Bug 1230371

Summary: [SELinux]: [Snapshot]: SELinux policy updates required in RHEL-6.7 for gluster-snapshot
Product: Red Hat Enterprise Linux 6 Reporter: Prasanth <pprakash>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: urgent Docs Contact:
Priority: unspecified    
Version: 6.7CC: ashah, dwalsh, lvrabec, mgrepl, mmalik, plautrba, pprakash, pvrabec, rjoseph, senaik, ssekidde, storage-qa-internal, tlavigne
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.7.19-276.el6 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 1230202 Environment:
Last Closed: 2015-07-22 07:14:46 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1230202    
Bug Blocks: 1212796, 1223636    

Description Prasanth 2015-06-10 17:54:46 UTC 
+++ This bug was initially created as a clone of Bug #1230202 +++

Description of problem:
=======================
During snapshot creation in RHEL 6.7 set up, found the below AVC messages in audit.log 

[root@inception audit]# grep "AVC" /var/log/audit/audit.log
type=AVC msg=audit(1433936948.287:2749): avc:  denied  { getattr } for  pid=22981 comm="xfs_db" path="/dev/dm-65" dev=devtmpfs ino=5511669 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
type=AVC msg=audit(1433936948.288:2750): avc:  denied  { read } for  pid=22981 comm="xfs_db" name="dm-65" dev=devtmpfs ino=5511669 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
type=AVC msg=audit(1433936948.288:2750): avc:  denied  { open } for  pid=22981 comm="xfs_db" name="dm-65" dev=devtmpfs ino=5511669 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
type=AVC msg=audit(1433936948.288:2751): avc:  denied  { write } for  pid=22981 comm="xfs_db" name="dm-65" dev=devtmpfs ino=5511669 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
type=AVC msg=audit(1433936948.288:2752): avc:  denied  { ioctl } for  pid=22981 comm="xfs_db" path="/dev/dm-65" dev=devtmpfs ino=5511669 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

rpm -qa |grep selinux
selinux-policy-3.7.19-275.el6.noarch
libselinux-2.0.94-5.8.el6.x86_64
libselinux-utils-2.0.94-5.8.el6.x86_64
selinux-policy-targeted-3.7.19-275.el6.noarch

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

[root@inception audit]# cat audit.log |audit2allow 

#============= glusterd_t ==============
#!!!! The source type 'glusterd_t' can write to a 'blk_file' of the following type:
# glusterd_brick_t

allow glusterd_t fixed_disk_device_t:blk_file { read write getattr open ioctl };

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

gluster --version :

glusterfs-3.7.1-1.el6rhs.x86_64


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

--- Additional comment from Red Hat Bugzilla Rules Engine on 2015-06-10 08:32:20 EDT ---

This bug is automatically being proposed for Red Hat Gluster Storage 3.1.0 by setting the release flag 'rhgs‑3.1.0' to '?'. 

If this bug should be proposed for a different release, please manually change the proposed release flag.
Comment 1 Milos Malik 2015-06-11 08:33:09 UTC 
The gluster daemon wants to run xfs_db tool. Unfortunately, xfs_db is labeled bin_t instead of fsadm_exec_t, therefore xfs_db process does not run in correct doman.
Comment 2 Milos Malik 2015-06-11 10:52:27 UTC 
If you run following commands before your tests:

# semanage fcontext -a -t fsadm_exec_t /usr/sbin/xfs_db
# restorecon -Rv /usr/sbin

does it help?
Comment 6 Anil Shah 2015-06-15 13:54:52 UTC 
Created snapshot with latest policy and could not see avc logs.

[root@darkknightrises audit]# rpm -qa | grep selinux
selinux-policy-targeted-3.7.19-276.el6.noarch
libselinux-2.0.94-5.8.el6.x86_64
libselinux-utils-2.0.94-5.8.el6.x86_64
selinux-policy-3.7.19-276.el6.noarch
libselinux-python-2.0.94-5.8.el6.x86_64

[root@darkknightrises audit]# rpm -q policycoreutils
policycoreutils-2.0.83-24.el6.x86_64
Comment 9 Miroslav Grepl 2015-06-23 17:29:10 UTC 
*** Bug 1234298 has been marked as a duplicate of this bug. ***
Comment 11 errata-xmlrpc 2015-07-22 07:14:46 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-1375.html