Bug 1158622

Summary: SELinux denial when mounting glusterfs nfs volume when using base-port option
Product: [Community] GlusterFS
Reporter: Jason Brooks <jbrooks>
Component: nfs
Assignee: Niels de Vos <ndevos>
Status: CLOSED WORKSFORME
Severity: unspecified
Priority: unspecified
Version: 3.5.2
CC: bugs, gluster-bugs, jbrooks, ndevos
Keywords: Triaged
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2014-11-15 22:25:42 UTC
Type: Bug

Description Jason Brooks 2014-10-29 18:03:59 UTC
Description of problem:

I'm using gluster to provide storage for ovirt, and running ovirt and gluster on the same machine. Due to a port conflict between gluster and libvirt live migration, I use the base-port option described at https://bugzilla.redhat.com/show_bug.cgi?id=987555, and switch the base port from 49152 to 50152.

However, when attempting to mount a gluster volume via NFS on the same machine hosting the volume, I get an SELinux denial, and the mount fails with "file not found". If I leave the base-port option commented out, the mount proceeds as expected.

Putting selinux into permissive, or setting "setsebool -P nis_enabled 1" allows mount to proceed.

from the audit.log:

type=AVC msg=audit(1414599671.391:578): avc:  denied  { name_connect } for  pid=3717 comm="glusterfs" dest=50153 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket

Version-Release number of selected component (if applicable):

glusterfs 3.5.2-1.el7 on CentOS 7
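The AVC line above says everything needed to decide between the two fixes the report touches on: the source type (glusterd_t), the target port label (ephemeral_port_t), and the exact destination port (50153, i.e. base-port 50152 plus one). The following script is an added example, not code from the bug report or from the Gluster project. It parses the AVC line into fields, prints the allow rule that audit2allow would generate for it (which opens every ephemeral port to glusterd_t, far wider than needed), and prints the narrower alternative of relabelling just the brick port range that base-port selects. The base-port value (50152) and the width of the range (100 ports) are taken from the report and an assumption respectively; PORT_TYPE is a placeholder for a port type the installed policy already lets glusterd_t name_connect to, which has to be read off `sesearch` on the target host. The `nis_enabled` boolean mentioned in the report is a much broader switch that unlocks port access for many domains, so it is not a targeted fix either.

```shell
# Added example (not from the bug report or the Gluster project): parse an
# SELinux AVC denial into its fields, print the audit2allow-style rule that
# would silence it, and print the narrower alternative of labelling only the
# brick port range that base-port selects.

# Constructed sample input: the AVC line quoted in the bug description.
AVC='type=AVC msg=audit(1414599671.391:578): avc:  denied  { name_connect } for  pid=3717 comm="glusterfs" dest=50153 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket'

# avc_field LINE KEY: value of KEY=... in LINE, surrounding quotes removed
avc_field() {
    for tok in $1; do
        case "$tok" in
            "$2="*)
                v=${tok#*=}
                v=${v#\"}
                v=${v%\"}
                printf '%s\n' "$v"
                return 0
                ;;
        esac
    done
    return 1
}

# avc_perm LINE: the denied permission inside "{ ... }"
avc_perm() {
    p=${1#*\{ }
    p=${p%% \}*}
    printf '%s\n' "$p"
}

# ctx_type CONTEXT: the type (3rd field) of user:role:type:level
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_allow_rule LINE: the TE allow rule audit2allow would emit for LINE.
# Loading it (audit2allow -M ... ; semodule -i ...) lets glusterd_t connect
# to *every* ephemeral port, not just the brick ports Gluster uses.
avc_allow_rule() {
    printf 'allow %s %s:%s %s;\n' \
        "$(ctx_type "$(avc_field "$1" scontext)")" \
        "$(ctx_type "$(avc_field "$1" tcontext)")" \
        "$(avc_field "$1" tclass)" \
        "$(avc_perm "$1")"
}

# brick_port_offset BASE DEST: how far above base-port the denied port is
brick_port_offset() {
    echo $(( $2 - $1 ))
}

# port_label_cmd BASE COUNT TYPE: relabel base-port .. base-port+COUNT-1 as
# TYPE instead of opening all ephemeral ports. TYPE must be a port type the
# policy already lets glusterd_t name_connect to; list candidates with
#   sesearch -A -s glusterd_t -c tcp_socket -p name_connect
# (PORT_TYPE below is a placeholder, an assumption to fill in from that output).
port_label_cmd() {
    printf 'semanage port -a -t %s -p tcp %d-%d\n' "$3" "$1" $(( $1 + $2 - 1 ))
}

echo "Denied: $(avc_field "$AVC" comm) (pid $(avc_field "$AVC" pid)) -> tcp/$(avc_field "$AVC" dest)"
echo "audit2allow would emit: $(avc_allow_rule "$AVC")"
echo "tcp/$(avc_field "$AVC" dest) is $(brick_port_offset 50152 "$(avc_field "$AVC" dest)") above base-port 50152"
echo "Narrower fix: $(port_label_cmd 50152 100 PORT_TYPE)"
```

Run it on a real host with `sh` and feed it lines from `ausearch -m AVC -c glusterfs`; the port relabel only helps if the chosen type is one glusterd_t may already connect to, which is why the script prints the `sesearch` query rather than guessing a type name.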

Comment 1 Niels de Vos 2014-11-04 12:25:44 UTC
I highly recommend not mounting a Gluster volume over NFS on a Gluster Server. You can only use NFS on a Gluster Server if you disable the locking. This obviously is quite risky as it can cause data corruption.

If this really is what you want to do, we can figure out which ports the selinux-policy allows for the Gluster processes. But, I doubt that the standard policy should get adjusted to allow any port that can be set by using the base-port option. This likely is something for which you need to modify/extend the policy locally. (I'm not sure why "setsebool -P nis_enabled 1" would make a difference.)

Please let me know how you want to continue with this, and what your expectations are. Thanks!

Comment 2 Jason Brooks 2014-11-13 18:32:11 UTC
This is no longer an issue for me, as the oVirt project appears to have worked around the gluster port / migration port conflict, so I don't need to make this base port change.

For posterity, setting Lock=False in /etc/nfsmount.conf, as we discussed over irc, allows gluster's nfs server to start reliably even while mounting the gluster volume over nfs on the gluster server.

Comment 3 Niels de Vos 2014-11-15 22:25:42 UTC
Thanks for the update, closing as WORKSFORYOU.