RHCS 3 - containers, selinux enforcing - after upgrade from RHEL 7.4 to RHEL 7.5 Ceph containers will not start
Issue
We have upgraded our Ceph 3 containerized environment from RHEL 7.4 to RHEL 7.5.
After reboot, the Ceph containers are not starting, failing with "Permission denied" and pointing to the following SELinux alert:
Apr 16 05:49:10 mons-2.container.quicklab.pnq2.cee.redhat.com dockerd-current[1125]: mktemp: failed to create directory via template '/var/lib/ceph/tmp/tmp.XXXXXXXXXX': Permission denied
SELinux is preventing /usr/bin/mktemp from write access on the directory tmp.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that mktemp should be allowed write access on the tmp directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'mktemp' --raw | audit2allow -M my-mktemp
# semodule -i my-mktemp.pp
Additional Information:
Source Context system_u:system_r:container_t:s0:c384,c657
Target Context system_u:object_r:ceph_var_lib_t:s0
Target Objects tmp [ dir ]
Source mktemp
Source Path /usr/bin/mktemp
Port <Unknown>
Host <Unknown>
Source RPM Packages coreutils-8.22-21.el7.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-192.el7_5.3.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name mons-2.container.quicklab.pnq2.cee.redhat.com
Platform Linux mons-2.container.quicklab.pnq2.cee.redhat.com 3.10.0-862.el7.x86_64 #1 SMP Wed Mar 21 18:14:51 EDT 2018 x86_64 x86_64
Alert Count 1
First Seen 2018-04-16 05:35:14 EDT
Last Seen 2018-04-16 05:35:14 EDT
Local ID 59faa3b1-010e-45ea-884f-50328bc0f65e
Raw Audit Messages
type=AVC msg=audit(1523871314.212:1560): avc: denied { write } for pid=13477 comm="mktemp" name="tmp" dev="vda1" ino=41952155 scontext=system_u:system_r:container_t:s0:c384,c657 tcontext=system_u:object_r:ceph_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1523871314.212:1560): arch=x86_64 syscall=mkdir success=no exit=EACCES a0=1d050b0 a1=1c0 a2=22 a3=7ffdee0816a0 items=0 ppid=13476 pid=13477 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=mktemp exe=/usr/bin/mktemp subj=system_u:system_r:container_t:s0:c384,c657 key=(null)
Hash: mktemp,container_t,ceph_var_lib_t,dir,write
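As an added example (not part of the Red Hat article), the following Python snippet parses raw audit records like the two above, pairs each AVC denial with the SYSCALL record that shares its serial number, rebuilds the comm,source-type,target-type,class,permission signature that sealert prints as "Hash", and flags the pattern this article is about: a container_t process denied access to a ceph_* labelled object. The sample records are the ones quoted above, embedded as constructed input so the script runs offline.

```python
import re

# Constructed sample: the two raw audit records quoted in the alert above.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1523871314.212:1560): avc: denied { write } for pid=13477 comm="mktemp" name="tmp" dev="vda1" ino=41952155 scontext=system_u:system_r:container_t:s0:c384,c657 tcontext=system_u:object_r:ceph_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1523871314.212:1560): arch=x86_64 syscall=mkdir success=no exit=EACCES a0=1d050b0 a1=1c0 a2=22 a3=7ffdee0816a0 items=0 ppid=13476 pid=13477 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=mktemp exe=/usr/bin/mktemp subj=system_u:system_r:container_t:s0:c384,c657 key=(null)
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')                 # key=value or key="value"
AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}')
MSG_RE = re.compile(r'msg=audit\(([\d.]+):(\d+)\)')        # msg=audit(timestamp:serial)

def parse_record(line: str) -> dict:
    """Turn one audit line into a dict of its key=value fields, plus the
    audit serial and, for AVC lines, the verdict and permission list."""
    rec = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    m = MSG_RE.search(line)
    if m:
        rec["timestamp"], rec["serial"] = m.group(1), m.group(2)
    a = AVC_RE.search(line)
    if a:
        rec["verdict"], rec["perms"] = a.group(1), a.group(2).split()
    return rec

def context_type(ctx: str) -> str:
    """user:role:type:level -> type (e.g. container_t, ceph_var_lib_t)."""
    return ctx.split(":")[2]

def sealert_hash(avc: dict) -> str:
    """Rebuild the comm,source-type,target-type,class,perms signature."""
    return ",".join([avc["comm"], context_type(avc["scontext"]),
                     context_type(avc["tcontext"]), avc["tclass"],
                     ",".join(avc["perms"])])

def summarize_denials(audit_text: str) -> list:
    """Pair each AVC denial with the SYSCALL record sharing its serial and
    flag container_t -> ceph_* denials, the pattern seen after the upgrade."""
    by_serial = {}
    for line in audit_text.splitlines():
        if line.strip():
            rec = parse_record(line)
            by_serial.setdefault(rec.get("serial"), {})[rec["type"]] = rec
    out = []
    for serial, recs in by_serial.items():
        avc = recs.get("AVC")
        if not avc or avc.get("verdict") != "denied":
            continue
        sc = recs.get("SYSCALL", {})
        out.append({"serial": serial, "signature": sealert_hash(avc),
                    "exe": sc.get("exe"), "syscall": sc.get("syscall"),
                    "exit": sc.get("exit"), "target_name": avc.get("name"),
                    "container_to_ceph": context_type(avc["scontext"]) == "container_t"
                    and context_type(avc["tcontext"]).startswith("ceph_")})
    return out
```

Feeding the output of `ausearch -m avc,syscall --raw` through `summarize_denials` lets you count how many distinct signatures appear after the upgrade, rather than judging from a single alert.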
Environment
Red Hat Enterprise Linux 7.5
Red Hat Ceph Storage 3