We plan to start labeling anon inodes (userfaultfd and io_uring file
descriptors) properly in selinux-policy, which means that domains using
these will need new rules.
See: https://github.com/fedora-selinux/selinux-policy/pull/1351
Since ceph may optionally use io_uring, this patch adds the necessary
interface call to its policy to avoid a regression. As the new interface
call is put under a conditional, the policy package will be buildable
against selinux-policy with or without the above PR merged, but it will
need to be rebuilt against the updated selinux-policy to actually pick
up the new rules.
I tested this on a minimal ceph cluster with 'bdev_ioring = true' added
to ceph.conf. I got io_uring denials without this patch + with
selinux-policy with PR#1351 and no denials with ceph rebuilt with this
patch.
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
This fixes the selinux errors like this for /etc/target
-----------------------------------
Additional Information:
Source Context system_u:system_r:ceph_t:s0
Target Context system_u:object_r:targetd_etc_rw_t:s0
Target Objects target [ dir ]
Source rbd-target-api
Source Path rbd-target-api
Port <Unknown>
Host ans8
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.14.3-20.el8.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name ans8
Platform Linux ans8 4.18.0-147.el8.x86_64 #1 SMP Thu Sep 26 15:52:44 UTC 2019 x86_64 x86_64
Alert Count 1
First Seen 2020-01-08 18:39:48 EST
Last Seen 2020-01-08 18:39:48 EST
Local ID 9a13ee18-eaf2-4f2a-872f-2809ee4928f6
Raw Audit Messages
type=AVC msg=audit(1578526788.148:69): avc: denied { search } for
pid=995 comm="rbd-target-api" name="target" dev="sda1" ino=52198
scontext=system_u:system_r:ceph_t:s0
tcontext=system_u:object_r:targetd_etc_rw_t:s0 tclass=dir permissive=1
Hash: rbd-target-api,ceph_t,targetd_etc_rw_t,dir,search
which are a result of the rtslib library the ceph-iscsi daemons use
accessing /etc/target to read/write a file which stores meta data the
target uses.
Signed-off-by: Mike Christie <mchristi@redhat.com>
This fixes the following selinux error when using ceph-iscsi's
rbd-target-api daemon (rbd-target-gw has the same issue). They are
a result of a python library, rtslib, which the daemons use.
Additional Information:
Source Context system_u:system_r:ceph_t:s0
Target Context system_u:object_r:configfs_t:s0
Target Objects /sys/kernel/config/target/iscsi/iqn.2003-01.com.redhat:ceph-iscsi/tpgt_1/attrib/authentication [ file ]
Source rbd-target-api
Source Path /usr/libexec/platform-python3.6
Port <Unknown>
Host ans8
Source RPM Packages platform-python-3.6.8-15.1.el8.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.14.3-20.el8.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name ans8
Platform Linux ans8 4.18.0-147.el8.x86_64 #1 SMP Thu Sep 26 15:52:44 UTC 2019 x86_64 x86_64
Alert Count 1
First Seen 2020-01-08 18:39:47 EST
Last Seen 2020-01-08 18:39:47 EST
Local ID 6f8c3415-7a50-4dc8-b3d2-2621e1d00ca3
Raw Audit Messages
type=AVC msg=audit(1578526787.577:68): avc: denied { ioctl } for
pid=995 comm="rbd-target-api"
path="/sys/kernel/config/target/iscsi/iqn.2003-01.com.redhat:ceph-iscsi/tpgt_1/attrib/authentication"
dev="configfs" ino=25703 ioctlcmd=0x5401
scontext=system_u:system_r:ceph_t:s0
tcontext=system_u:object_r:configfs_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1578526787.577:68): arch=x86_64 syscall=ioctl
success=no exit=ENOTTY a0=34 a1=5401 a2=7ffd4f8f1f60 a3=3052cd2d95839b96
items=0 ppid=1 pid=995 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=rbd-target-api
exe=/usr/libexec/platform-python3.6 subj=system_u:system_r:ceph_t:s0
key=(null)
Hash: rbd-target-api,ceph_t,configfs_t,file,ioctl
Signed-off-by: Mike Christie <mchristi@redhat.com>
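The two denials quoted in the commit messages above are the raw material a policy author feeds to `audit2allow`. The script below is an added example (not ceph's code and not part of these commits) that does the same aggregation offline: it parses AVC records into (source type, target type, class, permissions), renders the allow rules, names the ioctl request behind `ioctlcmd=0x5401`, and flags which records were actually enforced. The sample log is constructed: the first three lines are shaped after the two denials quoted above, and the fourth (a read/write denial on a `saveconfig.json` under /etc/target) is an invented illustration of the file access the first commit describes.

```python
"""Triage SELinux AVC records into candidate policy rules.

Added example, not code from the ceph repository or from the commits above.
It mimics `ausearch -m AVC | audit2allow` on constructed sample lines.
"""
import re
from collections import defaultdict

# Constructed sample audit records (not a real capture). The last line, and
# the saveconfig.json name in it, are assumptions for illustration only.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1578526788.148:69): avc:  denied  { search } for  pid=995 comm="rbd-target-api" name="target" dev="sda1" ino=52198 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:targetd_etc_rw_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1578526787.577:68): avc:  denied  { ioctl } for  pid=995 comm="rbd-target-api" path="/sys/kernel/config/target/iscsi/iqn.2003-01.com.redhat:ceph-iscsi/tpgt_1/attrib/authentication" dev="configfs" ino=25703 ioctlcmd=0x5401 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:configfs_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1578526787.577:68): arch=x86_64 syscall=ioctl success=no exit=ENOTTY a0=34 a1=5401 a2=7ffd4f8f1f60 a3=3052cd2d95839b96 items=0 ppid=1 pid=995 comm=rbd-target-api exe=/usr/libexec/platform-python3.6 subj=system_u:system_r:ceph_t:s0 key=(null)
type=AVC msg=audit(1578526790.000:70): avc:  denied  { read write } for  pid=995 comm="rbd-target-api" name="saveconfig.json" dev="sda1" ino=52199 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:targetd_etc_rw_t:s0 tclass=file permissive=0
"""

# ioctl request numbers on x86-64; 0x5401 is TCGETS, the request issued by
# isatty(), which is why the SYSCALL record above fails with ENOTTY on configfs.
IOCTL_NAMES = {0x5401: "TCGETS", 0x5413: "TIOCGWINSZ"}

AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+?) \} for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial line, or None for other record types."""
    m = AVC_RE.match(line.strip())
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    # Contexts are user:role:type:level; rules are written against the type.
    return {
        "perms": sorted(m.group("perms").split()),
        "comm": fields.get("comm"),
        "stype": fields["scontext"].split(":")[2],
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "ioctlcmd": int(fields["ioctlcmd"], 16) if "ioctlcmd" in fields else None,
        # permissive=1: the kernel logged the denial but did not block the access
        # (system-wide permissive mode or a permissive domain).
        "permissive": fields.get("permissive") == "1",
    }


def collect_rules(log_text):
    """Aggregate denials into {(stype, ttype, tclass): set(perms)}."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            rules[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    return dict(rules)


def render_allow_rules(rules):
    """Render audit2allow-style allow rules, one per (source, target, class)."""
    out = []
    for (s, t, c), perms in sorted(rules.items()):
        p = " ".join(sorted(perms))
        if len(perms) > 1:
            p = "{ " + p + " }"
        out.append(f"allow {s} {t}:{c} {p};")
    return out


def ioctl_hints(log_text):
    """For ioctl denials, name the request and build a tighter allowxperm rule.

    allowxperm only narrows an existing `allow ... ioctl`; it does not replace it.
    """
    hints = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["ioctlcmd"] is not None:
            cmd = rec["ioctlcmd"]
            hints.append({
                "ttype": rec["ttype"],
                "tclass": rec["tclass"],
                "cmd": cmd,
                "name": IOCTL_NAMES.get(cmd, "unknown"),
                "xperm_rule": f"allowxperm {rec['stype']} {rec['ttype']}:{rec['tclass']} ioctl {{ {cmd:#06x} }};",
            })
    return hints


def enforced_denials(log_text):
    """Denials with permissive=0 actually blocked the access: these are the
    ones that break the daemon once its domain is confined in enforcing mode."""
    recs = (parse_avc(line) for line in log_text.splitlines())
    return [r for r in recs if r and not r["permissive"]]


if __name__ == "__main__":
    for rule in render_allow_rules(collect_rules(SAMPLE_AUDIT_LOG)):
        print(rule)
    for h in ioctl_hints(SAMPLE_AUDIT_LOG):
        print(f"# ioctl {h['cmd']:#x} = {h['name']}; tighter form: {h['xperm_rule']}")
    print(f"# {len(enforced_denials(SAMPLE_AUDIT_LOG))} denial(s) were actually enforced")
```

Two points the output makes that the sealert summaries do not: the ioctl on a configfs attribute is TCGETS, i.e. Python probing whether the file is a terminal when it opens it, so the failing call is harmless and the tighter `allowxperm` form is enough if you do not want to hand the domain blanket ioctl on `configfs_t`; and `permissive=1` on the quoted records means those accesses went through, so a policy that looks clean in testing can still fail the first time the domain is enforced.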
In several places, such as common/numa.cc we call sched_setaffinity
which requires this permission.
Fixes: https://tracker.ceph.com/issues/44196
Signed-off-by: Brad Hubbard <bhubbard@redhat.com>
We are using libudev and reading the udev db files because of that. We
need to allow ceph to access these files in the SELinux policy.
Signed-off-by: Boris Ranto <branto@redhat.com>
We hit a couple more SELinux denials when running ceph on RHEL8. The
dac_read_search change is related to a kernel change where it now checks
dac_read_search before dac_override.
Signed-off-by: Boris Ranto <branto@redhat.com>
This adds selinux support for the ceph iscsi daemons under the ceph
github:
ceph-iscsi-config - rbd-target-gw
ceph-iscsi-cli - rbd-target-api
We use tcmu-runner, but that will go into the core policy to avoid
conflicts with gluster and distro bases.
This requires the patches:
https://github.com/ceph/ceph-iscsi-config/pull/90
https://github.com/ceph/ceph-iscsi-cli/pull/134
Signed-off-by: Mike Christie <mchristi@redhat.com>
The ceph-volume testing showed that the ceph daemons can run ldconfig in
a corner case when they are forbidden access to some files. This patch
allows ceph to execute ldconfig in Enforcing mode.
Fixes: https://tracker.ceph.com/issues/22302
Signed-off-by: Boris Ranto <branto@redhat.com>
This showed up during downstream testing for luminous. We are doing
getattr on the sysfs lnk files and the current policy does not allow
this.
Signed-off-by: Boris Ranto <branto@redhat.com>
This commit allows nvme devices which use a different label than
standard block devices.
Fixes: http://tracker.ceph.com/issues/19200
Signed-off-by: Boris Ranto <branto@redhat.com>
Two new denials showed up in testing that relate to ceph trying to
manage (rename and unlink) tmp files. This commit allows ceph to manage
the files.
Fixes: http://tracker.ceph.com/issues/17436
Signed-off-by: Boris Ranto <branto@redhat.com>
We read /proc/<pid>/cmdline to figure out who is terminating us.
Fixes: http://tracker.ceph.com/issues/16675
Signed-off-by: Kefu Chai <kchai@redhat.com>
We currently create the ceph lock by an unconfined process (ceph-disk).
Unconfined processes inherit the context from the parent directory.
This allows ceph daemons to access the files with context inherited
from the parent directory (/var/lock | /run/lock).
Signed-off-by: Boris Ranto <branto@redhat.com>
We do suggest users to put their logs in /var/log/radosgw in the
documentation at times. We should also label that directory with
ceph_var_log_t so that ceph daemons can also write there.
The commit also updates the man page for this policy. This man page is
automatically generated by
* sepolicy manpage -p . -d ceph_t
and has not been regenerated in a while. Hence, it contains a few more
changes than the new radosgw directory.
Signed-off-by: Boris Ranto <branto@redhat.com>
The current SELinux policy does not cover radosgw daemon. This patch
introduces the SELinux support for radosgw daemon (civetweb only).
Signed-off-by: Boris Ranto <branto@redhat.com>
This patch modifies the build system and spec file to provide support
for SELinux enforcing in an opt-in manner via the ceph-selinux package.
Signed-off-by: Boris Ranto <branto@redhat.com>