Bug 1209101

Summary: nfs-ganesha: present setup required selinux be disabled
Product: [Retired] nfs-ganesha Reporter: Saurabh <saujain>
Component: MainNFSDAssignee: Frank Filz <ffilz>
Status: CLOSED CURRENTRELEASE QA Contact:
Severity: high Docs Contact:
Priority: unspecified    
Version: develCC: kkeithle, mmadhusu, mzywusko, ndevos, nsathyan, pprakash, saujain, sgraf, skoduri
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: glusterfs-3.7dev-0.994 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-07-30 13:14:20 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1186580    

Description Saurabh 2015-04-06 05:56:04 UTC 
Description of problem:
Present setup of nfs-ganesha HA requires that selinux be disabled. 
This should be the case, as in future moving to have selinux running on storage servers. So it will be helpful if we can overcome this problem of disabling selinux for component
Comment 1 Kaleb KEITHLEY 2015-04-07 10:05:33 UTC 
HA works fine with selinux=enforcing.

Please ignore the step 2 in the instructions that say disable selinux.
Comment 2 Saurabh 2015-04-22 03:07:23 UTC 
when i try to bring the nfs-ganesha HA setup while selinux is enforced, I get the below messages in /var/log/messages

Also, the HA cluster does not come up,

Apr 21 04:18:07 nfs2 rpc.statd[29055]: Version 1.2.3 starting
Apr 21 04:18:07 nfs2 sm-notify[29057]: Version 1.2.3 starting
Apr 21 04:18:12 nfs2 setroubleshoot: SELinux is preventing /bin/bash from execute access on the file /var/lib/glusterd/hooks/1/start/post/S29CTDBsetup.sh. For complete SELinux messages. run sealert -l 084f4c51-b71e-424e-a9cc-71c10a568062
Apr 21 04:18:12 nfs2 setroubleshoot: SELinux is preventing /bin/bash from execute access on the file /var/lib/glusterd/hooks/1/start/post/S29CTDBsetup.sh. For complete SELinux messages. run sealert -l 084f4c51-b71e-424e-a9cc-71c10a568062
Apr 21 04:18:12 nfs2 setroubleshoot: SELinux is preventing /bin/bash from execute access on the file /bin/hostname. For complete SELinux messages. run sealert -l 56b24c20-2a21-457f-bf2e-9a1eb8fad36f
Apr 21 04:18:12 nfs2 setroubleshoot: SELinux is preventing /bin/hostname from execute_no_trans access on the file /bin/hostname. For complete SELinux messages. run sealert -l ed5a5ff7-db47-493a-ad36-23e0af7ac4ca
Apr 21 04:19:23 nfs2 rpc.statd[29194]: Version 1.2.3 starting
Apr 21 04:19:23 nfs2 sm-notify[29195]: Version 1.2.3 starting
Apr 21 04:43:26 nfs2 kernel: warning: `ganesha.nfsd' uses 32-bit capabilities (legacy support in use)
Apr 21 04:43:26 nfs2 rpc.statd[29194]: Received SM_UNMON_ALL request from nfs2 while not monitoring any hosts
Apr 21 04:43:30 nfs2 setroubleshoot: SELinux is preventing /sbin/consoletype from execute access on the file /sbin/consoletype. For complete SELinux messages. run sealert -l c711bc35-b4a0-48f2-a340-cf3cb6d46926
Apr 21 04:43:30 nfs2 setroubleshoot: SELinux is preventing /sbin/consoletype from execute access on the file /sbin/consoletype. For complete SELinux messages. run sealert -l c711bc35-b4a0-48f2-a340-cf3cb6d46926
Apr 21 04:43:30 nfs2 setroubleshoot: SELinux is preventing /bin/bash from execute access on the file /etc/rc.d/init.d/nfs-ganesha. For complete SELinux messages. run sealert -l da02410b-d964-4094-b7dc-4cbf7e06316f
Apr 21 04:43:31 nfs2 setroubleshoot: SELinux is preventing /bin/bash from execute access on the file /etc/rc.d/init.d/nfs-ganesha. For complete SELinux messages. run sealert -l da02410b-d964-4094-b7dc-4cbf7e06316f
Apr 21 04:43:31 nfs2 setroubleshoot: SELinux is preventing /usr/bin/ganesha.nfsd from write access on the sock_file /var/run/dbus/system_bus_socket. For complete SELinux messages. run sealert -l 8d65833a-c11b-43ac-a397-ecfe848b656b
Apr 21 04:43:31 nfs2 setroubleshoot: SELinux is preventing /usr/bin/ganesha.nfsd from write access on the sock_file /var/run/dbus/system_bus_socket. For complete SELinux messages. run sealert -l 8d65833a-c11b-43ac-a397-ecfe848b656b
Apr 21 04:43:31 nfs2 setroubleshoot: SELinux is preventing /usr/bin/ganesha.nfsd from write access on the sock_file /var/run/rpcbind.sock. For complete SELinux messages. run sealert -l a6d00967-d6c6-4624-bea4-82e98d39e290


Also, even if I put the selinux to permissiv mode, things still do not work.
Comment 3 Stanislav Graf 2015-04-22 06:48:14 UTC 
(In reply to Saurabh from comment #2)
[...]
> Also, even if I put the selinux to permissiv mode, things still do not work.

Maybe this is not a Selinux issue then.
Comment 4 Kaleb KEITHLEY 2015-04-22 13:23:29 UTC 
Maybe clone this and assign the clone to Samba team. some of these messages are CTDB. We don't use CTDB.

The rest are ganesha, e.g. /var/run/dbus/system_bus_socket and rpcbind.
Comment 5 Kaleb KEITHLEY 2015-04-22 19:27:40 UTC 
FWIW, this is puzzling because I have selinux set to enforcing, ganesha.nfsd runs, and I don't have any of those messages in my /var/log/messages.
Comment 6 Stanislav Graf 2015-05-03 17:32:15 UTC 
(In reply to Stanislav Graf from comment #3)
> (In reply to Saurabh from comment #2)
> [...]
> > Also, even if I put the selinux to permissiv mode, things still do not work.
> 
> Maybe this is not a Selinux issue then.

Any update on this?
Comment 7 Prasanth 2015-05-12 13:27:00 UTC 
Saurabh,

Could you please re-test this and confirm that SELinux is not causing the issue here as mentioned by Kaleb?
Comment 8 Saurabh 2015-05-13 07:07:47 UTC 
I was able to see nfs-ganesha getting spawned on all intended nodes once, selinux is enforced. 
Although we have issue  i.e volume export fails when selinux is enabled, for that I have filed this BZ 1220999.