Bug #46723 (closed)
ceph-iscsi: selinux avc denial on rbd-target-api from ioctl access
Status: Resolved
Priority: Normal
Assignee: -
Target version: -
% Done: 0%
Source:
Tags:
Backport: nautilus,octopus
Regression: No
Severity: 3 - minor
Reviewed:
Description
SELinux is preventing rbd-target-api from ioctl access on the file /sys/kernel/config/target/dbroot.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that rbd-target-api should be allowed ioctl access on the dbroot file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'rbd-target-api' --raw | audit2allow -M my-rbdtargetapi
# semodule -X 300 -i my-rbdtargetapi.pp

Additional Information:
Source Context                system_u:system_r:ceph_t:s0
Target Context                system_u:object_r:configfs_t:s0
Target Objects                /sys/kernel/config/target/dbroot [ file ]
Source                        rbd-target-api
Source Path                   rbd-target-api
Port                          <Unknown>
Host                          magna030
Source RPM Packages
Target RPM Packages
Policy RPM                    <Unknown>
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     magna030
Platform                      Linux magna030 4.18.0-147.0.3.el8_1.x86_64 #1 SMP Mon Nov 11 12:58:36 UTC 2019 x86_64 x86_64
Alert Count                   79
First Seen                    2019-12-19 08:35:27 UTC
Last Seen                     2019-12-23 11:54:06 UTC
Local ID                      6e04e34a-b177-4fb1-93c5-f5d8aa650bc5

Raw Audit Messages
type=AVC msg=audit(1577102046.885:1289418): avc: denied { ioctl } for pid=2648788 comm="rbd-target-gw" path="/sys/kernel/config/target/dbroot" dev="configfs" ino=102482323 ioctlcmd=0x5401 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:configfs_t:s0 tclass=file permissive=1

type=SYSCALL msg=audit(1577102046.885:1289418): arch=x86_64 syscall=ioctl success=no exit=ENOTTY a0=7 a1=5401 a2=7fc1db66c970 a3=a41beeae308445fa items=0 ppid=1 pid=2648788 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=rbd-target-gw exe=/usr/libexec/platform-python3.6 subj=system_u:system_r:ceph_t:s0 key=(null)

Hash: rbd-target-api,ceph_t,configfs_t,file,ioctl
Updated by Jason Dillaman over 3 years ago
- Copied to Backport #46724: octopus: ceph-iscsi: selinux avc denial on rbd-target-api from ioctl access added
Updated by Jason Dillaman over 3 years ago
- Copied to Backport #46725: nautilus: ceph-iscsi: selinux avc denial on rbd-target-api from ioctl access added
Updated by Nathan Cutler over 3 years ago
- Status changed from Pending Backport to Resolved
While running with --resolve-parent, the script "backport-create-issue" noticed that all backports of this issue are in status "Resolved" or "Rejected".