Bug 1230129

Summary: [SELinux]: [geo-rep]: AVC logged in RHEL6.7 during geo-replication setup between master and slave volume
Product: [Red Hat Storage] Red Hat Gluster Storage Reporter: Rahul Hinduja <rhinduja>
Component: geo-replicationAssignee: Bug Updates Notification Mailing List <rhs-bugs>
Status: CLOSED ERRATA QA Contact: Rahul Hinduja <rhinduja>
Severity: urgent Docs Contact:
Priority: urgent    
Version: rhgs-3.1CC: aavati, annair, csaba, mgrepl, mmalik, nlevinki, pprakash, rcyriac, vagarwal
Target Milestone: ---   
Target Release: RHGS 3.1.0   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.7.19-278.el6 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 1230370 (view as bug list) Environment:
Last Closed: 2015-07-29 05:00:47 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1202842, 1212796, 1223636, 1230370    

Description Rahul Hinduja 2015-06-10 10:07:50 UTC 
Description of problem:
=======================

On a cleaned RHEL6.7 cluster for master and slave, ran geo-rep create/start and found the following AVC in audit.log:

[root@georep1 audit]# grep "AVC" /var/log/audit/audit.log
type=AVC msg=audit(1433949908.995:1460): avc:  denied  { execute } for  pid=13164 comm="peer_gsec_creat" name="ssh-keygen" dev=dm-0 ino=1185093 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:ssh_keygen_exec_t:s0 tclass=file
type=AVC msg=audit(1433949908.995:1461): avc:  denied  { execute_no_trans } for  pid=13166 comm="peer_gsec_creat" path="/usr/bin/ssh-keygen" dev=dm-0 ino=1185093 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:ssh_keygen_exec_t:s0 tclass=file
type=AVC msg=audit(1433949935.007:1462): avc:  denied  { create } for  pid=13644 comm="python" scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=unconfined_u:system_r:glusterd_t:s0 tclass=rawip_socket
type=AVC msg=audit(1433949935.007:1462): avc:  denied  { net_raw } for  pid=13644 comm="python" capability=13  scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=unconfined_u:system_r:glusterd_t:s0 tclass=capability
type=AVC msg=audit(1433949935.007:1463): avc:  denied  { bind } for  pid=13644 comm="python" lport=1 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=unconfined_u:system_r:glusterd_t:s0 tclass=rawip_socket
type=AVC msg=audit(1433949935.007:1463): avc:  denied  { node_bind } for  pid=13644 comm="python" saddr=10.70.46.96 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=rawip_socket
[root@georep1 audit]# 
[root@georep1 audit]# 
[root@georep1 audit]# cat audit.log |audit2allow


#============= glusterd_t ==============
allow glusterd_t node_t:rawip_socket node_bind;
allow glusterd_t self:capability net_raw;
allow glusterd_t self:rawip_socket { bind create };
allow glusterd_t ssh_keygen_exec_t:file { execute execute_no_trans };
[root@georep1 audit]# 


[root@georep1 audit]# rpm -qa | grep selinux
libselinux-2.0.94-5.8.el6.x86_64
libselinux-utils-2.0.94-5.8.el6.x86_64
selinux-policy-targeted-3.7.19-275.el6.noarch
libselinux-python-2.0.94-5.8.el6.x86_64
selinux-policy-3.7.19-275.el6.noarch
[root@georep1 audit]# 

gluster version:
===============

glusterfs-3.7.1-1.el6rhs.x86_64
Comment 6 Rahul Hinduja 2015-06-23 10:26:30 UTC 
Verified with build:

[root@georep1 scripts]# rpm -qa | grep selinux-policy
selinux-policy-targeted-3.7.19-278.el6.noarch
selinux-policy-3.7.19-278.el6.noarch
[root@georep1 scripts]# 


[root@georep1 scripts]# getenforce 
Enforcing
[root@georep1 scripts]# 


Ran the same case as mentioned in the description, AVC's mentioned in this bug are not logged. 

Some other AVC is logged for glusterd_t and logrotate_t  and they are tracked by the bug id 1234298.

Moving this bug to verified state
Comment 7 errata-xmlrpc 2015-07-29 05:00:47 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-1495.html