Bug #74553
openRocky10 test failed with SELinuxError: SELinux denials found on ubuntu@trial124.front.sepia.ceph.com
Description
https://pulpito.ceph.com/yaarit-2026-01-23_22:08:51-rados-wip-rocky10-branch-of-the-day-2026-01-23-1769128778-distro-default-trial/15699/
https://pulpito.ceph.com/yaarit-2026-01-23_22:08:51-rados-wip-rocky10-branch-of-the-day-2026-01-23-1769128778-distro-default-trial/15702/
https://pulpito.ceph.com/yaarit-2026-01-23_22:08:51-rados-wip-rocky10-branch-of-the-day-2026-01-23-1769128778-distro-default-trial/15705/
2026-01-23T22:18:34.868 DEBUG:teuthology.run_tasks:Unwinding manager kernel
2026-01-23T22:18:34.885 DEBUG:teuthology.run_tasks:Unwinding manager console_log
2026-01-23T22:18:34.903 DEBUG:teuthology.run_tasks:Exception was not quenched, exiting: SELinuxError: SELinux denials found on ubuntu@trial124.front.sepia.ceph.com: ['type=AVC msg=audit(1769206569.968:4400): avc: denied { prog_run } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0 tclass=bpf permissive=1', 'type=AVC msg=audit(1769206561.490:4202): avc: denied { prog_run } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0 tclass=bpf permissive=1', 'type=AVC msg=audit(1769206557.527:4089): avc: denied { prog_run } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0 tclass=bpf permissive=1', 'type=AVC msg=audit(1769206654.482:5047): avc: denied { prog_run } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:container_runtime_t:s0 tclass=bpf permissive=1', 'type=AVC msg=audit(1769206562.453:4214): avc: denied { prog_run } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0 tclass=bpf permissive=1', 'type=AVC msg=audit(1769206570.947:4478): avc: denied { prog_run } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0 tclass=bpf permissive=1', 'type=AVC msg=audit(1769206563.040:4252): avc: denied { prog_run } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:container_runtime_t:s0 tclass=bpf permissive=1', 'type=AVC msg=audit(1769206605.857:4600): avc: denied { prog_run } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0 tclass=bpf permissive=1', 'type=AVC msg=audit(1769206562.354:4211): avc: denied { prog_run } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 
tcontext=unconfined_u:unconfined_r:container_runtime_t:s0 tclass=bpf permissive=1', 'type=AVC msg=audit(1769206517.804:3077): avc: denied { prog_run } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0 tclass=bpf permissive=1', 'type=AVC msg=audit(1769206513.973:2992): avc: denied { prog_run } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0 tclass=bpf permissive=1', 'type=AVC msg=audit(1769206613.622:4868): avc: denied { prog_run } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:container_runtime_t:s0 tclass=bpf permissive=1', 'type=AVC msg=audit(1769206565.233:4312): avc: denied { prog_run } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0 tclass=bpf permissive=1', 'type=AVC msg=audit(1769206607.231:4615): avc: denied { prog_run } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0 tclass=bpf permissive=1', 'type=AVC msg=audit(1769206559.879:4108): avc: denied { prog_run } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0 tclass=bpf permissive=1', 'type=AVC msg=audit(1769206566.496:4356): avc: denied { prog_run } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0 tclass=bpf permissive=1', 'type=AVC msg=audit(1769206525.704:3360): avc: denied { prog_run } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0 tclass=bpf permissive=1', 'type=AVC msg=audit(1769206551.880:3874): avc: denied { prog_run } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:container_runtime_t:s0 tclass=bpf permissive=1', 'type=AVC 
msg=audit(1769206569.026:4380): avc: denied { prog_run } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0 tclass=bpf permissive=1', 'type=AVC msg=audit(1769206565.932:4337): avc: denied { prog_run } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0 tclass=bpf permissive=1', 'type=AVC msg=audit(1769206569.654:4389): avc: denied { prog_run } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0 tclass=bpf permissive=1', 'type=AVC msg=audit(1769206571.946:4489): avc: denied { prog_run } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0 tclass=bpf permissive=1', 'type=AVC msg=audit(1769206608.976:4640): avc: denied { prog_run } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0 tclass=bpf permissive=1', 'type=AVC msg=audit(1769206572.760:4511): avc: denied { prog_run } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:container_runtime_t:s0 tclass=bpf permissive=1', 'type=AVC msg=audit(1769206511.390:2863): avc: denied { prog_run } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0 tclass=bpf permissive=1', 'type=AVC msg=audit(1769206514.793:3003): avc: denied { prog_run } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0 tclass=bpf permissive=1', 'type=AVC msg=audit(1769206566.912:4369): avc: denied { prog_run } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0 tclass=bpf permissive=1', 'type=AVC msg=audit(1769206563.056:4253): avc: denied { prog_run } for pid=1 comm="systemd" 
scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0 tclass=bpf permissive=1', 'type=AVC msg=audit(1769206531.628:3673): avc: denied { prog_run } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0 tclass=bpf permissive=1', 'type=AVC msg=audit(1769206554.353:3989): avc: denied { prog_run } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0 tclass=bpf permissive=1', 'type=AVC msg=audit(1769206593.074:4576): avc: denied { prog_run } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:container_runtime_t:s0 tclass=bpf permissive=1', 'type=AVC msg=audit(1769206572.316:4501): avc: denied { prog_run } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:container_runtime_t:s0 tclass=bpf permissive=1', 'type=AVC msg=audit(1769206695.234:5153): avc: denied { prog_run } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:container_runtime_t:s0 tclass=bpf permissive=1', 'type=AVC msg=audit(1769206528.583:3452): avc: denied { prog_run } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0 tclass=bpf permissive=1', 'type=AVC msg=audit(1769206617.058:4890): avc: denied { prog_run } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0 tclass=bpf permissive=1', 'type=AVC msg=audit(1769206532.089:3755): avc: denied { prog_run } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0 tclass=bpf permissive=1', 'type=AVC msg=audit(1769206561.473:4201): avc: denied { prog_run } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:container_runtime_t:s0 tclass=bpf 
permissive=1', 'type=AVC msg=audit(1769206531.229:3644): avc: denied { prog_run } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0 tclass=bpf permissive=1', 'type=AVC msg=audit(1769206634.048:5029): avc: denied { prog_run } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:container_runtime_t:s0 tclass=bpf permissive=1', 'type=AVC msg=audit(1769206557.038:4078): avc: denied { prog_run } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0 tclass=bpf permissive=1', 'type=AVC msg=audit(1769206565.077:4309): avc: denied { prog_run } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0 tclass=bpf permissive=1', 'type=AVC msg=audit(1769206572.152:4497): avc: denied { prog_run } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0 tclass=bpf permissive=1', 'type=AVC msg=audit(1769206611.320:4730): avc: denied { prog_run } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0 tclass=bpf permissive=1', 'type=AVC msg=audit(1769206524.750:3329): avc: denied { prog_run } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0 tclass=bpf permissive=1', 'type=AVC msg=audit(1769206610.103:4671): avc: denied { prog_run } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0 tclass=bpf permissive=1', 'type=AVC msg=audit(1769206570.924:4477): avc: denied { prog_run } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:container_runtime_t:s0 tclass=bpf permissive=1', 'type=AVC msg=audit(1769206612.904:4844): avc: denied { prog_run } for pid=1 
comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0 tclass=bpf permissive=1', 'type=AVC msg=audit(1769206691.035:5130): avc: denied { prog_run } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:container_runtime_t:s0 tclass=bpf permissive=1', 'type=AVC msg=audit(1769206617.432:4901): avc: denied { prog_run } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0 tclass=bpf permissive=1', 'type=AVC msg=audit(1769206552.658:3949): avc: denied { prog_run } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0 tclass=bpf permissive=1', 'type=AVC msg=audit(1769206560.164:4117): avc: denied { prog_run } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0 tclass=bpf permissive=1', 'type=AVC msg=audit(1769206571.820:4487): avc: denied { prog_run } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0 tclass=bpf permissive=1', 'type=AVC msg=audit(1769206531.438:3657): avc: denied { prog_run } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:container_runtime_t:s0 tclass=bpf permissive=1', 'type=AVC msg=audit(1769206563.495:4290): avc: denied { prog_run } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0 tclass=bpf permissive=1', 'type=AVC msg=audit(1769206628.575:4987): avc: denied { prog_run } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0 tclass=bpf permissive=1', 'type=AVC msg=audit(1769206612.534:4833): avc: denied { prog_run } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 
tcontext=unconfined_u:unconfined_r:container_runtime_t:s0 tclass=bpf permissive=1', 'type=AVC msg=audit(1769206537.172:3845): avc: denied { prog_run } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0 tclass=bpf permissive=1', 'type=AVC msg=audit(1769206613.685:4870): avc: denied { prog_run } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0 tclass=bpf permissive=1', 'type=AVC msg=audit(1769206515.378:3072): avc: denied { prog_run } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0 tclass=bpf permissive=1', 'type=AVC msg=audit(1769206534.549:3812): avc: denied { prog_run } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0 tclass=bpf permissive=1', 'type=AVC msg=audit(1769206564.412:4299): avc: denied { prog_run } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0 tclass=bpf permissive=1', 'type=AVC msg=audit(1769206573.141:4518): avc: denied { prog_run } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0 tclass=bpf permissive=1', 'type=AVC msg=audit(1769206563.484:4289): avc: denied { prog_run } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:container_runtime_t:s0 tclass=bpf permissive=1', 'type=AVC msg=audit(1769206613.523:4861): avc: denied { prog_run } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:container_runtime_t:s0 tclass=bpf permissive=1', 'type=AVC msg=audit(1769206560.802:4132): avc: denied { prog_run } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0 tclass=bpf permissive=1', 'type=AVC 
msg=audit(1769206696.598:5162): avc: denied { prog_run } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:container_runtime_t:s0 tclass=bpf permissive=1', 'type=AVC msg=audit(1769206512.975:2921): avc: denied { prog_run } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0 tclass=bpf permissive=1', 'type=AVC msg=audit(1769206593.173:4579): avc: denied { prog_run } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:container_runtime_t:s0 tclass=bpf permissive=1', 'type=AVC msg=audit(1769206633.955:5026): avc: denied { prog_run } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:container_runtime_t:s0 tclass=bpf permissive=1']
2026-01-23T22:18:34.941 INFO:teuthology.run:Summary data:
description: rados/cephadm/workunits/{0-distro/rocky_10 agent/on mon_election/connectivity
task/test_host_drain}
Updated by Nitzan Mordechai about 2 months ago
- Related to QA Run #74540: wip-rocky10-branch-of-the-day-2026-01-23-1769128778 added
Updated by David Galloway about 2 months ago
SELinux denials would not really be my team's responsibility unless
a) The denials themselves were caused by a process we are responsible for (e.g., dnf or user permissions, sudo, testnode configuration, etc.) OR
b) You need us to modify the SELinux policy on the testnodes globally e.g., https://github.com/ceph/ceph-cm-ansible/blob/main/roles/common/tasks/nrpe-selinux.yml#L1-L41
In this case, it is neither. This is Rocky 10's newer systemd and kernel behavior using eBPF during container operations. I was able to reproduce this on a Rocky 10 testnode by just running podman run --rm quay.io/libpod/alpine echo ok. This is not something we need to fix in Ceph, but we should tell teuthology to ignore the denial.
Try pulling this in: https://github.com/djgalloway/ceph/commit/93718d5f9a544471f73be974e30de00ac58c746f
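Added example, not part of the ticket and not teuthology's or Ceph's own code: one way to triage a denial list like the one in the log above, by reducing each AVC record to a signature and ignoring only the exact signature discussed here. The IGNORED set and the function names are hypothetical; the first two sample records are copied from the log above and the third is constructed.

```python
import re
from collections import Counter

# Fields of an AVC record in the format shown in the teuthology log above.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?comm="(?P<comm>[^"]+)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+'
    r'tclass=(?P<tclass>\S+)\s+permissive=(?P<permissive>[01])'
)

# Hypothetical ignore list: one entry, scoped to the exact denial in this ticket.
IGNORED = {("systemd", "prog_run", "init_t", "container_runtime_t", "bpf")}


def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]


def signature(line):
    """Reduce one AVC record to (comm, perms, source type, target type, class)."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return (m["comm"], m["perms"], selinux_type(m["scontext"]),
            selinux_type(m["tcontext"]), m["tclass"])


def triage(lines):
    """Count denials per signature and split them into ignored and remaining."""
    seen = Counter(sig for sig in map(signature, lines) if sig is not None)
    ignored = {s: n for s, n in seen.items() if s in IGNORED}
    remaining = {s: n for s, n in seen.items() if s not in IGNORED}
    return ignored, remaining


SAMPLE = [
    # Copied from the log above; the two differ only in tcontext user and role.
    'type=AVC msg=audit(1769206569.968:4400): avc: denied { prog_run } for pid=1 '
    'comm="systemd" scontext=system_u:system_r:init_t:s0 '
    'tcontext=unconfined_u:unconfined_r:container_runtime_t:s0 tclass=bpf permissive=1',
    'type=AVC msg=audit(1769206654.482:5047): avc: denied { prog_run } for pid=1 '
    'comm="systemd" scontext=system_u:system_r:init_t:s0 '
    'tcontext=system_u:system_r:container_runtime_t:s0 tclass=bpf permissive=1',
    # Constructed record: an unrelated denial that must not be ignored.
    'type=AVC msg=audit(1700000000.000:1): avc: denied { read } for pid=4242 '
    'comm="example" name="example.conf" scontext=system_u:system_r:example_t:s0 '
    'tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1',
]

if __name__ == "__main__":
    ignored, remaining = triage(SAMPLE)
    print("ignored:", ignored)
    print("still failing the run:", remaining)
```

Keying on the SELinux type rather than the full context collapses the unconfined_u and system_u variants into one signature, while any denial with a different comm, permission, type pair or class still fails the run.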
Updated by Nitzan Mordechai about 2 months ago
/a/nmordech-2026-01-28_16:11:20-rados-wip-rocky10-branch-of-the-day-2026-01-23-1769128778-distro-default-trial/23407/teuthology.log
Updated by Laura Flores about 2 months ago · Edited
@David Galloway looks like there are still some denials in the latest runs. Do you have any suggestions?
(See examples in comments 4 and 5).
Updated by Yaarit Hatuka about 2 months ago
- Status changed from New to Fix Under Review
- Pull request ID set to 67193
fix: https://github.com/ceph/ceph/pull/67193
tentacle backport: https://github.com/ceph/ceph/pull/67194
Updated by Nitzan Mordechai about 1 month ago · Edited
Updated by David Galloway about 1 month ago
Actually fixed with https://github.com/ceph/ceph-ci/commit/80c7315e5866ead938d7771844a338858c6ed0e3