Bug 1034489

Summary: SELinux is preventing /usr/sbin/glusterfsd from 'create' accesses on the fifo_file fifo.
Product: [Community] GlusterFS
Reporter: Eric Blake <eblake>
Component: core
Assignee: bugs <bugs>
Status: CLOSED EOL
Severity: unspecified
Priority: unspecified
Version: 3.4.1
CC: barumuga, bugs, dominick.grift, dwalsh, eblake, gluster-bugs, joe, jonathansteffan, lvrabec, mgrepl, ndevos, silas
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Unspecified   
Whiteboard: abrt_hash:c58f64bb687c758715b19f4d512126ede742aa09bbd257544eb1f5ffaa5934e9
Fixed In Version: Doc Type: Bug Fix
Last Closed: 2015-10-07 13:05:22 UTC Type: ---

Description Eric Blake 2013-11-25 23:30:53 UTC
Description of problem:
As root, I mounted a gluster partition (mount -t glusterfs localhost:/vol) and tried to create a FIFO (mkfifo fifo).  I'm not expecting it to succeed, but gluster should be clamping down on the attempt earlier on without relying on an AVC from SELinux as the last resort.
SELinux is preventing /usr/sbin/glusterfsd from 'create' accesses on the fifo_file fifo.

*****  Plugin file (47.5 confidence) suggests  *******************************

If you think this is caused by a badly mislabeled machine.
Then you need to fully relabel.
Do
touch /.autorelabel; reboot

*****  Plugin file (47.5 confidence) suggests  *******************************

If you think this is caused by a badly mislabeled machine.
Then you need to fully relabel.
Do
touch /.autorelabel; reboot

*****  Plugin catchall (6.38 confidence) suggests  ***************************

If you believe that glusterfsd should be allowed create access on the fifo fifo_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep glusterfsd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:glusterd_t:s0
Target Context                system_u:object_r:file_t:s0
Target Objects                fifo [ fifo_file ]
Source                        glusterfsd
Source Path                   /usr/sbin/glusterfsd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           glusterfs-3.4.1-1.fc19.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-74.13.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.10.7-200.fc19.x86_64 #1 SMP Thu
                              Aug 15 23:19:45 UTC 2013 x86_64 x86_64
Alert Count                   2
First Seen                    2013-11-25 13:36:35 MST
Last Seen                     2013-11-25 13:37:32 MST
Local ID                      304adb6b-7fbb-4405-9293-f5ac8737a632

Raw Audit Messages
type=AVC msg=audit(1385411852.9:5292): avc:  denied  { create } for  pid=32419 comm="glusterfsd" name="fifo" scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=fifo_file


type=SYSCALL msg=audit(1385411852.9:5292): arch=x86_64 syscall=mknod success=no exit=EACCES a0=7f3d060a6b10 a1=11a4 a2=0 a3=2 items=0 ppid=1 pid=32419 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=glusterfsd exe=/usr/sbin/glusterfsd subj=system_u:system_r:glusterd_t:s0 key=(null)

Hash: glusterfsd,glusterd_t,file_t,fifo_file,create

Additional info:
reporter:       libreport-2.1.9
hashmarkername: setroubleshoot
kernel:         3.10.7-200.fc19.x86_64
type:           libreport
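
The two raw audit records above can be read together to confirm exactly what glusterfsd asked the kernel for. The following is an added example, not part of the original report or of GlusterFS or setroubleshoot: it joins the AVC and SYSCALL records by event id and decodes the mknod mode argument (`a1=11a4`). The record strings are copied from this report; the function names are the example's own.

```python
import re
import stat

# The AVC and SYSCALL records quoted in the report; they share one event id.
RECORDS = [
    'type=AVC msg=audit(1385411852.9:5292): avc:  denied  { create } for  pid=32419 comm="glusterfsd" name="fifo" scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=fifo_file',
    'type=SYSCALL msg=audit(1385411852.9:5292): arch=x86_64 syscall=mknod success=no exit=EACCES a0=7f3d060a6b10 a1=11a4 a2=0 a3=2 items=0 ppid=1 pid=32419 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=glusterfsd exe=/usr/sbin/glusterfsd subj=system_u:system_r:glusterd_t:s0 key=(null)',
]

HEADER = re.compile(r'type=(\w+) msg=audit\(([\d.]+:\d+)\):')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r'\{ ([^}]*) \}')
# Argument holding the mode: mknod(path, mode, dev), mknodat(dirfd, path, mode, dev).
MODE_ARG = {'mknod': 'a1', 'mknodat': 'a2'}

def parse_record(line):
    """Split one audit line into (record type, event id, field dict)."""
    m = HEADER.match(line)
    if m is None:
        raise ValueError('not an audit record: %r' % line[:40])
    fields = {k: v.strip('"') for k, v in FIELD.findall(line[m.end():])}
    perms = PERMS.search(line)
    if perms:
        fields['perms'] = perms.group(1).split()
    return m.group(1), m.group(2), fields

def summarize(lines):
    """Join AVC and SYSCALL records by event id and decode what was requested."""
    events = {}
    for line in lines:
        rtype, event, fields = parse_record(line)
        events.setdefault(event, {})[rtype] = fields
    rows = []
    for event, recs in events.items():
        avc, sc = recs.get('AVC'), recs.get('SYSCALL', {})
        if avc is None:
            continue
        row = {'event': event, 'perms': avc['perms'], 'tclass': avc['tclass'],
               'source_type': avc['scontext'].split(':')[2],
               'target_type': avc['tcontext'].split(':')[2],
               'syscall': sc.get('syscall'), 'result': sc.get('exit')}
        arg = MODE_ARG.get(sc.get('syscall'))
        if arg:
            mode = int(sc[arg], 16)  # audit prints a0..a3 in hex
            row['requested'] = stat.filemode(mode)
            row['is_fifo'] = stat.S_ISFIFO(mode)
        rows.append(row)
    return rows

if __name__ == '__main__':
    for row in summarize(RECORDS):
        print(row)
```

The decoded mode agrees with `tclass=fifo_file`: the brick process itself issued the mknod for a FIFO with permissions 0644, and the denial was for `glusterd_t` creating it in a directory whose contents are labelled `file_t`.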

Comment 1 Eric Blake 2013-11-25 23:37:03 UTC
Assigning to gluster, as I think SELinux was right to prevent this, but gluster shouldn't be causing an AVC in the first place (how is a FIFO supposed to work in a distributed file system?).

Comment 2 Niels de Vos 2015-05-17 21:58:34 UTC
GlusterFS 3.7.0 has been released (http://www.gluster.org/pipermail/gluster-users/2015-May/021901.html), and the Gluster project maintains N-2 supported releases. The last two releases before 3.7 are still maintained, at the moment these are 3.6 and 3.5.

This bug has been filed against the 3.4 release, and will not get fixed in a 3.4 version any more. Please verify if newer versions are affected with the reported problem. If that is the case, update the bug with a note, and update the version if you can. In case updating the version is not possible, leave a comment in this bug report with the version you tested, and set the "Need additional information the selected bugs from" below the comment box to "bugs".

If there is no response by the end of the month, this bug will get automatically closed.

Comment 3 Kaleb KEITHLEY 2015-10-07 13:05:22 UTC
GlusterFS 3.4.x has reached end-of-life.

If this bug still exists in a later release please reopen this and change the version or open a new bug.