sepia.ceph.com: ['type=AVC msg=audit(1579471681.869:7055): avc: denied { getattr } for pid=116238 comm="logrotate" path="/var/log/ceph/f6fde62a-3b05-11ea-99db-001a4aab830c/ceph-mgr.y.log" dev="sda1" ino=395962 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:container_file_t:s0 tclass=file permissive=1', 'type=AVC msg=audit(1579471681.868:7054): avc: denied { read } for pid=116238 comm="logrotate" name="f6fde62a-3b05-11ea-99db-001a4aab830c" dev="sda1" ino=394431 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:container_file_t:s0 tclass=dir permissive=1']

see bz https://bugzilla.redhat.com/show_bug.cgi?id=1775303
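The denial records quoted above are auditd AVC lines. As an added example (not part of this bug report or of Ceph's own QA tooling), the Python below pulls the denied permissions, source type, target type and object class out of such lines and collapses them into the (source, target, class) triples that policy rules key on, which is what shows that logrotate_t lacks getattr on container_file_t files and read on container_file_t directories. The sample input is the description's two records; the allow rules it renders are the form audit2allow would propose and are for triage only, since the actual fix here was an updated container-selinux package.

```python
import re

# Constructed input: the two AVC records quoted in the bug description.
SAMPLE_DENIALS = [
    'type=AVC msg=audit(1579471681.869:7055): avc: denied { getattr } for pid=116238 comm="logrotate" path="/var/log/ceph/f6fde62a-3b05-11ea-99db-001a4aab830c/ceph-mgr.y.log" dev="sda1" ino=395962 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:container_file_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1579471681.868:7054): avc: denied { read } for pid=116238 comm="logrotate" name="f6fde62a-3b05-11ea-99db-001a4aab830c" dev="sda1" ino=394431 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:container_file_t:s0 tclass=dir permissive=1',
]

# Fields of an AVC record, in the order the kernel/auditd prints them.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'(?:.*?\bcomm="(?P<comm>[^"]*)")?'
    r'.*?\bscontext=(?P<scontext>\S+)'
    r'.*?\btcontext=(?P<tcontext>\S+)'
    r'.*?\btclass=(?P<tclass>\S+)'
    r'(?:.*?\bpermissive=(?P<permissive>[01]))?'
)

def parse_avc(line):
    """Return the security-relevant fields of one AVC denial, or None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    d = m.groupdict()
    # A context is user:role:type[:level]; the type is what policy rules key on.
    return {
        'perms': d['perms'].split(),
        'comm': d['comm'],
        'source_type': d['scontext'].split(':')[2],
        'target_type': d['tcontext'].split(':')[2],
        'tclass': d['tclass'],
        # permissive=1: the access was logged but still allowed; in enforcing
        # mode the same denial would make logrotate fail on these paths.
        'permissive': None if d['permissive'] is None else d['permissive'] == '1',
    }

def summarize(lines):
    """Collapse denials into (source_type, target_type, tclass) -> set(perms)."""
    summary = {}
    for line in lines:
        rec = parse_avc(line)
        if rec is not None:
            key = (rec['source_type'], rec['target_type'], rec['tclass'])
            summary.setdefault(key, set()).update(rec['perms'])
    return summary

def to_allow_rules(summary):
    """Render the summary as the allow rules audit2allow would propose."""
    return sorted('allow %s %s:%s { %s };' % (s, t, c, ' '.join(sorted(p)))
                  for (s, t, c), p in summary.items())
```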

History

#1 Updated by Sage Weil about 1 month ago

a recent failure on centos 7.6:

SELinux denials found on ubuntu@smithi191.front.sepia.ceph.com: ['type=AVC msg=audit(1579460881.584:6162): avc: denied { getattr } for pid=14668 comm="logrotate" path="/var/log/ceph/fd3fbc6a-3aed-11ea-99db-001a4aab830c/ceph-mgr.x.log" dev="sda1" ino=527088 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:container_file_t:s0 tclass=file permissive=1', 'type=AVC msg=audit(1579460881.584:6161): avc: denied { read } for pid=14668 comm="logrotate" name="fd3fbc6a-3aed-11ea-99db-001a4aab830c" dev="sda1" ino=527012 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:container_file_t:s0 tclass=dir permissive=1']

/a/sage-2020-01-19_17:40:48-rados-wip-sage-testing-2020-01-18-2112-distro-basic-smithi/4683986

a recent failure on rhel 8.0:

SELinux denials found on ubuntu@smithi069.front.sepia.ceph.com: ['type=AVC msg=audit(1579461001.478:7064): avc: denied { getattr } for pid=115848 comm="logrotate" path="/var/log/ceph/ea8f2dbc-3aed-11ea-99db-001a4aab830c/ceph-mgr.y.log" dev="sda1" ino=395957 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:container_file_t:s0 tclass=file permissive=1', 'type=AVC msg=audit(1579461001.477:7063): avc: denied { read } for pid=115848 comm="logrotate" name="ea8f2dbc-3aed-11ea-99db-001a4aab830c" dev="sda1" ino=394422 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:container_file_t:s0 tclass=dir permissive=1', 'type=AVC msg=audit(1579461001.525:7067): avc: denied { getattr } for pid=115848 comm="logrotate" path="/var/log/ceph/ea8f2dbc-3aed-11ea-99db-001a4aab830c/ceph-mgr.y.log" dev="sda1" ino=395957 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:container_file_t:s0 tclass=file permissive=1']

/a/sage-2020-01-19_17:40:48-rados-wip-sage-testing-2020-01-18-2112-distro-basic-smithi/4683994

#2 Updated by Sage Weil 30 days ago

should be fixed in 2.122.0 of container-selinux. rhel 8.1 has 2.124, and I confirmed this is fixed there.

this bug will hopefully go away in qa once we switch to centos 8.1.

7.x is not updated yet.

#3 Updated by Sage Weil 29 days ago

  • Status changed from New to In Progress

#4 Updated by Sage Weil 29 days ago

  • Assignee set to Sage Weil

#5 Updated by Sage Weil 27 days ago

  • Target version set to v15.0.0

#6 Updated by Sebastian Wagner 27 days ago

  • Category set to cephadm

#7 Updated by Sage Weil 14 days ago

  • Status changed from In Progress to Resolved
  • Pull request ID set to 33110

I'm calling this one "fixed", even though for el 8.0 and 8.1 (pre-z-stream) the error is still there.

https://github.com/ceph/ceph/pull/33110