Bug #45022

SElinux denials observed on teuthology multisite run

Added by Kaleb KEITHLEY over 1 year ago. Updated over 1 year ago.

Status: Resolved
Priority: Normal
Target version:
% Done: 0%
Source: Q/A
Tags:
Backport: nautilus octopus
Regression: No
Severity: 3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite: teuthology
Pull request ID:
Crash signature (v1):
Crash signature (v2):

Description

Description of problem:
ceph version 12.2.12-101.el7cp (20a4945f2321019ed50c1844b413059c07304074) luminous

On a teuthology multisite run, we see failures with multiple SELinux denials.

2020-04-06T05:26:47.732 INFO:teuthology.orchestra.run.pluto009.stdout:type=AVC msg=audit(1586164501.591:3252): avc: denied { name_connect } for pid=25545 comm="radosgw" dest=8080 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=1
2020-04-06T05:26:47.733 INFO:teuthology.orchestra.run.pluto009.stdout:type=AVC msg=audit(1586164773.692:139): avc: denied { name_connect } for pid=2051 comm="meta-sync" dest=8080 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=1
2020-04-06T05:26:47.733 INFO:teuthology.orchestra.run.pluto009.stdout:type=AVC msg=audit(1586164773.692:140): avc: denied { name_connect } for pid=2051 comm="data-sync" dest=8080 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=1
2020-04-06T05:26:47.734 INFO:teuthology.orchestra.run.pluto009.stdout:type=AVC msg=audit(1586164773.867:141): avc: denied { name_connect } for pid=2051 comm="http_manager" dest=8080 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=1
2020-04-06T05:26:47.734 INFO:teuthology.orchestra.run.pluto009.stdout:type=AVC msg=audit(1586164774.990:170): avc: denied { name_connect } for pid=2051 comm="http_manager" dest=8080 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=1
2020-04-06T05:26:47.734 INFO:teuthology.orchestra.run.pluto009.stdout:type=AVC msg=audit(1586164776.945:200): avc: denied { name_connect } for pid=2051 comm="http_manager" dest=8080 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=1
2020-04-06T05:26:47.735 INFO:teuthology.orchestra.run.pluto009.stdout:type=AVC msg=audit(1586164799.351:225): avc: denied { name_connect } for pid=2051 comm="http_manager" dest=8080 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=1
2020-04-06T05:26:47.735 INFO:teuthology.orchestra.run.pluto009.stdout:type=AVC msg=audit(1586164874.154:295): avc: denied { name_connect } for pid=2051 comm="http_manager" dest=8080 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=1
2020-04-06T05:26:47.735 DEBUG:teuthology.task.selinux: has 8 denials

SELinux is set to permissive mode in this run.
Logs attached.
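
A triage sketch for the denial records above, added here as an example and not part of the original report or of teuthology: it parses teuthology-wrapped AVC lines and groups them by source type, target type, class, permission and destination port, so repeated records collapse into the distinct policy gaps they represent. The names `parse_avc` and `summarize` are hypothetical; the sample input is three records and the DEBUG line taken from this report.

```python
import re
from collections import Counter

# Sample input: three AVC records and the DEBUG line from the report above.
SAMPLE = """\
2020-04-06T05:26:47.732 INFO:teuthology.orchestra.run.pluto009.stdout:type=AVC msg=audit(1586164501.591:3252): avc: denied { name_connect } for pid=25545 comm="radosgw" dest=8080 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=1
2020-04-06T05:26:47.733 INFO:teuthology.orchestra.run.pluto009.stdout:type=AVC msg=audit(1586164773.692:139): avc: denied { name_connect } for pid=2051 comm="meta-sync" dest=8080 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=1
2020-04-06T05:26:47.734 INFO:teuthology.orchestra.run.pluto009.stdout:type=AVC msg=audit(1586164773.867:141): avc: denied { name_connect } for pid=2051 comm="http_manager" dest=8080 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=1
2020-04-06T05:26:47.735 DEBUG:teuthology.task.selinux: has 8 denials
"""

# Matches the audit payload wherever it sits in the line, so log prefixes are ignored.
AVC_RE = re.compile(r'type=AVC msg=audit\([\d.]+:\d+\): avc:\s+denied\s+'
                    r'\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # quoted values may contain spaces

def parse_avc(line):
    """Return a dict for one AVC denial, or None if the line is not a usable record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m["fields"])}
    if not {"scontext", "tcontext", "tclass"} <= rec.keys():
        return None
    rec["perms"] = m["perms"].split()
    # An SELinux context is user:role:type:level; the type is what policy rules name.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def summarize(lines):
    """Count denials per distinct rule and collect the thread names that hit each one."""
    rules, comms = Counter(), {}
    for rec in filter(None, map(parse_avc, lines)):
        for perm in rec["perms"]:
            key = (rec["stype"], rec["ttype"], rec["tclass"], perm,
                   rec.get("dest"), rec.get("permissive"))
            rules[key] += 1
            comms.setdefault(key, set()).add(rec.get("comm", ""))
    return rules, comms

if __name__ == "__main__":
    rules, comms = summarize(SAMPLE.splitlines())
    for key, n in rules.items():
        stype, ttype, tclass, perm, dest, permissive = key
        # permissive=1 means the access was logged but allowed, not blocked.
        mode = "logged only" if permissive == "1" else "blocked"
        print(f"{n}x {stype} -> {ttype}:{tclass} {{ {perm} }} dest={dest} "
              f"[{mode}] comm={sorted(comms[key])}")
```
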


Related issues

Copied to rgw - Backport #45073: nautilus: SElinux denials observed on teuthology multisite run Resolved
Copied to rgw - Backport #45074: octopus: SElinux denials observed on teuthology multisite run Resolved

History

#2 Updated by Casey Bodley over 1 year ago

  • Status changed from Resolved to Pending Backport
  • Backport set to nautilus octopus

#3 Updated by Nathan Cutler over 1 year ago

  • Copied to Backport #45073: nautilus: SElinux denials observed on teuthology multisite run added

#4 Updated by Nathan Cutler over 1 year ago

  • Copied to Backport #45074: octopus: SElinux denials observed on teuthology multisite run added

#5 Updated by Nathan Cutler over 1 year ago

  • Status changed from Pending Backport to Resolved

While running with --resolve-parent, the script "backport-create-issue" noticed that all backports of this issue are in status "Resolved" or "Rejected".
