Bug 1326066
Summary: [hc][selinux] AVC denial messages seen in audit.log while starting the volume in HCI environment
Product: [Red Hat Storage] Red Hat Gluster Storage
Component: glusterd
Version: rhgs-3.1
Status: CLOSED ERRATA
Severity: high
Priority: unspecified
Reporter: SATHEESARAN <sasundar>
Assignee: Kaushal <kaushal>
QA Contact: SATHEESARAN <sasundar>
CC: amukherj, knarra, rcyriac, rhinduja, rhs-bugs, sabose, storage-qa-internal, vbellur
Target Release: RHGS 3.2.0
Hardware: x86_64
OS: Linux
Fixed In Version: glusterfs-3.8.4-1
Doc Type: Known Issue
Doc Text: Cause: TBD
Environment: RHEV-RHGS HCI, RHEL 7.2
Last Closed: 2017-03-23 05:28:37 UTC
Type: Bug
Bug Blocks: 1277939, 1351522
Description
SATHEESARAN
2016-04-11 17:12:31 UTC
I checked the logs of the system on which this occurred. The AVC denial happened at the moment GlusterD had a pmap_signin event. The signin event caused the portmapper table to be initialized. When the portmap table is initialized, GlusterD tries to find out all available free ports on the system by trying to bind to ports from 0 to 65536. As a part of it, it also tries to bind 2223, which causes the AVC denial audit log. This doesn't affect the functioning of GlusterFS in any way, and the AVC denial message is benign.

I do remember a patch from Raghavendra Talur in upstream [1] where the lower limit is set to 49152. We shouldn't be seeing this issue once the patch gets rebased as part of 3.8 and eventually rhgs-3.1.2.

I am setting internal whiteboard to 3.2, any objection?

[1] http://review.gluster.org/13841

(In reply to Atin Mukherjee from comment #2)
> I do remember a patch from Raghavendra Talur in upstream [1] where the lower
> limit is set to 49152. We shouldn't be seeing this issue once the patch gets
> rebased as part of 3.8 and eventually rhgs-3.1.2.
>
> I am setting internal whiteboard to 3.2, any objection?
>
> [1] http://review.gluster.org/13841

Looks ok to move this fix to 3.2

I mark this issue as a known_issue for RHEV-RHGS HCI LA release ( RHGS 3.1.3 ), so that admins should not misinterpret this AVC as a serious harm.

Upstream mainline : http://review.gluster.org/13841
Upstream 3.8 : Available as part of branching from mainline

And the fix is available in rhgs-3.2.0 as part of rebase to GlusterFS 3.8.4.

No AVC denials are seen with RHGS 3.2.0 interim build ( glusterfs-3.8.4-2.el7rhgs ).
[root@ ~]# less /var/log/audit/audit.log
audit.log audit.log.1 audit.log.2 audit.log.3 audit.log.4
[root@ ~]# less /var/log/audit/audit.log | audit2allow
Nothing to do
[root@ ~]# less /var/log/audit/audit.log.1 | audit2allow
Nothing to do
[root@ ~]# less /var/log/audit/audit.log.2 | audit2allow
Nothing to do
[root@ ~]# less /var/log/audit/audit.log.3 | audit2allow
Nothing to do
[root@ ~]# less /var/log/audit/audit.log.4 | audit2allow
Nothing to do

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2017-0486.html
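
Added example (not from this bug report or from the GlusterFS project): a triage of audit.log AVC records that separates glusterd `name_bind` denials on ports below 49152, which match the free-port probing described in the comments, from denials this bug does not explain. It assumes the usual auditd AVC record layout; the function names are hypothetical, and the sample records and the `example_port_t` / `example_conf_t` labels are constructed.

```python
import re

# Lower limit of the port range after the upstream patch, as stated in the bug.
PATCHED_LOWER_LIMIT = 49152

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC denial record, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec['perms'] = m.group('perms').split()
    return rec

def classify(rec):
    """'probe': glusterd name_bind below the patched lower limit; else 'review'."""
    port = rec.get('src', '')
    if (rec.get('comm') == 'glusterd' and rec['perms'] == ['name_bind']
            and port.isdigit() and int(port) < PATCHED_LOWER_LIMIT):
        return 'probe'
    return 'review'

def triage(lines):
    """Split AVC denials into port-probe noise and records that need review."""
    out = {'probe': [], 'review': []}
    for line in lines:
        rec = parse_avc(line)
        if rec:
            out[classify(rec)].append(rec)
    return out

# Constructed sample records (assumption: not taken from the affected system).
SAMPLE = [
    'type=AVC msg=audit(1460394751.101:310): avc:  denied  { name_bind } for  pid=2101 comm="glusterd" src=2223 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:example_port_t:s0 tclass=tcp_socket',
    'type=AVC msg=audit(1460394751.140:311): avc:  denied  { name_bind } for  pid=2101 comm="glusterd" src=49160 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:example_port_t:s0 tclass=tcp_socket',
    'type=AVC msg=audit(1460394752.007:312): avc:  denied  { read } for  pid=2101 comm="glusterd" name="example.conf" dev="dm-0" ino=1234 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:example_conf_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1460394752.007:312): arch=c000003e syscall=2 success=no exit=-13 comm="glusterd"',
]

if __name__ == '__main__':
    for kind, recs in triage(SAMPLE).items():
        for r in recs:
            print(kind, r['perms'], r.get('src', '-'), r.get('tcontext'))
```

On a build that already carries the fix, any record in the `probe` bucket is unexpected and worth a second look, since the patched lower limit should keep glusterd away from those ports.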