Bug 1214258

The socket is mislabeled:

# restorecon -Rv /var/run/glusterd.socket

Correct label for the socket is:

# matchpathcon /var/run/glusterd.socket 
/var/run/glusterd.socket	system_u:object_r:glusterd_var_run_t:s0
#

and allow rule for the operation is present:

# sesearch -s glusterd_t -t glusterd_var_run_t -c sock_file -p unlink -A -C
Found 1 semantic av rules:
   allow glusterd_t glusterd_var_run_t : sock_file { ioctl read write create getattr setattr lock append unlink link rename open } ; 

#

These AVC's are generated only after we manually try to start 'glusterd' after the rpm installation. Based on my testing, what I understand is that, if we do a proper clean-up after rpm installation, '/var/run/glusterd.socket' file wouldn't exist in the system and throw these AVC's after we start glusterd manually. 

The 'glusterd.socket' file is first created by rpm scriptlet as part of a start and stop operation done in the post upgrade script to re-generate the configuration files. During the process it gets a wrong label of "var_run_t" as we don't have filename transition rules in RHEL-6. So the write access [1] and unlink access [2] required on the sock_file '/var/run/glusterd.socket' while manually starting 'glusterd' is prevented by SELinux, which is what we see in AVC's. However, the thing to be noted is that, on starting 'glusterd' using '#service glusterd start' or '#/etc/init.d/glusterd start', it actually regains the right label of "glusterd_var_run_t". 

So the fix that you posted in [3] is actually trying to do a 'restorecon' on the leftover 'glusterd.socket' file to avoid these AVC's. But instead, if we actually do a proper clean-up post rpm installation, this file that leads to this situation, wouldn't exists at all. Please go through my comment and see if my understand is correct and it makes sense. Meanwhile, i'll open a new BZ for cleaning up the left-over socket file!

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1214253

[2] https://bugzilla.redhat.com/show_bug.cgi?id=1214258

[3] https://bugzilla.redhat.com/show_bug.cgi?id=1210404


Additional Info:
#####
[root@dhcp42-246 run]# rpm -qa |grep gluster
glusterfs-fuse-3.7.0-2.el6rhs.x86_64
glusterfs-libs-3.7.0-2.el6rhs.x86_64
glusterfs-client-xlators-3.7.0-2.el6rhs.x86_64
glusterfs-api-3.7.0-2.el6rhs.x86_64
glusterfs-3.7.0-2.el6rhs.x86_64
glusterfs-cli-3.7.0-2.el6rhs.x86_64
glusterfs-server-3.7.0-2.el6rhs.x86_64

[root@dhcp42-246 run]# /etc/init.d/glusterd status
glusterd is stopped

[root@dhcp42-246 run]# ls -lZ glusterd.socket 
srwxr-xr-x. root root unconfined_u:object_r:var_run_t:s0 glusterd.socket

[root@dhcp42-246 run]# /etc/init.d/glusterd start
Starting glusterd:                                         [  OK  ]

[root@dhcp42-246 run]# ls -lZ glusterd.socket 
srwxr-xr-x. root root unconfined_u:object_r:glusterd_var_run_t:s0 glusterd.socket

[root@dhcp42-246 run]# /etc/init.d/glusterd status
glusterd (pid  5278) is running...
#####

-Prasanth

Anand/Prasanth,

Can we mark this bug duplicate of 1223185 ?

Anand,

If you are sure that this BZ is also fixed by the patch provided in Bug 1224639, you may have to move this BZ to ON_QA with the FIV for further QE verification.

Thanks,
Prasanth

Yes ... This patch https://code.engineering.redhat.com/gerrit/#/c/49604/ fixes the this bug. Fix is available in next build.

Verified as fixed in glusterfs-3.7.1-3.el6rhs.x86_64

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-1495.html