Bug #50151
closedSElinux denials observed on teuthology rados/upgrade run
0%
Description
rados/upgrade/pacific-x/parallel/{0-start 1-tasks distro1$/{rhel_8.3_kubic_stable} mon_election/connectivity upgrade-sequence workload/{ec-rados-default rados_api rados_loadgenbig rbd_import_export test_rbd_api test_rbd_python}}
['type=AVC msg=audit(1617683500.395:7759): avc: denied { write } for pid=73926 comm="rstore_compact" name="store.db" dev="dm-4" ino=16797828 scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:container_file_t:s0 tclass=dir permissive=1 srawcon="system_u:system_r:spc_t:s0"',
'type=AVC msg=audit(1617683493.127:7705): avc: denied { search } for pid=88092 comm="node_exporter" name="containers" dev="sda1" ino=1452 scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1 srawcon="system_u:system_r:spc_t:s0" trawcon="system_u:object_r:container_var_lib_t:s0"',
'type=AVC msg=audit(1617683533.125:7895): avc: denied { read } for pid=88092 comm="node_exporter" name="mdstat" dev="proc" ino=4026532018 scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:proc_mdstat_t:s0 tclass=file permissive=1 srawcon="system_u:system_r:spc_t:s0"',
/a/kchai-2021-04-06_02:58:54-rados-wip-kefu-testing-2021-04-05-1650-distro-basic-smithi/6023265/
Files
Updated by Kefu Chai about 3 years ago
/a/kchai-2021-04-11_12:36:03-rados-wip-kefu-testing-2021-04-11-1826-distro-basic-smithi/6035897/
Updated by Kefu Chai almost 3 years ago
/a/kchai-2021-05-16_04:30:13-rados-wip-kefu-testing-2021-05-16-1043-distro-basic-smithi/6116774/
shall we run restorecon on the mount point in cephadm, like we did in https://github.com/ceph/ceph-qa-suite/pull/1309?
Updated by Neha Ojha almost 3 years ago
- Priority changed from Normal to Urgent
/a/yuriw-2021-07-12_16:33:44-rados-wip-yuriw-master-7.8.21-distro-basic-smithi/6265225
/a/sage-2021-07-12_18:10:23-rados-wip-sage4-testing-2021-07-12-1236-distro-basic-smithi/6266297
Updated by Sage Weil almost 3 years ago
- Status changed from New to Fix Under Review
- Assignee set to Sage Weil
- Pull request ID set to 42343
Updated by Sage Weil almost 3 years ago
The problem is that the podman upgrade, which (re)installed container-selinux-policy, is at the end of the task list, not the beginning, and everything is running while the selinux policy is getting changed around.
Updated by Sage Weil almost 3 years ago
- Status changed from Fix Under Review to Resolved