Bug 1230370

Summary: [SELinux]: [geo-rep]: SELinux policy updates required in RHEL-6.7 for geo-rep
Product: Red Hat Enterprise Linux 6 Reporter: Prasanth <pprakash>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: urgent Docs Contact:
Priority: unspecified    
Version: 6.7CC: aavati, csaba, dwalsh, lvrabec, mgrepl, mmalik, nlevinki, plautrba, pprakash, pvrabec, rhinduja, rhs-bugs, ssekidde, storage-qa-internal, tlavigne
Target Milestone: rc   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 1230129 Environment:
Last Closed: 2015-07-22 07:14:41 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1230129    
Bug Blocks: 1212796, 1223636    

Description Prasanth 2015-06-10 17:53:10 UTC 
+++ This bug was initially created as a clone of Bug #1230129 +++

Description of problem:
=======================

On a cleaned RHEL6.7 cluster for master and slave, ran geo-rep create/start and found the following AVC in audit.log:

[root@georep1 audit]# grep "AVC" /var/log/audit/audit.log
type=AVC msg=audit(1433949908.995:1460): avc:  denied  { execute } for  pid=13164 comm="peer_gsec_creat" name="ssh-keygen" dev=dm-0 ino=1185093 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:ssh_keygen_exec_t:s0 tclass=file
type=AVC msg=audit(1433949908.995:1461): avc:  denied  { execute_no_trans } for  pid=13166 comm="peer_gsec_creat" path="/usr/bin/ssh-keygen" dev=dm-0 ino=1185093 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:ssh_keygen_exec_t:s0 tclass=file
type=AVC msg=audit(1433949935.007:1462): avc:  denied  { create } for  pid=13644 comm="python" scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=unconfined_u:system_r:glusterd_t:s0 tclass=rawip_socket
type=AVC msg=audit(1433949935.007:1462): avc:  denied  { net_raw } for  pid=13644 comm="python" capability=13  scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=unconfined_u:system_r:glusterd_t:s0 tclass=capability
type=AVC msg=audit(1433949935.007:1463): avc:  denied  { bind } for  pid=13644 comm="python" lport=1 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=unconfined_u:system_r:glusterd_t:s0 tclass=rawip_socket
type=AVC msg=audit(1433949935.007:1463): avc:  denied  { node_bind } for  pid=13644 comm="python" saddr=10.70.46.96 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=rawip_socket
[root@georep1 audit]# 
[root@georep1 audit]# 
[root@georep1 audit]# cat audit.log |audit2allow


#============= glusterd_t ==============
allow glusterd_t node_t:rawip_socket node_bind;
allow glusterd_t self:capability net_raw;
allow glusterd_t self:rawip_socket { bind create };
allow glusterd_t ssh_keygen_exec_t:file { execute execute_no_trans };
[root@georep1 audit]# 


[root@georep1 audit]# rpm -qa | grep selinux
libselinux-2.0.94-5.8.el6.x86_64
libselinux-utils-2.0.94-5.8.el6.x86_64
selinux-policy-targeted-3.7.19-275.el6.noarch
libselinux-python-2.0.94-5.8.el6.x86_64
selinux-policy-3.7.19-275.el6.noarch
[root@georep1 audit]# 

gluster version:
===============

glusterfs-3.7.1-1.el6rhs.x86_64

--- Additional comment from Red Hat Bugzilla Rules Engine on 2015-06-10 06:07:51 EDT ---

This bug is automatically being proposed for Red Hat Gluster Storage 3.1.0 by setting the release flag 'rhgs‑3.1.0' to '?'. 

If this bug should be proposed for a different release, please manually change the proposed release flag.
Comment 1 Milos Malik 2015-06-11 08:57:58 UTC 
The gluster daemon wants to run ssh-keygen. Unfortunately, the policy is missing allow rules for executing it, therefore ssh-keygen process does not run in correct domain.
Comment 9 errata-xmlrpc 2015-07-22 07:14:41 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-1375.html