Bug #54337

open

Selinux denials seen on fs/rados teuthology runs

Added by Kotresh Hiremath Ravishankar about 2 years ago. Updated about 2 years ago.

Status: Fix Under Review
Priority: Normal
% Done: 0%
Source:
Tags:
Backport:
Regression: No
Severity: 3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite: fs, rados
Crash signature (v1):
Crash signature (v2):

Description

Run: http://pulpito.front.sepia.ceph.com/khiremat-2022-02-16_10:23:29-fs:volumes-wip-khiremat-44854-44873-testing-2-distro-default-smithi/

All the failed jobs in the run are due to SELinux denials.

One of the teuthology logs: http://qa-proxy.ceph.com/teuthology/khiremat-2022-02-21_06:39:31-fs:volumes-wip-khiremat-44854-44873-testing-2-distro-default-smithi/6698194/teuthology.log

Also seen in one of the rados runs:

http://pulpito.front.sepia.ceph.com/yuriw-2022-02-18_22:56:01-rados-wip-yuriw-quincy-2.18.22-distro-default-smithi/
Job: http://pulpito.front.sepia.ceph.com/yuriw-2022-02-18_22:56:01-rados-wip-yuriw-quincy-2.18.22-distro-default-smithi/6695364/
Log: http://qa-proxy.ceph.com/teuthology/yuriw-2022-02-18_23:03:24-fs-wip-yuriw-quincy-2.18.22-distro-default-smithi/6695543/teuthology.log

SELinux denials found on ubuntu@smithi023.front.sepia.ceph.com: [
'type=AVC msg=audit(1644923667.511:44941): avc: denied { execute } for pid=258450 comm="nm-dispatcher" name="11-dhclient" dev="sda1" ino=66 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:NetworkManager_dispatcher_script_t:s0 tclass=file permissive=1',
'type=AVC msg=audit(1644923667.513:44945): avc: denied { connectto } for pid=258450 comm="11-dhclient" path="/var/lib/sss/pipes/nss" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=unix_stream_socket permissive=1',
'type=AVC msg=audit(1644923667.534:44956): avc: denied { remove_name } for pid=258461 comm="chronyc" name="chronyc.258461.sock" dev="tmpfs" ino=5743 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:chronyd_var_run_t:s0 tclass=dir permissive=1',
'type=AVC msg=audit(1644923667.533:44953): avc: denied { setattr } for pid=258461 comm="chronyc" name="chronyc.258461.sock" dev="tmpfs" ino=5743 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:chronyd_var_run_t:s0 tclass=sock_file permissive=1',
'type=AVC msg=audit(1644923667.514:44947): avc: denied { getattr } for pid=258450 comm="11-dhclient" path="/etc/passwd" dev="sda1" ino=46023 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1',
'type=AVC msg=audit(1644923667.513:44944): avc: denied { map } for pid=258450 comm="11-dhclient" path="/var/lib/sss/mc/passwd" dev="sda1" ino=46020 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1',
'type=AVC msg=audit(1644923667.528:44949): avc: denied { execute_no_trans } for pid=258461 comm="20-chrony-onoff" path="/usr/bin/chronyc" dev="sda1" ino=12976 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:chronyc_exec_t:s0 tclass=file permissive=1',
'type=AVC msg=audit(1644923667.513:44942): avc: denied { open } for pid=258450 comm="11-dhclient" path="/var/lib/sss/mc/passwd" dev="sda1" ino=46020 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1',
'type=AVC msg=audit(1644923667.533:44952): avc: denied { add_name } for pid=258461 comm="chronyc" name="chronyc.258461.sock" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:chronyd_var_run_t:s0 tclass=dir permissive=1',
'type=AVC msg=audit(1644923667.511:44941): avc: denied { execute_no_trans } for pid=258450 comm="nm-dispatcher" path="/etc/NetworkManager/dispatcher.d/11-dhclient" dev="sda1" ino=66 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:NetworkManager_dispatcher_script_t:s0 tclass=file permissive=1',
'type=AVC msg=audit(1644923667.534:44955): avc: denied { sendto } for pid=11819 comm="chronyd" path="/run/chrony/chronyc.258461.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tclass=unix_dgram_socket permissive=1',
'type=AVC msg=audit(1644923667.533:44952): avc: denied { create } for pid=258461 comm="chronyc" name="chronyc.258461.sock" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:chronyd_var_run_t:s0 tclass=sock_file permissive=1',
'type=AVC msg=audit(1644923667.533:44952): avc: denied { write } for pid=258461 comm="chronyc" name="chrony" dev="tmpfs" ino=961 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:chronyd_var_run_t:s0 tclass=dir permissive=1',
'type=AVC msg=audit(1644923667.513:44945): avc: denied { write } for pid=258450 comm="11-dhclient" name="nss" dev="sda1" ino=2052 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=sock_file permissive=1',
'type=AVC msg=audit(1644923667.533:44951): avc: denied { dac_read_search } for pid=258461 comm="chronyc" capability=2 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tclass=capability permissive=1',
'type=AVC msg=audit(1644923667.534:44954): avc: denied { write } for pid=258461 comm="chronyc" name="chronyd.sock" dev="tmpfs" ino=1497 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:chronyd_var_run_t:s0 tclass=sock_file permissive=1',
'type=AVC msg=audit(1644923667.528:44949): avc: denied { execute } for pid=258461 comm="20-chrony-onoff" name="chronyc" dev="sda1" ino=12976 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:chronyc_exec_t:s0 tclass=file permissive=1',
'type=AVC msg=audit(1644923667.528:44949): avc: denied { read open } for pid=258461 comm="20-chrony-onoff" path="/usr/bin/chronyc" dev="sda1" ino=12976 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:chronyc_exec_t:s0 tclass=file permissive=1',
'type=AVC msg=audit(1644923667.528:44949): avc: denied { map } for pid=258461 comm="chronyc" path="/usr/bin/chronyc" dev="sda1" ino=12976 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:chronyc_exec_t:s0 tclass=file permissive=1',
'type=AVC msg=audit(1644923667.513:44943): avc: denied { getattr } for pid=258450 comm="11-dhclient" path="/var/lib/sss/mc/passwd" dev="sda1" ino=46020 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1',
'type=AVC msg=audit(1644923667.515:44948): avc: denied { execute } for pid=258450 comm="11-dhclient" name="chrony.sh" dev="sda1" ino=662 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1',
'type=AVC msg=audit(1644923667.533:44950): avc: denied { create } for pid=258461 comm="chronyc" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tclass=udp_socket permissive=1',
'type=AVC msg=audit(1644923667.511:44941): avc: denied { map } for pid=258450 comm="11-dhclient" path="/usr/bin/bash" dev="sda1" ino=6040 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=1',
'type=AVC msg=audit(1644923667.533:44952): avc: denied { dac_override } for pid=258461 comm="chronyc" capability=1 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tclass=capability permissive=1',
'type=AVC msg=audit(1644923667.534:44954): avc: denied { sendto } for pid=258461 comm="chronyc" path="/run/chrony/chronyd.sock" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:chronyd_t:s0 tclass=unix_dgram_socket permissive=1',
'type=AVC msg=audit(1644923667.534:44956): avc: denied { unlink } for pid=258461 comm="chronyc" name="chronyc.258461.sock" dev="tmpfs" ino=5743 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:chronyd_var_run_t:s0 tclass=sock_file permissive=1',
'type=AVC msg=audit(1644923667.514:44946): avc: denied { open } for pid=258450 comm="11-dhclient" path="/etc/passwd" dev="sda1" ino=46023 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1',
'type=AVC msg=audit(1644923667.514:44946): avc: denied { read } for pid=258450 comm="11-dhclient" name="passwd" dev="sda1" ino=46023 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1']
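
A triage sketch for the denial list above, added here as an example (it is not part of the original report or of teuthology): it groups AVC records by source type, target type and object class, and counts records that lack `permissive=1`. The function names are assumptions; the five sample records are copied from the list above.

```python
import re
from collections import defaultdict

# Five records copied from the denial list in the report above.
SAMPLE = [
    'type=AVC msg=audit(1644923667.528:44949): avc: denied { execute } for pid=258461 comm="20-chrony-onoff" name="chronyc" dev="sda1" ino=12976 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:chronyc_exec_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1644923667.528:44949): avc: denied { read open } for pid=258461 comm="20-chrony-onoff" path="/usr/bin/chronyc" dev="sda1" ino=12976 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:chronyc_exec_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1644923667.534:44954): avc: denied { sendto } for pid=258461 comm="chronyc" path="/run/chrony/chronyd.sock" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:chronyd_t:s0 tclass=unix_dgram_socket permissive=1',
    'type=AVC msg=audit(1644923667.534:44955): avc: denied { sendto } for pid=11819 comm="chronyd" path="/run/chrony/chronyc.258461.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tclass=unix_dgram_socket permissive=1',
    'type=AVC msg=audit(1644923667.514:44946): avc: denied { open } for pid=258450 comm="11-dhclient" path="/etc/passwd" dev="sda1" ino=46023 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1',
]

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+.*?'
    r'\bscontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+'
    r'tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?'
)

def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 else context

def summarize(lines):
    """Group denials by (source type, target type, class) -> set of permissions.
    Also returns how many records lack permissive=1 and how many lines did not parse."""
    groups, enforced, skipped = defaultdict(set), 0, 0
    for line in lines:
        m = AVC_RE.search(line)
        if m is None:
            skipped += 1          # not an AVC denial record
            continue
        key = (selinux_type(m['scon']), selinux_type(m['tcon']), m['tclass'])
        groups[key].update(m['perms'].split())
        if m['permissive'] != '1':
            enforced += 1         # access was actually blocked
    return dict(groups), enforced, skipped

def render(groups):
    """One line per group: source -> target:class { permissions }."""
    return [f"{s} -> {t}:{c} {{ {' '.join(sorted(p))} }}"
            for (s, t, c), p in sorted(groups.items())]

if __name__ == '__main__':
    groups, enforced, skipped = summarize(SAMPLE)
    print('\n'.join(render(groups)))
    print(f'{enforced} enforced, {skipped} unparsed')
```

Every sample record carries `permissive=1`, so the enforced count is zero: the accesses were logged but not blocked.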


Related issues 1 (0 open, 1 closed)

Is duplicate of Orchestrator - Bug #54304: qa/suites/orch/cephadm: SELinux denials on centos 8.stream tests (Rejected)

Actions #1

Updated by Venky Shankar about 2 years ago

  • Project changed from Ceph to Infrastructure
  • Assignee set to David Galloway

Seems like infra noise, David?

Actions #2

Updated by Venky Shankar about 2 years ago

  • Status changed from New to Duplicate

Actions #3

Updated by Venky Shankar about 2 years ago

  • Is duplicate of Bug #54304: qa/suites/orch/cephadm: SELinux denials on centos 8.stream tests added

Actions #4

Updated by David Galloway about 2 years ago

  • Status changed from Duplicate to Fix Under Review

Actions #5

Updated by Kamoltat (Junior) Sirivadhna about 2 years ago

/a/yuriw-2022-02-17_23:23:56-rados-wip-yuri7-testing-2022-02-17-0852-pacific-distro-default-smithi/6692695

Actions #6

Updated by Laura Flores about 2 years ago

/a/yuriw-2022-02-21_18:20:15-rados-wip-yuri11-testing-2022-02-21-0831-quincy-distro-default-smithi/6699224

Actions #7

Updated by Laura Flores about 2 years ago

Still seeing:
/a/gabrioux-2022-02-24_15:10:17-orch:cephadm:mds_upgrade_sequence-wip-guits-testing-2022-02-23-1142-distro-default-smithi/

SELinux denials found on ubuntu@smithi167.front.sepia.ceph.com:['type=AVC msg=audit(1645717564.831:11102): avc: denied { sendto } for pid=26387 comm="chronyd" path="/run/chrony/chronyc.154839.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tclass=unix_dgram_socket permissive=1', 'type=AVC msg=audit(1645716761.044:7707): avc: denied { sendto } for pid=26387 comm="chronyd" path="/run/chrony/chronyc.88830.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tclass=unix_dgram_socket permissive=1'] 
