Bug #46723

closed

ceph-iscsi: selinux avc denial on rbd-target-api from ioctl access

Added by Jason Dillaman over 3 years ago. Updated over 3 years ago.

Status: Resolved
Priority: Normal
Assignee: -
Target version: -
% Done: 0%
Source:
Tags:
Backport: nautilus,octopus
Regression: No
Severity: 3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:
Crash signature (v1):
Crash signature (v2):

Description

SELinux is preventing rbd-target-api from ioctl access on the file /sys/kernel/config/target/dbroot.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that rbd-target-api should be allowed ioctl access on the dbroot file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'rbd-target-api' --raw | audit2allow -M my-rbdtargetapi
# semodule -X 300 -i my-rbdtargetapi.pp

Additional Information:
Source Context                system_u:system_r:ceph_t:s0
Target Context                system_u:object_r:configfs_t:s0
Target Objects                /sys/kernel/config/target/dbroot [ file ]
Source                        rbd-target-api
Source Path                   rbd-target-api
Port                          <Unknown>
Host                          magna030
Source RPM Packages           
Target RPM Packages           
Policy RPM                    <Unknown>
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     magna030
Platform                      Linux magna030 4.18.0-147.0.3.el8_1.x86_64 #1 SMP
                              Mon Nov 11 12:58:36 UTC 2019 x86_64 x86_64
Alert Count                   79
First Seen                    2019-12-19 08:35:27 UTC
Last Seen                     2019-12-23 11:54:06 UTC
Local ID                      6e04e34a-b177-4fb1-93c5-f5d8aa650bc5

Raw Audit Messages
type=AVC msg=audit(1577102046.885:1289418): avc:  denied  { ioctl } for  pid=2648788 comm="rbd-target-gw" path="/sys/kernel/config/target/dbroot" dev="configfs" ino=102482323 ioctlcmd=0x5401 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:configfs_t:s0 tclass=file permissive=1

type=SYSCALL msg=audit(1577102046.885:1289418): arch=x86_64 syscall=ioctl success=no exit=ENOTTY a0=7 a1=5401 a2=7fc1db66c970 a3=a41beeae308445fa items=0 ppid=1 pid=2648788 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=rbd-target-gw exe=/usr/libexec/platform-python3.6 subj=system_u:system_r:ceph_t:s0 key=(null)

Hash: rbd-target-api,ceph_t,configfs_t,file,ioctl
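The raw audit record above carries everything needed to triage this denial without running audit2allow: the source type (ceph_t), the target type and class (configfs_t:file), the permission (ioctl), the request number (ioctlcmd=0x5401, which is TCGETS, the ioctl that isatty()/tcgetattr() issue) and permissive=1 (logged, not blocked). The ENOTTY in the SYSCALL record confirms the kernel rejected the request as inapplicable to a configfs file. The following parser is an added example, not code from this tracker or from the ceph-iscsi project; the sample line is the AVC record from this issue, the ioctl table is the x86_64 values from asm-generic/ioctls.h, and the "dontaudit" suggestion for terminal probes on non-tty files is the usual policy convention rather than anything the issue itself prescribes.

```python
import re

# Constructed sample input: the AVC record quoted in this issue.
SAMPLE_AVC = (
    'type=AVC msg=audit(1577102046.885:1289418): avc:  denied  { ioctl } for  '
    'pid=2648788 comm="rbd-target-gw" path="/sys/kernel/config/target/dbroot" '
    'dev="configfs" ino=102482323 ioctlcmd=0x5401 '
    'scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:configfs_t:s0 '
    'tclass=file permissive=1'
)

# Terminal ioctl request numbers (x86_64, asm-generic/ioctls.h).
# TCGETS is what isatty()/tcgetattr() send; on a non-tty it fails with ENOTTY.
TTY_IOCTLS = {0x5401: "TCGETS", 0x5402: "TCSETS", 0x5413: "TIOCGWINSZ"}

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value or key="value"
_PERMS = re.compile(r'\{\s*([^}]*?)\s*\}')  # the { perm ... } set


def parse_avc(line):
    """Parse one AVC audit record into a dict; return None for non-AVC records."""
    if "avc:" not in line:
        return None
    rec = {k: v.strip('"') for k, v in _KV.findall(line)}
    m = _PERMS.search(line)
    rec["perms"] = m.group(1).split() if m else []
    rec["denied"] = " denied " in line
    # Contexts are user:role:type:level; the type is what policy rules key on.
    for key in ("scontext", "tcontext"):
        if key in rec:
            rec[key[0] + "type"] = rec[key].split(":")[2]
    if "ioctlcmd" in rec:
        rec["ioctlcmd"] = int(rec["ioctlcmd"], 16)
    # permissive=1 means the access was logged but not actually blocked.
    rec["permissive"] = rec.get("permissive") == "1"
    return rec


def classify(rec):
    """Return (action, reason). Terminal probes against a plain file are
    harmless noise that policy conventionally silences with dontaudit;
    anything else needs a human look before an allow rule is written."""
    cmd = rec.get("ioctlcmd")
    if "ioctl" in rec["perms"] and cmd in TTY_IOCTLS and rec.get("tclass") == "file":
        return ("dontaudit",
                f"{TTY_IOCTLS[cmd]} terminal probe on {rec['ttype']}:{rec['tclass']}")
    return ("review", "unrecognised access; inspect before allowing")


def suggest_rule(rec):
    """Render the policy statement for the classified action."""
    action, _ = classify(rec)
    perms = " ".join(rec["perms"])
    return f"{action} {rec['stype']} {rec['ttype']}:{rec['tclass']} {{ {perms} }};"


if __name__ == "__main__":
    rec = parse_avc(SAMPLE_AVC)
    print(f"{rec['comm']} ({rec['stype']}) -> {rec['path']} ({rec['ttype']})")
    print("permissive:", rec["permissive"], "|", *classify(rec))
    print(suggest_rule(rec))  # dontaudit ceph_t configfs_t:file { ioctl };
```

The difference from the audit2allow recipe quoted in the alert is the verb: audit2allow would emit an allow rule for the same tuple, whereas a dontaudit rule silences the probe without granting rbd-target-api any new ioctl capability on configfs, which is the right outcome when the request is a TCGETS that the kernel would refuse with ENOTTY anyway.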

Related issues 2 (0 open, 2 closed)

Copied to rbd - Backport #46724: octopus: ceph-iscsi: selinux avc denial on rbd-target-api from ioctl access | Resolved | Jason Dillaman
Copied to rbd - Backport #46725: nautilus: ceph-iscsi: selinux avc denial on rbd-target-api from ioctl access | Resolved | Jason Dillaman
#1

Updated by Jason Dillaman over 3 years ago

  • Copied to Backport #46724: octopus: ceph-iscsi: selinux avc denial on rbd-target-api from ioctl access added
#2

Updated by Jason Dillaman over 3 years ago

  • Copied to Backport #46725: nautilus: ceph-iscsi: selinux avc denial on rbd-target-api from ioctl access added
#3

Updated by Nathan Cutler over 3 years ago

  • Status changed from Pending Backport to Resolved

While running with --resolve-parent, the script "backport-create-issue" noticed that all backports of this issue are in status "Resolved" or "Rejected".
