Bug #44196 (closed): selinux setsched denials for 'fn_anonymous'
Status: Resolved
Priority: High
Assignee: -
Category: common
Target version: -
% Done: 0%
Source: Development
Tags:
Backport: nautilus
Regression: No
Severity: 2 - major
Reviewed:
Description
type=AVC msg=audit(1582069840.087:6495): avc: denied { setsched } for pid=27310 comm="fn_anonymous" scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:system_r:ceph_t:s0 tclass=process permissive=1
I can reproduce this with the code at https://bytefreaks.net/programming-2/c/cc-set-affinity-to-process-thread-example-code
# gcc -Wall /home/ubuntu/affinity.c -o /tmp/affinity
# chcon -t ceph_exec_t -u system_u /tmp/affinity
# runcon system_u:system_r:ceph_t:s0 /tmp/affinity
Successfully set thread 75076 to affinity to CPU 3
# grep -P "setsched" /var/log/audit/audit.log|tail -1
type=AVC msg=audit(1582081291.505:7290): avc: denied { setsched } for pid=75076 comm="affinity" scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:system_r:ceph_t:s0 tclass=process permissive=1

This seems to be happening in the NUMA code according to timestamps from the logs, so it would almost certainly be this code.

$ ag sched_setaffinity src/common/numa.cc
158:  int r = sched_setaffinity(getpid(), cpu_set_size, cpu_set);
178:    r = sched_setaffinity(tid, cpu_set_size, cpu_set);
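The two numa.cc call sites above and the reporter's affinity.c all end in the sched_setaffinity syscall, and that syscall passes through the kernel's security_task_setscheduler() LSM hook regardless of whether the mask actually changes; SELinux maps that hook to the process:setsched permission, checked against the label of the target task (here the caller itself, hence scontext == tcontext and the audit2allow rule `allow ceph_t self:process setsched;`). The program below is an added, self-contained reproducer of that code path, not the reporter's affinity.c and not Ceph's numa.cc: it reads the calling thread's current CPU mask and writes the same mask back, once for the calling thread (like numa.cc:178) and once for the process id (like numa.cc:158). It uses the raw syscalls so it builds without _GNU_SOURCE; the 1024-bit mask size is an assumption that covers CONFIG_NR_CPUS on the distribution kernels in this report.

```c
/* Added example: minimal stand-in for the sched_setaffinity() calls in
 * src/common/numa.cc. Not code from the Ceph tree or from the bug report.
 * Assumes Linux; the 1024-bit mask width is an assumption (see lead-in). */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <sys/types.h>

#define MASK_WORDS 16                    /* 16 * 64 = 1024 CPUs on LP64 */
typedef unsigned long cpumask_t[MASK_WORDS];

/* Fetch tid's affinity mask (0 = calling thread).
 * Returns the number of mask bytes the kernel filled in, or -errno. */
static long get_affinity(pid_t tid, cpumask_t mask)
{
    memset(mask, 0, sizeof(cpumask_t));
    long n = syscall(SYS_sched_getaffinity, tid, sizeof(cpumask_t), mask);
    return n < 0 ? -errno : n;
}

/* Re-apply tid's current mask unchanged. Scheduling is unaffected, but the
 * kernel still runs security_task_setscheduler(), so under SELinux this is
 * exactly the process:setsched check that fired for ceph_t in the report.
 * Returns 0 on success or -errno (EPERM if the policy denies it in
 * enforcing mode). */
int reapply_cpu_affinity(pid_t tid)
{
    cpumask_t mask;
    long n = get_affinity(tid, mask);
    if (n < 0)
        return (int)n;
    if (syscall(SYS_sched_setaffinity, tid, sizeof(cpumask_t), mask) < 0)
        return -errno;
    return 0;
}

/* Number of CPUs tid may currently run on, or -errno. */
int allowed_cpu_count(pid_t tid)
{
    cpumask_t mask;
    long n = get_affinity(tid, mask);
    if (n < 0)
        return (int)n;
    int count = 0;
    const size_t bits_per_word = 8 * sizeof(unsigned long);
    for (size_t bit = 0; bit < (size_t)n * 8; bit++)
        if (mask[bit / bits_per_word] & (1UL << (bit % bits_per_word)))
            count++;
    return count;
}

int main(void)
{
    pid_t tid = (pid_t)syscall(SYS_gettid);
    int r = reapply_cpu_affinity(0);          /* calling thread, cf. numa.cc:178 */
    if (r == 0)
        r = reapply_cpu_affinity(getpid());   /* process id, cf. numa.cc:158 */
    if (r != 0) {
        fprintf(stderr, "sched_setaffinity failed: %s\n", strerror(-r));
        return 1;
    }
    printf("thread %d re-applied its affinity mask over %d allowed CPU(s)\n",
           (int)tid, allowed_cpu_count(0));
    return 0;
}
```

Run it under `runcon system_u:system_r:ceph_t:s0` after `chcon -t ceph_exec_t` as in the report: in permissive mode it succeeds and logs the same `denied { setsched }` AVC with `syscall=sched_setaffinity`; in enforcing mode without the allow rule the second syscall fails with EPERM, which is how this denial would surface in a ceph-osd that has the NUMA pinning configured.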
Updated by Brad Hubbard about 4 years ago
SELinux is preventing /usr/bin/ceph-osd from using the setsched access on a process.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that ceph-osd should be allowed setsched access on processes labeled ceph_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'fn_anonymous' --raw | audit2allow -M my-fnanonymous
# semodule -X 300 -i my-fnanonymous.pp

Additional Information:
Source Context                system_u:system_r:ceph_t:s0
Target Context                system_u:system_r:ceph_t:s0
Target Objects                Unknown [ process ]
Source                        fn_anonymous
Source Path                   /usr/bin/ceph-osd
Port                          <Unknown>
Host                          smithi145
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.14.3-20.el8.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     smithi145
Platform                      Linux smithi145 4.18.0-147.el8.x86_64 #1 SMP Wed Dec 4 21:51:45 UTC 2019 x86_64 x86_64
Alert Count                   9
First Seen                    2020-02-18 23:50:40 UTC
Last Seen                     2020-02-19 03:01:31 UTC
Local ID                      a88ad0c5-7249-481a-b07d-359ebaf484ef

Raw Audit Messages
type=AVC msg=audit(1582081291.505:7290): avc: denied { setsched } for pid=75076 comm="affinity" scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:system_r:ceph_t:s0 tclass=process permissive=1
type=SYSCALL msg=audit(1582081291.505:7290): arch=x86_64 syscall=sched_setaffinity success=yes exit=0 a0=12544 a1=80 a2=7ffdc1a12540 a3=0 items=0 ppid=36563 pid=75076 auid=1000 uid=167 gid=167 euid=167 suid=167 fsuid=167 egid=167 sgid=167 fsgid=167 tty=pts0 ses=6 comm=affinity exe=/tmp/affinity subj=system_u:system_r:ceph_t:s0 key=(null)

Hash: fn_anonymous,ceph_t,ceph_t,process,setsched
Updated by Brad Hubbard about 4 years ago
- Status changed from New to In Progress
- Pull request ID set to 33404
Updated by Sage Weil about 4 years ago
- Status changed from In Progress to Pending Backport
Updated by Brad Hubbard about 4 years ago
- Related to Bug #40743: "SELinux denials found" in ceph-deploy/nautilus added
Updated by Nathan Cutler about 4 years ago
- Copied to Backport #44260: nautilus: selinux setsched denials for 'fn_anonymous' added
Updated by Brad Hubbard about 4 years ago
- Status changed from Pending Backport to Resolved