Bug 1242412
| Summary: | [SELinux] posix: mknod with file type S_IFSOCK fails | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Product: | [Red Hat Storage] Red Hat Gluster Storage | Reporter: | Saurabh <saujain> | ||||||||||
| Component: | posix | Assignee: | Pranith Kumar K <pkarampu> | ||||||||||
| Status: | CLOSED WONTFIX | QA Contact: | Rahul Hinduja <rhinduja> | ||||||||||
| Severity: | high | Docs Contact: | |||||||||||
| Priority: | unspecified | ||||||||||||
| Version: | rhgs-3.1 | CC: | amukherj, kkeithle, mgrepl, mmalik, mzywusko, ndevos, nlevinki, pprakash, rcyriac, rgowdapp, rhs-bugs, sankarshan, skoduri, storage-qa-internal, vbellur | ||||||||||
| Target Milestone: | --- | Keywords: | ZStream | ||||||||||
| Target Release: | --- | ||||||||||||
| Hardware: | x86_64 | ||||||||||||
| OS: | Linux | ||||||||||||
| Whiteboard: | |||||||||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||||||||
| Doc Text: | Story Points: | --- | |||||||||||
| Clone Of: | Environment: | ||||||||||||
| Last Closed: | 2018-04-16 18:00:52 UTC | Type: | Bug | ||||||||||
| Regression: | --- | Mount Type: | --- | ||||||||||
| Documentation: | --- | CRM: | |||||||||||
| Verified Versions: | Category: | --- | |||||||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||||||
| Embargoed: | |||||||||||||
| Attachments: |
|
||||||||||||
Created attachment 1051352 [details]
nfs11 ganesha.log
Created attachment 1051354 [details]
nfs11 ganesha-gfapi.log
Created attachment 1051355 [details]
nfs11 brick log
From the brick log --> [2015-07-13 14:51:26.192714] E [MSGID: 113022] [posix.c:1165:posix_mknod] 0-vol3-posix: mknod on /rhs/brick1/d1r13/tree/socket failed [Permission denied] Brick process denies creation of the socket files. Same test passes on our setup (which has selinux disabled) - [root@192 nfs4.0]# ./testserver.py -v --outfile ~/pynfs.run.1 --maketree 192.168.122.205:/vol1 --showomit --rundeps MKSOCK MKSOCK st_create.testSocket : RUNNING MKSOCK st_create.testSocket : PASS ************************************************** MKSOCK st_create.testSocket : PASS ************************************************** Command line asked for 1 of 645 tests Of those: 0 Skipped, 0 Failed, 0 Warned, 1 Passed [root@192 nfs4.0]# Will check after enabling selinux. I see following AVCs
type=SYSCALL msg=audit(07/13/2015 22:33:25.715:103557) : arch=x86_64 syscall=mknod success=no exit=-13(Permission denied) a0=0x7f3801d3b720 a1=socket,750 a2=0x0 a3=0x7f382703f048 items=0 ppid=1 pid=9046 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=12060 comm=glusterfsd exe=/usr/sbin/glusterfsd subj=unconfined_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(07/13/2015 22:33:25.715:103557) : avc: denied { create } for pid=9046 comm=glusterfsd name=sock scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=sock_file
----
type=SYSCALL msg=audit(07/13/2015 22:33:57.661:103558) : arch=x86_64 syscall=mknod success=no exit=-13(Permission denied) a0=0x7f3801d3b720 a1=socket,750 a2=0x0 a3=0x7f382703f048 items=0 ppid=1 pid=9046 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=12060 comm=glusterfsd exe=/usr/sbin/glusterfsd subj=unconfined_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(07/13/2015 22:33:57.661:103558) : avc: denied { create } for pid=9046 comm=glusterfsd name=sock scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:glusterd_brick_t:s0 tclass=sock_file
[root@nfs11 fuse_mnt]#
[root@nfs11 fuse_mnt]#
[root@nfs11 fuse_mnt]# ls -RZ /rhs/brick1 | grep tmp_brick
drwxr-xr-x. root root unconfined_u:object_r:glusterd_brick_t:s0 tmp_brick
/rhs/brick1/tmp_brick:
[root@nfs11 fuse_mnt]#
Request Milos to look at the logs and update. Thanks!
Created attachment 1051624 [details]
audit.log
[root@nfs11 ~]# gluster vol info tmp_vol Volume Name: tmp_vol Type: Distribute Volume ID: 6c9c840d-b576-4443-adea-9d9f58eceb41 Status: Started Number of Bricks: 1 Transport-type: tcp Bricks: Brick1: 10.70.46.8:/rhs/brick1/tmp_brick Options Reconfigured: nfs.disable: on performance.readdir-ahead: on cluster.enable-shared-storage: enable nfs-ganesha: enable [root@nfs11 ~]# [root@nfs11 ~]# ls -RZ /rhs/brick1/tmp_brick/ /rhs/brick1/tmp_brick/: -rwxr-xr-x. root root unconfined_u:object_r:glusterd_brick_t:s0 fops-sanity -rw-r--r--. root root unconfined_u:object_r:glusterd_brick_t:s0 fops-sanity.c [root@nfs11 ~]# The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days |
Description of problem: created a volume of 6x2 type, kept the configuration of the volume as default, mean to say that acls disabled and root_squash disabled. Executed pynfs MKSOCK test and it failed Version-Release number of selected component (if applicable): glusterfs-3.7.1-9.el6rhs.x86_64 nfs-ganesha-2.2.0-5.el6rhs.x86_64 How reproducible: always Steps to Reproduce: 1.create a volume of type 6x2, start it 2. configure nfs-ganesha, mount the volume with vers=4 3. execute pynfs with MKSOCK as parameter, time ./testserver.py -v --outfile ~/pynfs.run.2 --maketree 10.70.44.92:/vol3 --showomit --rundeps MKSOCK > /export/pynfs-results-mksock-4.log Actual results: result of step3, [root@rhsauto009 mnt1]# cat /export/pynfs-results-mksock-4.log WARNING - could not create /vol3/tree/socket MKSOCK st_create.testSocket : RUNNING MKSOCK st_create.testSocket : FAILURE CREATE in empty dir should return NFS4_OK, instead got NFS4ERR_ACCESS ************************************************** MKSOCK st_create.testSocket : FAILURE CREATE in empty dir should return NFS4_OK, instead got NFS4ERR_ACCESS ************************************************** Command line asked for 1 of 655 tests Of those: 0 Skipped, 1 Failed, 0 Warned, 0 Passed Expected results: MKSOCK should pass Additional info: