Bug #44196
closed
selinux setsched denials for 'fn_anonymous'
Added by Brad Hubbard about 4 years ago.
Updated about 4 years ago.
Description
type=AVC msg=audit(1582069840.087:6495): avc: denied { setsched } for pid=27310 comm="fn_anonymous" scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:system_r:ceph_t:s0 tclass=process permissive=1
I can reproduce this with the code at https://bytefreaks.net/programming-2/c/cc-set-affinity-to-process-thread-example-code
# gcc -Wall /home/ubuntu/affinity.c -o /tmp/affinity
# chcon -t ceph_exec_t -u system_u /tmp/affinity
# runcon system_u:system_r:ceph_t:s0 /tmp/affinity
Successfully set thread 75076 to affinity to CPU 3
# grep -P "setsched" /var/log/audit/audit.log|tail -1
type=AVC msg=audit(1582081291.505:7290): avc: denied { setsched } for pid=75076 comm="affinity" scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:system_r:ceph_t:s0 tclass=process permissive=1
This seems to be happening in the NUMA code according to timestamps from the logs, so it would almost certainly be this code.
$ ag sched_setaffinity src/common/numa.cc
158: int r = sched_setaffinity(getpid(), cpu_set_size, cpu_set);
178: r = sched_setaffinity(tid, cpu_set_size, cpu_set);
SELinux is preventing /usr/bin/ceph-osd from using the setsched access on a process.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that ceph-osd should be allowed setsched access on processes labeled ceph_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'fn_anonymous' --raw | audit2allow -M my-fnanonymous
# semodule -X 300 -i my-fnanonymous.pp
Additional Information:
Source Context system_u:system_r:ceph_t:s0
Target Context system_u:system_r:ceph_t:s0
Target Objects Unknown [ process ]
Source fn_anonymous
Source Path /usr/bin/ceph-osd
Port <Unknown>
Host smithi145
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.14.3-20.el8.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name smithi145
Platform Linux smithi145 4.18.0-147.el8.x86_64 #1 SMP Wed Dec 4 21:51:45 UTC 2019 x86_64 x86_64
Alert Count 9
First Seen 2020-02-18 23:50:40 UTC
Last Seen 2020-02-19 03:01:31 UTC
Local ID a88ad0c5-7249-481a-b07d-359ebaf484ef
Raw Audit Messages
type=AVC msg=audit(1582081291.505:7290): avc: denied { setsched } for pid=75076 comm="affinity" scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:system_r:ceph_t:s0 tclass=process permissive=1
type=SYSCALL msg=audit(1582081291.505:7290): arch=x86_64 syscall=sched_setaffinity success=yes exit=0 a0=12544 a1=80 a2=7ffdc1a12540 a3=0 items=0 ppid=36563 pid=75076 auid=1000 uid=167 gid=167 euid=167 suid=167 fsuid=167 egid=167 sgid=167 fsgid=167 tty=pts0 ses=6 comm=affinity exe=/tmp/affinity subj=system_u:system_r:ceph_t:s0 key=(null)
Hash: fn_anonymous,ceph_t,ceph_t,process,setsched
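For triaging reports like this one, it helps to turn raw AVC records into the (source type, target type, class) tuples they complain about and to separate denials that were actually blocked from ones that were only logged. The script below is an added example written for this page; it is not part of Ceph, the tracker, or the sealert tooling. The constructed sample log reuses the field layout of the setsched records quoted above (the third record is invented, with placeholder type example_file_t, only to exercise the enforcing-mode, multi-permission path). The rule rendering follows audit2allow's convention of writing `self` when source and target types coincide; that convention is an assumption here, not something checked against a particular audit2allow version.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed sample log, modelled on the AVC records quoted in this report.
# The third AVC record is made up (placeholder type example_file_t) to
# exercise the non-permissive, multi-permission path; it is not a real denial.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1582069840.087:6495): avc: denied { setsched } for pid=27310 comm="fn_anonymous" scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:system_r:ceph_t:s0 tclass=process permissive=1
type=SYSCALL msg=audit(1582069840.087:6495): arch=c000003e syscall=203 success=yes exit=0 comm="fn_anonymous" exe="/usr/bin/ceph-osd"
type=AVC msg=audit(1582081291.505:7290): avc: denied { setsched } for pid=75076 comm="affinity" scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:system_r:ceph_t:s0 tclass=process permissive=1
type=AVC msg=audit(1582081300.000:7300): avc: denied { read write } for pid=75077 comm="example" scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:example_file_t:s0 tclass=file permissive=0
"""

# Head of an AVC record: timestamp, serial, decision, permission set, then key=value fields.
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$"
)
# key=value pairs; some values (comm, path, exe) are double-quoted.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def context_type(ctx: str) -> str:
    """Return the type (third component) of a user:role:type:level context."""
    return ctx.split(":")[2]


def parse_avc(line: str) -> Optional[Dict]:
    """Parse one AVC line; return None for other record types (SYSCALL, PATH, ...)."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {}
    for key, quoted, bare in KV_RE.findall(m.group("rest")):
        fields[key] = quoted if bare == "" else bare
    return {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "decision": m.group("decision"),
        "perms": m.group("perms").split(),
        "pid": int(fields.get("pid", 0)),
        "comm": fields.get("comm", ""),
        "stype": context_type(fields["scontext"]),
        "ttype": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        # permissive=1 means the denial was only logged; the syscall still succeeded.
        "blocked": fields.get("permissive") == "0",
    }


def parse_audit_log(text: str) -> List[Dict]:
    """Return the parsed AVC records of a multi-line audit log, in file order."""
    return [r for r in (parse_avc(line) for line in text.splitlines()) if r]


def allow_rule(rec: Dict) -> str:
    """Render the allow rule this denial asks for, in audit2allow-style notation
    (assumption: target written as 'self' when source and target types coincide)."""
    target = "self" if rec["ttype"] == rec["stype"] else rec["ttype"]
    perms = sorted(rec["perms"])
    perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {rec['stype']} {target}:{rec['tclass']} {perm_str};"


def summarize(records: List[Dict]) -> List[Dict]:
    """Group denials by (source type, target type, class) and report the count,
    the processes involved, the union of permissions, and whether any instance
    was actually blocked (enforcing) rather than merely logged (permissive)."""
    groups = defaultdict(lambda: {"count": 0, "comms": set(), "perms": set(), "blocked": False})
    for r in records:
        g = groups[(r["stype"], r["ttype"], r["tclass"])]
        g["count"] += 1
        g["comms"].add(r["comm"])
        g["perms"].update(r["perms"])
        g["blocked"] = g["blocked"] or r["blocked"]
    summary = []
    for (stype, ttype, tclass), g in sorted(groups.items()):
        summary.append({
            "stype": stype, "ttype": ttype, "tclass": tclass,
            "count": g["count"], "comms": sorted(g["comms"]),
            "rule": allow_rule({"stype": stype, "ttype": ttype,
                                "tclass": tclass, "perms": sorted(g["perms"])}),
            "blocked": g["blocked"],
        })
    return summary


if __name__ == "__main__":
    for s in summarize(parse_audit_log(SAMPLE_AUDIT_LOG)):
        mode = "blocked" if s["blocked"] else "logged only (permissive)"
        print(f"{s['count']:3d}x {s['comms']} -> {s['rule']}  [{mode}]")
```

The "blocked" flag is the detail worth checking first: in the report above every record carries permissive=1 and the matching SYSCALL line says success=yes, so the sched_setaffinity calls in numa.cc went through and the OSD behaved normally. On an enforcing host the same policy gap would instead make those calls return an error, which is why the missing rule belongs in the shipped ceph policy (as the linked pull request does) rather than in a per-host audit2allow module.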
- Status changed from New to In Progress
- Pull request ID set to 33404
- Status changed from In Progress to Pending Backport
- Related to Bug #40743: "SELinux denials found" in ceph-deploy/nautilus added
- Copied to Backport #44260: nautilus: selinux setsched denials for 'fn_anonymous' added
- Status changed from Pending Backport to Resolved