zfs & selinux spamming logger

svennd
Posts: 45
Joined: 2015/12/11 10:25:22

zfs & selinux spamming logger

Post by svennd » 2020/02/13 14:28:03

I have installed zfs 0.8.2 on CentOS 8 (8.1.1911, uname: 4.18.0-80.11.2.el8_0.x86_64) and for some reason my /var/log/messages is spammed with:

```
Feb 13 15:18:37 prom1 platform-python[23599]: SELinux is preventing /usr/bin/cat from search access on the directory rpc.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that cat should be allowed search access on the rpc directory by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'cat' --raw | audit2allow -M my-cat#012# semodule -X 300 -i my-cat.pp#012
Feb 13 15:18:40 prom1 setroubleshoot[23599]: SELinux is preventing cat from getattr access on the file /proc/<pid>/net/rpc/nfsd. For complete SELinux messages run: sealert -l b7828754-85ae-4b0e-a61c-6de745885369
Feb 13 15:18:40 prom1 platform-python[23599]: SELinux is preventing cat from getattr access on the file /proc/<pid>/net/rpc/nfsd.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that cat should be allowed getattr access on the nfsd file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'cat' --raw | audit2allow -M my-cat#012# semodule -X 300 -i my-cat.pp#012
Feb 13 15:20:00 prom1 systemd[1]: Starting system activity accounting tool...
Feb 13 15:20:00 prom1 systemd[1]: Started system activity accounting tool.
Feb 13 15:22:34 prom1 sssd[kcm][15824]: Shutting down
Feb 13 15:23:36 prom1 dbus-daemon[1131]: [system] Activating service name='org.fedoraproject.Setroubleshootd' requested by ':1.19551' (uid=0 pid=23590 comm="/usr/sbin/sedispatch " label="system_u:system_r:auditd_t:s0") (using servicehelper)
Feb 13 15:23:36 prom1 dbus-daemon[1131]: [system] Successfully activated service 'org.fedoraproject.Setroubleshootd'
Feb 13 15:23:37 prom1 setroubleshoot[23631]: SELinux is preventing /usr/bin/cat from search access on the directory rpc. For complete SELinux messages run: sealert -l 429fa616-ceda-4436-be6d-5c3f1ada3462
Feb 13 15:23:37 prom1 platform-python[23631]: SELinux is preventing /usr/bin/cat from search access on the directory rpc.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that cat should be allowed search access on the rpc directory by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'cat' --raw | audit2allow -M my-cat#012# semodule -X 300 -i my-cat.pp#012
Feb 13 15:23:40 prom1 setroubleshoot[23631]: SELinux is preventing /usr/sbin/zpool from 'read, write' accesses on the chr_file zfs. For complete SELinux messages run: sealert -l 56a12972-324c-461e-8df4-92225b0cb42f
Feb 13 15:23:40 prom1 platform-python[23631]: SELinux is preventing /usr/sbin/zpool from 'read, write' accesses on the chr_file zfs.#012#012*****  Plugin device (91.4 confidence) suggests   ****************************#012#012If you want to allow zpool to have read write access on the zfs chr_file#012Then you need to change the label on zfs to a type of a similar device.#012Do#012# semanage fcontext -a -t SIMILAR_TYPE 'zfs'#012# restorecon -v 'zfs'#012#012*****  Plugin catchall (9.59 confidence) suggests   **************************#012#012If you believe that zpool should be allowed read write access on the zfs chr_file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'zpool' --raw | audit2allow -M my-zpool#012# semodule -X 300 -i my-zpool.pp#012
Feb 13 15:23:43 prom1 setroubleshoot[23631]: failed to retrieve rpm info for /dev/zfs
Feb 13 15:23:43 prom1 setroubleshoot[23631]: SELinux is preventing zpool from open access on the chr_file /dev/zfs. For complete SELinux messages run: sealert -l fe70b75d-d838-4419-8b19-4b35f3ca45b3
Feb 13 15:23:43 prom1 platform-python[23631]: SELinux is preventing zpool from open access on the chr_file /dev/zfs.#012#012*****  Plugin device (91.4 confidence) suggests   ****************************#012#012If you want to allow zpool to have open access on the zfs chr_file#012Then you need to change the label on /dev/zfs to a type of a similar device.#012Do#012# semanage fcontext -a -t SIMILAR_TYPE '/dev/zfs'#012# restorecon -v '/dev/zfs'#012#012*****  Plugin catchall (9.59 confidence) suggests   **************************#012#012If you believe that zpool should be allowed open access on the zfs chr_file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'zpool' --raw | audit2allow -M my-zpool#012# semodule -X 300 -i my-zpool.pp#012
Feb 13 15:23:55 prom1 dbus-daemon[1131]: [system] Activating service name='org.fedoraproject.Setroubleshootd' requested by ':1.19551' (uid=0 pid=23590 comm="/usr/sbin/sedispatch " label="system_u:system_r:auditd_t:s0") (using servicehelper)
Feb 13 15:23:55 prom1 dbus-daemon[1131]: [system] Successfully activated service 'org.fedoraproject.Setroubleshootd'
Feb 13 15:23:55 prom1 setroubleshoot[23668]: failed to retrieve rpm info for /dev/zfs
Feb 13 15:23:55 prom1 setroubleshoot[23668]: SELinux is preventing zpool from ioctl access on the chr_file /dev/zfs. For complete SELinux messages run: sealert -l 302d7bf3-b954-4fbf-8e16-ea2e6b38b225
Feb 13 15:23:55 prom1 platform-python[23668]: SELinux is preventing zpool from ioctl access on the chr_file /dev/zfs.#012#012*****  Plugin device (91.4 confidence) suggests   ****************************#012#012If you want to allow zpool to have ioctl access on the zfs chr_file#012Then you need to change the label on /dev/zfs to a type of a similar device.#012Do#012# semanage fcontext -a -t SIMILAR_TYPE '/dev/zfs'#012# restorecon -v '/dev/zfs'#012#012*****  Plugin catchall (9.59 confidence) suggests   **************************#012#012If you believe that zpool should be allowed ioctl access on the zfs chr_file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'zpool' --raw | audit2allow -M my-zpool#012# semodule -X 300 -i my-zpool.pp#012
```

I have no idea what SELinux is trying to tell me, or what it is blocking.

This is /etc/selinux/config:

```
cat /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
```

I think it might be related to an snmpd script that tries to open "/proc/spl/kstat/zfs/arcstats" to read the stats, but I feel a bit ashamed that I have no idea how to fix this or how to silence the error ... :oops: Everything seems to work ...
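Every setroubleshoot summary line in the excerpt above follows one pattern (which command was prevented from which access on which object, plus a sealert id), so the wall of log can be reduced to a handful of distinct denials before deciding what to do about them. The parser below is an added example written for this page, not code from the thread or from the setroubleshoot tools. Its sample input is copied from the excerpt above (the verbose platform-python duplicates with embedded #012 newlines are left out because they repeat the same denials), and the split into zfs-related and other denials is a heuristic on the source command and target name, which is an assumption of this example.

```python
import re
from collections import Counter

# Sample input copied from the thread's /var/log/messages excerpt. Non-denial
# lines are kept deliberately to show that the parser ignores them.
SAMPLE_LOG = """\
Feb 13 15:18:40 prom1 setroubleshoot[23599]: SELinux is preventing cat from getattr access on the file /proc/<pid>/net/rpc/nfsd. For complete SELinux messages run: sealert -l b7828754-85ae-4b0e-a61c-6de745885369
Feb 13 15:20:00 prom1 systemd[1]: Starting system activity accounting tool...
Feb 13 15:23:37 prom1 setroubleshoot[23631]: SELinux is preventing /usr/bin/cat from search access on the directory rpc. For complete SELinux messages run: sealert -l 429fa616-ceda-4436-be6d-5c3f1ada3462
Feb 13 15:23:40 prom1 setroubleshoot[23631]: SELinux is preventing /usr/sbin/zpool from 'read, write' accesses on the chr_file zfs. For complete SELinux messages run: sealert -l 56a12972-324c-461e-8df4-92225b0cb42f
Feb 13 15:23:43 prom1 setroubleshoot[23631]: failed to retrieve rpm info for /dev/zfs
Feb 13 15:23:43 prom1 setroubleshoot[23631]: SELinux is preventing zpool from open access on the chr_file /dev/zfs. For complete SELinux messages run: sealert -l fe70b75d-d838-4419-8b19-4b35f3ca45b3
Feb 13 15:23:55 prom1 setroubleshoot[23668]: SELinux is preventing zpool from ioctl access on the chr_file /dev/zfs. For complete SELinux messages run: sealert -l 302d7bf3-b954-4fbf-8e16-ea2e6b38b225
"""

# One regex for the setroubleshoot summary line. The access list is either a
# single word ("open") or a quoted, comma-separated list ("'read, write'").
DENIAL_RE = re.compile(
    r"setroubleshoot\[\d+\]: SELinux is preventing (?P<source>\S+) "
    r"from (?P<access>'[^']*'|\S+) access(?:es)? on the (?P<cls>\S+) (?P<target>\S+)\. "
    r"For complete SELinux messages run: sealert -l (?P<alert>[0-9a-f-]+)"
)

# ZFS userland tools whose denials concern ZFS itself (an assumption of this
# example used for the zfs/other split; only zpool appears in the thread).
ZFS_TOOLS = {"zpool", "zfs", "zed"}


def parse_denial(line):
    """Return a dict for one setroubleshoot denial summary line, else None."""
    m = DENIAL_RE.search(line)
    if not m:
        return None
    access = m.group("access").strip("'")
    return {
        "source": m.group("source").rsplit("/", 1)[-1],  # drop any directory part
        "access": tuple(a.strip() for a in access.split(",")),
        "class": m.group("cls"),
        "target": m.group("target"),
        "alert": m.group("alert"),
    }


def parse_log(text):
    return [d for d in (parse_denial(line) for line in text.splitlines()) if d]


def is_zfs_related(denial):
    return denial["source"] in ZFS_TOOLS or "zfs" in denial["target"]


def summarize(denials):
    """Count distinct (source, class, target) triples; split zfs-related from the rest."""
    by_key = Counter((d["source"], d["class"], d["target"]) for d in denials)
    zfs = [d for d in denials if is_zfs_related(d)]
    other = [d for d in denials if not is_zfs_related(d)]
    return by_key, zfs, other


def sealert_commands(denials):
    """Unique `sealert -l <id>` commands for the full reports, in first-seen order."""
    seen, cmds = set(), []
    for d in denials:
        if d["alert"] not in seen:
            seen.add(d["alert"])
            cmds.append("sealert -l " + d["alert"])
    return cmds


if __name__ == "__main__":
    denials = parse_log(SAMPLE_LOG)
    by_key, zfs, other = summarize(denials)
    for (source, cls, target), n in by_key.most_common():
        print(f"{n}x  {source:<8} {cls:<10} {target}")
    print(f"zfs-related: {len(zfs)}, other: {len(other)}")
    print("\n".join(sealert_commands(denials)))
```

Run against a real /var/log/messages, the distinct triples tell you at a glance that this excerpt is really two problems (cat being denied on nfsd files under /proc, and zpool being denied on /dev/zfs), and the sealert commands give the full reports for each; that is the triage to do before deciding whether a file is mislabeled or a policy rule is missing.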

tunk
Posts: 1206
Joined: 2017/02/22 15:08:17

Re: zfs & selinux spamming logger

Post by tunk » 2020/02/13 14:34:28

I don't know what your problem is, but you might want to run dnf update and reboot.
I think 4.18.0-80.11.2.el8_0 is from CentOS 8.0.

BShT
Posts: 585
Joined: 2019/10/09 12:31:40

Re: zfs & selinux spamming logger

Post by BShT » 2020/02/13 14:46:35

restorecon?

svennd
Posts: 45
Joined: 2015/12/11 10:25:22

Re: zfs & selinux spamming logger

Post by svennd » 2020/02/13 15:07:16

BShT wrote (2020/02/13 14:46:35):
> restorecon?

You mean restorecon -v '/dev/zfs'?

tunk wrote (2020/02/13 14:34:28):
> I don't know what your problem is, but you might want to run dnf update and reboot.
> I think 4.18.0-80.11.2.el8_0 is from CentOS 8.0.

I'm still old and using yum, but they both do the same, I guess. yum update? (I did, nothing to update)

TrevorH
Site Admin
Posts: 33219
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: zfs & selinux spamming logger

Post by TrevorH » 2020/02/13 15:40:16

In CentOS 8, yum == dnf, it is a symlink.

I don't think the NFS AVCs are to do with zfs though the /dev/zfs ones definitely are.

I think you may have more fundamental problems though. How did you install zfs? I've seen others using it and none have these problems. Post the output from ls -laZ /dev/zfs
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

svennd
Posts: 45
Joined: 2015/12/11 10:25:22

Re: zfs & selinux spamming logger

Post by svennd » 2020/02/13 18:33:57

```
crw-rw-rw-. 1 root root system_u:object_r:device_t:s0 10, 249 Feb 10 09:13 /dev/zfs
```

On a companion server (where I did pretty much the same and have no issues):

```
ls -laZ /dev/zfs
crw-rw-rw- 1 root root ? 10, 249 Feb 10 10:05 /dev/zfs
```

I did run:

```
restorecon -v '/dev/zfs'
```

But I don't really know what that should do ...

ZFS is from zfsonlinux; I don't recall doing anything special or different. zfs.repo:

```
cat /etc/yum.repos.d/zfs.repo
[zfs]
name=ZFS on Linux for EL8 - dkms
baseurl=http://download.zfsonlinux.org/epel/8.0/$basearch/
enabled=1
metadata_expire=7d
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-zfsonlinux

[zfs-kmod]
name=ZFS on Linux for EL8 - kmod
baseurl=http://download.zfsonlinux.org/epel/8.0/kmod/$basearch/
enabled=0
metadata_expire=7d
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-zfsonlinux
```

Thanks for the help.

BShT
Posts: 585
Joined: 2019/10/09 12:31:40

Re: zfs & selinux spamming logger

Post by BShT » 2020/02/14 11:50:33

I think you should restorecon the mount point, not the dev.

But I don't use ZFS with Linux, only FreeBSD.

TrevorH
Site Admin
Posts: 33219
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: zfs & selinux spamming logger

Post by TrevorH » 2020/02/14 12:03:41

What was the output from ls -laZ /dev/zfs after the restorecon? It had no selinux context when you first listed it and that was plainly wrong. Did you have selinux disabled at any point (not permissive but disabled, either by amending /etc/sysconfig/selinux and changing 'enforcing' to disabled or by passing selinux=0 via the kernel command line)?

If the selinux context changes after the restorecon then it may work afterwards. However I suspect that it may reset when you reboot in which case this would sound like a bug in zfs and you would need to talk to their community about how to fix that.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
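TrevorH's question turns on a single column of `ls -laZ`: the security context, which is either a full user:role:type:level label or a bare `?` when the kernel returned no label for the file (which is what an SELinux-disabled boot produces). The helper below is an added example for this page, not code from the thread, from coreutils or from the SELinux tools. It parses both listings quoted earlier in the thread, reports entries that carry no label, and optionally compares the type against an expected one; the `expected_type` parameter is a placeholder for whatever type the local policy assigns to /dev/zfs, which the thread does not establish, and `live_context` just reads the `security.selinux` extended attribute the kernel exposes on a labeled file.

```python
import os

# Constructed sample: the two `ls -laZ /dev/zfs` listings quoted in the thread,
# one fully labeled and one where ls printed "?" because no label was readable.
SAMPLE_LS = """\
crw-rw-rw-. 1 root root system_u:object_r:device_t:s0 10, 249 Feb 10 09:13 /dev/zfs
crw-rw-rw- 1 root root ? 10, 249 Feb 10 10:05 /dev/zfs
"""


def parse_context(ctx):
    """Split user:role:type[:level] into a dict; "?" means no label was available."""
    if ctx == "?":
        return None
    parts = ctx.split(":", 3)          # the level itself may contain ":" (s0-s0:c0.c1023)
    if len(parts) < 3:
        raise ValueError("not an SELinux context: %r" % ctx)
    return {"user": parts[0], "role": parts[1], "type": parts[2],
            "level": parts[3] if len(parts) == 4 else ""}


def parse_ls_z_line(line):
    """Parse one `ls -laZ` line.

    Columns: mode nlink owner group context size month day time name. For a
    device node the size column is "major, minor" and spans two tokens; the
    trailing comma on the major number tells the two cases apart.
    """
    tok = line.split()
    if len(tok) < 9:
        raise ValueError("unexpected ls -Z line: %r" % line)
    mode, nlink, owner, group, ctx = tok[:5]
    rest = tok[5:]
    if rest[0].endswith(","):
        size = rest[0] + " " + rest[1]  # e.g. "10, 249"
        rest = rest[2:]
    else:
        size, rest = rest[0], rest[1:]
    name = " ".join(rest[3:])           # skip month/day/time; names may contain spaces
    return {"mode": mode, "nlink": int(nlink), "owner": owner, "group": group,
            "context": parse_context(ctx), "size": size, "name": name}


def audit_labels(listing, expected_type=None):
    """Return ([names with no label], [(name, type) whose type != expected_type])."""
    unlabeled, mismatched = [], []
    for line in listing.splitlines():
        if not line.strip() or line.startswith("total "):
            continue
        entry = parse_ls_z_line(line)
        if entry["context"] is None:
            unlabeled.append(entry["name"])
        elif expected_type and entry["context"]["type"] != expected_type:
            mismatched.append((entry["name"], entry["context"]["type"]))
    return unlabeled, mismatched


def live_context(path):
    """Label the running kernel reports for path, or None if there is none
    (SELinux disabled, filesystem without label support, or a non-Linux host)."""
    try:
        return os.getxattr(path, "security.selinux").rstrip(b"\0").decode()
    except (OSError, AttributeError):
        return None


if __name__ == "__main__":
    for line in SAMPLE_LS.splitlines():
        e = parse_ls_z_line(line)
        print(e["name"], e["context"]["type"] if e["context"] else "NO LABEL")
    print(audit_labels(SAMPLE_LS))
    print("live /dev/zfs:", live_context("/dev/zfs"))
```

Feed `audit_labels` the saved output from both machines and run `live_context` on the box itself: an entry that comes back as `?` on a system that is supposed to be enforcing is exactly the condition TrevorH is probing for, whereas a label with the wrong type is what restorecon (or a `semanage fcontext` rule followed by restorecon) corrects.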

svennd
Posts: 45
Joined: 2015/12/11 10:25:22

Re: zfs & selinux spamming logger

Post by svennd » 2020/02/17 14:28:51

It turned out SELinux was still enabled; I disabled it and rebooted (which had not happened before), and logically the errors have stayed away.

While I still have no idea why SELinux doesn't like me, at least it's now silent. Until I find the time to study SELinux's ways, it is to remain a harsh mystery.

Thanks for the help, all!
