Bug 1284179

Summary: Missing SELinux Type Enforcement rules for glusterfs-rdma server
Product: [Community] GlusterFS Reporter: mobaer <rhel-bugzilla>
Component: glusterd Assignee: Mohammed Rafi KC <rkavunga>
Status: CLOSED EOL QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: 3.7.6 CC: bugs, hchiramm, rhel-bugzilla
Target Milestone: --- Keywords: Triaged
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-03-08 11:03:38 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description mobaer 2015-11-21 14:12:43 UTC
Description of problem:

When using glusterfs-server with glusterfs-rdma on a SELinux-enabled system, a volume using transport-type (tcp,)rdma cannot be mounted by clients or replicated between servers as long as glusterd is started through systemd/systemctl. However, manually starting glusterd as root and restarting glusterfsd seems to work.

Version-Release number of selected component (if applicable):
3.7.6

How reproducible:
Always

Steps to Reproduce:
1. On two systems with SELinux in Enforcing mode and InfiniBand already set up, install glusterfs-server and glusterfs-rdma
2. Create a replicated volume with bricks on both servers
3. Start the volume with the force option
4. Restart gluster(fs)d using (on both servers):
4a. systemctl restart glusterfsd
4b. systemctl restart glusterd

Actual results:

Volumes may be shown in gluster volume status, but are not accessible/mountable by clients.

Expected results:
Volumes are replicated/accessible and mountable by clients.
Furthermore, steps 4a and 4b are still needed when using the workaround, but should not be, according to the documentation.

Additional info:
Using audit2allow from policycoreutils-python, I generated the following SELinux TE module for glusterfs with the rdma transport type on the server side:
#=========start=========
module gluster 1.0;

require {
	type unconfined_t;
	type glusterd_t;
	type infiniband_device_t;
	class process signal;
	class unix_stream_socket connectto;
	class capability ipc_lock;
	class chr_file { read write open };
}

#============= glusterd_t ==============

#!!!! This avc is allowed in the current policy
# Access to the /dev/infiniband/* device nodes (audit2allow reports this one as already permitted by the loaded policy)
allow glusterd_t infiniband_device_t:chr_file { read write open };
# CAP_IPC_LOCK within glusterd's own domain (needed to pin memory registered for RDMA)
allow glusterd_t self:capability ipc_lock;
# Let glusterd signal processes running in the unconfined_t domain ...
allow glusterd_t unconfined_t:process signal;
# ... and connect to unix stream sockets owned by unconfined_t processes
allow glusterd_t unconfined_t:unix_stream_socket connectto;
#==========end==========

Building the pp file of the module and importing it on both servers (using semodule -i) made the volumes available/mountable after following steps 1 to 4b.
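Added example (not part of the bug report and not GlusterFS project code): a POSIX shell script that regenerates a module like the reporter's from raw AVC denial lines and drives the build steps the report only names (checkmodule, semodule_package, semodule -i). The AVC lines are constructed here to match the four rules above; on a real server they come from ausearch -m avc -c glusterd. The awk block is a deliberately simplified stand-in for audit2allow's rule generation: it merges permissions per source/target/class and writes self for same-domain capability denials, but it does not consult the loaded policy, which is how the real tool knew the chr_file rule was already allowed. Two caveats a practitioner would want before loading such a module: ipc_lock is the capability RDMA needs to pin registered memory, so that rule is expected for a transport-type rdma brick; the two unconfined_t rules, by contrast, can only arise if something glusterd talked to was itself running unconfined, which matches the manual-start workaround described above (an inference here, not something the report states), so they deserve a second look rather than a blanket allow. semodule -i needs root and has to be run on every server, as the report notes.

```sh
#!/bin/sh
# Added example (not from the bug report): rebuild a glusterd TE module from AVC
# denials, then build it with the policycoreutils tool chain.
#
# CONSTRUCTED sample denials, modelled on what audit.log shows for this bug.
# On a real host replace with:  ausearch -m avc -c glusterd -ts recent
AVC_SAMPLE='type=AVC msg=audit(1448115163.101:900): avc:  denied  { ipc_lock } for  pid=4321 comm="glusterd" capability=14  scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:glusterd_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1448115163.102:901): avc:  denied  { read } for  pid=4321 comm="glusterd" name="uverbs0" dev="devtmpfs" ino=12345 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:infiniband_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1448115163.103:902): avc:  denied  { read write open } for  pid=4321 comm="glusterd" path="/dev/infiniband/uverbs0" dev="devtmpfs" ino=12345 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:infiniband_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1448115163.104:903): avc:  denied  { signal } for  pid=4321 comm="glusterd" scontext=system_u:system_r:glusterd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0
type=AVC msg=audit(1448115163.105:904): avc:  denied  { connectto } for  pid=4321 comm="glusterd" path="/var/run/glusterd.socket" scontext=system_u:system_r:glusterd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0'

# avc_to_te MODULE_NAME < avc_lines : print a complete .te module on stdout.
# Simplified audit2allow: merges perms per (source, target, class), uses "self"
# when source and target domains match, and builds the require block from what
# it saw.  It does NOT check whether a rule is already allowed by the loaded policy.
avc_to_te() {
    awk -v mod="$1" '
    function fmt(p) { return index(p, " ") ? "{ " p " }" : p }
    function add(arr, key, val,   s) {              # add val to the space-separated set arr[key]
        s = " " arr[key] " "
        if (index(s, " " val " ") == 0) arr[key] = ((arr[key] == "") ? val : (arr[key] " " val))
    }
    /avc: +denied/ {
        perms = $0
        sub(/.*denied +[{] */, "", perms); sub(/ *[}].*/, "", perms)
        match($0, /scontext=[^ ]+/); split(substr($0, RSTART + 9, RLENGTH - 9), sc, ":")
        match($0, /tcontext=[^ ]+/); split(substr($0, RSTART + 9, RLENGTH - 9), tc, ":")
        match($0, /tclass=[^ ]+/);   cls = substr($0, RSTART + 7, RLENGTH - 7)
        src = sc[3]; tgt = (tc[3] == src) ? "self" : tc[3]     # third field of u:r:t:range is the type
        if (!(src in seen_t)) { seen_t[src] = 1; types[++nt] = src }
        if (tgt != "self" && !(tgt in seen_t)) { seen_t[tgt] = 1; types[++nt] = tgt }
        if (!(cls in seen_c)) { seen_c[cls] = 1; classes[++nc] = cls }
        key = src " " tgt ":" cls
        if (!(key in rule)) { rule[key] = ""; order[++nr] = key }
        n = split(perms, pa, " ")
        for (i = 1; i <= n; i++) { add(rule, key, pa[i]); add(cperm, cls, pa[i]) }
    }
    END {
        print "module " mod " 1.0;\n\nrequire {"
        for (i = 1; i <= nt; i++) print "\ttype " types[i] ";"
        for (i = 1; i <= nc; i++) print "\tclass " classes[i] " " fmt(cperm[classes[i]]) ";"
        print "}\n"
        for (i = 1; i <= nr; i++) print "allow " order[i] " " fmt(rule[order[i]]) ";"
    }'
}

# build_module path/NAME.te : compile to NAME.mod and package NAME.pp beside it.
# Skips cleanly where policycoreutils is not installed (e.g. a non-SELinux workstation).
build_module() {
    te="$1"; base="${te%.te}"
    if ! command -v checkmodule >/dev/null 2>&1 || ! command -v semodule_package >/dev/null 2>&1; then
        echo "checkmodule/semodule_package not installed (policycoreutils); skipping build" >&2
        return 0
    fi
    checkmodule -M -m -o "$base.mod" "$te" || return 1      # -M: MLS policy, -m: loadable module
    semodule_package -o "$base.pp" -m "$base.mod" || return 1
    echo "built $base.pp; load it on every server as root with: semodule -i $base.pp" >&2
}

# verify_rule SRC TGT CLASS : show what the *loaded* policy allows (needs setools).
verify_rule() {
    command -v sesearch >/dev/null 2>&1 || { echo "sesearch not installed (setools-console)" >&2; return 0; }
    sesearch -A -s "$1" -t "$2" -c "$3"
}

# Demo run on the constructed sample.
workdir="$(mktemp -d)"
printf '%s\n' "$AVC_SAMPLE" | avc_to_te gluster > "$workdir/gluster.te"
cat "$workdir/gluster.te"
build_module "$workdir/gluster.te"
verify_rule glusterd_t infiniband_device_t chr_file
```

After semodule -i on both servers, repeat steps 4a and 4b and then confirm no new glusterd denials appear (ausearch -m avc -c glusterd -ts recent should come back empty) before declaring the mount working.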

Comment 1 Kaushal 2017-03-08 11:03:38 UTC
This bug is getting closed because GlusterFS-3.7 has reached its end-of-life.

Note: This bug is being closed using a script. No verification has been performed to check if it still exists on newer releases of GlusterFS.
If this bug still exists in newer GlusterFS releases, please reopen this bug against the newer release.