AppArmor denied messages for profile="/usr/bin/ceph-mds" flooding the system log
This document (7023914) is provided subject to the disclaimer at the end of this document.
Environment
SUSE Enterprise Storage 5.x
Situation
The system log "/var/log/messages" is flooded with messages similar to the following:
2019-06-05T12:00:00.873826+0x:x <host_name> kernel: [xxx.xxx] audit: type=1400 audit(xxx.xxx:xxx): apparmor="DENIED" operation="open" profile="/usr/bin/ceph-mds" name="/proc/<pid_number>/status" pid=<pid_number> comm="safe_timer" requested_mask="r" denied_mask="r" fsuid=xxx ouid=xxx
Resolution
Adjust the "/etc/apparmor.d/usr.bin.ceph-mds" profile to allow read for "/proc/*/stat" and "/proc/*/status".
Cause
The default AppArmor profile is missing some read access permissions.
Additional Information
To implement the change, edit the "/etc/apparmor.d/usr.bin.ceph-mds" file so the entries granting permissions are:
/usr/bin/ceph-mds mr,/proc/*/stat r,/proc/*/status r,
After saving the file, reload the AppArmor profiles by executing "systemctl reload apparmor".
Alternatively the YaST apparmor module can also be used to make the required changes.
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID:7023914
- Creation Date: 05-Jun-2019
- Modified Date:03-Mar-2020
-
- SUSE Enterprise Storage
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com
