Bug 1052817
| Summary: | SELinux prevents glusterfsd from accessing a local directory | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Shanzhi Yu <shyu> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Michal Trunecka <mtruneck> |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | 7.0 | CC: | bili, dyuan, ebenes, gsun, mmalik, mzhan, shyu |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | selinux-policy-3.12.1-117.el7 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2014-06-13 10:31:27 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Shanzhi Yu
2014-01-14 06:07:21 UTC

Shanzhi Yu (comment #2):

Sorry, please refer to this audit log:

```
# grep gluster /var/log/audit/audit.log
type=AVC msg=audit(1389681621.988:7057): avc: denied { mounton } for pid=2399 comm="glusterfs" path="/var/lib/libvirt/images/netfs" dev="sda1" ino=203763571 scontext=system_u:system_r:glusterd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:virt_image_t:s0 tclass=dir
type=SYSCALL msg=audit(1389681621.988:7057): arch=c000003e syscall=165 success=no exit=-13 a0=7f264d4e2b50 a1=7f264d4e2680 a2=7f2649e94028 a3=0 items=0 ppid=2398 pid=2399 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="glusterfs" exe="/usr/sbin/glusterfsd" subj=system_u:system_r:glusterd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1389681621.990:7058): avc: denied { mounton } for pid=2404 comm="fusermount-glus" path="/var/lib/libvirt/images/netfs" dev="sda1" ino=203763571 scontext=system_u:system_r:glusterd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:virt_image_t:s0 tclass=dir
type=SYSCALL msg=audit(1389681621.990:7058): arch=c000003e syscall=165 success=no exit=-13 a0=7fb4210e9240 a1=7fb4210e8070 a2=7fb4210e92a0 a3=6 items=0 ppid=2399 pid=2404 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="fusermount-glus" exe="/usr/bin/fusermount-glusterfs" subj=system_u:system_r:glusterd_t:s0-s0:c0.c1023 key=(null)
```

(In reply to Shanzhi Yu from comment #2)

> Sorry, please refer to this audit log:
>
> # grep gluster /var/log/audit/audit.log
> type=AVC msg=audit(1389681621.988:7057): avc: denied { mounton } for pid=2399 comm="glusterfs" path="/var/lib/libvirt/images/netfs" dev="sda1" ino=203763571 scontext=system_u:system_r:glusterd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:virt_image_t:s0 tclass=dir
> type=SYSCALL msg=audit(1389681621.988:7057): arch=c000003e syscall=165 success=no exit=-13 a0=7f264d4e2b50 a1=7f264d4e2680 a2=7f2649e94028 a3=0 items=0 ppid=2398 pid=2399 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="glusterfs" exe="/usr/sbin/glusterfsd" subj=system_u:system_r:glusterd_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1389681621.990:7058): avc: denied { mounton } for pid=2404 comm="fusermount-glus" path="/var/lib/libvirt/images/netfs" dev="sda1" ino=203763571 scontext=system_u:system_r:glusterd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:virt_image_t:s0 tclass=dir
> type=SYSCALL msg=audit(1389681621.990:7058): arch=c000003e syscall=165 success=no exit=-13 a0=7fb4210e9240 a1=7fb4210e8070 a2=7fb4210e92a0 a3=6 items=0 ppid=2399 pid=2404 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="fusermount-glus" exe="/usr/bin/fusermount-glusterfs" subj=system_u:system_r:glusterd_t:s0-s0:c0.c1023 key=(null)

So these AVCs come from:

```
virsh pool-create-as gluster --type netfs --source-host 10.66.106.20 --source-path gluster-vol1 --source-format glusterfs --target /var/lib/libvirt/images/netfs/
```

Michal Trunecka (comment #4):

Shanzhi, could you please confirm it works fine with the current policy? (3.12.1-117.el7 or newer)

Shanzhi Yu:

(In reply to Michal Trunecka from comment #4)

> Shanzhi, could you please confirm it works fine with the current policy?
> (3.12.1-117.el7 or newer)

Michal, I'd like to tell you it works fine with 3.12.1-117, so I will change it to VERIFIED status.

This request was resolved in Red Hat Enterprise Linux 7.0. Contact your manager or support representative in case you have further questions about the request.
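The denials above are readable by hand, but the reading a defender does (which domain, which permission, on what label, and did the syscall actually fail) is easy to automate. The script below is an added example, not part of this bug report or of selinux-policy: it parses the two AVC records quoted in the thread (embedded here as constructed sample input, copied from the log above), joins each AVC record to the SYSCALL record that carries the same audit serial number, and groups the result by (source type, target type, object class, permission). The `to_allow_rule` helper renders the minimal type-enforcement rule that such a denial maps to, in the same form `audit2allow` prints it; the function names are my own.

```python
"""Parse SELinux AVC denials from audit.log and correlate them with SYSCALL records.

Added example; not code from the bug report or from selinux-policy.
"""
import re
from collections import defaultdict

# Constructed sample input: the two denials quoted in the bug report.
SAMPLE_LOG = """\
type=AVC msg=audit(1389681621.988:7057): avc: denied { mounton } for pid=2399 comm="glusterfs" path="/var/lib/libvirt/images/netfs" dev="sda1" ino=203763571 scontext=system_u:system_r:glusterd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:virt_image_t:s0 tclass=dir
type=SYSCALL msg=audit(1389681621.988:7057): arch=c000003e syscall=165 success=no exit=-13 a0=7f264d4e2b50 a1=7f264d4e2680 a2=7f2649e94028 a3=0 items=0 ppid=2398 pid=2399 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="glusterfs" exe="/usr/sbin/glusterfsd" subj=system_u:system_r:glusterd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1389681621.990:7058): avc: denied { mounton } for pid=2404 comm="fusermount-glus" path="/var/lib/libvirt/images/netfs" dev="sda1" ino=203763571 scontext=system_u:system_r:glusterd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:virt_image_t:s0 tclass=dir
type=SYSCALL msg=audit(1389681621.990:7058): arch=c000003e syscall=165 success=no exit=-13 a0=7fb4210e9240 a1=7fb4210e8070 a2=7fb4210e92a0 a3=6 items=0 ppid=2399 pid=2404 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="fusermount-glus" exe="/usr/bin/fusermount-glusterfs" subj=system_u:system_r:glusterd_t:s0-s0:c0.c1023 key=(null)
"""

# Every audit record starts with its type and an audit(<timestamp>:<serial>) key;
# records produced by the same syscall share the serial, which is the join key.
HEADER_RE = re.compile(r'^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$')
AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(text):
    """Turn 'k=v k2="v 2"' into a dict, stripping the quotes around quoted values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


def type_of(context):
    """Extract the type field from a user:role:type[:range] context string."""
    return context.split(':')[2]


def parse_audit(text):
    """Return AVC records, each enriched with exe/exit/success from its SYSCALL record."""
    avcs = defaultdict(list)
    syscalls = {}
    for line in text.splitlines():
        m = HEADER_RE.match(line.strip())
        if not m:
            continue
        serial = int(m['serial'])
        if m['type'] == 'AVC':
            a = AVC_RE.match(m['body'])
            if a:
                rec = parse_kv(a['rest'])
                rec.update(result=a['result'], perms=a['perms'].split(),
                           ts=float(m['ts']), serial=serial)
                avcs[serial].append(rec)
        elif m['type'] == 'SYSCALL':
            syscalls[serial] = parse_kv(m['body'])
    events = []
    for serial, recs in sorted(avcs.items()):
        sc = syscalls.get(serial, {})
        for rec in recs:
            rec['exe'] = sc.get('exe')
            rec['success'] = sc.get('success')
            rec['exit'] = int(sc['exit']) if 'exit' in sc else None  # -13 is EACCES
            events.append(rec)
    return events


def summarize(events):
    """Group denials by (source type, target type, class, permission)."""
    groups = defaultdict(list)
    for e in events:
        if e['result'] != 'denied':
            continue
        for perm in e['perms']:
            key = (type_of(e['scontext']), type_of(e['tcontext']), e['tclass'], perm)
            groups[key].append(e)
    return groups


def to_allow_rule(key):
    """Render the minimal TE rule covering one (src, tgt, class, perm) group."""
    src, tgt, cls, perm = key
    return f'allow {src} {tgt}:{cls} {perm};'


if __name__ == '__main__':
    for key, hits in summarize(parse_audit(SAMPLE_LOG)).items():
        execs = sorted({h['exe'] for h in hits if h['exe']})
        print(f'{len(hits)} denial(s): {to_allow_rule(key)}  exe={execs}')
```

Run against the sample, both records collapse into a single group, glusterd_t needing mounton on a virt_image_t directory, with exit=-13 confirming the mount syscall itself failed. That grouped view is what the policy maintainer fixed in the package update named in "Fixed In Version"; the rendered allow rule is useful for understanding the denial and for checking a candidate policy, not a substitute for the shipped policy.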