RHCS 3 - containers, selinux enforcing - after upgrade from RHEL 7.4 to RHEL 7.5 Ceph containers will not start

Solution In Progress - Updated -


We have upgraded our Ceph 3 containerized environment from RHEL 7.4 to RHEL 7.5.
After reboot, the Ceph containers do not start; they fail with "Permission denied", and the failure points to the following SELinux alert:

Apr 16 05:49:10 mons-2.container.quicklab.pnq2.cee.redhat.com dockerd-current[1125]: mktemp: failed to create directory via template '/var/lib/ceph/tmp/tmp.XXXXXXXXXX': Permission denied
SELinux is preventing /usr/bin/mktemp from write access on the directory tmp.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that mktemp should be allowed write access on the tmp directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
allow this access for now by executing:
# ausearch -c 'mktemp' --raw | audit2allow -M my-mktemp
# semodule -i my-mktemp.pp

Additional Information:
Source Context                system_u:system_r:container_t:s0:c384,c657
Target Context                system_u:object_r:ceph_var_lib_t:s0
Target Objects                tmp [ dir ]
Source                        mktemp
Source Path                   /usr/bin/mktemp
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           coreutils-8.22-21.el7.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-192.el7_5.3.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     mons-2.container.quicklab.pnq2.cee.redhat.com
Platform                      Linux
                              3.10.0-862.el7.x86_64 #1 SMP Wed Mar 21 18:14:51
                              EDT 2018 x86_64 x86_64
Alert Count                   1
First Seen                    2018-04-16 05:35:14 EDT
Last Seen                     2018-04-16 05:35:14 EDT
Local ID                      59faa3b1-010e-45ea-884f-50328bc0f65e

Raw Audit Messages
type=AVC msg=audit(1523871314.212:1560): avc:  denied  { write } for  pid=13477 comm="mktemp" name="tmp" dev="vda1" ino=41952155 scontext=system_u:system_r:container_t:s0:c384,c657 tcontext=system_u:object_r:ceph_var_lib_t:s0 tclass=dir

type=SYSCALL msg=audit(1523871314.212:1560): arch=x86_64 syscall=mkdir success=no exit=EACCES a0=1d050b0 a1=1c0 a2=22 a3=7ffdee0816a0 items=0 ppid=13476 pid=13477 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=mktemp exe=/usr/bin/mktemp subj=system_u:system_r:container_t:s0:c384,c657 key=(null)

Hash: mktemp,container_t,ceph_var_lib_t,dir,write


Red Hat Enterprise Linux 7.5
Red Hat Ceph Storage 3
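The raw AVC and SYSCALL records above carry everything needed to see what was blocked: which SELinux domain (scontext), which file label (tcontext), which permission and object class, and which syscall returned EACCES. The following Python script is an added example, not part of this article and not Red Hat tooling: it parses audit records in that format, joins the AVC and SYSCALL records that share the same audit serial, and summarises the denial. The two input records are copied from the "Raw Audit Messages" above; the class and function names are the example's own.

```python
"""Parse raw SELinux audit records (AVC + SYSCALL) and correlate them by serial."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# The two audit records from this article's sealert output (copied, not constructed).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1523871314.212:1560): avc:  denied  { write } for  pid=13477 comm="mktemp" name="tmp" dev="vda1" ino=41952155 scontext=system_u:system_r:container_t:s0:c384,c657 tcontext=system_u:object_r:ceph_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1523871314.212:1560): arch=x86_64 syscall=mkdir success=no exit=EACCES a0=1d050b0 a1=1c0 a2=22 a3=7ffdee0816a0 items=0 ppid=13476 pid=13477 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=mktemp exe=/usr/bin/mktemp subj=system_u:system_r:container_t:s0:c384,c657 key=(null)
"""

# type=<RECORD> msg=audit(<epoch>.<ms>:<serial>): <body>
_HEADER = re.compile(
    r"^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$"
)
# avc:  denied  { write } ...  -> result and the set of permissions
_PERMS = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}")
# key=value pairs; values may be quoted ("mktemp") or bare (/usr/bin/mktemp, (none))
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class AuditEvent:
    """One audit event: all records sharing a serial, merged."""
    serial: str
    timestamp: float
    result: Optional[str] = None                 # "denied" / "granted" from the AVC record
    perms: List[str] = field(default_factory=list)
    fields: Dict[str, str] = field(default_factory=dict)  # merged key=value pairs

    @staticmethod
    def _type_of(context: str) -> str:
        # A context is user:role:type:level; the type (domain or file label) is the third field.
        parts = context.split(":")
        return parts[2] if len(parts) >= 3 else ""

    @property
    def source_type(self) -> str:
        return self._type_of(self.fields.get("scontext", ""))

    @property
    def target_type(self) -> str:
        return self._type_of(self.fields.get("tcontext", ""))


def parse_audit(text: str) -> Dict[str, AuditEvent]:
    """Parse raw audit lines and group them by serial (AVC + SYSCALL of one event)."""
    events: Dict[str, AuditEvent] = {}
    for line in text.splitlines():
        m = _HEADER.match(line.strip())
        if not m:
            continue  # not an audit record (blank line, sealert prose, ...)
        ev = events.setdefault(
            m["serial"], AuditEvent(serial=m["serial"], timestamp=float(m["ts"]))
        )
        body = m["body"]
        if m["type"] == "AVC":
            p = _PERMS.search(body)
            if p:
                ev.result = p["result"]
                ev.perms = p["perms"].split()
        for key, value in _KV.findall(body):
            ev.fields[key] = value.strip('"')
    return events


def triage(ev: AuditEvent) -> str:
    """One-line summary of a denial; flags the container-domain-vs-Ceph-label case from this article."""
    if ev.result != "denied":
        return "not a denial"
    f = ev.fields
    summary = (
        f"{f.get('comm', '?')} ({ev.source_type}) denied {','.join(ev.perms)} "
        f"on {f.get('tclass', '?')} {f.get('name', '?')} ({ev.target_type})"
        f" via {f.get('syscall', '?')} -> {f.get('exit', '?')}"
    )
    if ev.source_type == "container_t" and ev.target_type.startswith("ceph_"):
        summary += ": container process blocked on a Ceph-labelled path; check the host labelling of that path before adding policy"
    return summary


if __name__ == "__main__":
    for event in parse_audit(SAMPLE_AUDIT).values():
        print(triage(event))
```

Run against the records above, it reports `mktemp (container_t) denied write on dir tmp (ceph_var_lib_t) via mkdir -> EACCES`. Keep in mind that the "catchall" suggestion in the sealert output (`audit2allow -M my-mktemp`) would generate a module allowing every process in the `container_t` domain write access to `ceph_var_lib_t` directories, which is broader than the one Ceph container needs; checking how `/var/lib/ceph` is labelled on the upgraded host (`ls -Z`) is the first thing to verify.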
