Bug #54337
SELinux denials seen on fs/rados teuthology runs
Description
All the failed jobs in the run are due to SELinux denials.
One of the teuthology logs: http://qa-proxy.ceph.com/teuthology/khiremat-2022-02-21_06:39:31-fs:volumes-wip-khiremat-44854-44873-testing-2-distro-default-smithi/6698194/teuthology.log
Also seen in one of the rados runs
http://pulpito.front.sepia.ceph.com/yuriw-2022-02-18_22:56:01-rados-wip-yuriw-quincy-2.18.22-distro-default-smithi/
Job: http://pulpito.front.sepia.ceph.com/yuriw-2022-02-18_22:56:01-rados-wip-yuriw-quincy-2.18.22-distro-default-smithi/6695364/
Log: http://qa-proxy.ceph.com/teuthology/yuriw-2022-02-18_23:03:24-fs-wip-yuriw-quincy-2.18.22-distro-default-smithi/6695543/teuthology.log
SELinux denials found on ubuntu@smithi023.front.sepia.ceph.com: [ 'type=AVC msg=audit(1644923667.511:44941): avc: denied { execute } for pid=258450 comm="nm-dispatcher" name="11-dhclient" dev="sda1" ino=66 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:NetworkManager_dispatcher_script_t:s0 tclass=file permissive=1', 'type=AVC msg=audit(1644923667.513:44945): avc: denied { connectto } for pid=258450 comm="11-dhclient" path="/var/lib/sss/pipes/nss" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=unix_stream_socket permissive=1', 'type=AVC msg=audit(1644923667.534:44956): avc: denied { remove_name } for pid=258461 comm="chronyc" name="chronyc.258461.sock" dev="tmpfs" ino=5743 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:chronyd_var_run_t:s0 tclass=dir permissive=1', 'type=AVC msg=audit(1644923667.533:44953): avc: denied { setattr } for pid=258461 comm="chronyc" name="chronyc.258461.sock" dev="tmpfs" ino=5743 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:chronyd_var_run_t:s0 tclass=sock_file permissive=1', 'type=AVC msg=audit(1644923667.514:44947): avc: denied { getattr } for pid=258450 comm="11-dhclient" path="/etc/passwd" dev="sda1" ino=46023 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1', 'type=AVC msg=audit(1644923667.513:44944): avc: denied { map } for pid=258450 comm="11-dhclient" path="/var/lib/sss/mc/passwd" dev="sda1" ino=46020 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1', 'type=AVC msg=audit(1644923667.528:44949): avc: denied { execute_no_trans } for pid=258461 comm="20-chrony-onoff" path="/usr/bin/chronyc" dev="sda1" ino=12976 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:chronyc_exec_t:s0 
tclass=file permissive=1', 'type=AVC msg=audit(1644923667.513:44942): avc: denied { open } for pid=258450 comm="11-dhclient" path="/var/lib/sss/mc/passwd" dev="sda1" ino=46020 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1', 'type=AVC msg=audit(1644923667.533:44952): avc: denied { add_name } for pid=258461 comm="chronyc" name="chronyc.258461.sock" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:chronyd_var_run_t:s0 tclass=dir permissive=1', 'type=AVC msg=audit(1644923667.511:44941): avc: denied { execute_no_trans } for pid=258450 comm="nm-dispatcher" path="/etc/NetworkManager/dispatcher.d/11-dhclient" dev="sda1" ino=66 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:NetworkManager_dispatcher_script_t:s0 tclass=file permissive=1', 'type=AVC msg=audit(1644923667.534:44955): avc: denied { sendto } for pid=11819 comm="chronyd" path="/run/chrony/chronyc.258461.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tclass=unix_dgram_socket permissive=1', 'type=AVC msg=audit(1644923667.533:44952): avc: denied { create } for pid=258461 comm="chronyc" name="chronyc.258461.sock" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:chronyd_var_run_t:s0 tclass=sock_file permissive=1', 'type=AVC msg=audit(1644923667.533:44952): avc: denied { write } for pid=258461 comm="chronyc" name="chrony" dev="tmpfs" ino=961 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:chronyd_var_run_t:s0 tclass=dir permissive=1', 'type=AVC msg=audit(1644923667.513:44945): avc: denied { write } for pid=258450 comm="11-dhclient" name="nss" dev="sda1" ino=2052 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=sock_file permissive=1', 'type=AVC msg=audit(1644923667.533:44951): 
avc: denied { dac_read_search } for pid=258461 comm="chronyc" capability=2 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tclass=capability permissive=1', 'type=AVC msg=audit(1644923667.534:44954): avc: denied { write } for pid=258461 comm="chronyc" name="chronyd.sock" dev="tmpfs" ino=1497 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:chronyd_var_run_t:s0 tclass=sock_file permissive=1', 'type=AVC msg=audit(1644923667.528:44949): avc: denied { execute } for pid=258461 comm="20-chrony-onoff" name="chronyc" dev="sda1" ino=12976 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:chronyc_exec_t:s0 tclass=file permissive=1', 'type=AVC msg=audit(1644923667.528:44949): avc: denied { read open } for pid=258461 comm="20-chrony-onoff" path="/usr/bin/chronyc" dev="sda1" ino=12976 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:chronyc_exec_t:s0 tclass=file permissive=1', 'type=AVC msg=audit(1644923667.528:44949): avc: denied { map } for pid=258461 comm="chronyc" path="/usr/bin/chronyc" dev="sda1" ino=12976 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:chronyc_exec_t:s0 tclass=file permissive=1', 'type=AVC msg=audit(1644923667.513:44943): avc: denied { getattr } for pid=258450 comm="11-dhclient" path="/var/lib/sss/mc/passwd" dev="sda1" ino=46020 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1', 'type=AVC msg=audit(1644923667.515:44948): avc: denied { execute } for pid=258450 comm="11-dhclient" name="chrony.sh" dev="sda1" ino=662 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1', 'type=AVC msg=audit(1644923667.533:44950): avc: denied { create } for pid=258461 comm="chronyc" 
scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tclass=udp_socket permissive=1', 'type=AVC msg=audit(1644923667.511:44941): avc: denied { map } for pid=258450 comm="11-dhclient" path="/usr/bin/bash" dev="sda1" ino=6040 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=1', 'type=AVC msg=audit(1644923667.533:44952): avc: denied { dac_override } for pid=258461 comm="chronyc" capability=1 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tclass=capability permissive=1', 'type=AVC msg=audit(1644923667.534:44954): avc: denied { sendto } for pid=258461 comm="chronyc" path="/run/chrony/chronyd.sock" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:chronyd_t:s0 tclass=unix_dgram_socket permissive=1', 'type=AVC msg=audit(1644923667.534:44956): avc: denied { unlink } for pid=258461 comm="chronyc" name="chronyc.258461.sock" dev="tmpfs" ino=5743 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:chronyd_var_run_t:s0 tclass=sock_file permissive=1', 'type=AVC msg=audit(1644923667.514:44946): avc: denied { open } for pid=258450 comm="11-dhclient" path="/etc/passwd" dev="sda1" ino=46023 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1', 'type=AVC msg=audit(1644923667.514:44946): avc: denied { read } for pid=258450 comm="11-dhclient" name="passwd" dev="sda1" ino=46023 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1']
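A triage helper for the denial list above, added here as an example (not part of the original report or of teuthology): it parses the AVC records, groups the denied permissions by source type, target type and object class, and checks whether every record involves a single domain. The function names are hypothetical; the sample input is three records copied from this report.

```python
import re
from collections import defaultdict

# Constructed input: three records copied from the denial list in this report,
# in teuthology's Python-list form, with one record wrapped mid-line as on the page.
SAMPLE = """SELinux denials found on ubuntu@smithi023.front.sepia.ceph.com: [
'type=AVC msg=audit(1644923667.528:44949): avc: denied { read open } for pid=258461 comm="20-chrony-onoff" path="/usr/bin/chronyc" dev="sda1" ino=12976 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:chronyc_exec_t:s0
tclass=file permissive=1', 'type=AVC msg=audit(1644923667.528:44949): avc: denied { execute } for pid=258461 comm="20-chrony-onoff" name="chronyc" dev="sda1" ino=12976 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:chronyc_exec_t:s0 tclass=file permissive=1', 'type=AVC msg=audit(1644923667.534:44955): avc: denied { sendto } for pid=11819 comm="chronyd" path="/run/chrony/chronyc.258461.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tclass=unix_dgram_socket permissive=1']"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*?)"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+"
    r"tclass=(?P<tclass>\w+)\s+permissive=(?P<permissive>[01])"
)
COMM_RE = re.compile(r'comm="([^"]*)"')

def parse_denials(text):
    """Return one dict per AVC denial found anywhere in the log text."""
    text = " ".join(text.split())  # undo line wraps that split a record
    denials = []
    for m in AVC_RE.finditer(text):
        comm = COMM_RE.search(m["rest"])
        denials.append({
            "perms": m["perms"].split(),
            # An SELinux context is user:role:type:level; the type is what policy rules use.
            "source": m["scontext"].split(":")[2],
            "target": m["tcontext"].split(":")[2],
            "tclass": m["tclass"],
            "comm": comm.group(1) if comm else None,
            "permissive": m["permissive"] == "1",
        })
    return denials

def summarize(denials):
    """Collapse denials into {(source, target, class): sorted permissions}."""
    rules = defaultdict(set)
    for d in denials:
        rules[(d["source"], d["target"], d["tclass"])].update(d["perms"])
    return {key: sorted(perms) for key, perms in rules.items()}

def all_involve(denials, domain):
    """True if every denial has `domain` as its source or target type."""
    return all(domain in (d["source"], d["target"]) for d in denials)

if __name__ == "__main__":
    for rule, perms in summarize(parse_denials(SAMPLE)).items():
        print(rule, perms)
```
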
Updated by Venky Shankar about 2 years ago
- Project changed from Ceph to Infrastructure
- Assignee set to David Galloway
Seems like infra noise, David?
Updated by Venky Shankar about 2 years ago
- Status changed from New to Duplicate
Duplicate of https://tracker.ceph.com/issues/54304
Updated by Venky Shankar about 2 years ago
- Is duplicate of Bug #54304: qa/suites/orch/cephadm: SELinux denials on centos 8.stream tests added
Updated by David Galloway about 2 years ago
- Status changed from Duplicate to Fix Under Review
Updated by Kamoltat (Junior) Sirivadhna about 2 years ago
/a/yuriw-2022-02-17_23:23:56-rados-wip-yuri7-testing-2022-02-17-0852-pacific-distro-default-smithi/6692695
Updated by Laura Flores about 2 years ago
/a/yuriw-2022-02-21_18:20:15-rados-wip-yuri11-testing-2022-02-21-0831-quincy-distro-default-smithi/6699224
Updated by Laura Flores about 2 years ago
Still seeing:
/a/gabrioux-2022-02-24_15:10:17-orch:cephadm:mds_upgrade_sequence-wip-guits-testing-2022-02-23-1142-distro-default-smithi/
SELinux denials found on ubuntu@smithi167.front.sepia.ceph.com:['type=AVC msg=audit(1645717564.831:11102): avc: denied { sendto } for pid=26387 comm="chronyd" path="/run/chrony/chronyc.154839.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tclass=unix_dgram_socket permissive=1', 'type=AVC msg=audit(1645716761.044:7707): avc: denied { sendto } for pid=26387 comm="chronyd" path="/run/chrony/chronyc.88830.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tclass=unix_dgram_socket permissive=1']
Updated by Guillaume Abrioux about 2 years ago
Looks like https://github.com/ceph/teuthology/pull/1717 fixed those failures.
See the latest job I've triggered for "orch/cephadm/mds_upgrade_sequence" here: http://pulpito.front.sepia.ceph.com/gabrioux-2022-02-28_09:35:11-orch:cephadm:mds_upgrade_sequence-wip-guits-testing-2022-02-23-1142-distro-default-smithi/