Bug 1242487
| Field | Value |
|---|---|
| Summary | [SELinux] nfs-ganesha: AVC denied for nfs-ganesha.service, ganesha cluster setup fails in RHEL 7 |
| Product | [Red Hat Storage] Red Hat Gluster Storage |
| Component | nfs-ganesha |
| Version | rhgs-3.1 |
| Status | CLOSED ERRATA |
| Severity | urgent |
| Priority | urgent |
| Reporter | Apeksha <akhakhar> |
| Assignee | Bug Updates Notification Mailing List <rhs-bugs> |
| QA Contact | Apeksha <akhakhar> |
| CC | akhakhar, jherrman, kkeithle, mmadhusu, mmalik, nlevinki, pprakash, rcyriac, saujain, vagarwal |
| Target Milestone | --- |
| Target Release | RHGS 3.1.0 |
| Hardware | x86_64 |
| OS | Linux |
| Fixed In Version | selinux-policy-3.13.1-34.el7 |
| Doc Type | Bug Fix |
| Doc Text | Attempting to set up Gluster storage on an NFS-Ganesha cluster previously failed due to an Access Vector Cache (AVC) denial error. The responsible SELinux policy has been adjusted to allow handling of volumes mounted by NFS-Ganesha, and the described failure no longer occurs. |
| Story Points | --- |
| Clones | 1244272, 1244274 |
| Last Closed | 2015-07-29 05:12:03 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
| Bug Depends On | 1242476, 1244272 |
| Bug Blocks | 1202842, 1212796 |
Description
Apeksha
2015-07-13 12:19:19 UTC

Yes, with the local fix I am able to set up the ganesha cluster and am not seeing the AVC denial for the nfs-ganesha service. But I am seeing 3 more new AVC denied errors:

```
1. type=AVC msg=audit(1436760013.962:3807): avc: denied { read } for pid=13677 comm="find" name="sepolgen" dev="dm-0" ino=135293101 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir
2. type=AVC msg=audit(1436760018.523:3817): avc: denied { connectto } for pid=13746 comm="crm_mon" path=006369625F726F0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:cluster_t:s0 tclass=unix_stream_socket
3. type=AVC msg=audit(1436760019.680:3818): avc: denied { connectto } for pid=13750 comm="cibadmin" path=006369625F72770000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:cluster_t:s0 tclass=unix_stream_socket
```

Is Ganesha able to start various cluster services? Does Ganesha use init scripts or systemd unit files when starting them?

Hi Milos,
We execute "service nfs-ganesha start" to start the NFS-Ganesha service. And after that, as part of the set up, we run various pcs commands to set up the cluster.

crm_mon errors are related to corosync/pacemaker as far as I can see. The set up would have failed because NFS-Ganesha didn't start in the first place.

I was able to set up the cluster with the workaround in comment 2. But yes, I am seeing 3 more AVC denied errors as mentioned in comment 3.

(In reply to Apeksha from comment #7)
> I was able to set up the cluster with the workaround in comment 2.
> But yes, I am seeing 3 more AVC denied errors as mentioned in comment 3.

Apeksha, Milos has provided an updated local policy module in Comment 4 which should resolve the 3 other AVCs you had seen. So please apply that and let us know the test results.

With the workaround mentioned in comment 4, I am able to set up the ganesha cluster, but am seeing 2 AVC errors:

```
1. type=AVC msg=audit(1436813573.923:5217): avc: denied { read } for pid=16855 comm="find" name="sepolgen" dev="dm-0" ino=135293101 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir
2. type=USER_AVC msg=audit(1436813579.129:5220): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=-1 uid=0 gid=0 path="system" scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
```

Seeing this AVC denied error on a fresh RHEL 7.1 setup with the latest selinux rpm, selinux-policy-3.13.1-32.el7.noarch:

```
type=USER_AVC msg=audit(1437124950.248:2418): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=-1 uid=0 gid=0 path="/usr/lib/systemd/system/nfs-ganesha.service" scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:nfsd_unit_file_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
```

Is this AVC message fixed in this rpm, selinux-policy-3.13.1-32.el7.noarch? Or do we still have to use the workaround mentioned in comment 2/comment 4?

```
# rpm -qa selinux-policy\*
selinux-policy-minimum-3.13.1-33.el7.noarch
selinux-policy-sandbox-3.13.1-33.el7.noarch
selinux-policy-doc-3.13.1-33.el7.noarch
selinux-policy-3.13.1-33.el7.noarch
selinux-policy-targeted-3.13.1-33.el7.noarch
selinux-policy-devel-3.13.1-33.el7.noarch
selinux-policy-mls-3.13.1-33.el7.noarch
# sesearch -s glusterd_t -t nfsd_unit_file_t -c service -A -C
# sesearch -s glusterd_t -t nfsd_unit_file_t -c service -D -C
#
```

Unfortunately, the workaround is still needed.

(In reply to Apeksha from comment #11)
> Seeing this AVC denied error on a fresh RHEL 7.1 setup with the latest selinux
> rpm, selinux-policy-3.13.1-32.el7.noarch
>
> type=USER_AVC msg=audit(1437124950.248:2418): pid=1 uid=0 auid=4294967295
> ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { start }
> for auid=-1 uid=0 gid=0 path="/usr/lib/systemd/system/nfs-ganesha.service"
> scontext=system_u:system_r:glusterd_t:s0
> tcontext=system_u:object_r:nfsd_unit_file_t:s0 tclass=service
> exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
>
> Is this AVC message fixed in this rpm, selinux-policy-3.13.1-32.el7.noarch?
>
> Or do we still have to use the workaround mentioned in comment 2/comment 4?

The latest available policy is selinux-policy-3.13.1-33.el7. Are you seeing this issue in that as well? Please check and confirm.

(In reply to Prasanth from comment #13)
> (In reply to Apeksha from comment #11)
> > Seeing this AVC denied error on a fresh RHEL 7.1 setup with the latest selinux
> > rpm, selinux-policy-3.13.1-32.el7.noarch
> >
> > type=USER_AVC msg=audit(1437124950.248:2418): pid=1 uid=0 auid=4294967295
> > ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { start }
> > for auid=-1 uid=0 gid=0 path="/usr/lib/systemd/system/nfs-ganesha.service"
> > scontext=system_u:system_r:glusterd_t:s0
> > tcontext=system_u:object_r:nfsd_unit_file_t:s0 tclass=service
> > exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
> >
> > Is this AVC message fixed in this rpm, selinux-policy-3.13.1-32.el7.noarch?
> >
> > Or do we still have to use the workaround mentioned in comment 2/comment 4?
>
> The latest available policy is selinux-policy-3.13.1-33.el7. Are you seeing
> this issue in that as well? Please check and confirm.

Yes, she has seen the issue with the latest rpms also; she had to put the workaround as mentioned above in this BZ. So it will be preferable that we have the workaround in rpms. Milos, can you confirm that we will have rpms having the fix for the issue so that we can avoid using the workaround?

My plan is to persuade mgrepl to put as many fixes as possible into selinux-policy builds so that you don't need to use workarounds.

I am now not able to see the nfs-ganesha.service denial, but am still seeing the following 2 AVCs as mentioned in comment 9:

```
1. type=AVC msg=audit(1437435504.831:1982): avc: denied { read } for pid=15553 comm="find" name="sepolgen" dev="dm-0" ino=135293101 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir
2. type=USER_AVC msg=audit(1437435509.963:1989): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=-1 uid=0 gid=0 path="system" scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
```

1. looks like /usr/bin/find tried to read from /dev/dm-0.
2. looks like pid 1 (init) was denied a status (i.e. systemctl status $service) on glusterd?

Neither one seems — on the face of things — related to ganesha HA setup, and doesn't appear to have any effect on HA setup. I suggest we defer to 3.1.1.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-1495.html
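As an added example (not from the bug report or the selinux-policy project), the Python below parses the two record shapes quoted in this thread, kernel type=AVC lines and type=USER_AVC lines in which systemd (pid 1) reports the denial inside msg='...', and groups denials by the (source type, target type, class, permission) key that sesearch and a local policy rule operate on, so one can check whether the glusterd_t to nfsd_unit_file_t:service start denial that blocks nfs-ganesha.service is still present after a policy update. The sample records are constructed from the comments above, with the long hex socket path shortened.

```python
import re
from collections import Counter

# Constructed sample covering the record shapes seen in the comments: a kernel
# AVC on a dir, a kernel AVC on a socket (hex path shortened), and a USER_AVC
# reported by systemd for the nfs-ganesha.service start that the bug is about.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1436760013.962:3807): avc: denied { read } for pid=13677 comm="find" name="sepolgen" dev="dm-0" ino=135293101 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir
type=AVC msg=audit(1436760018.523:3817): avc: denied { connectto } for pid=13746 comm="crm_mon" path=006369625F726F00 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:cluster_t:s0 tclass=unix_stream_socket
type=USER_AVC msg=audit(1437124950.248:2418): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=-1 uid=0 gid=0 path="/usr/lib/systemd/system/nfs-ganesha.service" scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:nfsd_unit_file_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
"""

DENIED_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]+?)\s*\}")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Rule key of the denial that stops glusterd from starting nfs-ganesha.service.
GANESHA_START_KEY = ("glusterd_t", "nfsd_unit_file_t", "service", "start")


def parse_avc(line):
    """Return permissions, contexts, class and object of one denial, or None.

    A USER_AVC nests the denial inside msg='...'; its outer subj= (systemd,
    pid 1) is only the reporter, so fields are read after 'avc: denied {..}'.
    """
    m = DENIED_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line[m.end():])}
    return {
        "perms": tuple(m.group(1).split()),
        "user_avc": line.startswith("type=USER_AVC"),
        "scontext": fields.get("scontext"),
        "tcontext": fields.get("tcontext"),
        "tclass": fields.get("tclass"),
        "object": fields.get("path") or fields.get("name"),
    }


def type_of(context):
    """Type component of a user:role:type:level SELinux context."""
    return context.split(":")[2]


def rule_keys(lines):
    """Count denials by (source type, target type, class, permission), the
    granularity at which sesearch answers and a local policy rule is written."""
    counts = Counter()
    for d in filter(None, map(parse_avc, lines)):
        for perm in d["perms"]:
            counts[(type_of(d["scontext"]), type_of(d["tcontext"]), d["tclass"], perm)] += 1
    return counts
```

Run rule_keys over /var/log/audit/audit.log before and after installing a new selinux-policy build; the keys that disappear are the denials the build fixed, and a non-zero count for GANESHA_START_KEY means the workaround from the thread is still needed.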