Back to bug 1239017
| Who | When | What | Removed | Added |
|---|---|---|---|---|
| Prasanth | 2015-07-03 09:20:52 UTC | CC | mgrepl, mmalik, pprakash, rcyriac | |
| | | Summary | [selinux] [nfs-ganesha]: seeing avc denied error message for showmount, while doing a volume start - Rhel6.7 | [SELinux] [nfs-ganesha]: seeing avc denied error message for showmount, while doing a volume start - Rhel6.7 |
| | | QA Contact | storage-qa-internal | akhakhar |
| Prasanth | 2015-07-03 09:21:51 UTC | CC | akhakhar | |
| | | Flags | needinfo?(akhakhar) | |
| Anil Shah | 2015-07-06 09:07:36 UTC | CC | senaik | |
| | | CC | ashah | |
| Apeksha | 2015-07-06 09:25:25 UTC | Flags | needinfo?(akhakhar) | |
| Vivek Agarwal | 2015-07-06 11:24:36 UTC | Priority | unspecified | high |
| | | CC | vagarwal | |
| | | Blocks | 1202842 | |
| Red Hat Bugzilla Rules Engine | 2015-07-06 14:20:22 UTC | Target Release | --- | RHGS 3.1.0 |
| Prasanth | 2015-07-08 06:23:26 UTC | Flags | needinfo?(akhakhar) | |
| Prasanth | 2015-07-08 06:55:41 UTC | Blocks | 1212796 | |
| Prasanth | 2015-07-09 06:14:44 UTC | CC | sgraf | |
| Apeksha | 2015-07-09 07:01:03 UTC | Flags | needinfo?(akhakhar) | |
| Prasanth | 2015-07-09 07:04:57 UTC | Depends On | 1241386 | |
| Prasanth | 2015-07-09 07:19:56 UTC | Depends On | 1241400 | |
| Prasanth | 2015-07-17 18:22:50 UTC | Status | NEW | ASSIGNED |
| Vivek Agarwal | 2015-07-20 13:15:08 UTC | Status | ASSIGNED | MODIFIED |
| errata-xmlrpc | 2015-07-21 06:09:40 UTC | Status | MODIFIED | ON_QA |
| Vivek Agarwal | 2015-07-21 06:27:13 UTC | Status | ON_QA | MODIFIED |
| errata-xmlrpc | 2015-07-21 10:00:20 UTC | Status | MODIFIED | ON_QA |
| Vivek Agarwal | 2015-07-21 10:40:00 UTC | Status | ON_QA | MODIFIED |
| errata-xmlrpc | 2015-07-22 02:47:13 UTC | Status | MODIFIED | ON_QA |
| Rejy M Cyriac | 2015-07-22 04:01:48 UTC | Status | ON_QA | MODIFIED |
| errata-xmlrpc | 2015-07-22 07:32:11 UTC | Status | MODIFIED | ON_QA |
| Rejy M Cyriac | 2015-07-22 09:52:10 UTC | Status | ON_QA | MODIFIED |
| errata-xmlrpc | 2015-07-22 13:54:12 UTC | Status | MODIFIED | ON_QA |
| Vivek Agarwal | 2015-07-22 14:40:16 UTC | Status | ON_QA | MODIFIED |
| errata-xmlrpc | 2015-07-23 10:16:35 UTC | Status | MODIFIED | ON_QA |
| Vivek Agarwal | 2015-07-23 11:37:48 UTC | Status | ON_QA | MODIFIED |
| Vivek Agarwal | 2015-07-23 11:38:36 UTC | Blocks | 1202842 | |
| Vivek Agarwal | 2015-07-27 07:23:12 UTC | Blocks | 1216951 | |
| Vivek Agarwal | 2015-07-27 09:11:20 UTC | Doc Text | workaround | |
| | | Doc Type | Bug Fix | Known Issue |
| Apeksha | 2015-07-27 11:48:49 UTC | Doc Text | workaround | As per the bug, you will find AVC's with denied flag for showmount command in /var/log/audit/audit.log. For example: type=AVC msg=audit(1435940872.438:47126): avc: denied { execute } for pid=19711 comm="S31ganesha-star" name="showmount" dev=dm-0 ino=923917 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:showmount_exec_t:s0 tclass=file In order to rectify this problem, please use the workaround as mentioned below: Step1: # cat mypolicy.te policy_module(mypolicy, 1.0) require{ type glusterd_t; } mount_domtrans_showmount(glusterd_t) Step2: # make -f /usr/share/selinux/devel/Makefile Compiling targeted mypolicy module /usr/bin/checkmodule: loading policy configuration from tmp/mypolicy.tmp /usr/bin/checkmodule: policy configuration loaded /usr/bin/checkmodule: writing binary representation (version 17) to tmp/mypolicy.mod Creating targeted mypolicy.pp policy package rm tmp/mypolicy.mod.fc tmp/mypolicy.mod Step3: # semodule -i mypolicy.pp |
| Apeksha | 2015-07-27 11:59:16 UTC | Doc Text | As per the bug, you will find AVC's with denied flag for showmount command in /var/log/audit/audit.log. For example: type=AVC msg=audit(1435940872.438:47126): avc: denied { execute } for pid=19711 comm="S31ganesha-star" name="showmount" dev=dm-0 ino=923917 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:showmount_exec_t:s0 tclass=file In order to rectify this problem, please use the workaround as mentioned below: Step1: # cat mypolicy.te policy_module(mypolicy, 1.0) require{ type glusterd_t; } mount_domtrans_showmount(glusterd_t) Step2: # make -f /usr/share/selinux/devel/Makefile Compiling targeted mypolicy module /usr/bin/checkmodule: loading policy configuration from tmp/mypolicy.tmp /usr/bin/checkmodule: policy configuration loaded /usr/bin/checkmodule: writing binary representation (version 17) to tmp/mypolicy.mod Creating targeted mypolicy.pp policy package rm tmp/mypolicy.mod.fc tmp/mypolicy.mod Step3: # semodule -i mypolicy.pp | As per the bug, you will find AVC's with denied flag for showmount command in /var/log/audit/audit.log. For example: type=AVC msg=audit(1435940872.438:47126): avc: denied { execute } for pid=19711 comm="S31ganesha-star" name="showmount" dev=dm-0 ino=923917 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:showmount_exec_t:s0 tclass=file In order to rectify this problem, please use the workaround as mentioned below on all the servers: Step1: # cat mypolicy.te policy_module(mypolicy, 1.0) require{ type glusterd_t; } mount_domtrans_showmount(glusterd_t) Step2: # make -f /usr/share/selinux/devel/Makefile Compiling targeted mypolicy module /usr/bin/checkmodule: loading policy configuration from tmp/mypolicy.tmp /usr/bin/checkmodule: policy configuration loaded /usr/bin/checkmodule: writing binary representation (version 17) to tmp/mypolicy.mod Creating targeted mypolicy.pp policy package rm tmp/mypolicy.mod.fc tmp/mypolicy.mod Step3: # semodule -i mypolicy.pp |
| Rejy M Cyriac | 2015-08-03 05:44:47 UTC | Status | MODIFIED | ON_QA |
| | | Fixed In Version | selinux-policy-3.7.19-279.el6_7.1 | |
| Apeksha | 2015-08-03 11:57:30 UTC | Status | ON_QA | VERIFIED |
| Jiri Herrmann | 2015-08-04 14:17:14 UTC | CC | jherrman | |
| | | Doc Text | As per the bug, you will find AVC's with denied flag for showmount command in /var/log/audit/audit.log. For example: type=AVC msg=audit(1435940872.438:47126): avc: denied { execute } for pid=19711 comm="S31ganesha-star" name="showmount" dev=dm-0 ino=923917 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:showmount_exec_t:s0 tclass=file In order to rectify this problem, please use the workaround as mentioned below on all the servers: Step1: # cat mypolicy.te policy_module(mypolicy, 1.0) require{ type glusterd_t; } mount_domtrans_showmount(glusterd_t) Step2: # make -f /usr/share/selinux/devel/Makefile Compiling targeted mypolicy module /usr/bin/checkmodule: loading policy configuration from tmp/mypolicy.tmp /usr/bin/checkmodule: policy configuration loaded /usr/bin/checkmodule: writing binary representation (version 17) to tmp/mypolicy.mod Creating targeted mypolicy.pp policy package rm tmp/mypolicy.mod.fc tmp/mypolicy.mod Step3: # semodule -i mypolicy.pp | Attempting to set up Gluster storage on an NFS-Ganesha cluster previously failed due to an Access Vector Cache (AVC) denial error. The responsible SELinux policy has been adjusted to allow handling of volumes mounted by NFS-Ganesha, and the described failure no longer occurs. |
| | | Doc Type | Known Issue | Bug Fix |
| Vivek Agarwal | 2015-08-10 07:45:52 UTC | Status | VERIFIED | CLOSED |
| | | Resolution | --- | CURRENTRELEASE |
| | | Last Closed | 2015-08-10 03:45:52 UTC | |