Bug 1214258
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | [SELinux] [glusterfsd] SELinux is preventing /usr/sbin/glusterfsd from unlink access on the sock_file /var/run/glusterd.socket | | |
| Product: | [Red Hat Storage] Red Hat Gluster Storage | Reporter: | Prasanth <pprakash> |
| Component: | glusterd | Assignee: | Anand Nekkunti <anekkunt> |
| Status: | CLOSED ERRATA | QA Contact: | Prasanth <pprakash> |
| Severity: | urgent | Docs Contact: | |
| Priority: | high | | |
| Version: | rhgs-3.1 | CC: | amainkar, amukherj, anekkunt, annair, asrivast, dwalsh, kaushal, lvrabec, mgrepl, mmalik, nlevinki, nsathyan, plautrba, pprakash, pvrabec, rcyriac, rhs-bugs, ssekidde, vagarwal, vbellur |
| Target Milestone: | Alpha | | |
| Target Release: | RHGS 3.1.0 | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2015-07-29 04:41:43 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1224639 | | |
| Bug Blocks: | 1202842, 1212796 | | |
Description (Prasanth, 2015-04-22 10:08:43 UTC)

The socket is mislabeled:

```
# restorecon -Rv /var/run/glusterd.socket
```

Correct label for the socket is:

```
# matchpathcon /var/run/glusterd.socket
/var/run/glusterd.socket	system_u:object_r:glusterd_var_run_t:s0
```

and allow rule for the operation is present:

```
# sesearch -s glusterd_t -t glusterd_var_run_t -c sock_file -p unlink -A -C
Found 1 semantic av rules:
   allow glusterd_t glusterd_var_run_t : sock_file { ioctl read write create getattr setattr lock append unlink link rename open } ;
```

These AVCs are generated only after we manually try to start 'glusterd' after the rpm installation. Based on my testing, what I understand is that, if we do a proper clean-up after rpm installation, '/var/run/glusterd.socket' file wouldn't exist in the system and throw these AVCs after we start glusterd manually.

The 'glusterd.socket' file is first created by rpm scriptlet as part of a start and stop operation done in the post upgrade script to re-generate the configuration files. During the process it gets a wrong label of "var_run_t" as we don't have filename transition rules in RHEL-6. So the write access [1] and unlink access [2] required on the sock_file '/var/run/glusterd.socket' while manually starting 'glusterd' is prevented by SELinux, which is what we see in AVCs.

However, the thing to be noted is that, on starting 'glusterd' using '#service glusterd start' or '#/etc/init.d/glusterd start', it actually regains the right label of "glusterd_var_run_t".

So the fix that you posted in [3] is actually trying to do a 'restorecon' on the leftover 'glusterd.socket' file to avoid these AVCs. But instead, if we actually do a proper clean-up post rpm installation, this file that leads to this situation wouldn't exist at all.

Please go through my comment and see if my understanding is correct and it makes sense. Meanwhile, I'll open a new BZ for cleaning up the left-over socket file!

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1214253
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1214258
[3] https://bugzilla.redhat.com/show_bug.cgi?id=1210404

Additional Info:

```
#####
[root@dhcp42-246 run]# rpm -qa |grep gluster
glusterfs-fuse-3.7.0-2.el6rhs.x86_64
glusterfs-libs-3.7.0-2.el6rhs.x86_64
glusterfs-client-xlators-3.7.0-2.el6rhs.x86_64
glusterfs-api-3.7.0-2.el6rhs.x86_64
glusterfs-3.7.0-2.el6rhs.x86_64
glusterfs-cli-3.7.0-2.el6rhs.x86_64
glusterfs-server-3.7.0-2.el6rhs.x86_64

[root@dhcp42-246 run]# /etc/init.d/glusterd status
glusterd is stopped

[root@dhcp42-246 run]# ls -lZ glusterd.socket
srwxr-xr-x. root root unconfined_u:object_r:var_run_t:s0 glusterd.socket

[root@dhcp42-246 run]# /etc/init.d/glusterd start
Starting glusterd:                                         [  OK  ]

[root@dhcp42-246 run]# ls -lZ glusterd.socket
srwxr-xr-x. root root unconfined_u:object_r:glusterd_var_run_t:s0 glusterd.socket

[root@dhcp42-246 run]# /etc/init.d/glusterd status
glusterd (pid 5278) is running...
#####
```

-Prasanth

---

Anand/Prasanth,

Can we mark this bug a duplicate of 1223185?

---

Anand,

If you are sure that this BZ is also fixed by the patch provided in Bug 1224639, you may have to move this BZ to ON_QA with the FIV for further QE verification.

Thanks,
Prasanth

---

Yes ... This patch https://code.engineering.redhat.com/gerrit/#/c/49604/ fixes this bug. Fix is available in next build.

---

Verified as fixed in glusterfs-3.7.1-3.el6rhs.x86_64

---

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-1495.html
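The description above boils down to one check an administrator can run before starting a confined daemon by hand: does the file's current SELinux type match what `matchpathcon` says the policy expects, and if not, is a `restorecon` (or removal of the stale file) needed? The script below is an added example written for this page; it is not code from the bug report or from the glusterfs packages. The function names (`selinux_type`, `ls_context`, `label_matches`, `check_and_fix`) are this example's own, and it assumes the standard `matchpathcon -n`, `stat -c %C` and `restorecon` tools of an SELinux-enabled host. The sample context strings and `ls -lZ` lines it is exercised on are constructed from the output quoted in the report, so the parsing helpers run offline on any POSIX shell.

```shell
#!/bin/sh
# Added example (not from the bug report or the glusterfs project): detect a
# file, here the glusterd control socket, whose SELinux type differs from what
# the loaded policy expects, and relabel it with restorecon on request.
# The pure helpers parse context strings and `ls -lZ` lines; check_and_fix is
# the only function that calls the live SELinux tools.

# selinux_type CONTEXT: print the type field of a user:role:type:level context.
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# ls_context "LS_LINE": print the context column of one `ls -lZ` output line,
# i.e. the first whitespace-separated field shaped like user:role:type..., so
# it works whatever column layout the local ls version prints around it.
ls_context() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[A-Za-z0-9_]+:[A-Za-z0-9_]+:[A-Za-z0-9_]+/) { print $i; exit }
    }'
}

# label_matches ACTUAL EXPECTED: exit 0 when both contexts carry the same type,
# 1 otherwise. Only the type is compared: the SELinux user (unconfined_u vs
# system_u) legitimately differs between a manual and an init-script start and
# is not what the AVC in this report is about.
label_matches() {
    [ -n "$1" ] && [ -n "$2" ] &&
    [ "$(selinux_type "$1")" = "$(selinux_type "$2")" ]
}

# check_and_fix PATH [fix]: on a live SELinux system compare the file's current
# context (stat -c %C) with the policy's expectation (matchpathcon -n) and, when
# the optional second argument is "fix", run restorecon on it.
# Exit codes: 0 label correct, 1 mislabeled, 2 file missing or tools absent.
check_and_fix() {
    path="$1"; mode="${2:-report}"
    [ -e "$path" ] || { echo "$path: not present (nothing to relabel)"; return 2; }
    command -v matchpathcon >/dev/null 2>&1 || { echo "matchpathcon not available"; return 2; }
    expected=$(matchpathcon -n "$path") || return 2
    actual=$(stat -c %C "$path") || return 2
    if label_matches "$actual" "$expected"; then
        echo "$path: label ok ($(selinux_type "$actual"))"
        return 0
    fi
    echo "$path: mislabeled: has $(selinux_type "$actual"), policy expects $(selinux_type "$expected")"
    if [ "$mode" = fix ]; then
        restorecon -v "$path"
    fi
    return 1
}

# Stand-alone use: save as check_label.sh and run it, optionally with "fix",
# to inspect the socket path from this report. Sourcing the file only defines
# the functions.
case "${0##*/}" in
    check_label.sh) check_and_fix /var/run/glusterd.socket "${1:-report}" ;;
esac
```

Run without arguments it only reports; passing `fix` makes it call `restorecon`, which is what the referenced fix does for a leftover socket. A missing socket returns 2 rather than an error, which is the state the description argues a clean post-install should leave behind.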