Bug 1022535

Summary: Default context for GlusterFS /run sockets is wrong
Product: [Community] GlusterFS
Reporter: Michael Cronenworth <mike>
Component: core
Assignee: bugs <bugs>
Status: CLOSED CURRENTRELEASE
Severity: unspecified
Priority: unspecified
Version: mainline
CC: bugs, dominick.grift, dpati, dwalsh, gluster-bugs, joe, jonathansteffan, kkeithle, lvrabec, mgrepl, ndevos, silas
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2015-12-08 12:18:19 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Michael Cronenworth 2013-10-23 13:26:09 UTC
Description of problem:
GlusterFS correctly sets its own context for its /run sockets, but the default SELinux policy does not apply the correct context.

After `systemctl start glusterd`:
srwxr-xr-x. root root system_u:object_r:glusterd_var_run_t:s0 /run/06a07b78154f984c50b209b37780c261.socket
srwxr-xr-x. root root system_u:object_r:glusterd_var_run_t:s0 /run/24e3f05817a37ea8e9cb4099a4f90199.socket
srwxr-xr-x. root root system_u:object_r:glusterd_var_run_t:s0 /run/df5a960a6952fe0b486451daf1dfc08c.socket

After `restorecon -Rv /run`:
srwxr-xr-x. root root system_u:object_r:var_run_t:s0   /run/06a07b78154f984c50b209b37780c261.socket
srwxr-xr-x. root root system_u:object_r:var_run_t:s0   /run/24e3f05817a37ea8e9cb4099a4f90199.socket
srwxr-xr-x. root root system_u:object_r:var_run_t:s0   /run/df5a960a6952fe0b486451daf1dfc08c.socket

The resulting context change causes dozens of SELinux denial messages to flood the system log.

Oct 23 08:22:07 balthasar setroubleshoot: SELinux is preventing /usr/sbin/glusterfsd from write access on the sock_file 24e3f05817a37ea8e9cb4099a4f90199.socket. For complete SELinux messages. run sealert -l 33823016-e4ca-47a1-a78c-9d521ff12904


Version-Release number of selected component (if applicable):
selinux-policy-3.12.1-74.10.fc19.noarch


How reproducible: Always


Steps to Reproduce:
1. Start glusterfs.
2. Run restorecon on /run
3. Watch /var/log/messages

Actual results: Context set incorrectly. SELinux denials.


Expected results: Context left alone. No SELinux denials.

Comment 1 Miroslav Grepl 2013-10-24 13:02:18 UTC
Lukas,
please backport glusterd policy from F20/rawhide.

Comment 2 Lukas Vrabec 2013-10-24 14:26:56 UTC
backported.

Comment 3 Fedora Update System 2013-11-08 09:07:36 UTC
selinux-policy-3.12.1-74.12.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-74.12.fc19

Comment 4 Michael Cronenworth 2013-11-08 16:15:47 UTC
This is not fixed.

$ sudo restorecon -Rv /run/*socket
restorecon reset /run/06a07b78154f984c50b209b37780c261.socket context system_u:object_r:glusterd_var_run_t:s0->system_u:object_r:var_run_t:s0
restorecon reset /run/24e3f05817a37ea8e9cb4099a4f90199.socket context system_u:object_r:glusterd_var_run_t:s0->system_u:object_r:var_run_t:s0
restorecon reset /run/df5a960a6952fe0b486451daf1dfc08c.socket context system_u:object_r:glusterd_var_run_t:s0->system_u:object_r:var_run_t:s0

$ rpm -qa | grep selinux-policy
selinux-policy-targeted-3.12.1-74.12.fc19.noarch
selinux-policy-doc-3.12.1-74.12.fc19.noarch
selinux-policy-devel-3.12.1-74.12.fc19.noarch
selinux-policy-3.12.1-74.12.fc19.noarch

Comment 5 Fedora Update System 2013-11-09 03:36:16 UTC
Package selinux-policy-3.12.1-74.12.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-74.12.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-20980/selinux-policy-3.12.1-74.12.fc19
then log in and leave karma (feedback).

Comment 6 Daniel Walsh 2013-11-11 17:21:47 UTC
We need gluster to move this socket into its own subdirectory to make the labeling work.  Since the name of the socket is random, there is no way for us to tell the labeling system that this should be labeled gluster_var_run_t.

 /run/06a07b78154f984c50b209b37780c261.socket

The only thing we could do is say everything that ends in .socket in /run will be owned by gluster, which seems a little extreme.

If it used 

/run/gluster/06a07b78154f984c50b209b37780c261.socket

Then our job becomes easier.
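The point in comment 6 (and the resolution in comment 9) is that SELinux file labeling is path-regex based, so a randomly named socket directly under /run cannot be matched without an over-broad rule, while a dedicated subdirectory can be. The script below is an added illustration, not code from this bug or from the selinux-policy or GlusterFS projects: it emulates libselinux's file_contexts lookup (each regex anchored at both ends, last matching entry wins, optional file-type filter) over a few constructed entries and shows what restorecon would do to the sockets named in this report under each policy variant. The entries, the "other-daemon" socket name and the helper names are constructed for the example.

```python
import re

# Constructed file_contexts-style entries: (path regex, optional file type,
# context). Modelled on the real format but not copied from any shipped
# policy. libselinux anchors each regex at both ends and, when several
# entries match, the last one in the (specificity-sorted) file wins.
BASE_POLICY = [
    (r"/run(/.*)?", None, "system_u:object_r:var_run_t:s0"),
]
# Variant A: the dedicated subdirectory comment 6 asks for; anything under it matches.
SUBDIR_POLICY = BASE_POLICY + [
    (r"/run/gluster(/.*)?", None, "system_u:object_r:glusterd_var_run_t:s0"),
]
# Variant B: the alternative comment 6 calls extreme; every *.socket directly in /run.
# "-s" restricts the entry to socket files, as in file_contexts.
BROAD_POLICY = BASE_POLICY + [
    (r"/run/[^/]+\.socket", "-s", "system_u:object_r:glusterd_var_run_t:s0"),
]

GLUSTERD_CTX = "system_u:object_r:glusterd_var_run_t:s0"
# Socket names from the report: random hex chosen by glusterd at runtime,
# so no policy author can write a specific regex for them.
REPORTED_SOCKETS = [
    "06a07b78154f984c50b209b37780c261.socket",
    "24e3f05817a37ea8e9cb4099a4f90199.socket",
    "df5a960a6952fe0b486451daf1dfc08c.socket",
]


def lookup(policy, path, ftype=None):
    """Return the context file_contexts assigns to `path`, or None if no entry
    matches (restorecon then leaves the file alone)."""
    winner = None
    for regex, entry_type, ctx in policy:
        # An entry with a file-type restriction only applies to that type.
        if entry_type is not None and ftype is not None and entry_type != ftype:
            continue
        if re.fullmatch(regex, path):
            winner = ctx  # keep going: a later, more specific match overrides
    return winner


def restorecon_preview(policy, path, current_ctx, ftype=None):
    """Emulate `restorecon -v` for one file: the context it would end up with
    and whether that differs from the label the daemon applied itself."""
    expected = lookup(policy, path, ftype)
    if expected is None or expected == current_ctx:
        return current_ctx, False
    return expected, True


def relabel_report(policy, directory):
    """Lines in the style of `restorecon reset PATH context OLD->NEW` for the
    reported sockets placed in `directory`, one per socket that would change."""
    lines = []
    for name in REPORTED_SOCKETS:
        path = f"{directory}/{name}"
        new_ctx, changed = restorecon_preview(policy, path, GLUSTERD_CTX, "-s")
        if changed:
            lines.append(f"restorecon reset {path} context {GLUSTERD_CTX}->{new_ctx}")
    return lines


if __name__ == "__main__":
    print("# sockets directly in /run, no gluster rule can name them:")
    for line in relabel_report(BASE_POLICY, "/run"):
        print(line)
    print("# same sockets under /run/gluster with the subdirectory rule:")
    print(relabel_report(SUBDIR_POLICY, "/run/gluster") or ["(nothing relabeled)"])
    print("# broad rule also claims an unrelated socket (constructed name):")
    print(lookup(BROAD_POLICY, "/run/other-daemon.socket", "-s"))
```

Running it reproduces the three outcomes discussed in the thread: with only the generic /run rule every reported socket is reset to var_run_t (the relabel lines in comment 4); with the subdirectory rule and the sockets under /run/gluster nothing is relabeled; and the broad "*.socket in /run" rule does keep the gluster label but also hands glusterd_var_run_t to any other daemon's socket in /run, which is why it is the wrong trade-off.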

Comment 7 Michael Cronenworth 2013-12-17 21:14:29 UTC
Reassigning so this feature request is looked at.

Comment 9 Kaleb KEITHLEY 2015-12-08 12:18:19 UTC
Gluster sockets are now in {,var}/run/gluster, restorecon sets the correct selinux context.