Bug 1243931
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | [SELinux]: geo-rep: Mount-Broker: umount of aux mount at slave is denied | | |
| Product | [Red Hat Storage] Red Hat Gluster Storage | Reporter | Rahul Hinduja <rhinduja> |
| Component | geo-replication | Assignee | Bug Updates Notification Mailing List <rhs-bugs> |
| Status | CLOSED WONTFIX | QA Contact | Rahul Hinduja <rhinduja> |
| Severity | high | Docs Contact | |
| Priority | unspecified | | |
| Version | rhgs-3.1 | CC | aavati, avishwan, csaba, mgrepl, mmalik, nlevinki, nsathyan, pprakash, rcyriac, vagarwal |
| Target Milestone | --- | Keywords | ZStream |
| Target Release | RHGS 3.1.1 | | |
| Hardware | x86_64 | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | Bug Fix |
| Doc Text | | Story Points | --- |
| Clone Of | | | |
| | 1257883 | Environment | |
| Last Closed | 2015-08-28 10:18:44 UTC | Type | Bug |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | | | |
| Bug Blocks | 1245068, 1251815, 1257883 | | |
Comment #5:

Ok, we don't have

```
#============= mount_t ==============
#!!!! This avc is allowed in the current policy
allow mount_t mnt_t:lnk_file read;
```

in RHEL6. So try with:

```
$ cat mypol.te
policy_module(mypol,1.0)
# declare the types this module references from the base policy
require {
    type mount_t;
    type mnt_t;
}
# let mount/umount (mount_t) read symlinks labelled mnt_t
allow mount_t mnt_t:lnk_file read;
```
Comment #6 (Milos Malik):

Could you try the following workaround without loading the policy module mentioned in comment #5?

```
# chcon -R -t home_root_t /var/mountbroker-root
# sesearch -s mount_t -t home_root_t -c lnk_file -p read -A -C
Found 1 semantic av rules:
   allow mount_t home_root_t : lnk_file { read getattr } ;
```

Comment #7:

(In reply to Milos Malik from comment #6)

> Could you try the following workaround without loading the policy module
> mentioned in comment #5?
>
> # chcon -R -t home_root_t /var/mountbroker-root
> # sesearch -s mount_t -t home_root_t -c lnk_file -p read -A -C
> Found 1 semantic av rules:
>    allow mount_t home_root_t : lnk_file { read getattr } ;

```
[root@georep7 ~]# rpm -qa | grep selinux-policy
selinux-policy-targeted-3.7.19-279.el6.noarch
selinux-policy-3.7.19-279.el6.noarch
[root@georep7 ~]# sesearch -s mount_t -t home_root_t -c lnk_file -p read -A -C
Found 1 semantic av rules:
   allow mount_t home_root_t : lnk_file { read getattr } ;
[root@georep7 ~]#
[root@georep7 ~]# ls -dZ /var/mountbroker-root
drwx--x--x. root root unconfined_u:object_r:home_root_t:s0 /var/mountbroker-root
[root@georep7 ~]#
[root@georep7 ~]# ls -Z /var/mountbroker-root
drwx--x--x. root root unconfined_u:object_r:home_root_t:s0 mb_hive
drwx------. geoaccount root unconfined_u:object_r:home_root_t:s0 user500
[root@georep7 ~]#
```

I do not see the AVC denial after changing the context to home_root:

```
[root@georep7 ~]# cat /var/log/audit/audit.log | audit2allow
#============= glusterd_t ==============
allow glusterd_t showmount_exec_t:file execute;
[root@georep7 ~]# grep -i "avc" /var/log/audit/audit.log | grep -v "showmount"
[root@georep7 ~]#
```

Since in the admin guide we ask the user to create the directory ("/var/mountbroker-root" is just an example) with permission 0711, we can have an additional step to change the context to home_root. This bug would be more of a doc bug. Thanks to Milos for providing the solution.

Follow-up comment:

chcon is a temporary solution, as restorecon can revert the context.

The following 2 steps would be needed in the document after asking the user to create the directory with 0711 permission:

1. `semanage fcontext -a -e /home /var/mountbroker-root`
2. `restorecon -Rv /var/mountbroker-root`
Description of problem:
=======================

After creating the geo-rep session with a non-root user, I tried setting some config options, which triggered the umount of the aux mount at the slave, which is denied.

```
[root@georep5 scripts]# grep -i "AVC" /var/log/audit/audit.log | grep -v "S31ganesha-star"
type=AVC msg=audit(1437057872.077:6982): avc: denied { read } for pid=13159 comm="umount" name="mntKsg0rx" dev=dm-0 ino=133903 scontext=unconfined_u:system_r:mount_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=lnk_file
[root@georep5 scripts]#
[root@georep5 scripts]# ausearch -m avc -i -c umount
----
type=PATH msg=audit(07/16/2015 20:14:32.077:6982) : item=0 name=/var/mountbroker-root/mb_hive/mntKsg0rx inode=133903 dev=fd:00 mode=link,777 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:var_t:s0 nametype=NORMAL
type=CWD msg=audit(07/16/2015 20:14:32.077:6982) : cwd=/
type=SYSCALL msg=audit(07/16/2015 20:14:32.077:6982) : arch=x86_64 syscall=readlink success=no exit=-13(Permission denied) a0=0x7ffe8b0ec410 a1=0x7ffe8b0eb3c0 a2=0x1000 a3=0x7ffe8b0eb110 items=1 ppid=12754 pid=13159 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=572 comm=umount exe=/bin/umount subj=unconfined_u:system_r:mount_t:s0 key=(null)
type=AVC msg=audit(07/16/2015 20:14:32.077:6982) : avc: denied { read } for pid=13159 comm=umount name=mntKsg0rx dev=dm-0 ino=133903 scontext=unconfined_u:system_r:mount_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=lnk_file
[root@georep5 scripts]#
[root@georep5 scripts]# cat /var/log/audit/audit.log | audit2allow
#============= glusterd_t ==============
allow glusterd_t showmount_exec_t:file execute;
#============= mount_t ==============
allow mount_t var_t:lnk_file read;
[root@georep5 scripts]#
[root@georep1 scripts]# rpm -qa | grep selinux-policy
selinux-policy-targeted-3.7.19-279.el6.noarch
selinux-policy-3.7.19-279.el6.noarch
[root@georep1 scripts]#
```
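As an added example that is not part of this bug report, the following POSIX shell script flags audit.log AVC records carrying this bug's signature (umount running as mount_t, denied read on a var_t symlink) and prints the persistent labelling fix the thread settled on instead of chcon. The function names, MB_ROOT and the second sample record are assumptions; both sample records are constructed, the first from the report's own AVC line.

```shell
#!/bin/sh
# Added example (not from this bug report): flag audit.log AVC records that match this
# bug's signature (umount in mount_t denied read on a var_t symlink) and print the fix
# from the thread. Assumes POSIX sh + awk; sample records are constructed from the report.
MB_ROOT="/var/mountbroker-root"   # example path from the admin guide, per the report

# avc_field RECORD KEY -> value of KEY=value in a raw audit record (empty if absent)
avc_field() {
    printf '%s\n' "$1" | awk -v k="$2" '{
        for (i = 1; i <= NF; i++)
            if (index($i, k "=") == 1) { print substr($i, length(k) + 2); exit }
    }'
}

# ctx_type CONTEXT -> the type component of user:role:type:level
ctx_type() { printf '%s\n' "$1" | awk -F: '{ print $3 }'; }

# classify_avc RECORD -> "mountbroker" when the record matches this bug, else "other"
classify_avc() {
    rec=$1
    case "$rec" in *"denied"*"{ read }"*) ;; *) echo other; return 0 ;; esac
    [ "$(avc_field "$rec" comm)" = '"umount"' ] || { echo other; return 0; }
    [ "$(ctx_type "$(avc_field "$rec" scontext)")" = mount_t ] || { echo other; return 0; }
    [ "$(ctx_type "$(avc_field "$rec" tcontext)")" = var_t ] || { echo other; return 0; }
    [ "$(avc_field "$rec" tclass)" = lnk_file ] || { echo other; return 0; }
    echo mountbroker
}

# count_matches FILE -> number of records in FILE that match the signature
count_matches() {
    n=0
    while IFS= read -r rec; do
        [ "$(classify_avc "$rec")" = mountbroker ] && n=$((n + 1))
    done < "$1"
    echo "$n"
}

# remediation -> the persistent fix from the thread (fcontext equivalence, not chcon)
remediation() {
    printf 'semanage fcontext -a -e /home %s\nrestorecon -Rv %s\n' "$MB_ROOT" "$MB_ROOT"
}

# Constructed sample: the report's own AVC line plus an unrelated glusterd record
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
type=AVC msg=audit(1437057872.077:6982): avc: denied { read } for pid=13159 comm="umount" name="mntKsg0rx" dev=dm-0 ino=133903 scontext=unconfined_u:system_r:mount_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=lnk_file
type=AVC msg=audit(1437057900.000:7001): avc: denied { execute } for pid=13200 comm="glusterd" name="showmount" scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:showmount_exec_t:s0 tclass=file
EOF
[ "$(count_matches "$SAMPLE")" -gt 0 ] && { echo "mountbroker denial found; fix:"; remediation; }
rm -f "$SAMPLE"
```

Run it against a copy of /var/log/audit/audit.log by pointing count_matches at that file; a positive count after the fcontext equivalence and restorecon have been applied means the labelling did not take effect.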