Bug #54304
qa/suites/orch/cephadm: SELinux denials on centos 8.stream tests
Status: Rejected
Priority: High
Assignee: -
Category: -
Target version: -
% Done: 0%
Source:
Tags:
Backport:
Regression: No
Severity: 3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:
Crash signature (v1):
Crash signature (v2):
Description
in pacific:
http://pulpito.front.sepia.ceph.com/adking-2022-02-15_22:33:11-orch:cephadm-wip-adk2-testing-2022-02-15-1304-pacific-distro-basic-smithi/6685838
http://pulpito.front.sepia.ceph.com/adking-2022-02-15_22:33:11-orch:cephadm-wip-adk2-testing-2022-02-15-1304-pacific-distro-basic-smithi/6685891
in master:
Updated by Brad Hubbard about 2 years ago
- Status changed from New to Rejected
The 'dhclient/chrony' issues seem to be a system issue similar to https://bugzilla.redhat.com/show_bug.cgi?id=1897388 (fedora)
SELinux is preventing /usr/bin/bash from getattr access on the file /var/lib/sss/mc/passwd.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that bash should be allowed getattr access on the passwd file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c '11-dhclient' --raw | audit2allow -M my-11dhclient
# semodule -X 300 -i my-11dhclient.pp

Additional Information:
Source Context                system_u:system_r:NetworkManager_dispatcher_t:s0
Target Context                system_u:object_r:sssd_public_t:s0
Target Objects                /var/lib/sss/mc/passwd [ file ]
Source                        11-dhclient
Source Path                   /usr/bin/bash
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           bash-4.4.20-3.el8.x86_64
Target RPM Packages           sssd-common-2.6.1-2.el8.x86_64
SELinux Policy RPM            selinux-policy-targeted-3.14.3-91.el8.noarch
Local Policy RPM              selinux-policy-targeted-3.14.3-91.el8.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     smithi190
Platform                      Linux smithi190 4.18.0-365.el8.x86_64 #1 SMP Thu Feb 10 16:11:23 UTC 2022 x86_64 x86_64
Alert Count                   1
First Seen                    2022-02-22 00:00:00 UTC
Last Seen                     2022-02-22 00:00:00 UTC
Local ID                      00a65883-67b5-4aea-9c3e-02a1076ef1d4

SELinux is preventing /usr/bin/bash from execute access on the file chrony.sh.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that bash should be allowed execute access on the chrony.sh file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c '11-dhclient' --raw | audit2allow -M my-11dhclient
# semodule -X 300 -i my-11dhclient.pp

Additional Information:
Source Context                system_u:system_r:NetworkManager_dispatcher_t:s0
Target Context                system_u:object_r:bin_t:s0
Target Objects                chrony.sh [ file ]
Source                        11-dhclient
Source Path                   /usr/bin/bash
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           bash-4.4.20-3.el8.x86_64
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-3.14.3-91.el8.noarch
Local Policy RPM              selinux-policy-targeted-3.14.3-91.el8.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     smithi190
Platform                      Linux smithi190 4.18.0-365.el8.x86_64 #1 SMP Thu Feb 10 16:11:23 UTC 2022 x86_64 x86_64
Alert Count                   1
First Seen                    2022-02-22 00:00:00 UTC
Last Seen                     2022-02-22 00:00:00 UTC
Local ID                      64fdeff5-fa9f-4406-86f0-901da47af39f
Looking at the original messages, they pretty much all seem to be related to 'chrony/dhcp'.
SELinux denials found on ubuntu@smithi085.front.sepia.ceph.com:
type=AVC msg=audit(1645015431.335:3623): avc: denied { map } for pid=55982 comm="11-dhclient" path="/usr/bin/bash" dev="sda1" ino=6040 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1645015431.339:3631): avc: denied { map } for pid=55986 comm="rm" path="/usr/bin/rm" dev="sda1" ino=10810 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
type=AVC msg=audit(1645015431.336:3627): avc: denied { write } for pid=55982 comm="11-dhclient" name="nss" dev="sda1" ino=2052 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1645015431.348:3642): avc: denied { write } for pid=55994 comm="chronyc" name="chrony" dev="tmpfs" ino=23201 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:chronyd_var_run_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1645015431.337:3629): avc: denied { getattr } for pid=55982 comm="11-dhclient" path="/etc/passwd" dev="sda1" ino=39866 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1
type=AVC msg=audit(1645015431.348:3644): avc: denied { write } for pid=55994 comm="chronyc" name="chronyd.sock" dev="tmpfs" ino=98937 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:chronyd_var_run_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1645015431.342:3635): avc: denied { write } for pid=55988 comm="chrony-helper" name="lock" dev="tmpfs" ino=25954 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:chronyd_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1645015431.340:3632): avc: denied { read open } for pid=55988 comm="20-chrony-dhcp" path="/usr/libexec/chrony-helper" dev="sda1" ino=20468 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:chronyd_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1645015431.337:3628): avc: denied { read } for pid=55982 comm="11-dhclient" name="passwd" dev="sda1" ino=39866 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1
type=AVC msg=audit(1645015431.348:3643): avc: denied { setattr } for pid=55994 comm="chronyc" name="chronyc.55994.sock" dev="tmpfs" ino=260616 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:chronyd_var_run_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1645015431.345:3637): avc: denied { read } for pid=55991 comm="chrony-helper" name="chrony-helper" dev="tmpfs" ino=26794 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:chronyd_var_run_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1645015431.336:3625): avc: denied { getattr } for pid=55982 comm="11-dhclient" path="/var/lib/sss/mc/passwd" dev="sda1" ino=39864 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
type=AVC msg=audit(1645015431.335:3623): avc: denied { execute } for pid=55982 comm="nm-dispatcher" name="11-dhclient" dev="sda1" ino=66 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:NetworkManager_dispatcher_script_t:s0 tclass=file permissive=1
type=AVC msg=audit(1645015431.340:3632): avc: denied { execute_no_trans } for pid=55988 comm="20-chrony-dhcp" path="/usr/libexec/chrony-helper" dev="sda1" ino=20468 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:chronyd_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1645015431.348:3644): avc: denied { sendto } for pid=55994 comm="chronyc" path="/run/chrony/chronyd.sock" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:chronyd_t:s0 tclass=unix_dgram_socket permissive=1
type=AVC msg=audit(1645015431.336:3624): avc: denied { open } for pid=55982 comm="11-dhclient" path="/var/lib/sss/mc/passwd" dev="sda1" ino=39864 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
type=AVC msg=audit(1645015431.335:3623): avc: denied { execute_no_trans } for pid=55982 comm="nm-dispatcher" path="/etc/NetworkManager/dispatcher.d/11-dhclient" dev="sda1" ino=66 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:NetworkManager_dispatcher_script_t:s0 tclass=file permissive=1
type=AVC msg=audit(1645015431.337:3628): avc: denied { open } for pid=55982 comm="11-dhclient" path="/etc/passwd" dev="sda1" ino=39866 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1
type=AVC msg=audit(1645015431.345:3638): avc: denied { read } for pid=55991 comm="chrony-helper" name="dhclient" dev="sda1" ino=1965 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:dhcpc_state_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1645015431.343:3636): avc: denied { lock } for pid=55990 comm="flock" path="/run/chrony-helper/lock" dev="tmpfs" ino=25954 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:chronyd_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1645015431.337:3630): avc: denied { execute } for pid=55982 comm="11-dhclient" name="chrony.sh" dev="sda1" ino=662 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
type=AVC msg=audit(1645015431.348:3640): avc: denied { create } for pid=55994 comm="chronyc" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tclass=udp_socket permissive=1
type=AVC msg=audit(1645015431.349:3646): avc: denied { unlink } for pid=55994 comm="chronyc" name="chronyc.55994.sock" dev="tmpfs" ino=260616 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:chronyd_var_run_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1645015431.341:3633): avc: denied { getattr } for pid=55988 comm="chrony-helper" path="/usr/libexec/chrony-helper" dev="sda1" ino=20468 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:chronyd_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1645015431.336:3624): avc: denied { read } for pid=55982 comm="11-dhclient" name="passwd" dev="sda1" ino=39864 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
type=AVC msg=audit(1645015431.342:3635): avc: denied { open } for pid=55988 comm="chrony-helper" path="/run/chrony-helper/lock" dev="tmpfs" ino=25954 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:chronyd_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1645015431.341:3634): avc: denied { ioctl } for pid=55988 comm="chrony-helper" path="/usr/libexec/chrony-helper" dev="sda1" ino=20468 ioctlcmd=0x5401 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:chronyd_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1645015431.348:3645): avc: denied { sendto } for pid=16759 comm="chronyd" path="/run/chrony/chronyc.55994.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tclass=unix_dgram_socket permissive=1
type=AVC msg=audit(1645015431.339:3631): avc: denied { execute_no_trans } for pid=55986 comm="20-chrony-dhcp" path="/usr/bin/rm" dev="sda1" ino=10810 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
type=AVC msg=audit(1645015431.335:3623): avc: denied { execute } for pid=55982 comm="nm-dispatcher" name="bash" dev="sda1" ino=6040 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1645015431.347:3639): avc: denied { read open } for pid=55994 comm="20-chrony-onoff" path="/usr/bin/chronyc" dev="sda1" ino=12976 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:chronyc_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1645015431.347:3639): avc: denied { map } for pid=55994 comm="chronyc" path="/usr/bin/chronyc" dev="sda1" ino=12976 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:chronyc_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1645015431.348:3642): avc: denied { dac_override } for pid=55994 comm="chronyc" capability=1 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1645015431.340:3632): avc: denied { execute } for pid=55988 comm="20-chrony-dhcp" name="chrony-helper" dev="sda1" ino=20468 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:chronyd_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1645015431.348:3641): avc: denied { dac_read_search } for pid=55994 comm="chronyc" capability=2 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1645015431.348:3642): avc: denied { create } for pid=55994 comm="chronyc" name="chronyc.55994.sock" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:chronyd_var_run_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1645015431.349:3646): avc: denied { remove_name } for pid=55994 comm="chronyc" name="chronyc.55994.sock" dev="tmpfs" ino=260616 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:chronyd_var_run_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1645015431.336:3627): avc: denied { connectto } for pid=55982 comm="11-dhclient" path="/var/lib/sss/pipes/nss" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1645015431.336:3626): avc: denied { map } for pid=55982 comm="11-dhclient" path="/var/lib/sss/mc/passwd" dev="sda1" ino=39864 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
type=AVC msg=audit(1645015431.347:3639): avc: denied { execute } for pid=55994 comm="20-chrony-onoff" name="chronyc" dev="sda1" ino=12976 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:chronyc_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1645015431.347:3639): avc: denied { execute_no_trans } for pid=55994 comm="20-chrony-onoff" path="/usr/bin/chronyc" dev="sda1" ino=12976 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:chronyc_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1645015431.348:3642): avc: denied { add_name } for pid=55994 comm="chronyc" name="chronyc.55994.sock" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:chronyd_var_run_t:s0 tclass=dir permissive=1
Not sure this is something the ceph project should be fixing?
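A small triage helper for AVC lists like the one quoted in the comment above, added here as an example; it is not part of the bug report, of teuthology or of any Ceph tooling. It parses each `avc: denied` record, groups the denied permissions by (source type, target type, object class), reports whether every record involves a given SELinux domain, and counts how many denials were actually enforced (all records here carry `permissive=1`, matching the "Enforcing Mode Permissive" in the sealert output, so nothing was blocked). The four embedded records are copied from the quoted list; the function names and the record layout are this example's own choices.

```python
import re
from collections import defaultdict

# Four AVC records copied from the teuthology output quoted above;
# the remaining records in that list parse the same way.
SAMPLE_AVCS = [
    'type=AVC msg=audit(1645015431.335:3623): avc: denied { map } for pid=55982 '
    'comm="11-dhclient" path="/usr/bin/bash" dev="sda1" ino=6040 '
    'scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 '
    'tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1645015431.348:3642): avc: denied { write } for pid=55994 '
    'comm="chronyc" name="chrony" dev="tmpfs" ino=23201 '
    'scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 '
    'tcontext=system_u:object_r:chronyd_var_run_t:s0 tclass=dir permissive=1',
    'type=AVC msg=audit(1645015431.348:3645): avc: denied { sendto } for pid=16759 '
    'comm="chronyd" path="/run/chrony/chronyc.55994.sock" '
    'scontext=system_u:system_r:chronyd_t:s0 '
    'tcontext=system_u:system_r:NetworkManager_dispatcher_t:s0 '
    'tclass=unix_dgram_socket permissive=1',
    'type=AVC msg=audit(1645015431.336:3627): avc: denied { connectto } for pid=55982 '
    'comm="11-dhclient" path="/var/lib/sss/pipes/nss" '
    'scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 '
    'tcontext=system_u:system_r:sssd_t:s0 tclass=unix_stream_socket permissive=1',
]

# Kernel AVC record shape: "avc: denied { perms } for pid=N comm="X" ...
# scontext=U:R:T:L tcontext=U:R:T:L tclass=C permissive=0|1".
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+pid=(?P<pid>\d+)\s+'
    r'comm="(?P<comm>[^"]*)"(?P<rest>.*?)\s+scontext=(?P<scontext>\S+)\s+'
    r'tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
    r'(?:\s+permissive=(?P<permissive>[01]))?'
)


def context_type(ctx):
    """Return the type field of a user:role:type:level context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def parse_avc(line):
    """Parse one AVC record into a dict; return None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # path= or name= identifies the object; capability records carry neither.
    obj = re.search(r'\b(?:path|name)="([^"]*)"', m.group("rest"))
    return {
        "perms": frozenset(m.group("perms").split()),
        "pid": int(m.group("pid")),
        "comm": m.group("comm"),
        "object": obj.group(1) if obj else None,
        "source_type": context_type(m.group("scontext")),
        "target_type": context_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
        # permissive=1 means the access was logged but allowed to proceed.
        "enforced": m.group("permissive") == "0",
    }


def parse_many(lines):
    return [r for r in map(parse_avc, lines) if r is not None]


def summarize_by_pair(records):
    """Collapse records into {(source_type, target_type, tclass): sorted perms}."""
    table = defaultdict(set)
    for r in records:
        table[(r["source_type"], r["target_type"], r["tclass"])] |= r["perms"]
    return {key: sorted(perms) for key, perms in table.items()}


def attributable_to(records, domain):
    """True when every record names `domain` as its source or target type."""
    return bool(records) and all(
        domain in (r["source_type"], r["target_type"]) for r in records
    )


def count_enforced(records):
    """Number of denials that were actually blocked (permissive=0)."""
    return sum(1 for r in records if r["enforced"])


if __name__ == "__main__":
    recs = parse_many(SAMPLE_AVCS)
    for (src, tgt, cls), perms in sorted(summarize_by_pair(recs).items()):
        print("%-30s -> %-30s %-18s %s" % (src, tgt, cls, " ".join(perms)))
    print("all involve NetworkManager_dispatcher_t:",
          attributable_to(recs, "NetworkManager_dispatcher_t"))
    print("denials actually enforced:", count_enforced(recs))
```

Run against the full list, the summary shows every pair anchored on NetworkManager_dispatcher_t (the dispatcher scripts under /etc/NetworkManager/dispatcher.d touching chrony, sssd and dhclient state), which is the shape of the system-policy issue the comment points at rather than anything in a Ceph domain.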
Updated by Venky Shankar about 2 years ago
- Has duplicate Bug #54337: Selinux denials seen on fs/rados teuthology runs added