Bug 1222845

Summary: [SELinux] [nfs-ganesha]: Volume export fails when SELinux is in Enforcing mode - RHEL-6.7
Product: Red Hat Enterprise Linux 6 Reporter: Prasanth <pprakash>
Component: selinux-policy Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: high Docs Contact:
Priority: unspecified    
Version: 6.6 CC: dwalsh, jherrman, lvrabec, mgrepl, mmadhusu, mmalik, nlevinki, plautrba, pprakash, pvrabec, rhs-bugs, saujain, skoduri, ssekidde, storage-qa-internal, tlavigne
Target Milestone: rc   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.7.19-269.el6 Doc Type: Bug Fix
Doc Text:
Previously, migrating a Gluster volume on an NFS-Ganesha cluster failed when SELinux was in enforcing mode. The responsible SELinux policy has been corrected, and the described migration now proceeds successfully.
Story Points: ---
Clone Of: 1220999
: 1242476 Environment:
Last Closed: 2015-07-22 07:14:20 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1220999    
Bug Blocks: 1212796, 1242476    

Description Prasanth 2015-05-19 09:51:13 UTC
+++ This bug was initially created as a clone of Bug #1220999 +++

Description of problem:
The volume set option 'gluster vol set volname ganesha.enable on' sends a DBus signal to export/unexport the volume.
When SELinux is enabled, the connection is not established.

12/05/2015 16:05:21 : epoch 5551d769 : nfs1 : ganesha.nfsd-8462[main] gsh_dbus_pkginit BUS :CRIT bus_bus_get failed (An SELinux policy prevents this sender from sending this message to this recipient (rejected message had sender "(unset)" interface "org.freedesktop.DBus" member "Hello" error name "(unset)" destination "org.freedesktop.DBus"))
12/05/2015 16:05:21 : epoch 5551d769 : nfs1 : ganesha.nfsd-8462[main] gsh_dbus_register_path BUS :CRIT bus_connection_register_object_path called with no DBUS connection

Version-Release number of selected component (if applicable):
glusterfs-3.7.0beta1-0.69.git1a32479.el6.x86_64
nfs-ganesha-2.2.0-0.el6.x86_64
How reproducible:

Steps to Reproduce:
1. create a volume of 6x2 type
2. do nfs-ganesha setup
3. use gluster volume set <volname> ganesha.enable on to export the volume
4. showmount -e localhost

Actual results:
Step 4 fails, as the volume is not mounted by step 3.

Issue as mentioned in the description section.

Expected results:
SELinux should not be a deterrent in exporting a volume

Additional info:

Comment 1 Milos Malik 2015-05-19 09:56:26 UTC
Please provide the output of the following command:

# ausearch -m user_avc -i -ts today

Comment 2 Meghana 2015-05-19 10:00:14 UTC
These are the specific errors reported in /var/log/audit.log

type=AVC msg=audit(1431429023.964:11105): avc:  denied  { write } for  pid=24252 comm="dbus-send" name="system_bus_socket" dev=dm-0 ino=1177367 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1431429023.964:11105): avc:  denied  { connectto } for  pid=24252 comm="dbus-send" path="/var/run/dbus/system_bus_socket" scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=USER_AVC msg=audit(1431429023.978:11106): user pid=1553 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=24252 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus  exe="/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'


I'll attach the entire log files as an attachment.
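
An added example, not part of Comment 2 or of any Red Hat tooling: a small Python parser that reduces the denial records quoted above to (source type, target type, class) tuples. It keeps the record type, which shows that two of the three denials are kernel AVC records that a search limited to user_avc would not return. Function names are hypothetical and the SYSCALL line in the sample is constructed.

```python
import re
from collections import defaultdict

# Sample input: the three denial records quoted in Comment 2, plus one
# constructed SYSCALL line (not from the report) that must be skipped.
SAMPLE = """\
type=AVC msg=audit(1431429023.964:11105): avc:  denied  { write } for  pid=24252 comm="dbus-send" name="system_bus_socket" dev=dm-0 ino=1177367 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1431429023.964:11105): avc:  denied  { connectto } for  pid=24252 comm="dbus-send" path="/var/run/dbus/system_bus_socket" scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=USER_AVC msg=audit(1431429023.978:11106): user pid=1553 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=24252 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus  exe="/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=SYSCALL msg=audit(1431429023.964:11105): arch=c000003e syscall=42 success=no comm="dbus-send"
"""

TYPE_RE = re.compile(r"type=(\w+)")
AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_denials(text):
    """Return one dict per denied AVC (kernel) or USER_AVC (userspace) record."""
    denials = []
    for line in text.splitlines():
        rec, avc = TYPE_RE.match(line), AVC_RE.search(line)
        if not rec or rec.group(1) not in ("AVC", "USER_AVC") or not avc:
            continue
        fields = {k: v.strip("\"'") for k, v in KV_RE.findall(avc.group(2))}
        if not {"scontext", "tcontext", "tclass"} <= fields.keys():
            continue  # truncated record: skip rather than guess
        denials.append({
            "record": rec.group(1),
            "perms": avc.group(1).split(),
            # An SELinux context is user:role:type:level; the type is field 3.
            "source": fields["scontext"].split(":")[2],
            "target": fields["tcontext"].split(":")[2],
            "tclass": fields["tclass"],
        })
    return denials


def summarize(denials):
    """Group into {(source, target, class): {"perms": set, "records": set}}."""
    out = defaultdict(lambda: {"perms": set(), "records": set()})
    for d in denials:
        key = (d["source"], d["target"], d["tclass"])
        out[key]["perms"].update(d["perms"])
        out[key]["records"].add(d["record"])
    return dict(out)


if __name__ == "__main__":
    for (src, tgt, cls), v in sorted(summarize(parse_denials(SAMPLE)).items()):
        print(f"{src} -> {tgt}:{cls} {sorted(v['perms'])} via {sorted(v['records'])}")
```

The summary is a triage aid for reading the denials; it makes no statement about which rules the fixed selinux-policy package contains.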

Comment 5 Meghana 2015-05-19 10:12:07 UTC
Oh sorry, that flag also got overwritten. Milos Malik, is there anything else
you would need? The machine has SELinux as permissive right now.

ausearch -m user_avc -i -ts today
<no matches>

Comment 6 Milos Malik 2015-05-19 10:26:32 UTC
Thanks, the attached audit.log file seems to be sufficient.

Comment 18 errata-xmlrpc 2015-07-22 07:14:20 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-1375.html