Bug #45022
SElinux denials observed on teuthology multisite run
0%
Description
Description of problem:
ceph version 12.2.12-101.el7cp (20a4945f2321019ed50c1844b413059c07304074) luminous
On a teuthology multisite run, we see failures with multiple selinux denials.
2020-04-06T05:26:47.732 INFO:teuthology.orchestra.run.pluto009.stdout:type=AVC msg=audit(1586164501.591:3252): avc: denied { name_connect } for pid=25545 comm="radosgw" dest=8080 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=1
2020-04-06T05:26:47.733 INFO:teuthology.orchestra.run.pluto009.stdout:type=AVC msg=audit(1586164773.692:139): avc: denied { name_connect } for pid=2051 comm="meta-sync" dest=8080 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=1
2020-04-06T05:26:47.733 INFO:teuthology.orchestra.run.pluto009.stdout:type=AVC msg=audit(1586164773.692:140): avc: denied { name_connect } for pid=2051 comm="data-sync" dest=8080 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=1
2020-04-06T05:26:47.734 INFO:teuthology.orchestra.run.pluto009.stdout:type=AVC msg=audit(1586164773.867:141): avc: denied { name_connect } for pid=2051 comm="http_manager" dest=8080 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=1
2020-04-06T05:26:47.734 INFO:teuthology.orchestra.run.pluto009.stdout:type=AVC msg=audit(1586164774.990:170): avc: denied { name_connect } for pid=2051 comm="http_manager" dest=8080 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=1
2020-04-06T05:26:47.734 INFO:teuthology.orchestra.run.pluto009.stdout:type=AVC msg=audit(1586164776.945:200): avc: denied { name_connect } for pid=2051 comm="http_manager" dest=8080 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=1
2020-04-06T05:26:47.735 INFO:teuthology.orchestra.run.pluto009.stdout:type=AVC msg=audit(1586164799.351:225): avc: denied { name_connect } for pid=2051 comm="http_manager" dest=8080 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=1
2020-04-06T05:26:47.735 INFO:teuthology.orchestra.run.pluto009.stdout:type=AVC msg=audit(1586164874.154:295): avc: denied { name_connect } for pid=2051 comm="http_manager" dest=8080 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=1
2020-04-06T05:26:47.735 DEBUG:teuthology.task.selinux:ubuntu@pluto009.ceph.redhat.com has 8 denials
selinux is set to permissive mode in this run.
Logs attached.
Related issues
History
#1 Updated by Kefu Chai over 3 years ago
- Status changed from New to Resolved
#2 Updated by Casey Bodley over 3 years ago
- Status changed from Resolved to Pending Backport
- Backport set to nautilus octopus
#3 Updated by Nathan Cutler over 3 years ago
- Copied to Backport #45073: nautilus: SElinux denials observed on teuthology multisite run added
#4 Updated by Nathan Cutler over 3 years ago
- Copied to Backport #45074: octopus: SElinux denials observed on teuthology multisite run added
#5 Updated by Nathan Cutler over 3 years ago
- Status changed from Pending Backport to Resolved
While running with --resolve-parent, the script "backport-create-issue" noticed that all backports of this issue are in status "Resolved" or "Rejected".