Bug 1162125
| Summary: | glusterd can't create /var/run/glusterd.socket when SELinux is in enforcing mode | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Nils Breunese <nils> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 7.0 | CC: | bugs, dwalsh, gluster-bugs, jthottan, lvrabec, mgrepl, mmalik, plautrba, pvrabec, sasundar |
| Target Milestone: | pre-dev-freeze | Keywords: | Triaged |
| Target Release: | 7.2 | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | selinux-policy-3.13.1-14.el7 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2015-03-05 10:46:52 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
The rebased selinux-policy in RHEL-7.1 already contains the correct labels:

```
# rpm -qa selinux-policy\*
selinux-policy-targeted-3.13.1-8.el7.noarch
selinux-policy-sandbox-3.13.1-8.el7.noarch
selinux-policy-minimum-3.13.1-8.el7.noarch
selinux-policy-devel-3.13.1-8.el7.noarch
selinux-policy-doc-3.13.1-8.el7.noarch
selinux-policy-mls-3.13.1-8.el7.noarch
selinux-policy-3.13.1-8.el7.noarch
# matchpathcon /var/run/glusterd.socket
/var/run/glusterd.socket	system_u:object_r:glusterd_var_run_t:s0
# matchpathcon /var/run/glusterd
/var/run/glusterd	system_u:object_r:glusterd_var_run_t:s0
#
```

Any chance the fix for glusterd.socket could be backported to 7.0? As far as I know RHEL-7.1 isn't even in beta yet.

Here is the output from "restorecon -Rv /var /run" when selinux-policy-3.13.1-12.el7 is installed:

```
restorecon reset /run/gluster context system_u:object_r:glusterd_var_run_t:s0->system_u:object_r:var_run_t:s0
restorecon reset /run/gluster/snaps context system_u:object_r:glusterd_var_run_t:s0->system_u:object_r:var_run_t:s0
```

I'm going to check the new policy.

```
# rpm -qa selinux-policy\*
selinux-policy-sandbox-3.13.1-13.el7.noarch
selinux-policy-3.13.1-13.el7.noarch
selinux-policy-mls-3.13.1-13.el7.noarch
selinux-policy-targeted-3.13.1-13.el7.noarch
selinux-policy-devel-3.13.1-13.el7.noarch
selinux-policy-doc-3.13.1-13.el7.noarch
selinux-policy-minimum-3.13.1-13.el7.noarch
# rpm -qa gluster\*
glusterfs-api-3.6.0.32-1.el7rhs.x86_64
glusterfs-cli-3.6.0.32-1.el7rhs.x86_64
glusterfs-3.6.0.32-1.el7rhs.x86_64
glusterfs-libs-3.6.0.32-1.el7rhs.x86_64
glusterfs-fuse-3.6.0.32-1.el7rhs.x86_64
glusterfs-server-3.6.0.32-1.el7rhs.x86_64
#
```

Each time I delete the /var/run/gluster directory, the gluster server creates the directory again. Unfortunately, a manual run of restorecon changes the label on that directory:

```
# restorecon -Rv /var/run/gluster
restorecon reset /run/gluster context system_u:object_r:glusterd_var_run_t:s0->system_u:object_r:var_run_t:s0
restorecon reset /run/gluster/snaps context system_u:object_r:glusterd_var_run_t:s0->system_u:object_r:var_run_t:s0
#
```

The automated TC does not produce any AVCs. The gluster server also runs without apparent errors.

We define

```
/var/run/glusterd(/.*)?		gen_context(system_u:object_r:glusterd_var_run_t,s0)
```

So you see the /var/run/gluster directory, right?

Yes. At first I thought about a typo error, but the 'd' letter is really missing:

```
# rpm -qf /var/run/gluster
glusterfs-3.6.0.32-1.el7rhs.x86_64
#
```

Using the packages from http://download.gluster.org/pub/gluster/glusterfs/LATEST/EPEL.repo/epel-7/x86_64/ I also see the directory /var/run/gluster is used:

```
# rpm -qf /var/run/gluster
glusterfs-3.6.1-1.el7.x86_64
```

There is no /var/run/glusterd.

commit c19bf130b7c9b1dce504771aa2f9954fa3486fb0
Author: Miroslav Grepl <mgrepl>
Date:   Thu Dec 4 14:17:46 2014 +0100

    Add support for /var/run/gluster.

(In reply to Miroslav Grepl from comment #13)
> commit c19bf130b7c9b1dce504771aa2f9954fa3486fb0
> Author: Miroslav Grepl <mgrepl>
> Date: Thu Dec 4 14:17:46 2014 +0100
>
> Add support for /var/run/gluster.

It's nice that 3.13.1 will support /var/run/gluster, but this bug report is about /var/run/glusterd.socket and selinux-policy* 3.12.1.

(In reply to Nils Breunese from comment #14)
> It's nice that 3.13.1 will support /var/run/gluster, but this bug report is
> about /var/run/glusterd.socket and selinux-policy* 3.12.1.

selinux-policy-3.12.1-153.el7_0.11 is shipped in z-stream for RHEL-7.0. If you want to fix this problem in RHEL-7.0 channels then you should propose this bug for RHEL-7.0.z. This bug report is part of RHEL-7.1 errata for selinux-policy.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0458.html
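The comments above hinge on how file-context specs are matched: the policy's `/var/run/glusterd(/.*)?` entry does not cover the `/var/run/gluster` directory the server really creates, so `restorecon` falls back to the generic `/var/run(/.*)?` entry and resets the label to `var_run_t`, and likewise `/var/run/glusterd.socket` gets `var_run_t` unless a spec names the socket. The following Python script is an added illustration, not code from the bug or from selinux-policy: it reimplements the matching rule in miniature (whole-path regex match, file-type flag filtering, most specific literal stem wins, which only approximates libselinux's ordering) and runs a dry `restorecon -Rv` over a constructed tree. Only the `/var/run/glusterd(/.*)?` spec is quoted from the comments; `FC_SPECS_OLD`, `FC_SPECS_NEW` and `SAMPLE_TREE` are otherwise assumed.

```python
import re

# Characters that start a regex construct; everything before the first one is
# the literal stem of a file-context spec.
_META = set(".^$*+?()[]{}\\|")

# File-context specs as (regex, file-type flag or None, SELinux type), the
# shape of selinux-policy .fc entries. Only the /var/run/glusterd(/.*)? line
# is quoted from the bug comments; the others are assumed for illustration.
FC_SPECS_OLD = [
    (r"/var/run(/.*)?", None, "var_run_t"),
    (r"/var/run/glusterd(/.*)?", None, "glusterd_var_run_t"),
]

# Hypothetical additions covering the socket and the /var/run/gluster
# directory the server actually creates (the 'd' the comments say is missing).
FC_SPECS_NEW = FC_SPECS_OLD + [
    (r"/var/run/glusterd\.socket", "s", "glusterd_var_run_t"),
    (r"/var/run/gluster(/.*)?", None, "glusterd_var_run_t"),
]


def literal_prefix(regex):
    """Return the literal stem of a spec regex (text before the first metachar)."""
    stem = []
    for ch in regex:
        if ch in _META:
            break
        stem.append(ch)
    return "".join(stem)


def match_context(path, specs, ftype=None):
    """Pick the type for path roughly as matchpathcon/restorecon do: every
    regex is anchored to the whole path, a spec whose file-type flag ('s'
    for sockets, 'd' for directories, ...) disagrees with ftype is skipped,
    and among the remaining matches the most specific one (longest literal
    stem) wins. That tie-break approximates libselinux's ordering; it is
    enough to reproduce the relabels seen in this report."""
    best_len, best_type = -1, None
    for regex, flag, sel_type in specs:
        if flag is not None and ftype is not None and flag != ftype:
            continue
        if re.fullmatch(regex, path) is None:
            continue
        stem_len = len(literal_prefix(regex))
        if stem_len > best_len:
            best_len, best_type = stem_len, sel_type
    return best_type


def restorecon_dry_run(entries, specs):
    """Report what restorecon -Rv would reset: (path, current, expected) for
    each entry whose on-disk type differs from the policy's answer."""
    changes = []
    for path, ftype, current in entries:
        expected = match_context(path, specs, ftype)
        if expected is not None and expected != current:
            changes.append((path, current, expected))
    return changes


# Constructed to mirror the restorecon -Rv output in the comments. restorecon
# prints /run/... there because /var/run is a symlink to /run on RHEL 7; the
# policy paths are kept here for simplicity.
SAMPLE_TREE = [
    ("/var/run/gluster", "d", "glusterd_var_run_t"),
    ("/var/run/gluster/snaps", "d", "glusterd_var_run_t"),
]

if __name__ == "__main__":
    for path, ftype in [("/var/run/glusterd.socket", "s"), ("/var/run/gluster", "d")]:
        print(path, match_context(path, FC_SPECS_OLD, ftype), "->",
              match_context(path, FC_SPECS_NEW, ftype))
    for change in restorecon_dry_run(SAMPLE_TREE, FC_SPECS_OLD):
        print("restorecon reset %s context %s->%s" % change)
```

With the old specs the dry run reports exactly the two resets the comments show; with the extra `/var/run/gluster(/.*)?` entry it reports nothing, which is the check to run (for real, with `matchpathcon` against the installed policy) before assuming a relabel loop is a gluster bug rather than a missing spec.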
Description of problem:
After installing the glusterfs-server RPM packages via yum on EL7 with SELinux in enforcing mode glusterd tries to start, but fails. Changing the SELinux type for /var/run/glusterd.socket to glusterd_var_run_t fixes this.

Version-Release number of selected component (if applicable):
3.6.1-1.el7.x86_64

How reproducible:
Always.

Steps to Reproduce:
1. Enable SELinux in enforcing mode on EL7
2. Install glusterfs-server

Actual results:
glusterd fails to start and setroubleshoot e-mails the following information (we have it set up to do so):

```
----
SELinux is preventing /usr/sbin/glusterfsd from write access on the sock_file .

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that glusterfsd should be allowed write access on the sock_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep glusterd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:glusterd_t:s0
Target Context                unconfined_u:object_r:var_run_t:s0
Target Objects                 [ sock_file ]
Source                        glusterd
Source Path                   /usr/sbin/glusterfsd
Port                          <Unknown>
Host                          <hostname>
Source RPM Packages           glusterfs-3.5.2-1.el7.x86_64 glusterfs-3.6.1-1.el7.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.12.1-153.el7_0.11.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     <hostname>
Platform                      Linux <hostname> 3.10.0-123.9.2.el7.x86_64 #1 SMP Tue Oct 28 18:05:26 UTC 2014 x86_64 x86_64
Alert Count                   1
First Seen                    2014-11-10 11:01:52 CET
Last Seen                     2014-11-10 11:01:52 CET
Local ID                      648efa6e-4a07-4cea-9e57-bf35a19af460

Raw Audit Messages
type=AVC msg=audit(1415613712.270:36592): avc:  denied  { write } for  pid=14251 comm="glusterd" name="glusterd.socket" dev="tmpfs" ino=16965404 scontext=system_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file

type=SYSCALL msg=audit(1415613712.270:36592): arch=x86_64 syscall=connect success=no exit=EACCES a0=c a1=7fffcabfe970 a2=6e a3=7fffcabfe8ec items=0 ppid=14250 pid=14251 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=glusterd exe=/usr/sbin/glusterfsd subj=system_u:system_r:glusterd_t:s0 key=(null)

Hash: glusterd,glusterd_t,var_run_t,sock_file,write
----
```

Expected results:
glusterd should start without any problems.

Additional info:
We use the following workaround, setting the SELinux type of /var/run/glusterd.socket to glusterd_var_run_t, instead of the default var_run_t that is used for files in /var/run:

```
----
# semanage fcontext --add --type glusterd_var_run_t /var/run/glusterd.socket
# restorecon /var/run/glusterd.socket
# systemctl start glusterd
----
```
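The AVC record in the description is the kind of denial that tells a defender "mislabeled object" rather than "missing policy rule": a confined domain (`glusterd_t`) is blocked on a file-class object (`sock_file`) that carries the generic `var_run_t` default type, and the fix is a file-context entry plus `restorecon`, not a local `audit2allow` module. The script below is an added example, not code from the report or from setroubleshoot. It parses raw audit lines into fields, separates AVC from SYSCALL records, applies that triage rule, and renders the report's own workaround as commands. The two real records are taken from the description; the third line (`name_connect` on a TCP socket), `GENERIC_FILE_TYPES` and `FILE_CLASSES` are constructed or assumed for illustration.

```python
import re

# key=value pairs in an audit record; values may be double-quoted.
_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# The permission set of an AVC record: avc:  denied  { write } for ...
_PERMS_RE = re.compile(r"denied\s*\{\s*([^}]*)\}")

# Generic catch-all file types; a confined daemon denied on one of these has
# almost always run into an object that is mislabeled rather than a real
# policy gap. Assumed list for illustration.
GENERIC_FILE_TYPES = {"var_run_t", "var_t", "var_lib_t", "tmp_t", "etc_t", "usr_t"}
FILE_CLASSES = {"file", "dir", "sock_file", "lnk_file", "fifo_file", "chr_file", "blk_file"}

# Sample log: the AVC and SYSCALL records from this report, plus one constructed
# AVC for a TCP port (not from the report) to show a non-labeling denial.
AUDIT_LINES = [
    'type=AVC msg=audit(1415613712.270:36592): avc:  denied  { write } for  pid=14251 comm="glusterd" name="glusterd.socket" dev="tmpfs" ino=16965404 scontext=system_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file',
    'type=SYSCALL msg=audit(1415613712.270:36592): arch=x86_64 syscall=connect success=no exit=EACCES a0=c a1=7fffcabfe970 a2=6e a3=7fffcabfe8ec items=0 ppid=14250 pid=14251 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=glusterd exe=/usr/sbin/glusterfsd subj=system_u:system_r:glusterd_t:s0 key=(null)',
    # constructed example, not from the report
    'type=AVC msg=audit(1415613800.100:36600): avc:  denied  { name_connect } for  pid=14260 comm="glusterd" dest=24007 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket',
]


def parse_audit_record(line):
    """Split one audit line into its record type, denied permissions and fields."""
    fields = {k: v.strip('"') for k, v in _FIELD_RE.findall(line)}
    m = _PERMS_RE.search(line)
    perms = m.group(1).split() if m else []
    return {"type": fields.get("type"), "perms": perms, "fields": fields}


def context_type(ctx):
    """The type component of user:role:type[:range]."""
    return ctx.split(":")[2]


def triage(record):
    """Classify an AVC record: a file-class denial against a generic default
    type points at a labeling problem (fix with fcontext + restorecon); anything
    else needs a policy review. Non-AVC records yield None."""
    if record["type"] != "AVC":
        return None
    f = record["fields"]
    src, tgt, tclass = context_type(f["scontext"]), context_type(f["tcontext"]), f["tclass"]
    if tclass in FILE_CLASSES and tgt in GENERIC_FILE_TYPES:
        verdict = "likely-mislabel"
    else:
        verdict = "policy-review"
    return {"source_type": src, "target_type": tgt, "class": tclass,
            "perms": record["perms"], "name": f.get("name"), "verdict": verdict}


def triage_log(lines):
    """Run triage over a list of raw audit lines, dropping non-AVC records."""
    results = []
    for line in lines:
        t = triage(parse_audit_record(line))
        if t is not None:
            results.append(t)
    return results


def relabel_commands(path, expected_type):
    """The report's workaround as a command list (returned, not executed)."""
    return [
        "semanage fcontext --add --type %s %s" % (expected_type, path),
        "restorecon %s" % path,
    ]


if __name__ == "__main__":
    for t in triage_log(AUDIT_LINES):
        print("%s -> %s:%s %s : %s" % (t["source_type"], t["target_type"], t["class"],
                                       " ".join(t["perms"]), t["verdict"]))
    for cmd in relabel_commands("/var/run/glusterd.socket", "glusterd_var_run_t"):
        print("#", cmd)
```

The point of the triage split is operational: a `likely-mislabel` verdict should be answered by checking `matchpathcon` against the object and relabeling (a persistent `semanage fcontext` entry survives the next `restorecon`, a bare `chcon` does not), whereas loading an `audit2allow` module for it would grant `glusterd_t` write access to every `var_run_t` socket on the host.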