[ceph rgw] Multiple new SELinux denials on NFS v3

Solution Unverified - Updated -

Issue

The errors below were noted: multiple AVC denials with SELinux in enforcing mode on NFS Ganesha v3.

2020-03-20T04:24:28.935 INFO:teuthology.orchestra.run.clara003.stdout:type=AVC msg=audit(1584692261.134:1685): avc:  denied  { search } for  pid=17192 comm="ganesha.nfsd" name="ceph-rgw.clara003" dev="sda1" ino=657965 scontext=system_u:system_r:ganesha_t:s0 tcontext=unconfined_u:object_r:ceph_var_lib_t:s0 tclass=dir permissive=1
2020-03-20T04:24:28.935 INFO:teuthology.orchestra.run.clara003.stdout:type=AVC msg=audit(1584692261.134:1685): avc:  denied  { read } for  pid=17192 comm="ganesha.nfsd" name="keyring" dev="sda1" ino=657966 scontext=system_u:system_r:ganesha_t:s0 tcontext=unconfined_u:object_r:ceph_var_lib_t:s0 tclass=file permissive=1
2020-03-20T04:24:28.935 INFO:teuthology.orchestra.run.clara003.stdout:type=AVC msg=audit(1584692261.134:1685): avc:  denied  { open } for  pid=17192 comm="ganesha.nfsd" path="/var/lib/ceph/radosgw/ceph-rgw.clara003/keyring" dev="sda1" ino=657966 scontext=system_u:system_r:ganesha_t:s0 tcontext=unconfined_u:object_r:ceph_var_lib_t:s0 tclass=file permissive=1
2020-03-20T04:24:28.936 INFO:teuthology.orchestra.run.clara003.stdout:type=AVC msg=audit(1584692261.134:1686): avc:  denied  { getattr } for  pid=17192 comm="ganesha.nfsd" path="/var/lib/ceph/radosgw/ceph-rgw.clara003/keyring" dev="sda1" ino=657966 scontext=system_u:system_r:ganesha_t:s0 tcontext=unconfined_u:object_r:ceph_var_lib_t:s0 tclass=file permissive=1
2020-03-20T04:24:28.936 INFO:teuthology.orchestra.run.clara003.stdout:type=AVC msg=audit(1584692319.075:2065): avc:  denied  { read } for  pid=18803 comm="ganesha.nfsd" name="psched" dev="proc" ino=4026531987 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=1
2020-03-20T04:24:28.936 INFO:teuthology.orchestra.run.clara003.stdout:type=AVC msg=audit(1584692319.075:2065): avc:  denied  { open } for  pid=18803 comm="ganesha.nfsd" path="/proc/18803/net/psched" dev="proc" ino=4026531987 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=1
2020-03-20T04:24:28.937 INFO:teuthology.orchestra.run.clara003.stdout:type=AVC msg=audit(1584692319.075:2066): avc:  denied  { getattr } for  pid=18803 comm="ganesha.nfsd" path="/proc/18803/net/psched" dev="proc" ino=4026531987 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=1
2020-03-20T04:24:28.937 INFO:teuthology.orchestra.run.clara003.stdout:type=AVC msg=audit(1584692319.111:2067): avc:  denied  { open } for  pid=18804 comm="ganesha.nfsd" path="/var/log/ceph/ceph-rgw-clara00

Environment

  • Red Hat Enterprise Linux 7
  • ceph version 12.2.12-101.el7cp (20a4945f2321019ed50c1844b413059c07304074) luminous
  • NFS v3
  • SELinux enforce mode = 1
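
An added example (not part of the original article and not Red Hat tooling): a short Python triage script that groups AVC denials like those under Issue by source type, target type and object class, and counts cut-off records and records logged with permissive=1. The sample input is constructed from values in the lines above, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: shortened copies of the records under Issue (pid/dev/ino dropped);
# the last record is cut off mid-field, like the final line on the page.
PREFIX = ("2020-03-20T04:24:28.935 INFO:teuthology.orchestra.run.clara003.stdout:"
          "type=AVC msg=audit(1584692261.134:1685): ")
CEPH = "scontext=system_u:system_r:ganesha_t:s0 tcontext=unconfined_u:object_r:ceph_var_lib_t:s0"
PROC = "scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:proc_net_t:s0"
SAMPLE = "\n".join(PREFIX + r for r in (
    f'avc:  denied  {{ search }} for  comm="ganesha.nfsd" name="ceph-rgw.clara003" {CEPH} tclass=dir permissive=1',
    f'avc:  denied  {{ read }} for  comm="ganesha.nfsd" name="keyring" {CEPH} tclass=file permissive=1',
    f'avc:  denied  {{ open }} for  comm="ganesha.nfsd" path="/var/lib/ceph/radosgw/ceph-rgw.clara003/keyring" {CEPH} tclass=file permissive=1',
    f'avc:  denied  {{ read }} for  comm="ganesha.nfsd" name="psched" {PROC} tclass=file permissive=1',
    'avc:  denied  { open } for  comm="ganesha.nfsd" path="/var/log/ceph/ceph-rgw-clara00',
))

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Parse one AVC denial; return None when the record is incomplete."""
    m = AVC_RE.search(line)
    if not m:
        return None
    f = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    try:  # the SELinux type is the third field of user:role:type:level
        key = (f["scontext"].split(":")[2], f["tcontext"].split(":")[2], f["tclass"])
    except (KeyError, IndexError):
        return None  # truncated or malformed record
    # permissive=1 marks a denial that was logged but not enforced
    return key, set(m.group(1).split()), f.get("permissive") == "1"

def summarize(text):
    """Group denials by (source type, target type, class); count unparsed and permissive ones."""
    rules, skipped, permissive = defaultdict(set), 0, 0
    for line in text.splitlines():
        if "avc:" not in line:
            continue
        rec = parse_avc(line)
        if rec is None:
            skipped += 1
            continue
        key, perms, was_permissive = rec
        rules[key] |= perms
        permissive += was_permissive
    return dict(rules), skipped, permissive

if __name__ == "__main__":
    rules, skipped, permissive = summarize(SAMPLE)
    for (src, tgt, cls), perms in sorted(rules.items()):
        print(f"{src} -> {tgt}:{cls} {{ {' '.join(sorted(perms))} }}")
    print(f"unparsed records: {skipped}, logged with permissive=1: {permissive}")
```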
