Bug 1015819

Summary: SELinux is preventing /usr/sbin/glusterfsd from name_bind access on the tcp_socket
Product: [Community] GlusterFS
Reporter: Michael Cronenworth <mike>
Component: core
Assignee: Ric Wheeler <rwheeler>
Status: CLOSED CURRENTRELEASE
QA Contact:
Severity: high
Docs Contact:
Priority: unspecified
Version: 3.4.0
CC: barumuga, dominick.grift, dwalsh, gluster-bugs, joe, jonathansteffan, lvrabec, mgrepl, ndevos, silas
Target Milestone: ---
Target Release: ---
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-07-11 19:15:53 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Michael Cronenworth 2013-10-05 20:36:42 UTC
After the latest selinux-policy I cannot start glusterd.

Attempting to start the service results in an infinite loop that fills the server logs with denials. I have to kill glusterd in order to prevent the hard disk from filling up.

GlusterFS is a Red Hat technology. SELinux is a Red Hat technology. It's obvious no one at Red Hat is running with SELinux enabled. Please get your GlusterFS team on the same page.

/var/log/messages:
Oct  5 15:29:23 balthasar setroubleshoot: SELinux is preventing /usr/sbin/glusterfsd from name_bind access on the tcp_socket . For complete SELinux messages. run sealert -l b25d7d98-c628-44d2-899d-c22b3bd3fe67

[michael@balthasar ~]$ sudo sealert -l b25d7d98-c628-44d2-899d-c22b3bd3fe67
SELinux is preventing /usr/sbin/glusterfsd from name_bind access on the tcp_socket .

*****  Plugin bind_ports (92.2 confidence) suggests  *************************

If you want to allow /usr/sbin/glusterfsd to bind to network port 1957
Then you need to modify the port type.
Do
# semanage port -a -t PORT_TYPE -p tcp 1957
    where PORT_TYPE is one of the following: agentx_port_t, apertus_ldp_port_t, audit_port_t, auth_port_t, bgp_port_t, chronyd_port_t, comsat_port_t, dhcpc_port_t, dhcpd_port_t, dns_port_t, echo_port_t, efs_port_t, epmap_port_t, fingerd_port_t, flash_port_t, ftp_data_port_t, ftp_port_t, gluster_port_t, gopher_port_t, hi_reserved_port_t, http_port_t, inetd_child_port_t, innd_port_t, ipmi_port_t, ipp_port_t, isakmp_port_t, kerberos_admin_port_t, kerberos_password_port_t, kerberos_port_t, kprop_port_t, ktalkd_port_t, ldap_port_t, lmtp_port_t, mountd_port_t, nfs_port_t, nmbd_port_t, ntp_port_t, openshift_port_t, pop_port_t, portmap_port_t, printer_port_t, reserved_port_t, rlogin_port_t, rlogind_port_t, rndc_port_t, router_port_t, rsh_port_t, rsync_port_t, rtsp_port_t, rwho_port_t, smbd_port_t, smtp_port_t, snmp_port_t, spamd_port_t, ssh_port_t, svrloc_port_t, swat_port_t, syslogd_port_t, telnetd_port_t, tftp_port_t, time_port_t, uucpd_port_t, whois_port_t, xdmcp_port_t, zarafa_port_t.

*****  Plugin catchall_boolean (7.83 confidence) suggests  *******************

If you want to allow system to run with NIS
Then you must tell SELinux about this by enabling the 'nis_enabled' boolean.
You can read 'None' man page for more details.
Do
setsebool -P nis_enabled 1

*****  Plugin catchall (1.41 confidence) suggests  ***************************

If you believe that glusterfsd should be allowed name_bind access on the  tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep glusterd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:glusterd_t:s0
Target Context                system_u:object_r:unreserved_port_t:s0
Target Objects                 [ tcp_socket ]
Source                        glusterd
Source Path                   /usr/sbin/glusterfsd
Port                          1957
Host                          balthasar.cchtml.com
Source RPM Packages           glusterfs-3.4.0-8.fc19.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-74.8.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     balthasar.cchtml.com
Platform                      Linux balthasar.cchtml.com 3.11.2-201.fc19.x86_64
                              #1 SMP Fri Sep 27 19:20:55 UTC 2013 x86_64 x86_64
Alert Count                   340
First Seen                    2013-09-30 11:38:10 CDT
Last Seen                     2013-10-05 14:22:58 CDT
Local ID                      b25d7d98-c628-44d2-899d-c22b3bd3fe67

Raw Audit Messages
type=AVC msg=audit(1381000978.786:999): avc:  denied  { name_bind } for  pid=1368 comm="glusterd" src=1957 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket


type=SYSCALL msg=audit(1381000978.786:999): arch=x86_64 syscall=bind success=no exit=EACCES a0=6 a1=7f69d6543960 a2=10 a3=1 items=0 ppid=1 pid=1368 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=glusterd exe=/usr/sbin/glusterfsd subj=system_u:system_r:glusterd_t:s0 key=(null)

Hash: glusterd,glusterd_t,unreserved_port_t,tcp_socket,name_bind

Comment 1 Daniel Walsh 2013-10-07 13:35:19 UTC
Is port 1957 a standard port for gluster?

Comment 2 Michael Cronenworth 2013-10-07 14:36:22 UTC
Glusterd and glusterfsd use random ports for local and loopback communication. Port 1957 just happened to be the random port used on this startup attempt.

Comment 3 Daniel Walsh 2013-10-07 16:07:26 UTC
0f57b3320fff2b8f37d79610178ec27ada2ae3ac fixes this in git.

Comment 4 Lukas Vrabec 2013-10-08 10:45:05 UTC
Backported to f19.

Comment 5 Michael Cronenworth 2013-10-16 02:40:52 UTC
This issue was resolved with selinux-policy-3.12.1-74.9.fc19. Thanks.

With the component change I'm not sure if you want to close this bug now or not. I'll leave it up to you.
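The sealert output in the description offers three remedies, and comment 2 explains why the first one (relabelling port 1957 with semanage) would not stick: glusterd picks the port at random, so the next start would trip on a different unreserved port. The shell helper below is an added example, not code from this report, from glusterfs, from selinux-policy or from setroubleshoot. It parses the raw AVC record quoted in the description (copied inline as the sample input, so it runs without an audit log) and classifies a name_bind denial by the type SELinux put on the target port, so a triager can tell a random unreserved port (which needs a policy rule covering the whole unreserved range) from a port that belongs to another service (a configuration or semanage port fix). The classification tokens, the function names and the mention of refpolicy's corenet_tcp_bind_all_unreserved_ports() interface as the shape of such a rule are this example's own assumptions, not a description of the commit named in comment 3.

```shell
#!/bin/sh
# Added example: triage helper for an SELinux name_bind denial like the one in
# this report. Not part of glusterfs, selinux-policy or setroubleshoot; it only
# parses one AVC record and names the remedy. It never touches the live policy.

# Value of one key=value field in an AVC record; values may be double-quoted.
avc_field() {
    printf '%s\n' "$1" | sed -n 's/.*[ (]'"$2"'="\{0,1\}\([^" ]*\)"\{0,1\}.*/\1/p'
}

# Permission inside the "{ ... }" braces, e.g. name_bind.
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied  *{ *\([a-z_]*\) *}.*/\1/p'
}

# SELinux type (third field) of a context such as system_u:system_r:glusterd_t:s0.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Classify a name_bind denial by the target port type. Prints one token
# (the tokens are this example's own vocabulary):
#   policy-unreserved  port is unreserved_port_t, i.e. no service owns it.
#                      Relabelling that one port is futile when the daemon
#                      picks ports at random; the policy needs a rule letting
#                      the domain bind any unreserved port (in refpolicy
#                      terms corenet_tcp_bind_all_unreserved_ports()).
#   policy-reserved    port is reserved_port_t / hi_reserved_port_t (< 1024).
#   port-label:<type>  port carries another service's type: move the daemon
#                      to a port it may use, or relabel with semanage port.
#   not-name-bind      some other denial; this helper does not apply.
avc_classify() {
    perm=$(avc_perm "$1")
    [ "$perm" = name_bind ] || { echo not-name-bind; return 0; }
    ttype=$(ctx_type "$(avc_field "$1" tcontext)")
    case "$ttype" in
        unreserved_port_t)                  echo policy-unreserved ;;
        reserved_port_t|hi_reserved_port_t) echo policy-reserved ;;
        *)                                  echo "port-label:$ttype" ;;
    esac
}

# One-line summary: domain, permission, class, port, port type, verdict.
avc_summary() {
    printf '%s %s %s port=%s (%s) -> %s\n' \
        "$(ctx_type "$(avc_field "$1" scontext)")" \
        "$(avc_perm "$1")" \
        "$(avc_field "$1" tclass)" \
        "$(avc_field "$1" src)" \
        "$(ctx_type "$(avc_field "$1" tcontext)")" \
        "$(avc_classify "$1")"
}

# The raw AVC record quoted in the report, copied inline as sample input.
# On a live host feed records from:  ausearch -m avc -c glusterd --raw
SAMPLE_AVC='type=AVC msg=audit(1381000978.786:999): avc:  denied  { name_bind } for  pid=1368 comm="glusterd" src=1957 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket'

avc_summary "$SAMPLE_AVC"
# glusterd_t name_bind tcp_socket port=1957 (unreserved_port_t) -> policy-unreserved
```

For the record in this report the verdict is policy-unreserved, which matches how the bug was resolved: the fix shipped as a selinux-policy update rather than as a port relabel, with the audit2allow local module from the catchall suggestion as the stopgap until it landed. Had the target type been another service's port type, the semanage port -a suggestion from the bind_ports plugin would have been the right tool.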