Bug #50151

closed

SELinux denials observed on teuthology rados/upgrade run

Added by Kefu Chai about 3 years ago. Updated almost 3 years ago.

Status: Resolved
Priority: Urgent
Category: -
Target version: -
% Done: 0%
Regression: No
Severity: 3 - minor

Description

rados/upgrade/pacific-x/parallel/{0-start 1-tasks distro1$/{rhel_8.3_kubic_stable} mon_election/connectivity upgrade-sequence workload/{ec-rados-default rados_api rados_loadgenbig rbd_import_export test_rbd_api test_rbd_python}}

['type=AVC msg=audit(1617683500.395:7759): avc: denied { write } for pid=73926 comm="rstore_compact" name="store.db" dev="dm-4" ino=16797828 scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:container_file_t:s0 tclass=dir permissive=1 srawcon="system_u:system_r:spc_t:s0"',
 'type=AVC msg=audit(1617683493.127:7705): avc: denied { search } for pid=88092 comm="node_exporter" name="containers" dev="sda1" ino=1452 scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1 srawcon="system_u:system_r:spc_t:s0" trawcon="system_u:object_r:container_var_lib_t:s0"',
 'type=AVC msg=audit(1617683533.125:7895): avc: denied { read } for pid=88092 comm="node_exporter" name="mdstat" dev="proc" ino=4026532018 scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:proc_mdstat_t:s0 tclass=file permissive=1 srawcon="system_u:system_r:spc_t:s0"',

/a/kchai-2021-04-06_02:58:54-rados-wip-kefu-testing-2021-04-05-1650-distro-basic-smithi/6023265/


Files

denials.txt (114 KB) Kefu Chai, 04/06/2021 05:35 AM
Actions #1

Updated by Kefu Chai about 3 years ago

/a/kchai-2021-04-11_12:36:03-rados-wip-kefu-testing-2021-04-11-1826-distro-basic-smithi/6035897/

Actions #2

Updated by Kefu Chai almost 3 years ago

/a/kchai-2021-05-16_04:30:13-rados-wip-kefu-testing-2021-05-16-1043-distro-basic-smithi/6116774/

Shall we run restorecon on the mount point in cephadm, like we did in https://github.com/ceph/ceph-qa-suite/pull/1309?

Actions #3

Updated by Neha Ojha almost 3 years ago

  • Priority changed from Normal to Urgent

/a/yuriw-2021-07-12_16:33:44-rados-wip-yuriw-master-7.8.21-distro-basic-smithi/6265225
/a/sage-2021-07-12_18:10:23-rados-wip-sage4-testing-2021-07-12-1236-distro-basic-smithi/6266297

Actions #4

Updated by Sage Weil almost 3 years ago

  • Status changed from New to Fix Under Review
  • Assignee set to Sage Weil
  • Pull request ID set to 42343
Actions #5

Updated by Sage Weil almost 3 years ago

The problem is that the podman upgrade, which (re)installed container-selinux-policy, is at the end of the task list, not the beginning, and everything is running while the SELinux policy is getting changed around.
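
A triage sketch for denials like the ones quoted in this report, added here as an example and not part of the tracker thread or of Ceph/teuthology code. It separates records whose effective context fell back to unlabeled_t while a raw context (srawcon/trawcon) was still logged from ordinary denials. It assumes the kernel emits srawcon/trawcon only when the stored context is invalid under the currently loaded policy; the function names and the fourth sample record are constructed for illustration.

```python
import re
from collections import Counter

# First three records are the denials quoted in this report; the fourth is constructed.
SAMPLE = [
    'type=AVC msg=audit(1617683500.395:7759): avc: denied { write } for pid=73926 comm="rstore_compact" name="store.db" dev="dm-4" ino=16797828 scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:container_file_t:s0 tclass=dir permissive=1 srawcon="system_u:system_r:spc_t:s0"',
    'type=AVC msg=audit(1617683493.127:7705): avc: denied { search } for pid=88092 comm="node_exporter" name="containers" dev="sda1" ino=1452 scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1 srawcon="system_u:system_r:spc_t:s0" trawcon="system_u:object_r:container_var_lib_t:s0"',
    'type=AVC msg=audit(1617683533.125:7895): avc: denied { read } for pid=88092 comm="node_exporter" name="mdstat" dev="proc" ino=4026532018 scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:proc_mdstat_t:s0 tclass=file permissive=1 srawcon="system_u:system_r:spc_t:s0"',
    'type=AVC msg=audit(1700000000.000:1): avc: denied { read } for pid=100 comm="example" name="x" dev="sda1" ino=1 scontext=system_u:system_r:container_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0',
]

PERMS = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the key=value fields of one AVC denial, or None for other lines."""
    m = PERMS.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in FIELD.findall(line)}
    rec["perms"] = m.group(1).split()
    return rec


def type_of(context):
    """Extract the type field from user:role:type:level."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def classify(rec):
    """Record which side(s) were remapped to unlabeled_t and label the denial."""
    rec["remapped"] = [
        (eff, type_of(rec[raw]))
        for eff, raw in (("scontext", "srawcon"), ("tcontext", "trawcon"))
        if raw in rec and type_of(rec.get(eff, "")) == "unlabeled_t"
    ]
    return "invalidated-context" if rec["remapped"] else "ordinary"


def triage(lines):
    """Count denials by (class, comm, permissions)."""
    summary = Counter()
    for rec in filter(None, map(parse_avc, lines)):
        summary[(classify(rec), rec["comm"], tuple(rec["perms"]))] += 1
    return summary


if __name__ == "__main__":
    for key, count in sorted(triage(SAMPLE).items()):
        print(count, *key)
```

A run in which most denials land in the invalidated-context class points at a policy change underneath running processes rather than at missing allow rules.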

Actions #6

Updated by Sage Weil almost 3 years ago

  • Status changed from Fix Under Review to Resolved