Looking at https://logserver.rdoproject.org/57/763657/40/openstack-check/tripleo-ci-centos-8-ovb-3ctlr_1comp-featureset001/20570f5/logs/overcloud-controller-0/var/log/audit/audit.log.txt.gz
We can see about 25 denials and they are all of the following form:
type=AVC msg=audit(1615668714.600:17927): avc: denied { getattr } for pid=157251 comm="lsof" path="/dev/vda2" dev="devtmpfs" ino=15511 scontext=system_u:system_r:container_t:s0:c646,c695 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=1
curl https://logserver.rdoproject.org/57/763657/40/openstack-check/tripleo-ci-centos-8-ovb-3ctlr_1comp-featureset001/20570f5/logs/overcloud-controller-0/var/log/audit/audit.log.txt.gz |zgrep denied |wc -l
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 349k 100 349k 0 0 69074 0 0:00:05 0:00:05 --:--:-- 89193
25
Unfortunately, we do not log processes with '-Z', so it is not obvious from the CI logs, but I could reproduce this on my local master environment, where I narrowed it down to swift_rsync:
type=AVC msg=audit(1615828398.842:28610): avc: denied { getattr } for pid=829920 comm="lsof" path="/dev/vda2" dev="devtmpfs" ino=15012 scontext=system_u:system_r:container_t:s0:c557,c702 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=0
type=AVC msg=audit(1615828398.844:28611): avc: denied { getattr } for pid=829920 comm="lsof" path="/dev/vda2" dev="devtmpfs" ino=15012 scontext=system_u:system_r:container_t:s0:c557,c702 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=0
And an SELinux-enabled ps gave me rsync, which belongs to the swift_rsync container:
[root@ctrl-1-0 ~]# ps auxwfwZ |grep c557,c702
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 837063 0.0 0.0 221928 1196 pts/0 S+ 17:14 0:00 \_ grep --color=auto c557,c702
system_u:system_r:container_t:s0:c557,c702 root 116046 0.0 0.0 4232 916 ? Ss 15:12 0:00 \_ dumb-init --single-child -- kolla_start
system_u:system_r:container_t:s0:c557,c702 root 116073 0.0 0.0 11540 1176 ? S 15:12 0:00 \_ /usr/bin/rsync --daemon --no-detach --config=/etc/rsyncd.conf
[root@ctrl-1-0 ~]# podman exec -it swift_rsync sh -c 'ps auxwfwZ'
LABEL USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
system_u:system_r:container_t:s0:c557,c702 root 1849 0.0 0.0 47588 3756 pts/1 Rs+ 17:15 0:00 ps auxwfwZ
system_u:system_r:container_t:s0:c557,c702 root 1 0.0 0.0 4232 916 ? Ss 15:12 0:00 dumb-init --single-child -- kolla_start
system_u:system_r:container_t:s0:c557,c702 root 7 0.0 0.0 11540 1176 ? S 15:12 0:00 /usr/bin/rsync --daemon --no-detach --config=/etc/rsyncd.conf
This still happens in master and also has the side effect of setroubleshootd kicking in quite a bit and constantly using up CPU.
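The narrowing-down step above, as an added example that is not part of the bug report or of TripleO: it parses AVC denial records, pulls the MCS category pair out of scontext, counts denials per (label, comm, tclass, perms), and looks each label up in `ps auxwfwZ` output to name the container's processes. The audit lines and ps output are constructed sample input (the two lsof denials from above plus a made-up third denial and a made-up second container); the function names are mine.

```python
import re
from collections import Counter
# Constructed sample input: the two lsof denials quoted above plus one made-up denial
# under a different container label, so the grouping has something to separate.
AUDIT_LOG = """\
type=AVC msg=audit(1615828398.842:28610): avc: denied { getattr } for pid=829920 comm="lsof" path="/dev/vda2" dev="devtmpfs" ino=15012 scontext=system_u:system_r:container_t:s0:c557,c702 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=0
type=AVC msg=audit(1615828398.844:28611): avc: denied { getattr } for pid=829920 comm="lsof" path="/dev/vda2" dev="devtmpfs" ino=15012 scontext=system_u:system_r:container_t:s0:c557,c702 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=0
type=AVC msg=audit(1615828400.100:28612): avc: denied { read } for pid=4242 comm="python3" path="/var/log/messages" dev="vda2" ino=99 scontext=system_u:system_r:container_t:s0:c111,c222 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
"""
# Constructed `ps auxwfwZ` output for the same node (forest view, hence the "\_" prefix).
PS_Z = r"""
system_u:system_r:container_t:s0:c557,c702 root 116073 0.0 0.0 11540 1176 ? S 15:12 0:00 \_ /usr/bin/rsync --daemon --no-detach --config=/etc/rsyncd.conf
system_u:system_r:container_t:s0:c111,c222 root 4242 0.0 0.1 22000 9000 ? S 15:12 0:00 \_ /usr/bin/python3 /usr/bin/example-agent
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<rest>.*)$')
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key="quoted" or key=bare

def parse_avc(line):
    """Return the fields of one AVC denial (perms, comm, scontext, ...) or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: q or u for k, q, u in FIELD_RE.findall(m.group('rest'))}
    fields['perms'] = m.group('perms').split()
    return fields

def mcs_categories(context):
    """MCS category pair ('c557,c702') that tells one container's label from another's."""
    level = context.split(':', 3)[3]               # e.g. 's0:c557,c702' or plain 's0'
    return level.split(':', 1)[1] if ':' in level else ''

def index_processes(ps_z_output):
    """Map each container MCS pair seen in `ps auxZ` output to the commands running under it."""
    by_mcs = {}
    for line in ps_z_output.splitlines():
        parts = line.split(None, 11)               # 12 columns; COMMAND is the last one
        if len(parts) < 12 or not parts[0].startswith('system_u:system_r:container_t'):
            continue
        command = re.sub(r'^(?:\\_\s+)+', '', parts[11])   # drop the forest-view "\_ " prefix
        by_mcs.setdefault(mcs_categories(parts[0]), []).append(command)
    return by_mcs

def triage(audit_text, ps_z_output):
    """Count denials per (MCS pair, comm, tclass, perms) and attach the container's processes."""
    procs, counts = index_processes(ps_z_output), Counter()
    for line in audit_text.splitlines():
        d = parse_avc(line)
        if d and 'container_t' in d.get('scontext', ''):
            counts[(mcs_categories(d['scontext']), d.get('comm'), d.get('tclass'), ' '.join(d['perms']))] += 1
    return {k: {'count': n, 'container_procs': procs.get(k[0], [])} for k, n in counts.items()}
```

On a real node, feed it `zcat audit.log.txt.gz` and the output of `ps auxwfwZ` captured at the same time, since the category pair is assigned per container start.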