[ceph rgw] Multiple new SELinux denials on NFS v3
Issue
The following errors were noted: multiple AVC denials on NFS-Ganesha v3 with SELinux in enforcing mode.
2020-03-20T04:24:28.935 INFO:teuthology.orchestra.run.clara003.stdout:type=AVC msg=audit(1584692261.134:1685): avc: denied { search } for pid=17192 comm="ganesha.nfsd" name="ceph-rgw.clara003" dev="sda1" ino=657965 scontext=system_u:system_r:ganesha_t:s0 tcontext=unconfined_u:object_r:ceph_var_lib_t:s0 tclass=dir permissive=1
2020-03-20T04:24:28.935 INFO:teuthology.orchestra.run.clara003.stdout:type=AVC msg=audit(1584692261.134:1685): avc: denied { read } for pid=17192 comm="ganesha.nfsd" name="keyring" dev="sda1" ino=657966 scontext=system_u:system_r:ganesha_t:s0 tcontext=unconfined_u:object_r:ceph_var_lib_t:s0 tclass=file permissive=1
2020-03-20T04:24:28.935 INFO:teuthology.orchestra.run.clara003.stdout:type=AVC msg=audit(1584692261.134:1685): avc: denied { open } for pid=17192 comm="ganesha.nfsd" path="/var/lib/ceph/radosgw/ceph-rgw.clara003/keyring" dev="sda1" ino=657966 scontext=system_u:system_r:ganesha_t:s0 tcontext=unconfined_u:object_r:ceph_var_lib_t:s0 tclass=file permissive=1
2020-03-20T04:24:28.936 INFO:teuthology.orchestra.run.clara003.stdout:type=AVC msg=audit(1584692261.134:1686): avc: denied { getattr } for pid=17192 comm="ganesha.nfsd" path="/var/lib/ceph/radosgw/ceph-rgw.clara003/keyring" dev="sda1" ino=657966 scontext=system_u:system_r:ganesha_t:s0 tcontext=unconfined_u:object_r:ceph_var_lib_t:s0 tclass=file permissive=1
2020-03-20T04:24:28.936 INFO:teuthology.orchestra.run.clara003.stdout:type=AVC msg=audit(1584692319.075:2065): avc: denied { read } for pid=18803 comm="ganesha.nfsd" name="psched" dev="proc" ino=4026531987 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=1
2020-03-20T04:24:28.936 INFO:teuthology.orchestra.run.clara003.stdout:type=AVC msg=audit(1584692319.075:2065): avc: denied { open } for pid=18803 comm="ganesha.nfsd" path="/proc/18803/net/psched" dev="proc" ino=4026531987 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=1
2020-03-20T04:24:28.937 INFO:teuthology.orchestra.run.clara003.stdout:type=AVC msg=audit(1584692319.075:2066): avc: denied { getattr } for pid=18803 comm="ganesha.nfsd" path="/proc/18803/net/psched" dev="proc" ino=4026531987 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=1
2020-03-20T04:24:28.937 INFO:teuthology.orchestra.run.clara003.stdout:type=AVC msg=audit(1584692319.111:2067): avc: denied { open } for pid=18804 comm="ganesha.nfsd" path="/var/log/ceph/ceph-rgw-clara00
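To triage records like these, the sketch below groups the denials by source type, target type and object class, which shows at a glance what `ganesha_t` was refused. It is an added example, not part of the original article. The sample input is copied from the output above with the teuthology prefix dropped, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Sample records taken from the audit output above (teuthology prefix dropped).
SAMPLE = """\
type=AVC msg=audit(1584692261.134:1685): avc: denied { search } for pid=17192 comm="ganesha.nfsd" name="ceph-rgw.clara003" dev="sda1" ino=657965 scontext=system_u:system_r:ganesha_t:s0 tcontext=unconfined_u:object_r:ceph_var_lib_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1584692261.134:1685): avc: denied { read } for pid=17192 comm="ganesha.nfsd" name="keyring" dev="sda1" ino=657966 scontext=system_u:system_r:ganesha_t:s0 tcontext=unconfined_u:object_r:ceph_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1584692261.134:1685): avc: denied { open } for pid=17192 comm="ganesha.nfsd" path="/var/lib/ceph/radosgw/ceph-rgw.clara003/keyring" dev="sda1" ino=657966 scontext=system_u:system_r:ganesha_t:s0 tcontext=unconfined_u:object_r:ceph_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1584692261.134:1686): avc: denied { getattr } for pid=17192 comm="ganesha.nfsd" path="/var/lib/ceph/radosgw/ceph-rgw.clara003/keyring" dev="sda1" ino=657966 scontext=system_u:system_r:ganesha_t:s0 tcontext=unconfined_u:object_r:ceph_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1584692319.075:2065): avc: denied { read } for pid=18803 comm="ganesha.nfsd" name="psched" dev="proc" ino=4026531987 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=1
type=AVC msg=audit(1584692319.075:2065): avc: denied { open } for pid=18803 comm="ganesha.nfsd" path="/proc/18803/net/psched" dev="proc" ino=4026531987 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=1
type=AVC msg=audit(1584692319.075:2066): avc: denied { getattr } for pid=18803 comm="ganesha.nfsd" path="/proc/18803/net/psched" dev="proc" ino=4026531987 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=1
type=AVC msg=audit(1584692319.111:2067): avc: denied { open } for pid=18804 comm="ganesha.nfsd" path="/var/log/ceph/ceph-rgw-clara00
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)"
    r"(?:\s+permissive=(?P<perm>[01]))?"
)

def selinux_type(context):
    """Return the type field of a user:role:type:level security context."""
    return context.split(":")[2]

def summarize(text):
    """Map (source type, target type, class) to the sorted denied permissions."""
    groups = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue  # truncated or non-AVC line: no contexts to group on
        key = (selinux_type(m["s"]), selinux_type(m["t"]), m["cls"])
        groups[key].update(m["perms"].split())
    return {key: sorted(perms) for key, perms in groups.items()}

def permissive_values(text):
    """Collect the permissive= flags seen; 1 means logged but not blocked."""
    return {m["perm"] for m in map(AVC_RE.search, text.splitlines()) if m}

if __name__ == "__main__":
    for (src, tgt, cls), perms in summarize(SAMPLE).items():
        print(f"{src} -> {tgt}:{cls} {{ {' '.join(perms)} }}")
```

The last sample record is cut off before its contexts, as it is in the output above, so it is skipped rather than guessed at.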
Environment
- Red Hat Enterprise Linux 7
- ceph version 12.2.12-101.el7cp (20a4945f2321019ed50c1844b413059c07304074) luminous
- NFS v3
- SELinux enforce mode = 1