Bug 1181111
| Summary: | [RHEL7.0][Gluster] Selinux prevents a creation of glusterfs domains | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Ori Gofen <ogofen> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | urgent | Docs Contact: | |
| Priority: | urgent | | |
| Version: | 7.0 | CC: | acanan, amureini, barumuga, bmcclain, danken, ecohen, gklein, iheim, jkurik, kparthas, lpeer, lsurette, lvrabec, mgrepl, mmalik, nobody, ogofen, plautrba, pvrabec, rbalakri, Rhev-m-bugs, sabose, scohen, snagar, ssekidde, tlavigne, tnisan, vbellur, yeylon, ylavi |
| Target Milestone: | rc | Keywords: | Regression, ZStream |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Linux | | |
| Whiteboard: | gluster | | |
| Fixed In Version: | selinux-policy-3.13.1-16.el7 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | 1177651 | | |
| : | 1185867 | Environment: | |
| Last Closed: | 2015-03-05 10:48:19 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1164308, 1164311, 1177651, 1185867 | | |

Comment 2
Miroslav Grepl
2015-01-12 12:11:08 UTC
# ausearch -m avc -m user_avc -m selinux_err -i -ts today

(In reply to Miroslav Grepl from comment #2)
> What AVC are you getting in permissive mode?

From /var/log/messages I've found avc: denied:

Jan 12 17:22:03 purple-vds2 kernel: type=1400 audit(1421076123.001:23): avc: denied { name_connect } for pid=20026 comm="glusterfs" dest=49262 scontext=system_u:system_r:glusterd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket

That's in permissive mode.

ausearch -m avc -m user_avc -m selinux_err -i -ts today didn't prompt results.

#============= glusterd_t ==============

#!!!! This avc is allowed in the current policy
allow glusterd_t ephemeral_port_t:tcp_socket name_connect;

What is your version of policy

# rpm -q selinux-policy

It seems that audit daemon is not running on your machine.

# service auditd start

When audit daemon is not running the only sources of audit records are dmesg and /var/log/messages.

(In reply to Miroslav Grepl from comment #6)
> #============= glusterd_t ==============
>
> #!!!! This avc is allowed in the current policy
> allow glusterd_t ephemeral_port_t:tcp_socket name_connect;
>
>
> What is your version of policy
>
> # rpm -q selinux-policy

selinux-policy-sandbox-3.12.1-153.el7_0.13.noarch
selinux-policy-targeted-3.12.1-153.el7_0.13.noarch
selinux-policy-3.12.1-153.el7_0.13.noarch
selinux-policy-doc-3.12.1-153.el7_0.13.noarch
selinux-policy-devel-3.12.1-153.el7_0.13.noarch
selinux-policy-minimum-3.12.1-153.el7_0.13.noarch
selinux-policy-mls-3.12.1-153.el7_0.13.noarch

Could you test it with latest RHEL7.1 policy builds? I believe it will work with them.

(In reply to Miroslav Grepl from comment #9)
> Could you test it with latest RHEL7.1 policy builds? I believe it will work
> with them.

Does not reproduce on 7.1 beta

Miroslav, fyi, we need this fixed for rhev-3.5.0 which is scheduled to be released on top of rhel-7.0.z.

(In reply to Dan Kenigsberg from comment #11)
> Miroslav, fyi, we need this fixed for rhev-3.5.0 which is scheduled to be
> released on top of rhel-7.0.z.

In this case, we need to get this bugzilla to Modified state and ask for z-stream clone bug.

Any news on when this will be released?

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0458.html
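
The thread notes that with auditd stopped, denials only reach dmesg and /var/log/messages, where ausearch does not find them. As an added example (not from the bug thread or from the selinux-policy project), this Python script parses kernel-logged AVC lines out of syslog text and derives the matching allow rule, so it can be compared with what the installed policy permits; the sample input is constructed from the denial quoted in the thread, and all function names are hypothetical.

```python
import re

# Constructed sample: the kernel-logged denial quoted in this bug, as it appears
# in /var/log/messages when auditd is not running, plus one unrelated line.
SAMPLE_SYSLOG = """\
Jan 12 17:22:03 purple-vds2 kernel: type=1400 audit(1421076123.001:23): avc: denied { name_connect } for pid=20026 comm="glusterfs" dest=49262 scontext=system_u:system_r:glusterd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket
Jan 12 17:22:04 purple-vds2 systemd: Started Session 12 of user root.
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def context_type(context):
    """Return the type field of a user:role:type[:level] SELinux context."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError("not an SELinux context: %r" % context)
    return parts[2]

def parse_denials(text):
    """Yield one dict per kernel AVC denial found in syslog-style text."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
        if not {"scontext", "tcontext", "tclass"} <= fields.keys():
            continue  # truncated record, skip rather than guess
        yield {
            "comm": fields.get("comm"),
            "source": context_type(fields["scontext"]),
            "target": context_type(fields["tcontext"]),
            "tclass": fields["tclass"],
            "perms": m.group("perms").split(),
        }

def allow_rules(text):
    """Deduplicated allow rules, written in the form audit2allow prints."""
    rules = set()
    for d in parse_denials(text):
        perms = d["perms"]
        perm_str = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(sorted(perms))
        rules.add("allow %s %s:%s %s;" % (d["source"], d["target"], d["tclass"], perm_str))
    return sorted(rules)

if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_SYSLOG):
        print(rule)
```

On a live host the same information comes from `audit2allow -i /var/log/messages` or `audit2allow -d`, which read syslog and dmesg instead of the audit log.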