Bug 1239017

Summary: [SELinux] [nfs-ganesha]: seeing avc denied error message for showmount, while doing a volume start - Rhel6.7
Product: [Red Hat Storage] Red Hat Gluster Storage Reporter: Apeksha <akhakhar>
Component: nfs-ganeshaAssignee: Bug Updates Notification Mailing List <rhs-bugs>
Status: CLOSED CURRENTRELEASE QA Contact: Apeksha <akhakhar>
Severity: high Docs Contact:
Priority: high    
Version: rhgs-3.1CC: akhakhar, ashah, jherrman, mgrepl, mmalik, nlevinki, pprakash, rcyriac, senaik, sgraf, vagarwal
Target Milestone: ---   
Target Release: RHGS 3.1.0   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.7.19-279.el6_7.1 Doc Type: Bug Fix
Doc Text:
Attempting to set up Gluster storage on an NFS-Ganesha cluster previously failed due to an Access Vector Cache (AVC) denial error. The responsible SELinux policy has been adjusted to allow handling of volumes mounted by NFS-Ganesha, and the described failure no longer occurs.
 Story Points: ---
Clone Of:
: 1241386 1241400 (view as bug list) Environment:
Last Closed: 2015-08-10 07:45:52 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1241386, 1241400    
Bug Blocks: 1212796, 1216951    

Description Apeksha 2015-07-03 09:18:47 UTC 
Description of problem:
[selinux] [nfs-ganesha]: seeing avc error message denied for showmount, while doing a volume start - Rhel6.7

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-279.el6.noarch
glusterfs-3.7.1-7.el6rhs.x86_64
nfs-ganesha-2.2.0-3.el6rhs.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Set up ganesha cluster
2. Create a volume
3. Start the volume, you will see avc errors in audit.log

Actual results: avc errors for showmount, even without showmount command being called

Expected results:No avc errors


Additional info:

audit.log :

type=AVC msg=audit(1435940872.438:47126): avc:  denied  { execute } for  pid=19711 comm="S31ganesha-star" name="showmount" dev=dm-0 ino=923917 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:showmount_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1435940872.438:47126): arch=c000003e syscall=21 success=yes exit=0 a0=26f97a0 a1=1 a2=0 a3=14 items=0 ppid=19709 pid=19711 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3660 comm="S31ganesha-star" exe="/bin/bash" subj=unconfined_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1435940872.438:47127): avc:  denied  { execute_no_trans } for  pid=19711 comm="S31ganesha-star" path="/usr/sbin/showmount" dev=dm-0 ino=923917 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:showmount_exec_t:s0 tclass=file
Comment 2 Prasanth 2015-07-03 09:21:51 UTC 
Apeksha, please attach the complete audit.log file to this BZ.
Comment 3 senaik 2015-07-03 12:49:08 UTC 
I see the following AVC s while testing Scheduler of Snapshots where we do a volume set operation to create shared storage. 

cat audit.log |audit2allow


#============= glusterd_t ==============
allow glusterd_t showmount_exec_t:file execute;



type=AVC msg=audit(1435907647.630:108317): avc:  denied  { execute } for  pid=14817 comm="S31ganesha-star" name="showmount" dev="dm-1" ino=67811256 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:showmount_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1435907647.630:108317): arch=c000003e syscall=21 success=no exit=-13 a0=1ad6340 a1=1 a2=7fff5456a4d0 a3=7fff5456a2f0 items=0 ppid=14815 pid=14817 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="S31ganesha-star" exe="/usr/bin/bash" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1435907647.631:108318): avc:  denied  { execute } for  pid=14817 comm="S31ganesha-star" name="showmount" dev="dm-1" ino=67811256 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:showmount_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1435907647.631:108318): arch=c000003e syscall=59 success=no exit=-13 a0=1ad6340 a1=1ad6f80 a2=1ad8bb0 a3=7fff5456a410 items=0 ppid=14815 pid=14817 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="S31ganesha-star" exe="/usr/bin/bash" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1435907647.631:108319): avc:  denied  { execute } for  pid=14817 comm="S31ganesha-star" name="showmount" dev="dm-1" ino=67811256 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:showmount_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1435907647.631:108319): arch=c000003e syscall=21 success=no exit=-13 a0=1ad6340 a1=1 a2=7fff5456a4f0 a3=7fff5456a410 items=0 ppid=14815 pid=14817 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="S31ganesha-star" exe="/usr/bin/bash" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1435907679.087:108320): avc:  denied  { execute } for  pid=14957 comm="S31ganesha-star" name="showmount" dev="dm-1" ino=67811256 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:showmount_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1435907679.087:108320): arch=c000003e syscall=21 success=no exit=-13 a0=175e9b0 a1=1 a2=7fff891a5c60 a3=7fff891a5ab0 items=0 ppid=14954 pid=14957 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="S31ganesha-star" exe="/usr/bin/bash" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1435907679.087:108321): avc:  denied  { execute } for  pid=14957 comm="S31ganesha-star" name="showmount" dev="dm-1" ino=67811256 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:showmount_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1435907679.087:108321): arch=c000003e syscall=21 success=no exit=-13 a0=175a640 a1=1 a2=7fff891a
Comment 4 Milos Malik 2015-07-03 14:28:54 UTC 
# cat mypolicy.te
policy_module(mypolicy, 1.0)

require{
 type glusterd_t;
}

mount_domtrans_showmount(glusterd_t)
# make -f /usr/share/selinux/devel/Makefile 
Compiling targeted mypolicy module
/usr/bin/checkmodule:  loading policy configuration from tmp/mypolicy.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 17) to tmp/mypolicy.mod
Creating targeted mypolicy.pp policy package
rm tmp/mypolicy.mod.fc tmp/mypolicy.mod
# semodule -i mypolicy.pp
#
Comment 5 senaik 2015-07-04 08:39:47 UTC 
Followed Comment 4 and no AVC denials were reported in audit.log messages while testing Scheduler of Snapshots where we do a volume set operation to create shared storage
Comment 6 Anil Shah 2015-07-06 09:07:36 UTC 
Seen AVC failures while running quota beaker automation test cases.

Info: Searching AVC errors produced since 1435986242.98 (Sat Jul  4 10:34:02 2015)
Searching logs...
Running '/usr/bin/env LC_ALL=en_US.UTF-8 /sbin/ausearch -m AVC -m USER_AVC -m SELINUX_ERR -ts 07/04/2015 10:34:02 < /dev/null >/mnt/testarea/tmp.rhts-db-submit-result.6e7wZM 2>&1'
----
time->Sat Jul  4 10:34:12 2015
type=SYSCALL msg=audit(1435986252.290:1607): arch=c000003e syscall=21 success=no exit=-13 a0=aa68b0 a1=1 a2=0 a3=14 items=0 ppid=21225 pid=21228 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="S31ganesha-star" exe="/bin/bash" subj=unconfined_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1435986252.290:1607): avc:  denied  { execute } for  pid=21228 comm="S31ganesha-star" name="showmount" dev=dm-0 ino=1444628 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:showmount_exec_t:s0 tclass=file
----
time->Sat Jul  4 10:34:12 2015
type=SYSCALL msg=audit(1435986252.290:1608): arch=c000003e syscall=21 success=no exit=-13 a0=aa6160 a1=1 a2=0 a3=13 items=0 ppid=21225 pid=21228 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="S31ganesha-star" exe="/bin/bash" subj=unconfined_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1435986252.290:1608): avc:  denied  { execute } for  pid=21228 comm="S31ganesha-star" name="showmount" dev=dm-0 ino=1444628 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:showmount_exec_t:s0 tclass=file
----
time->Sat Jul  4 10:34:12 2015
type=SYSCALL msg=audit(1435986252.291:1609): arch=c000003e syscall=59 success=no exit=-13 a0=aa6160 a1=aa6d40 a2=aa8a00 a3=20 items=0 ppid=21225 pid=21228 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="S31ganesha-star" exe="/bin/bash" subj=unconfined_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1435986252.291:1609): avc:  denied  { execute } for  pid=21228 comm="S31ganesha-star" name="showmount" dev=dm-0 ino=1444628 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:showmount_exec_t:s0 tclass=file
----
time->Sat Jul  4 10:34:12 2015
type=SYSCALL msg=audit(1435986252.291:1610): arch=c000003e syscall=21 success=no exit=-13 a0=aa6160 a1=1 a2=0 a3=20 items=0 ppid=21225 pid=21228 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="S31ganesha-star" exe="/bin/bash" subj=unconfined_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1435986252.291:1610): avc:  denied  { execute } for  pid=21228 comm="S31ganesha-star" name="showmount" dev=dm-0 ino=1444628 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:showmount_exec_t:s0 tclass=file
Fail: AVC messages found.
Checking for errors...
Using stronger AVC checks.
	Define empty RHTS_OPTION_STRONGER_AVC parameter if this causes any problems.
Running 'cat /mnt/testarea/tmp.rhts-db-submit-result.6e7wZM | /sbin/ausearch -m AVC -m SELINUX_ERR'
Fail: AVC messages found.
Running 'cat %s | /sbin/ausearch -m USER_AVC >/mnt/testarea/tmp.rhts-db-submit-result.RKvgji 2>&1'
Info: No AVC messages found.
/bin/grep 'avc: ' /mnt/testarea/dmesg.log | /bin/grep --invert-match TESTOUT.log
No AVC messages found in dmesg
Running '/usr/sbin/sestatus'
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted
Running 'rpm -q selinux-policy || true'
selinux-policy-3.7.19-279.el6.noarch 

Since these are beaker automation test cases, work around will not work.
We need to have fix for this.
Comment 13 Prasanth 2015-07-09 06:14:44 UTC 
*** Bug 1241155 has been marked as a duplicate of this bug. ***
Comment 14 Apeksha 2015-07-09 07:01:03 UTC 
I am not seeing avc denied messages for showmount after using this workaround.
Comment 31 Apeksha 2015-07-27 11:48:49 UTC 
Filling DOC text as required.
Comment 33 Apeksha 2015-08-03 11:57:30 UTC 
I do not see any showmount AVC on latest rhs3.1 iso for rhel6.7 with selinux-policy-3.7.19-279.el6_7.1 while starting the ganesha volume