Bug 1215885
| Field | Value |
|---|---|
| Summary | [SELinux] SMB: With selinux in enforcing mode the mount to a gluster volume on cifs fails with i/o error. |
| Product | [Red Hat Storage] Red Hat Gluster Storage |
| Reporter | surabhi <sbhaloth> |
| Component | samba |
| Assignee | Jose A. Rivera <jarrpa> |
| Status | CLOSED ERRATA |
| QA Contact | surabhi <sbhaloth> |
| Severity | urgent |
| Priority | urgent |
| Version | rhgs-3.1 |
| CC | annair, asrivast, mgrepl, mmalik, nlevinki, pprakash, rcyriac, rhs-smb, rjoseph, sbhaloth, vagarwal |
| Target Release | RHGS 3.1.0 |
| Hardware | Unspecified |
| OS | Unspecified |
| Whiteboard | SELinux |
| Fixed In Version | selinux-policy-3.7.19-271.el6 |
| Doc Type | Bug Fix |
| Last Closed | 2015-07-29 04:42:21 UTC |
| Type | Bug |
| Bug Depends On | 1221929 |
| Bug Blocks | 1202842, 1212796 |
Description
surabhi
2015-04-28 05:18:15 UTC
Surabhi, thanks for sharing your test system. I've gone through the logs and did some basic troubleshooting around this issue and was able to narrow down to the issues given below that caused the mount to fail:

####
SELinux is preventing /usr/sbin/smbd from read access on the file
SELinux is preventing /usr/sbin/smbd from name_connect access on the tcp_socket
####

To unblock you temporarily, I've generated a couple of local policy modules and applied them on your system. After activating those policy packages [1] and [2], I was able to successfully mount the volume. See below:

########
[root@dhcp ]# semodule -i mypol2.pp
[root@dhcp ]# mount -t cifs 10.16.159.154:/gluster-vol2 /mnt/samba/vol2
WARNING: using NFS syntax for mounting CIFS shares is deprecated and will be removed in cifs-utils-6.0. Please migrate to UNC syntax.
Password:
[root@dhcp ]# df -h
Filesystem                         Size  Used Avail Use% Mounted on
/dev/mapper/vg_dhcp159154-lv_root   43G  8.1G   33G  20% /
tmpfs                               16G     0   16G   0% /dev/shm
/dev/vda1                          477M   64M  389M  14% /boot
/dev/mapper/RHS_vg1-RHS_lv1         98G  560M   97G   1% /rhs/brick1
10.16.159.154:/gluster-vol2        389G  3.2G  386G   1% /mnt/samba/vol2
########

Local policy modules:

[1]
-----------
module mypol1 1.0;

require {
        type sysctl_net_t;
        type gluster_port_t;
        type smbd_t;
        class tcp_socket name_connect;
        class dir search;
}

#============= smbd_t ==============
allow smbd_t gluster_port_t:tcp_socket name_connect;
allow smbd_t sysctl_net_t:dir search;
-----------

[2]
-----------
module mypol2 1.0;

require {
        type sysctl_net_t;
        type smbd_t;
        type virt_migration_port_t;
        class tcp_socket name_connect;
        class file read;
}

#============= smbd_t ==============
allow smbd_t sysctl_net_t:file read;
allow smbd_t virt_migration_port_t:tcp_socket name_connect;
-----------

Please try running the rest of your tests on the same system and do let me know if you are able to proceed further or it fails elsewhere.
PS: Please note that these are just temporary local policy modules generated just to unblock your testing, and hence please don't consider them a permanent solution until you hear from the devel and SELinux teams. You should definitely be getting a proper fix for this issue soon from the samba devel or SELinux team.

Thanks,
Prasanth

The local policy modules are OK, but I would like to see the AVCs which contain virt_migration_port_t and sysctl_net_t. Could you attach them? Also could you create a policy bug for them?

The AVC logs are as follows:

type=AVC msg=audit(1428576324.441:349): avc: denied { name_connect } for pid=14176 comm="smbd" dest=49152 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=system_u:object_r:virt_migration_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1428649951.586:1250): avc: denied { search } for pid=29022 comm="smbd" scontext=unconfined_u:system_r:smbd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir

Creating policy bug.

Created attachment 1025720 [details]
AVC's for virt_migration and sysctl_net
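As an added illustration (not code from the bug report or from any of the commenters), the POSIX shell function below reads AVC denial records of the form quoted above and derives the corresponding TE allow rules, which is the mapping audit2allow applied to produce mypol1 and mypol2; the only input is a constructed string holding the two AVC lines from this bug. The output shows exactly how broad a locally generated module is (one rule per denied type pair, with the port label taken as-is), which is why the thread treats such modules as a stopgap rather than the fix.

```shell
#!/bin/sh
# Added example (not part of the bug report): derive TE allow rules from AVC
# denial records, the same mapping audit2allow used to produce mypol1/mypol2.

# Constructed sample input: the two AVC records quoted in this bug.
AVC_SAMPLE='type=AVC msg=audit(1428576324.441:349): avc: denied { name_connect } for pid=14176 comm="smbd" dest=49152 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=system_u:object_r:virt_migration_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1428649951.586:1250): avc: denied { search } for pid=29022 comm="smbd" scontext=unconfined_u:system_r:smbd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir'

# avc_to_allow: read AVC records on stdin, emit one "allow" rule per denial.
# Only the type component of scontext/tcontext is used (user and role are
# ignored, as in the modules above); a multi-permission set is kept in braces.
avc_to_allow() {
    awk '
    /^type=AVC/ && /avc: +denied +[{]/ {
        perm = $0
        sub(/.*denied +[{] */, "", perm)    # drop everything up to "{ "
        sub(/ *[}].*/, "", perm)            # drop everything from " }" on
        if (perm ~ / /) perm = "{ " perm " }"
        src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            n = split($i, kv, "=")
            if (n < 2) continue
            if (kv[1] == "scontext")      { split(kv[2], c, ":"); src = c[3] }
            else if (kv[1] == "tcontext") { split(kv[2], c, ":"); tgt = c[3] }
            else if (kv[1] == "tclass")   cls = kv[2]
        }
        if (src != "" && tgt != "" && cls != "")
            printf "allow %s %s:%s %s;\n", src, tgt, cls, perm
    }'
}

# Example run: the two rules printed match those in mypol1 and mypol2 above.
printf '%s\n' "$AVC_SAMPLE" | avc_to_allow
```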
(In reply to Miroslav Grepl from comment #4)
> Also could you create a policy bug for them?

I meant this comment. Created BZ 1221929. Let me know if you need any other info in the bug.

As per selinux dev the fix for this is to be done while building the rpm for samba for rhgs. The following boolean is to be set:

setsebool -P samba_load_libgfapi 1

Install RHEL 6.7, install downstream gluster rpms, install the latest samba rpms, install the latest selinux rpms: selinux-policy-3.7.19-271.el6. Start a volume, mount it on cifs. There are no AVCs seen related to smb and the mount succeeded. Marking the BZ as verified.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-1495.html