| Summary: | Multiple denials on GlusterFS service startup | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Michael Cronenworth <mike> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED NEXTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 18 | CC: | dominick.grift, dwalsh, lvrabec, mgrepl, mike |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2013-10-04 14:22:56 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Attachments: | | | |

Could you please attach raw AVC msgs?

# ausearch -m avc

I cannot now. Since creating the bug I have upgraded the system to Fedora 19. There are no SELinux alerts now.

$ ls -lZ /run/*socket
srwxr-xr-x. root root system_u:object_r:glusterd_var_run_t:s0 /run/06a07b78154f984c50b209b37780c261.socket
srwxr-xr-x. root root system_u:object_r:glusterd_var_run_t:s0 /run/24e3f05817a37ea8e9cb4099a4f90199.socket
srw-rw-rw-. root root system_u:object_r:apmd_var_run_t:s0 /run/acpid.socket
srwxr-xr-x. root root system_u:object_r:glusterd_var_run_t:s0 /run/df5a960a6952fe0b486451daf1dfc08c.socket

It appears the F18 policy doesn't have the same gluster context information as the F19 policy.

Created attachment 796385
gluster sealert messages

Description of problem:

# systemctl start glusterd

/var/log/messages:
Sep 11 08:35:27 balthasar setroubleshoot: SELinux is preventing /usr/sbin/glusterfsd from unlink access on the sock_file 24e3f05817a37ea8e9cb4099a4f90199.socket. For complete SELinux messages. run sealert -l 07f482f6-dd21-434e-a4a4-13cd8743b1d3
Sep 11 08:35:27 balthasar setroubleshoot: SELinux is preventing /usr/sbin/glusterfsd from search access on the directory net. For complete SELinux messages. run sealert -l 954dad5a-a478-4ebd-8f02-3d80cdc3ab69
Sep 11 08:35:31 balthasar setroubleshoot: SELinux is preventing /usr/sbin/glusterfsd from read access on the file unix. For complete SELinux messages. run sealert -l 47717e3b-166e-4645-b534-e84a3de5d120

Version-Release number of selected component (if applicable):
selinux-policy-3.11.1-103.fc18.noarch
glusterfs-3.4.0-8.fc18.x86_64

Additional info:

For the first denial about unlink access, I notice the socket file is created with one SELinux context, and restorecon wants to change it to a different context:

After service start:
$ ls -lZ /run/24e3f05817a37ea8e9cb4099a4f90199.socket
srwxr-xr-x. root root system_u:object_r:glusterd_var_run_t:s0 /run/24e3f05817a37ea8e9cb4099a4f90199.socket

After restorecon:
$ ls -lZ /run/24e3f05817a37ea8e9cb4099a4f90199.socket
srwxr-xr-x. root root system_u:object_r:var_run_t:s0 /run/24e3f05817a37ea8e9cb4099a4f90199.socket

Restarting the service does not resolve the issue. The socket file is recreated with the glusterd_var_run_t context.

Attaching sealert output of all denials.
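
The triage described in the report, as an added example that is not part of the original bug thread: it parses the setroubleshoot lines from /var/log/messages and flags denied targets whose type at creation differs from the type restorecon applies. The function and variable names are assumptions of this sketch; the sample input is assembled from the lines quoted above.

```python
import re

# Sample input assembled from the log lines and `ls -lZ` output quoted in the report.
LOG = """\
Sep 11 08:35:27 balthasar setroubleshoot: SELinux is preventing /usr/sbin/glusterfsd from unlink access on the sock_file 24e3f05817a37ea8e9cb4099a4f90199.socket. For complete SELinux messages. run sealert -l 07f482f6-dd21-434e-a4a4-13cd8743b1d3
Sep 11 08:35:27 balthasar setroubleshoot: SELinux is preventing /usr/sbin/glusterfsd from search access on the directory net. For complete SELinux messages. run sealert -l 954dad5a-a478-4ebd-8f02-3d80cdc3ab69
Sep 11 08:35:31 balthasar setroubleshoot: SELinux is preventing /usr/sbin/glusterfsd from read access on the file unix. For complete SELinux messages. run sealert -l 47717e3b-166e-4645-b534-e84a3de5d120
"""
SOCK = "/run/24e3f05817a37ea8e9cb4099a4f90199.socket"
CREATED = "srwxr-xr-x. root root system_u:object_r:glusterd_var_run_t:s0 " + SOCK
RELABELED = "srwxr-xr-x. root root system_u:object_r:var_run_t:s0 " + SOCK

# One setroubleshoot syslog line: executable, permission, object class, target, alert id.
DENIAL = re.compile(
    r"setroubleshoot: SELinux is preventing (?P<exe>\S+) from (?P<perm>.+?) access "
    r"on the (?P<tclass>\S+) (?P<target>.+?)\. For complete SELinux messages\. "
    r"run sealert -l (?P<alert>[0-9a-f-]{36})")
# The user:role:type:level context column of `ls -lZ`, followed by an absolute path.
LS_Z = re.compile(r"\s[^\s:]+:[^\s:]+:(?P<type>[^\s:]+):\S+\s+(?P<path>/\S+)$")

def parse_denials(log_text):
    """Return one dict per setroubleshoot denial line."""
    return [m.groupdict() for m in DENIAL.finditer(log_text)]

def label_types(ls_output):
    """Map file basename -> SELinux type from `ls -lZ` output."""
    types = {}
    for line in ls_output.splitlines():
        m = LS_Z.search(line)
        if m:
            types[m["path"].rsplit("/", 1)[-1]] = m["type"]
    return types

def mislabeled_targets(log_text, created_ls, relabeled_ls):
    """Denied targets whose creation-time type differs from the restorecon type."""
    created, default = label_types(created_ls), label_types(relabeled_ls)
    hits = []
    for d in parse_denials(log_text):
        t = d["target"]
        if t in created and t in default and created[t] != default[t]:
            hits.append((d["exe"], d["perm"], t, created[t], default[t]))
    return hits

if __name__ == "__main__":
    for hit in mislabeled_targets(LOG, CREATED, RELABELED):
        print("%s denied %s on %s: created as %s, restorecon applies %s" % hit)
```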