Bug 1052817

Summary: SELinux prevents glusterfsd from accessing a local directory
Product: Red Hat Enterprise Linux 7
Reporter: Shanzhi Yu <shyu>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED CURRENTRELEASE
QA Contact: Michal Trunecka <mtruneck>
Severity: high
Priority: high
Docs Contact:
Version: 7.0
CC: bili, dyuan, ebenes, gsun, mmalik, mzhan, shyu
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Linux
Whiteboard:
Fixed In Version: selinux-policy-3.12.1-117.el7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-06-13 10:31:27 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Shanzhi Yu 2014-01-14 06:07:21 UTC
Description of problem:

SELinux prevents glusterfs from accessing a local directory

Version-Release number of selected component (if applicable):

selinux-policy-3.12.1-115.el7.noarch

libvirt-1.1.1-18.el7.x86_64
qemu-kvm-rhev-1.5.3-34.el7.x86_64


How reproducible:
100%

Steps to Reproduce:
1. Prepare the glusterfs server and volume
# gluster volume info gluster-vol1
 
Volume Name: gluster-vol1
Type: Distribute
Volume ID: 32fe2d1d-7a2a-45d9-8a96-faab68253edd
Status: Started
Number of Bricks: 2
Transport-type: tcp
Bricks:
Brick1: 10.66.106.20:/mnt/gluster-volume1
Brick2: 10.66.106.22:/mnt/gluster-volume1
Options Reconfigured:
server.allow-insecure: on

2. Create a netfs-type pool
# mkdir /var/lib/libvirt/images/netfs
# ll -Z /var/lib/libvirt/images | grep netfs

drwxr-xr-x. root root system_u:object_r:nfs_t:s0       netfs

# virsh pool-create-as gluster --type netfs --source-host 10.66.106.20 --source-path gluster-vol1 --source-format glusterfs --target /var/lib/libvirt/images/netfs/ 

error: Failed to create pool gluster
error: internal error: Child process (/usr/bin/mount -t glusterfs 10.66.106.20:gluster-vol1 -o direct-io-mode=1 /var/lib/libvirt/images/netfs) unexpected exit status 1: 2014-01-13 03:33:09.963+0000: 6226: debug : virFileClose:90 : Closed fd 26
2014-01-13 03:33:09.963+0000: 6226: debug : virFileClose:90 : Closed fd 28
2014-01-13 03:33:09.963+0000: 6226: debug : virFileClose:90 : Closed fd 22
/usr/bin/fusermount-glusterfs: mount failed: Permission denied

3. # grep glusterfs /var/log/audit/audit.log

type=AVC msg=audit(1389679054.415:6890): avc:  denied  { mounton } for  pid=32442 comm="glusterfs" path="/var/lib/libvirt/images/netfs" dev="0:35" ino=9508905 scontext=system_u:system_r:glusterd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
type=SYSCALL msg=audit(1389679054.415:6890): arch=c000003e syscall=165 success=no exit=-13 a0=7fb021cdbb50 a1=7fb021cdb680 a2=7fb01e869028 a3=0 items=0 ppid=32441 pid=32442 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="glusterfs" exe="/usr/sbin/glusterfsd" subj=system_u:system_r:glusterd_t:s0-s0:c0.c1023 key=(null)
type=SYSCALL msg=audit(1389679054.417:6891): arch=c000003e syscall=165 success=no exit=-13 a0=7f9a762e6240 a1=7f9a762e5070 a2=7f9a762e62a0 a3=6 items=0 ppid=32442 pid=32447 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="fusermount-glus" exe="/usr/bin/fusermount-glusterfs" subj=system_u:system_r:glusterd_t:s0-s0:c0.c1023 key=(null)



Actual results:


Expected results:

Creating the pool in step 2 should succeed.

Additional info:

Workaround:
# grep glusterfs /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
or disable SELinux

I can run "mount -t glusterfs 10.66.106.20:gluster-vol1 -o direct-io-mode=1 /var/lib/libvirt/images/netfs" as root; there is no permission error.
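The workaround above feeds the raw audit log to audit2allow. The following is an added example, not part of this bug report or of the selinux-policy package: it parses the AVC records quoted in comment 2 (embedded below as sample input, copied unchanged), collapses them into the allow rule audit2allow would generate, and spells out what that rule actually grants. The helper names (parse_avc_denials, allow_rules, policy_module, rule_scope) are my own.

```python
"""Triage SELinux AVC denials and render the allow rule audit2allow would emit (added example)."""
import re
from collections import defaultdict
from typing import List, NamedTuple

# Constructed input: the AVC and SYSCALL records from comment 2 of this bug, copied unchanged.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1389681621.988:7057): avc:  denied  { mounton } for  pid=2399 comm="glusterfs" path="/var/lib/libvirt/images/netfs" dev="sda1" ino=203763571 scontext=system_u:system_r:glusterd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:virt_image_t:s0 tclass=dir
type=SYSCALL msg=audit(1389681621.988:7057): arch=c000003e syscall=165 success=no exit=-13 a0=7f264d4e2b50 a1=7f264d4e2680 a2=7f2649e94028 a3=0 items=0 ppid=2398 pid=2399 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="glusterfs" exe="/usr/sbin/glusterfsd" subj=system_u:system_r:glusterd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1389681621.990:7058): avc:  denied  { mounton } for  pid=2404 comm="fusermount-glus" path="/var/lib/libvirt/images/netfs" dev="sda1" ino=203763571 scontext=system_u:system_r:glusterd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:virt_image_t:s0 tclass=dir
type=SYSCALL msg=audit(1389681621.990:7058): arch=c000003e syscall=165 success=no exit=-13 a0=7fb4210e9240 a1=7fb4210e8070 a2=7fb4210e92a0 a3=6 items=0 ppid=2399 pid=2404 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="fusermount-glus" exe="/usr/bin/fusermount-glusterfs" subj=system_u:system_r:glusterd_t:s0-s0:c0.c1023 key=(null)
"""

# One AVC record may list several permissions inside the braces; SYSCALL records never match.
AVC_RE = re.compile(
    r"type=AVC\b.*?avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?scontext=(?P<scontext>\S+).*?tcontext=(?P<tcontext>\S+).*?tclass=(?P<tclass>\S+)"
)


class AvcDenial(NamedTuple):
    stype: str   # subject type, e.g. glusterd_t
    ttype: str   # object type, e.g. virt_image_t
    tclass: str  # object class, e.g. dir
    perm: str    # one permission, e.g. mounton
    comm: str    # process name from the record
    path: str    # object path from the record ("" if absent)


def context_type(ctx: str) -> str:
    """Return the type component of a user:role:type[:range] SELinux context."""
    parts = ctx.split(":")
    if len(parts) < 3:
        raise ValueError(f"malformed SELinux context: {ctx!r}")
    return parts[2]


def _quoted_field(line: str, name: str) -> str:
    m = re.search(name + r'="([^"]*)"', line)
    return m.group(1) if m else ""


def parse_avc_denials(log_text: str) -> List[AvcDenial]:
    """One AvcDenial per denied permission; granted AVCs and non-AVC records are skipped."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or m.group("result") != "denied":
            continue
        for perm in m.group("perms").split():
            denials.append(AvcDenial(
                stype=context_type(m.group("scontext")),
                ttype=context_type(m.group("tcontext")),
                tclass=m.group("tclass"), perm=perm,
                comm=_quoted_field(line, "comm"), path=_quoted_field(line, "path")))
    return denials


def _perm_list(perms) -> str:
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def allow_rules(denials: List[AvcDenial]) -> List[str]:
    """Collapse denials to one rule per (source type, target type, class), permissions merged."""
    merged = defaultdict(set)
    for d in denials:
        merged[(d.stype, d.ttype, d.tclass)].add(d.perm)
    return [f"allow {s} {t}:{c} {_perm_list(p)};" for (s, t, c), p in sorted(merged.items())]


def policy_module(name: str, denials: List[AvcDenial]) -> str:
    """Render .te source in the shape `audit2allow -M name` produces from these records."""
    types = sorted({d.stype for d in denials} | {d.ttype for d in denials})
    class_perms = defaultdict(set)
    for d in denials:
        class_perms[d.tclass].add(d.perm)
    lines = [f"module {name} 1.0;", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {_perm_list(p)};" for c, p in sorted(class_perms.items())]
    lines += ["}", ""] + allow_rules(denials)
    return "\n".join(lines) + "\n"


def rule_scope(denials: List[AvcDenial]) -> dict:
    """Map each rule key to the paths that triggered it.

    A type-enforcement rule is keyed on the label, not the path: the rule built from this log
    lets glusterd_t mount over every dir labelled virt_image_t (libvirt's label for VM disk
    image storage), not only /var/lib/libvirt/images/netfs.
    """
    triggered = defaultdict(set)
    for d in denials:
        triggered[(d.stype, d.ttype, d.tclass)].add(d.path)
    return {k: sorted(v) for k, v in triggered.items()}


if __name__ == "__main__":
    found = parse_avc_denials(SAMPLE_AUDIT_LOG)
    for d in found:
        print(f"{d.comm}: {d.stype} -> {d.ttype}:{d.tclass} {d.perm} on {d.path}")
    print(policy_module("mypol", found))
    for (s, t, c), paths in rule_scope(found).items():
        print(f"allow {s} {t}:{c} triggered by {paths}")
```

Both records collapse to a single `allow glusterd_t virt_image_t:dir mounton;`, which is the rule the mypol.pp workaround installs. Because it is keyed on virt_image_t rather than on the one directory, treat it as a stopgap: once selinux-policy-3.12.1-117.el7 or newer is installed, remove the local module (`semodule -r mypol`) and confirm the shipped policy carries the rule with setools, `sesearch -A -s glusterd_t -t virt_image_t -c dir -p mounton`.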

Comment 2 Shanzhi Yu 2014-01-14 06:44:00 UTC
Sorry, please refer to this audit log:

# grep gluster /var/log/audit/audit.log
type=AVC msg=audit(1389681621.988:7057): avc:  denied  { mounton } for  pid=2399 comm="glusterfs" path="/var/lib/libvirt/images/netfs" dev="sda1" ino=203763571 scontext=system_u:system_r:glusterd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:virt_image_t:s0 tclass=dir
type=SYSCALL msg=audit(1389681621.988:7057): arch=c000003e syscall=165 success=no exit=-13 a0=7f264d4e2b50 a1=7f264d4e2680 a2=7f2649e94028 a3=0 items=0 ppid=2398 pid=2399 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="glusterfs" exe="/usr/sbin/glusterfsd" subj=system_u:system_r:glusterd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1389681621.990:7058): avc:  denied  { mounton } for  pid=2404 comm="fusermount-glus" path="/var/lib/libvirt/images/netfs" dev="sda1" ino=203763571 scontext=system_u:system_r:glusterd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:virt_image_t:s0 tclass=dir
type=SYSCALL msg=audit(1389681621.990:7058): arch=c000003e syscall=165 success=no exit=-13 a0=7fb4210e9240 a1=7fb4210e8070 a2=7fb4210e92a0 a3=6 items=0 ppid=2399 pid=2404 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="fusermount-glus" exe="/usr/bin/fusermount-glusterfs" subj=system_u:system_r:glusterd_t:s0-s0:c0.c1023 key=(null)

Comment 3 Miroslav Grepl 2014-01-14 08:17:44 UTC
(In reply to Shanzhi Yu from comment #2)
> sorry,please refer to this audit log
> 
> # grep gluster /var/log/audit/audit.log
> type=AVC msg=audit(1389681621.988:7057): avc:  denied  { mounton } for 
> pid=2399 comm="glusterfs" path="/var/lib/libvirt/images/netfs" dev="sda1"
> ino=203763571 scontext=system_u:system_r:glusterd_t:s0-s0:c0.c1023
> tcontext=unconfined_u:object_r:virt_image_t:s0 tclass=dir
> type=SYSCALL msg=audit(1389681621.988:7057): arch=c000003e syscall=165
> success=no exit=-13 a0=7f264d4e2b50 a1=7f264d4e2680 a2=7f2649e94028 a3=0
> items=0 ppid=2398 pid=2399 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
> egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="glusterfs"
> exe="/usr/sbin/glusterfsd" subj=system_u:system_r:glusterd_t:s0-s0:c0.c1023
> key=(null)
> type=AVC msg=audit(1389681621.990:7058): avc:  denied  { mounton } for 
> pid=2404 comm="fusermount-glus" path="/var/lib/libvirt/images/netfs"
> dev="sda1" ino=203763571
> scontext=system_u:system_r:glusterd_t:s0-s0:c0.c1023
> tcontext=unconfined_u:object_r:virt_image_t:s0 tclass=dir
> type=SYSCALL msg=audit(1389681621.990:7058): arch=c000003e syscall=165
> success=no exit=-13 a0=7fb4210e9240 a1=7fb4210e8070 a2=7fb4210e92a0 a3=6
> items=0 ppid=2399 pid=2404 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
> egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="fusermount-glus"
> exe="/usr/bin/fusermount-glusterfs"
> subj=system_u:system_r:glusterd_t:s0-s0:c0.c1023 key=(null)

So these AVCs come from

virsh pool-create-as gluster --type netfs --source-host 10.66.106.20 --source-path gluster-vol1 --source-format glusterfs --target /var/lib/libvirt/images/netfs/

Comment 4 Michal Trunecka 2014-01-20 14:35:56 UTC
Shanzhi, could you please confirm it works fine with the current policy? (3.12.1-117.el7 or newer)

Comment 5 Shanzhi Yu 2014-01-21 02:05:10 UTC
(In reply to Michal Trunecka from comment #4)
> Shanzhi, could you please confirm it works fine with the current policy?
> (3.12.1-117.el7 or newer)

Michal,

I'd like to tell you it works fine with 3.12.1-117, so I will change it to VERIFIED status.

Comment 7 Ludek Smid 2014-06-13 10:31:27 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.