Bug 1242476

Summary: [SELinux] [nfs-ganesha]: Volume export fails when SELinux is in Enforcing mode - RHEL-7
Product: Red Hat Enterprise Linux 7
Reporter: Prasanth <pprakash>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: urgent
Priority: urgent
Version: 7.1
CC: dwalsh, jherrman, jkurik, lvrabec, mgrepl, mmalik, nlevinki, plautrba, pprakash, pvrabec, rcyriac, rhs-bugs, saujain, skoduri, ssekidde, storage-qa-internal, tlavigne, vagarwal
Target Milestone: rc
Keywords: ZStream
Hardware: x86_64
OS: Linux
Fixed In Version: selinux-policy-3.13.1-31.el7
Doc Type: Bug Fix
Doc Text:
Previously, migrating a Gluster volume on an NFS-Ganesha cluster failed when SELinux was in enforcing mode. The responsible SELinux policy has been corrected, and the described migration now proceeds successfully.
Clone Of: 1222845
: 1248658
Last Closed: 2015-11-19 10:39:58 UTC
Type: Bug
Bug Depends On: 1220999, 1222845
Bug Blocks: 1212796, 1242487, 1244274, 1248658

Description Prasanth 2015-07-13 12:13:15 UTC
+++ This bug was initially created as a clone of Bug #1222845 +++

+++ This bug was initially created as a clone of Bug #1220999 +++

Description of problem:
The volume set option 'gluster vol set volname ganesha.enable on' sends a DBus signal to export/unexport the volume.
When SELinux is enabled, the connection is not established.

12/05/2015 16:05:21 : epoch 5551d769 : nfs1 : ganesha.nfsd-8462[main] gsh_dbus_pkginit BUS :CRIT bus_bus_get failed (An SELinux policy prevents this sender from sending this message to this recipient (rejected message had sender "(unset)" interface "org.freedesktop.DBus" member "Hello" error name "(unset)" destination "org.freedesktop.DBus"))
12/05/2015 16:05:21 : epoch 5551d769 : nfs1 : ganesha.nfsd-8462[main] gsh_dbus_register_path BUS :CRIT bus_connection_register_object_path called with no DBUS connection

Version-Release number of selected component (if applicable):
glusterfs-3.7.0beta1-0.69.git1a32479.el6.x86_64
nfs-ganesha-2.2.0-0.el6.x86_64
How reproducible:

Steps to Reproduce:
1. create a volume of 6x2 type
2. do nfs-ganesha setup
3. use gluster volume set <volname> ganesha.enable on to export the volume
4. showmount -e localhost

Actual results:
Step 4 fails, as the volume is not mounted by step 3.

Issue as mentioned in the description section.

Expected results:
SELinux should not be a deterrent to exporting a volume.

Additional info:

--- Additional comment from Milos Malik on 2015-05-19 05:56:26 EDT ---

Please provide the output of following command:

# ausearch -m user_avc -i -ts today

--- Additional comment from Meghana on 2015-05-19 06:00:14 EDT ---

These are the specific errors reported in /var/log/audit.log

type=AVC msg=audit(1431429023.964:11105): avc:  denied  { write } for  pid=24252 comm="dbus-send" name="system_bus_socket" dev=dm-0 ino=1177367 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1431429023.964:11105): avc:  denied  { connectto } for  pid=24252 comm="dbus-send" path="/var/run/dbus/system_bus_socket" scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=USER_AVC msg=audit(1431429023.978:11106): user pid=1553 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=24252 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus  exe="/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'


I'll attach the entire log files as an attachment.
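
The three records above are the whole story of this bug: glusterd_t is refused a write on the D-Bus socket file, a connectto on the dbus-daemon's stream socket, and finally the D-Bus "Hello" method call itself (the USER_AVC, reported by dbus-daemon as a userspace object manager). The following is an added example, not code from the bug report or from the selinux-policy project: it parses both kernel AVC and USER_AVC records and derives the minimal type-enforcement allow rules they imply, which is what a policy maintainer compares against `sesearch` output before deciding whether the access is legitimate (as it was here) or a sign of a misbehaving process. The sample log text is the bug's own three lines, re-typed as constructed input.

```python
"""Derive minimal SELinux TE allow rules from AVC / USER_AVC denial records.

Added example (not from the bug report or selinux-policy). The sample
records are the three denials quoted in this bug, embedded as constructed
test input so the script runs offline.
"""
import re
from collections import OrderedDict

# Constructed sample input: the three denials reported in this bug.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1431429023.964:11105): avc:  denied  { write } for  pid=24252 comm="dbus-send" name="system_bus_socket" dev=dm-0 ino=1177367 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1431429023.964:11105): avc:  denied  { connectto } for  pid=24252 comm="dbus-send" path="/var/run/dbus/system_bus_socket" scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=USER_AVC msg=audit(1431429023.978:11106): user pid=1553 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=24252 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus  exe="/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
"""

# One pattern serves both kernel AVC records and USER_AVC records: a userspace
# object manager (dbus-daemon here) embeds the same
# "avc: denied { perms } for ... scontext= tcontext= tclass=" text inside msg='...'.
AVC_RE = re.compile(
    r"avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+"
    r".*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
TYPE_RE = re.compile(r"^type=(?P<type>\S+)")


def context_type(ctx):
    """Return the type field of a security context.

    'system_u:system_r:glusterd_t:s0' -> 'glusterd_t'. MLS ranges such as
    '...:s0-s0:c0.c1023' are handled too, because the type is always the
    third colon-separated field.
    """
    return ctx.split(":")[2]


def parse_avc(line):
    """Parse one audit record; return a dict, or None if it is not an AVC denial."""
    t = TYPE_RE.match(line)
    if not t or t.group("type") not in ("AVC", "USER_AVC"):
        return None
    m = AVC_RE.search(line)
    if not m or m.group("decision") != "denied":
        return None
    return {
        "record": t.group("type"),
        "perms": m.group("perms").split(),
        "source": context_type(m.group("scontext")),
        "target": context_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
    }


def te_rules(log_text):
    """Aggregate denials by (source type, target type, class) into allow rules.

    Permissions for the same triple are merged, so repeated denials of one
    operation collapse into a single rule. Rules come back in first-seen
    order as TE policy source strings, ready to compare with `sesearch`.
    """
    need = OrderedDict()
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        key = (d["source"], d["target"], d["tclass"])
        perms = need.setdefault(key, [])
        for p in d["perms"]:
            if p not in perms:
                perms.append(p)
    rules = []
    for (src, tgt, cls), perms in need.items():
        perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return rules


if __name__ == "__main__":
    # The last rule printed is exactly the access the automated test case
    # later in this bug verifies with sesearch.
    for rule in te_rules(SAMPLE_AUDIT_LOG):
        print(rule)
```

The derived rules are the minimum the log demands, not a recommendation to grant them; whether glusterd_t should talk to the system bus at all is the policy decision the maintainers made in the fix.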

--- Additional comment from RHEL Product and Program Management on 2015-05-19 06:00:28 EDT ---

Since this bug report was entered in bugzilla, the release flag has been
set to ? to ensure that it is properly evaluated for this release.

--- Additional comment from Meghana on 2015-05-19 06:09:53 EDT ---



--- Additional comment from Meghana on 2015-05-19 06:12:07 EDT ---

Oh sorry, that flag also got overwritten. Milos Malik, is there anything else
you would need? The machine has SELinux as permissive right now.

ausearch -m user_avc -i -ts today
<no matches>

--- Additional comment from Milos Malik on 2015-05-19 06:26:32 EDT ---

Thanks, the attached audit.log file seems to be sufficient.

--- Additional comment from Miroslav Grepl on 2015-05-19 06:57:04 EDT ---

commit f90cd4ee1e7719b4230fe01b110c514f056b3489
Author: Miroslav Grepl <mgrepl>
Date:   Tue May 19 12:56:34 2015 +0200

    Allow glusterd to connect to /var/run/dbus/system_bus_socket.

--- Additional comment from Prasanth on 2015-05-19 08:48:55 EDT ---

(In reply to Miroslav Grepl from comment #7)
> commit f90cd4ee1e7719b4230fe01b110c514f056b3489
> Author: Miroslav Grepl <mgrepl>
> Date:   Tue May 19 12:56:34 2015 +0200
> 
>     Allow glusterd to connect to /var/run/dbus/system_bus_socket.

Miroslav, is it possible to back-port the fixes to RHEL 6.6, as RHGS 3.1 would be based on 6.6, or has it already been taken care of?

--- Additional comment from Miroslav Grepl on 2015-05-25 07:06:36 EDT ---

(In reply to Prasanth from comment #8)
> (In reply to Miroslav Grepl from comment #7)
> > commit f90cd4ee1e7719b4230fe01b110c514f056b3489
> > Author: Miroslav Grepl <mgrepl>
> > Date:   Tue May 19 12:56:34 2015 +0200
> > 
> >     Allow glusterd to connect to /var/run/dbus/system_bus_socket.
> 
> Miroslav, Is it possible to back-port the fixes to RHEL6.6 as RHGS3.1 would
> be based out of 6.6 or is it already been taken care of?

We need to get all acks, and then you need to request a z-stream bug.

--- Additional comment from Meghana on 2015-05-26 02:46:31 EDT ---

Hi, is a fix available for this? How and when can I test this for my use case
with NFS-Ganesha?

--- Additional comment from errata-xmlrpc on 2015-05-26 10:05:27 EDT ---

Bug report changed to ON_QA status by Errata System.
A QE request has been submitted for advisory RHBA-2015:20009-01
https://errata.devel.redhat.com/advisory/20009

--- Additional comment from Milos Malik on 2015-05-26 12:51:49 EDT ---

Based on the results of the automated TC, the bug is fixed.

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: Setup
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [  BEGIN   ] :: Running 'rlImport 'selinux-policy/common''
:: [ 18:46:48 ] :: [ INFO    ] :: rlImport: Found 'selinux-policy/common', version '6' during upwards traversal
:: [ 18:46:48 ] :: [ INFO    ] :: rlImport: Will try to import selinux-policy/common from /root/selinux-policy/Library/common/lib.sh
setools-console-3.3.7-4.el6.x86_64
expect-5.44.1.15-5.el6_4.x86_64
policycoreutils-python-2.0.83-23.el6.x86_64
:: [   PASS   ] :: Command 'rlImport 'selinux-policy/common'' (Expected 0, got 0)
:: [   PASS   ] :: all required packages are really installed 
selinux-policy-3.7.19-269.el6.noarch
:: [   PASS   ] :: Checking for the presence of selinux-policy rpm 
:: [ 18:46:49 ] :: Package versions:
:: [ 18:46:49 ] ::   selinux-policy-3.7.19-269.el6.noarch
selinux-policy-targeted-3.7.19-269.el6.noarch
:: [   PASS   ] :: Checking for the presence of selinux-policy-targeted rpm 
:: [ 18:46:50 ] :: Package versions:
:: [ 18:46:50 ] ::   selinux-policy-targeted-3.7.19-269.el6.noarch
glusterfs-server-3.6.0.54-1.el6rhs.x86_64
:: [   PASS   ] :: Checking for the presence of glusterfs-server rpm 
:: [ 18:46:50 ] :: Package versions:
:: [ 18:46:50 ] ::   glusterfs-server-3.6.0.54-1.el6rhs.x86_64
glusterd is stopped
:: [ 18:46:51 ] :: [ INFO    ] :: using '/var/tmp/beakerlib-Dq0B8Cq/backup' as backup destination
:: [  BEGIN   ] :: Running 'setenforce 1'
:: [   PASS   ] :: Command 'setenforce 1' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'sestatus'
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted
:: [   PASS   ] :: Command 'sestatus' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'semodule -l | grep -i disabled'
rhts	2.0.1	Disabled
:: [   PASS   ] :: Command 'semodule -l | grep -i disabled' (Expected 0,1, got 0)
:: [ 18:46:52 ] :: Setting timestamp 'TIMESTAMP' [05/26/2015 18:46:52]

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: bz#1052817
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

/var/lib/libvirt/images/netfs	system_u:object_r:virt_image_t:s0
:: [   PASS   ] :: Result of matchpathcon /var/lib/libvirt/images/netfs should contain virt_image_t (Assert: expected 0, got 0)
:: [ 18:46:56 ] :: [ INFO    ] :: checking rule 'allow glusterd_t virt_image_t : dir { write setattr mounton }'
FILTERED RULES
Found 3 semantic av rules:
   allow glusterd_t non_security_file_type : dir mounton ; 
DT allow glusterd_t non_security_file_type : dir { ioctl read getattr lock search open } ; [ gluster_export_all_ro ]
ET allow glusterd_t non_security_file_type : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open } ; [ gluster_export_all_rw ]
:: [   PASS   ] ::   check permission 'write' is present (Assert: '0' should equal '0')
:: [   PASS   ] ::   check permission 'setattr' is present (Assert: '0' should equal '0')
:: [   PASS   ] ::   check permission 'mounton' is present (Assert: '0' should equal '0')
:: [ 18:46:58 ] :: [ INFO    ] :: checking rule 'allow glusterd_t virt_image_t : file { mounton }'
FILTERED RULES
Found 3 semantic av rules:
   allow glusterd_t non_security_file_type : file mounton ; 
DT allow glusterd_t non_security_file_type : file { ioctl read getattr lock open } ; [ gluster_export_all_ro ]
ET allow glusterd_t non_security_file_type : file { ioctl read write create getattr setattr lock append unlink link rename open } ; [ gluster_export_all_rw ]
:: [   PASS   ] ::   check permission 'mounton' is present (Assert: '0' should equal '0')

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: bz#1011963
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [ 18:46:59 ] :: [ INFO    ] :: checking rule 'allow xm_t tmp_t : dir { getattr search open read lock ioctl }'
FILTERED RULES
Found 3 semantic av rules:
   allow domain tmp_t : dir { getattr search open } ; 
   allow xm_t tmp_t : dir { ioctl read getattr lock search open } ; 
   allow domain base_file_type : dir { getattr search open } ; 
:: [   PASS   ] ::   check permission 'getattr' is present (Assert: '0' should equal '0')
:: [   PASS   ] ::   check permission 'search' is present (Assert: '0' should equal '0')
:: [   PASS   ] ::   check permission 'open' is present (Assert: '0' should equal '0')
:: [   PASS   ] ::   check permission 'read' is present (Assert: '0' should equal '0')
:: [   PASS   ] ::   check permission 'lock' is present (Assert: '0' should equal '0')
:: [   PASS   ] ::   check permission 'ioctl' is present (Assert: '0' should equal '0')

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: bz#811304
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

/usr/sbin/glusterfsd	system_u:object_r:glusterd_exec_t:s0
:: [   PASS   ] :: Result of matchpathcon /usr/sbin/glusterfsd should contain glusterd_exec_t (Assert: expected 0, got 0)
/var/log/glusterfs	system_u:object_r:glusterd_log_t:s0
:: [   PASS   ] :: Result of matchpathcon /var/log/glusterfs should contain glusterd_log_t (Assert: expected 0, got 0)
/var/run/glusterd.pid	system_u:object_r:glusterd_var_run_t:s0
:: [   PASS   ] :: Result of matchpathcon /var/run/glusterd.pid should contain glusterd_var_run_t (Assert: expected 0, got 0)
:: [ 18:47:06 ] :: [ INFO    ] :: checking rule 'allow initrc_t glusterd_t : process { transition }'
FILTERED RULES
Found 3 semantic av rules:
   allow initrc_t glusterd_t : process { transition sigchld siginh } ; 
   allow unconfined_domain_type domain : process { fork sigchld sigkill sigstop signull signal ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setexec setfscreate noatsecure siginh setrlimit rlimitinh setcurrent setkeycreate setsockcreate } ; 
   allow initrc_t domain : process { sigchld sigkill sigstop signull signal getsession getattr } ; 
:: [   PASS   ] ::   check permission 'transition' is present (Assert: '0' should equal '0')
:: [ 18:47:08 ] :: [ INFO    ] :: checking rule 'allow glusterd_t glusterd_var_run_t : file { getattr open read write create unlink }'
FILTERED RULES
Found 4 semantic av rules:
   allow glusterd_t glusterd_var_run_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ; 
   allow glusterd_t non_security_file_type : file mounton ; 
DT allow glusterd_t non_security_file_type : file { ioctl read getattr lock open } ; [ gluster_export_all_ro ]
ET allow glusterd_t non_security_file_type : file { ioctl read write create getattr setattr lock append unlink link rename open } ; [ gluster_export_all_rw ]
:: [   PASS   ] ::   check permission 'getattr' is present (Assert: '0' should equal '0')
:: [   PASS   ] ::   check permission 'open' is present (Assert: '0' should equal '0')
:: [   PASS   ] ::   check permission 'read' is present (Assert: '0' should equal '0')
:: [   PASS   ] ::   check permission 'write' is present (Assert: '0' should equal '0')
:: [   PASS   ] ::   check permission 'create' is present (Assert: '0' should equal '0')
:: [   PASS   ] ::   check permission 'unlink' is present (Assert: '0' should equal '0')
:: [ 18:47:10 ] :: [ INFO    ] :: checking rule 'allow glusterd_t glusterd_log_t : file { getattr open read write create unlink append }'
FILTERED RULES
Found 5 semantic av rules:
   allow daemon logfile : file { ioctl getattr lock append open } ; 
   allow glusterd_t glusterd_log_t : file { ioctl create getattr setattr lock append open } ; 
   allow glusterd_t non_security_file_type : file mounton ; 
DT allow glusterd_t non_security_file_type : file { ioctl read getattr lock open } ; [ gluster_export_all_ro ]
ET allow glusterd_t non_security_file_type : file { ioctl read write create getattr setattr lock append unlink link rename open } ; [ gluster_export_all_rw ]
:: [   PASS   ] ::   check permission 'getattr' is present (Assert: '0' should equal '0')
:: [   PASS   ] ::   check permission 'open' is present (Assert: '0' should equal '0')
:: [   PASS   ] ::   check permission 'read' is present (Assert: '0' should equal '0')
:: [   PASS   ] ::   check permission 'write' is present (Assert: '0' should equal '0')
:: [   PASS   ] ::   check permission 'create' is present (Assert: '0' should equal '0')
:: [   PASS   ] ::   check permission 'unlink' is present (Assert: '0' should equal '0')
:: [   PASS   ] ::   check permission 'append' is present (Assert: '0' should equal '0')

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: bz#1052206
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

/usr/sbin/glusterfsd	system_u:object_r:glusterd_exec_t:s0
:: [   PASS   ] :: Result of matchpathcon /usr/sbin/glusterfsd should contain glusterd_exec_t (Assert: expected 0, got 0)
/var/lib	system_u:object_r:var_lib_t:s0
:: [   PASS   ] :: Result of matchpathcon /var/lib should contain var_lib_t (Assert: expected 0, got 0)
/var/lib/glusterd	system_u:object_r:glusterd_var_lib_t:s0
:: [   PASS   ] :: Result of matchpathcon /var/lib/glusterd should contain glusterd_var_lib_t (Assert: expected 0, got 0)
/var/run	system_u:object_r:var_run_t:s0
:: [   PASS   ] :: Result of matchpathcon /var/run should contain var_run_t (Assert: expected 0, got 0)
/var/run/glusterd.socket	system_u:object_r:glusterd_var_run_t:s0
:: [   PASS   ] :: Result of matchpathcon /var/run/glusterd.socket should contain glusterd_var_run_t (Assert: expected 0, got 0)
/var/run/glusterd.pid	system_u:object_r:glusterd_var_run_t:s0
:: [   PASS   ] :: Result of matchpathcon /var/run/glusterd.pid should contain glusterd_var_run_t (Assert: expected 0, got 0)
:: [ 18:47:22 ] :: [ INFO    ] :: checking rule 'type_transition glusterd_t var_lib_t : dir glusterd_var_lib_t'
FILTERED RULES
Found 1 semantic te rules:
   type_transition glusterd_t var_lib_t : dir glusterd_var_lib_t; 
:: [   PASS   ] ::   check permission 'glusterd_var_lib_t' is present (Assert: '0' should equal '0')
:: [ 18:47:23 ] :: [ INFO    ] :: checking rule 'type_transition glusterd_t var_run_t : file glusterd_var_run_t'
FILTERED RULES
Found 1 semantic te rules:
   type_transition glusterd_t var_run_t : file glusterd_var_run_t; 
:: [   PASS   ] ::   check permission 'glusterd_var_run_t' is present (Assert: '0' should equal '0')
:: [ 18:47:24 ] :: [ INFO    ] :: checking rule 'type_transition glusterd_t var_run_t : dir glusterd_var_run_t'
FILTERED RULES
Found 1 semantic te rules:
   type_transition glusterd_t var_run_t : dir glusterd_var_run_t; 
:: [   PASS   ] ::   check permission 'glusterd_var_run_t' is present (Assert: '0' should equal '0')
:: [ 18:47:25 ] :: [ INFO    ] :: checking rule 'type_transition glusterd_t var_run_t : sock_file glusterd_var_run_t'
FILTERED RULES
Found 1 semantic te rules:
   type_transition glusterd_t var_run_t : sock_file glusterd_var_run_t; 
:: [   PASS   ] ::   check permission 'glusterd_var_run_t' is present (Assert: '0' should equal '0')
:: [ 18:47:26 ] :: [ INFO    ] :: checking rule 'allow glusterd_t glusterd_var_lib_t : sock_file { getattr open read write create unlink }'
FILTERED RULES
Found 1 semantic av rules:
   allow glusterd_t glusterd_var_lib_t : sock_file { ioctl read write create getattr setattr lock append unlink link rename open } ; 
:: [   PASS   ] ::   check permission 'getattr' is present (Assert: '0' should equal '0')
:: [   PASS   ] ::   check permission 'open' is present (Assert: '0' should equal '0')
:: [   PASS   ] ::   check permission 'read' is present (Assert: '0' should equal '0')
:: [   PASS   ] ::   check permission 'write' is present (Assert: '0' should equal '0')
:: [   PASS   ] ::   check permission 'create' is present (Assert: '0' should equal '0')
:: [   PASS   ] ::   check permission 'unlink' is present (Assert: '0' should equal '0')
:: [ 18:47:28 ] :: [ INFO    ] :: checking rule 'allow glusterd_t glusterd_var_run_t : sock_file { getattr open read write create unlink }'
FILTERED RULES
Found 1 semantic av rules:
   allow glusterd_t glusterd_var_run_t : sock_file { ioctl read write create getattr setattr lock append unlink link rename open } ; 
:: [   PASS   ] ::   check permission 'getattr' is present (Assert: '0' should equal '0')
:: [   PASS   ] ::   check permission 'open' is present (Assert: '0' should equal '0')
:: [   PASS   ] ::   check permission 'read' is present (Assert: '0' should equal '0')
:: [   PASS   ] ::   check permission 'write' is present (Assert: '0' should equal '0')
:: [   PASS   ] ::   check permission 'create' is present (Assert: '0' should equal '0')
:: [   PASS   ] ::   check permission 'unlink' is present (Assert: '0' should equal '0')
:: [ 18:47:29 ] :: [ INFO    ] :: checking rule 'allow glusterd_t var_lib_t : dir { read write add_name remove_name getattr open search }'
FILTERED RULES
Found 8 semantic av rules:
   allow glusterd_t var_lib_t : dir { ioctl read write getattr lock add_name remove_name search open } ; 
   allow domain base_file_type : dir { getattr search open } ; 
   allow glusterd_t non_security_file_type : dir mounton ; 
   allow daemon var_lib_t : dir { getattr search open } ; 
DT allow glusterd_t non_security_file_type : dir { ioctl read getattr lock search open } ; [ gluster_export_all_ro ]
ET allow glusterd_t non_security_file_type : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open } ; [ gluster_export_all_rw ]
EF allow daemon var_lib_t : dir { getattr search open } ; [ daemons_enable_cluster_mode ]
DT allow daemon var_lib_t : dir { getattr search open } ; [ daemons_enable_cluster_mode ]
:: [   PASS   ] ::   check permission 'read' is present (Assert: '0' should equal '0')
:: [   PASS   ] ::   check permission 'write' is present (Assert: '0' should equal '0')
:: [   PASS   ] ::   check permission 'add_name' is present (Assert: '0' should equal '0')
:: [   PASS   ] ::   check permission 'remove_name' is present (Assert: '0' should equal '0')
:: [   PASS   ] ::   check permission 'getattr' is present (Assert: '0' should equal '0')
:: [   PASS   ] ::   check permission 'open' is present (Assert: '0' should equal '0')
:: [   PASS   ] ::   check permission 'search' is present (Assert: '0' should equal '0')
:: [ 18:47:31 ] :: [ INFO    ] :: checking rule 'allow glusterd_t var_run_t : dir { read write add_name remove_name getattr open search }'
FILTERED RULES
Found 12 semantic av rules:
   allow glusterd_t var_run_t : dir { ioctl read write getattr lock add_name remove_name search open } ; 
   allow domain base_file_type : dir { getattr search open } ; 
   allow domain var_run_t : dir { ioctl read getattr lock search open } ; 
   allow glusterd_t non_security_file_type : dir mounton ; 
   allow daemon var_run_t : dir { getattr search open } ; 
ET allow glusterd_t var_run_t : dir { getattr search open } ; [ allow_kerberos ]
DF allow glusterd_t var_run_t : dir { getattr search open } ; [ nscd_use_shm ]
ET allow glusterd_t var_run_t : dir { getattr search open } ; [ nscd_use_shm ]
DT allow glusterd_t non_security_file_type : dir { ioctl read getattr lock search open } ; [ gluster_export_all_ro ]
ET allow glusterd_t non_security_file_type : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open } ; [ gluster_export_all_rw ]
EF allow daemon var_run_t : dir { getattr search open } ; [ daemons_enable_cluster_mode ]
DT allow daemon var_run_t : dir { getattr search open } ; [ daemons_enable_cluster_mode ]
:: [   PASS   ] ::   check permission 'read' is present (Assert: '0' should equal '0')
:: [   PASS   ] ::   check permission 'write' is present (Assert: '0' should equal '0')
:: [   PASS   ] ::   check permission 'add_name' is present (Assert: '0' should equal '0')
:: [   PASS   ] ::   check permission 'remove_name' is present (Assert: '0' should equal '0')
:: [   PASS   ] ::   check permission 'getattr' is present (Assert: '0' should equal '0')
:: [   PASS   ] ::   check permission 'open' is present (Assert: '0' should equal '0')
:: [   PASS   ] ::   check permission 'search' is present (Assert: '0' should equal '0')
:: [ 18:47:33 ] :: [ INFO    ] :: checking rule 'allow glusterd_t glusterd_t : capability { fsetid kill }'
FILTERED RULES
Found 2 semantic av rules:
   allow glusterd_t glusterd_t : capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid net_bind_service net_admin sys_ptrace sys_admin sys_resource } ; 
DT allow glusterd_t glusterd_t : capability net_bind_service ; [ allow_ypbind ]
:: [   PASS   ] ::   check permission 'fsetid' is present (Assert: '0' should equal '0')
:: [   PASS   ] ::   check permission 'kill' is present (Assert: '0' should equal '0')
:: [ 18:47:35 ] :: [ INFO    ] :: checking rule 'allow glusterd_t rpcd_t : process { sigkill }'
FILTERED RULES
Found 1 semantic av rules:
   allow glusterd_t rpcd_t : process { transition sigkill } ; 
:: [   PASS   ] ::   check permission 'sigkill' is present (Assert: '0' should equal '0')
:: [ 18:47:36 ] :: [ INFO    ] :: checking rule 'allow glusterd_t ssh_exec_t : file { getattr open read execute_no_trans }'
FILTERED RULES
Found 4 semantic av rules:
   allow glusterd_t non_security_file_type : file mounton ; 
   allow glusterd_t ssh_exec_t : file { ioctl read getattr lock execute execute_no_trans open } ; 
DT allow glusterd_t non_security_file_type : file { ioctl read getattr lock open } ; [ gluster_export_all_ro ]
ET allow glusterd_t non_security_file_type : file { ioctl read write create getattr setattr lock append unlink link rename open } ; [ gluster_export_all_rw ]
:: [   PASS   ] ::   check permission 'getattr' is present (Assert: '0' should equal '0')
:: [   PASS   ] ::   check permission 'open' is present (Assert: '0' should equal '0')
:: [   PASS   ] ::   check permission 'read' is present (Assert: '0' should equal '0')
:: [   PASS   ] ::   check permission 'execute_no_trans' is present (Assert: '0' should equal '0')
:: [ 18:47:37 ] :: [ INFO    ] :: checking rule 'allow glusterd_t rsync_exec_t : file { getattr open read execute_no_trans }'
FILTERED RULES
Found 4 semantic av rules:
   allow glusterd_t rsync_exec_t : file { ioctl read getattr lock execute execute_no_trans open } ; 
   allow glusterd_t non_security_file_type : file mounton ; 
DT allow glusterd_t non_security_file_type : file { ioctl read getattr lock open } ; [ gluster_export_all_ro ]
ET allow glusterd_t non_security_file_type : file { ioctl read write create getattr setattr lock append unlink link rename open } ; [ gluster_export_all_rw ]
:: [   PASS   ] ::   check permission 'getattr' is present (Assert: '0' should equal '0')
:: [   PASS   ] ::   check permission 'open' is present (Assert: '0' should equal '0')
:: [   PASS   ] ::   check permission 'read' is present (Assert: '0' should equal '0')
:: [   PASS   ] ::   check permission 'execute_no_trans' is present (Assert: '0' should equal '0')
:: [ 18:47:39 ] :: [ INFO    ] :: checking rule 'allow glusterd_t ldconfig_exec_t : file { getattr open read execute_no_trans }'
FILTERED RULES
Found 4 semantic av rules:
   allow glusterd_t ldconfig_exec_t : file { ioctl read getattr lock execute execute_no_trans open } ; 
   allow glusterd_t non_security_file_type : file mounton ; 
DT allow glusterd_t non_security_file_type : file { ioctl read getattr lock open } ; [ gluster_export_all_ro ]
ET allow glusterd_t non_security_file_type : file { ioctl read write create getattr setattr lock append unlink link rename open } ; [ gluster_export_all_rw ]
:: [   PASS   ] ::   check permission 'getattr' is present (Assert: '0' should equal '0')
:: [   PASS   ] ::   check permission 'open' is present (Assert: '0' should equal '0')
:: [   PASS   ] ::   check permission 'read' is present (Assert: '0' should equal '0')
:: [   PASS   ] ::   check permission 'execute_no_trans' is present (Assert: '0' should equal '0')
:: [ 18:47:41 ] :: [ INFO    ] :: checking rule 'allow glusterd_t mount_exec_t : file { getattr open read execute }'
FILTERED RULES
Found 4 semantic av rules:
   allow glusterd_t non_security_file_type : file mounton ; 
   allow glusterd_t mount_exec_t : file { read getattr execute open } ; 
DT allow glusterd_t non_security_file_type : file { ioctl read getattr lock open } ; [ gluster_export_all_ro ]
ET allow glusterd_t non_security_file_type : file { ioctl read write create getattr setattr lock append unlink link rename open } ; [ gluster_export_all_rw ]
:: [   PASS   ] ::   check permission 'getattr' is present (Assert: '0' should equal '0')
:: [   PASS   ] ::   check permission 'open' is present (Assert: '0' should equal '0')
:: [   PASS   ] ::   check permission 'read' is present (Assert: '0' should equal '0')
:: [   PASS   ] ::   check permission 'execute' is present (Assert: '0' should equal '0')
:: [ 18:47:42 ] :: [ INFO    ] :: checking rule 'type_transition glusterd_t mount_exec_t : process mount_t'
FILTERED RULES
Found 1 semantic te rules:
   type_transition glusterd_t mount_exec_t : process mount_t; 
:: [   PASS   ] ::   check permission 'mount_t' is present (Assert: '0' should equal '0')
:: [ 18:47:43 ] :: [ INFO    ] :: checking rule 'allow glusterd_t mount_t : process { transition }'
FILTERED RULES
Found 1 semantic av rules:
   allow glusterd_t mount_t : process { transition sigchld } ; 
:: [   PASS   ] ::   check permission 'transition' is present (Assert: '0' should equal '0')
:: [ 18:47:44 ] :: [ INFO    ] :: checking rule 'allow glusterd_t glusterd_tmp_t : dir { mounton }'
FILTERED RULES
Found 4 semantic av rules:
   allow glusterd_t non_security_file_type : dir mounton ; 
   allow glusterd_t glusterd_tmp_t : dir { ioctl read write create getattr setattr lock unlink link rename mounton add_name remove_name reparent search rmdir open } ; 
DT allow glusterd_t non_security_file_type : dir { ioctl read getattr lock search open } ; [ gluster_export_all_ro ]
ET allow glusterd_t non_security_file_type : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open } ; [ gluster_export_all_rw ]
:: [   PASS   ] ::   check permission 'mounton' is present (Assert: '0' should equal '0')
:: [ 18:47:46 ] :: [ INFO    ] :: checking rule 'type_transition glusterd_t tmp_t : file glusterd_tmp_t'
FILTERED RULES
Found 1 semantic te rules:
   type_transition glusterd_t tmp_t : file glusterd_tmp_t; 
:: [   PASS   ] ::   check permission 'glusterd_tmp_t' is present (Assert: '0' should equal '0')
:: [ 18:47:47 ] :: [ INFO    ] :: checking rule 'type_transition glusterd_t tmp_t : dir glusterd_tmp_t'
FILTERED RULES
Found 1 semantic te rules:
   type_transition glusterd_t tmp_t : dir glusterd_tmp_t; 
:: [   PASS   ] ::   check permission 'glusterd_tmp_t' is present (Assert: '0' should equal '0')
:: [ 18:47:48 ] :: [ INFO    ] :: checking rule 'type_transition glusterd_t tmp_t : sock_file glusterd_tmp_t'
FILTERED RULES
Found 1 semantic te rules:
   type_transition glusterd_t tmp_t : sock_file glusterd_tmp_t; 
:: [   PASS   ] ::   check permission 'glusterd_tmp_t' is present (Assert: '0' should equal '0')
:: [ 18:47:49 ] :: [ INFO    ] :: checking rule 'allow glusterd_t tmp_t : dir { read write add_name remove_name getattr open search }'
FILTERED RULES
Found 7 semantic av rules:
   allow domain tmp_t : dir { getattr search open } ; 
   allow daemon tmp_t : dir { getattr search open } ; 
   allow domain base_file_type : dir { getattr search open } ; 
   allow glusterd_t tmp_t : dir { ioctl read write getattr lock add_name remove_name search open } ; 
   allow glusterd_t non_security_file_type : dir mounton ; 
DT allow glusterd_t non_security_file_type : dir { ioctl read getattr lock search open } ; [ gluster_export_all_ro ]
ET allow glusterd_t non_security_file_type : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open } ; [ gluster_export_all_rw ]
:: [   PASS   ] ::   check permission 'read' is present (Assert: '0' should equal '0')
:: [   PASS   ] ::   check permission 'write' is present (Assert: '0' should equal '0')
:: [   PASS   ] ::   check permission 'add_name' is present (Assert: '0' should equal '0')
:: [   PASS   ] ::   check permission 'remove_name' is present (Assert: '0' should equal '0')
:: [   PASS   ] ::   check permission 'getattr' is present (Assert: '0' should equal '0')
:: [   PASS   ] ::   check permission 'open' is present (Assert: '0' should equal '0')
:: [   PASS   ] ::   check permission 'search' is present (Assert: '0' should equal '0')

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: bz#1162125
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

/var/run	system_u:object_r:var_run_t:s0
:: [   PASS   ] :: Result of matchpathcon /var/run should contain var_run_t (Assert: expected 0, got 0)
/var/run/gluster	system_u:object_r:glusterd_var_run_t:s0
:: [   PASS   ] :: Result of matchpathcon /var/run/gluster should contain glusterd_var_run_t (Assert: expected 0, got 0)
/var/run/gluster/snaps	system_u:object_r:glusterd_var_run_t:s0
:: [   PASS   ] :: Result of matchpathcon /var/run/gluster/snaps should contain glusterd_var_run_t (Assert: expected 0, got 0)
/var/run/glusterd.socket	system_u:object_r:glusterd_var_run_t:s0
:: [   PASS   ] :: Result of matchpathcon /var/run/glusterd.socket should contain glusterd_var_run_t (Assert: expected 0, got 0)
:: [ 18:47:57 ] :: [ INFO    ] :: checking rule 'type_transition glusterd_t var_run_t : sock_file glusterd_var_run_t'
FILTERED RULES
Found 1 semantic te rules:
   type_transition glusterd_t var_run_t : sock_file glusterd_var_run_t; 
:: [   PASS   ] ::   check permission 'glusterd_var_run_t' is present (Assert: '0' should equal '0')
:: [ 18:47:58 ] :: [ INFO    ] :: checking rule 'allow glusterd_t glusterd_var_run_t : sock_file { create write }'
FILTERED RULES
Found 1 semantic av rules:
   allow glusterd_t glusterd_var_run_t : sock_file { ioctl read write create getattr setattr lock append unlink link rename open } ; 
:: [   PASS   ] ::   check permission 'create' is present (Assert: '0' should equal '0')
:: [   PASS   ] ::   check permission 'write' is present (Assert: '0' should equal '0')

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: bz#1222845
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

/var/run/dbus/system_bus_socket	system_u:object_r:system_dbusd_var_run_t:s0
:: [   PASS   ] :: Result of matchpathcon /var/run/dbus/system_bus_socket should contain system_dbusd_var_run_t (Assert: expected 0, got 0)
:: [ 18:48:02 ] :: [ INFO    ] :: checking rule 'allow glusterd_t system_dbusd_t : dbus { send_msg }'
FILTERED RULES
Found 1 semantic av rules:
   allow glusterd_t system_dbusd_t : dbus send_msg ; 
:: [   PASS   ] ::   check permission 'send_msg' is present (Assert: '0' should equal '0')
:: [ 18:48:03 ] :: [ INFO    ] :: checking rule 'allow glusterd_t system_dbusd_t : unix_stream_socket { connectto }'
FILTERED RULES
Found 1 semantic av rules:
   allow glusterd_t system_dbusd_t : unix_stream_socket connectto ; 
:: [   PASS   ] ::   check permission 'connectto' is present (Assert: '0' should equal '0')
:: [ 18:48:04 ] :: [ INFO    ] :: checking rule 'allow glusterd_t system_dbusd_var_run_t : sock_file { write }'
FILTERED RULES
Found 1 semantic av rules:
   allow glusterd_t system_dbusd_var_run_t : sock_file { write getattr append open } ; 
:: [   PASS   ] ::   check permission 'write' is present (Assert: '0' should equal '0')

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: real scenario -- standalone service
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [  BEGIN   ] :: Running 'echo redhat | passwd --stdin root'
Changing password for user root.
passwd: all authentication tokens updated successfully.
:: [   PASS   ] :: Command 'echo redhat | passwd --stdin root' (Expected 0, got 0)
glusterd_t is defined
:: [  BEGIN   ] :: Running 'service glusterd start'
Starting glusterd:                                         [  OK  ]
:: [   PASS   ] :: Command 'service glusterd start' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'ps -efZ | grep -v " grep " | grep -E "glusterd"'
unconfined_u:system_r:glusterd_t:s0 root 24665     1  0 18:48 ?        00:00:00 /usr/sbin/glusterd --pid-file=/var/run/glusterd.pid
:: [   PASS   ] :: Command 'ps -efZ | grep -v " grep " | grep -E "glusterd"' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'ps -efZ | grep -v " grep " | grep -E "glusterd_t.*glusterd"'
unconfined_u:system_r:glusterd_t:s0 root 24665     1  0 18:48 ?        00:00:00 /usr/sbin/glusterd --pid-file=/var/run/glusterd.pid
:: [   PASS   ] :: Command 'ps -efZ | grep -v " grep " | grep -E "glusterd_t.*glusterd"' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'service glusterd status'
glusterd (pid  24665) is running...
:: [   PASS   ] :: Command 'service glusterd status' (Expected 0,1,3, got 0)
:: [  BEGIN   ] :: Running 'service glusterd restart'
Starting glusterd:                                         [  OK  ]
:: [   PASS   ] :: Command 'service glusterd restart' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'ps -efZ | grep -v " grep " | grep -E "glusterd"'
unconfined_u:system_r:glusterd_t:s0 root 25440     1  0 18:48 ?        00:00:00 /usr/sbin/glusterd --pid-file=/var/run/glusterd.pid
:: [   PASS   ] :: Command 'ps -efZ | grep -v " grep " | grep -E "glusterd"' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'ps -efZ | grep -v " grep " | grep -E "glusterd_t.*glusterd"'
unconfined_u:system_r:glusterd_t:s0 root 25440     1  0 18:48 ?        00:00:00 /usr/sbin/glusterd --pid-file=/var/run/glusterd.pid
:: [   PASS   ] :: Command 'ps -efZ | grep -v " grep " | grep -E "glusterd_t.*glusterd"' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'service glusterd status'
glusterd (pid  25440) is running...
:: [   PASS   ] :: Command 'service glusterd status' (Expected 0,1,3, got 0)
:: [  BEGIN   ] :: Running 'service glusterd stop'
:: [   PASS   ] :: Command 'service glusterd stop' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'service glusterd status'
glusterd is stopped
:: [   PASS   ] :: Command 'service glusterd status' (Expected 0,1,3, got 3)

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: Cleanup
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [ 18:48:43 ] :: Search for AVCs and SELINUX_ERRs since timestamp 'TIMESTAMP' [05/26/2015 18:46:52]
:: [  BEGIN   ] :: Running 'LC_TIME='en_US.UTF-8' ausearch -m AVC -m SELINUX_ERR -ts 05/26/2015 18:46:52 2>&1 | grep -v '<no matches>''
:: [   PASS   ] :: Command 'LC_TIME='en_US.UTF-8' ausearch -m AVC -m SELINUX_ERR -ts 05/26/2015 18:46:52 2>&1 | grep -v '<no matches>'' (Expected 1, got 1)
glusterd is stopped

--- Additional comment from Soumya Koduri on 2015-06-02 01:12:00 EDT ---

I have tested it on RHEL6.7 system (which has this fix).

[root@cutlass system.d]# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 6.7 Beta (Santiago)
[root@cutlass system.d]# 
[root@cutlass system.d]# uname -a
Linux cutlass.lab.eng.blr.redhat.com 2.6.32-562.el6.x86_64 #1 SMP Mon May 18 19:34:59 EDT 2015 x86_64 x86_64 x86_64 GNU/Linux
[root@cutlass system.d]# 


[root@cutlass system.d]# service messagebus restart
Stopping system message bus:                               [  OK  ]
Starting system message bus:                               [  OK  ]
[root@cutlass system.d]# 
[root@cutlass system.d]# 
[root@cutlass system.d]# service nfs-ganesha start
Starting ganesha.nfsd:                                     [  OK  ]
[root@cutlass system.d]# showmount -e localhost
Export list for localhost:
/ (everyone)
[root@cutlass system.d]# 
[root@cutlass system.d]# 
[root@cutlass system.d]# dbus-send --print-reply --system --dest=org.ganesha.nfsd /org/ganesha/nfsd/ExportMgr org.ganesha.nfsd.exportmgr.AddExport string:/etc/ganesha/export_vol1.conf string:"EXPORT(Path=/vol1)"
method return sender=:1.1 -> dest=:1.2 reply_serial=2
   string "1 exports added"
[root@cutlass system.d]# 
[root@cutlass system.d]# 
[root@cutlass system.d]# 
[root@cutlass system.d]# showmount -e localhost
Export list for localhost:
/     (everyone)
/vol1 (everyone)
[root@cutlass system.d]# 
[root@cutlass system.d]# 
[root@cutlass system.d]# 
[root@cutlass system.d]# dbus-send --print-reply --system --dest=org.ganesha.nfsd /org/ganesha/nfsd/ExportMgr org.ganesha.nfsd.exportmgr.RemoveExport uint16:1
method return sender=:1.1 -> dest=:1.4 reply_serial=2
[root@cutlass system.d]# showmount -e localhost
Export list for localhost:
/ (everyone)
[root@cutlass system.d]# 
[root@cutlass system.d]# 

Dynamic volume export/unexport, which uses 'dbus', works now.
We need this fix to be merged into the RHEL6.6 and RHEL7 versions.

--- Additional comment from Soumya Koduri on 2015-06-02 01:28:49 EDT ---

[root@cutlass ~]# getenforce
Enforcing
[root@cutlass ~]# 
[root@cutlass ~]# 
[root@cutlass ~]# ausearch -m avc -m user_avc -m selinux_err -i -ts recent
<no matches>
[root@cutlass ~]#

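The dbus-send export/unexport run and the empty ausearch result above only succeed when the policy carries the three rules the beaker log checks in its bz#1222845 section (send_msg on the dbus class, connectto on the bus socket, write on the socket file). The script below is an added example, not part of the bug report or the beaker test; it parses sesearch(1)-style rule text and reports which of those permissions are missing, falling back to a constructed sample when sesearch is not installed.

```shell
#!/bin/sh
# Added example: verify that glusterd_t is allowed to reach the system D-Bus
# daemon, i.e. the rules checked in the bz#1222845 part of the beaker log.

# Constructed sample of sesearch output, copied from the rules the log prints.
SAMPLE_RULES='Found 3 semantic av rules:
   allow glusterd_t system_dbusd_t : dbus send_msg ;
   allow glusterd_t system_dbusd_t : unix_stream_socket connectto ;
   allow glusterd_t system_dbusd_var_run_t : sock_file { write getattr append open } ;'

# rule_perms RULES SRC TGT CLASS
# Print the permissions of every 'allow SRC TGT : CLASS ...' rule in RULES,
# stripping the braces sesearch uses around multi-permission sets.
rule_perms() {
    printf '%s\n' "$1" |
        sed -n "s/^[[:space:]]*allow $2 $3 : $4 \(.*\);[[:space:]]*\$/\1/p" |
        tr -d '{}'
}

# has_perms RULES SRC TGT CLASS PERM...
# Return 0 when every PERM is granted, 1 otherwise; missing ones go to stderr.
has_perms() {
    rules=$1; src=$2; tgt=$3; cls=$4; shift 4
    granted=" $(rule_perms "$rules" "$src" "$tgt" "$cls" | tr '\n' ' ') "
    missing=""
    for p in "$@"; do
        case "$granted" in
            *" $p "*) ;;
            *) missing="$missing $p" ;;
        esac
    done
    [ -z "$missing" ] && return 0
    echo "missing for $src $tgt:$cls ->$missing" >&2
    return 1
}

# check_dbus_path RULES: the three checks from the bz#1222845 section.
check_dbus_path() {
    has_perms "$1" glusterd_t system_dbusd_t dbus send_msg &&
    has_perms "$1" glusterd_t system_dbusd_t unix_stream_socket connectto &&
    has_perms "$1" glusterd_t system_dbusd_var_run_t sock_file write
}

# live_check: query the loaded policy when sesearch (setools) is available,
# otherwise evaluate the constructed sample so the script runs offline.
live_check() {
    if command -v sesearch >/dev/null 2>&1; then
        check_dbus_path "$(sesearch -A -s glusterd_t 2>/dev/null)"
    else
        check_dbus_path "$SAMPLE_RULES"
    fi
}
```

On a host where the export still fails under Enforcing, a non-zero exit from live_check names the permission the loaded policy lacks, which is the same information the 'bus_bus_get failed' message in the description only hints at.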
--- Additional comment from Milos Malik on 2015-06-02 05:28:21 EDT ---

Thanks for re-testing. Switching to VERIFIED.

--- Additional comment from Soumya Koduri on 2015-06-02 05:30:15 EDT ---

Do we need to wait till this fix gets backported to RHEL6.6 / RHEL7 before marking it as Verified?

--- Additional comment from Milos Malik on 2015-06-02 05:45:33 EDT ---

There's no need to wait. For backporting purposes this bug needs to be proposed for RHEL-6.6.z and RHEL-7.1.z.

Comment 8 errata-xmlrpc 2015-11-19 10:39:58 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2300.html