Bug 1331585
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | [SELinux]: Cases in pynfs test suite fails because of selinux errors. | | |
| Product | Red Hat Enterprise Linux 6 | Reporter | Shashank Raj <sraj> |
| Component | selinux-policy | Assignee | Lukas Vrabec <lvrabec> |
| Status | CLOSED ERRATA | QA Contact | Milos Malik <mmalik> |
| Severity | urgent | Docs Contact | Mirek Jahoda <mjahoda> |
| Priority | high | | |
| Version | 6.8 | CC | dwalsh, jthottan, kkeithle, lvrabec, mgrepl, mjahoda, mmalik, mzywusko, ndevos, nlevinki, plautrba, pprakash, pvrabec, rcyriac, rhs-bugs, salmy, skoduri, ssekidde, storage-qa-internal |
| Target Milestone | rc | Keywords | ZStream |
| Target Release | --- | | |
| Hardware | x86_64 | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | selinux-policy-3.7.19-293.el6 | Doc Type | Bug Fix |
| Doc Text | Previously, with SELinux in enforcing mode, it was not possible to create a UNIX Domain Socket on the Red Hat Gluster Storage volumes. As a consequence, the user could not store containers on the volumes. The relevant policy module has been updated, and the user is now able to store containers on the Red Hat Storage Gluster volumes. | | |
| Story Points | --- | | |
| Clone Of | 1331559 | | |
| | 1393267 | Environment | |
| Last Closed | 2017-03-21 09:46:06 UTC | Type | Bug |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | | | |
| Bug Blocks | 1343211, 1380695, 1393267 | | |
Description
Shashank Raj
2016-04-28 21:36:05 UTC
I need to know the output of the following command:

```
# matchpathcon /bricks /bricks/brick0
```

It seems that the bricks mountpoint is mislabeled completely. The following command may help, if file context equivalence is set correctly:

```
# restorecon -Rv /bricks
```

I ran the tests again on a fresh setup with details as below:

```
[root@dhcp43-33 exports]# matchpathcon /bricks /bricks/brick0
/bricks	system_u:object_r:default_t:s0
/bricks/brick0	system_u:object_r:glusterd_brick_t:s0
```

In enforcing mode: there are around 2 failed cases and 50 dependent skipped cases, failed cases are below:

```
LOOKSOCK st_lookup.testSocket : FAILURE
    LOOKUP of /testvolume/tree/socket should return NFS4_OK, instead got NFS4ERR_NOENT
MKSOCK st_create.testSocket : FAILURE
    CREATE in empty dir should return NFS4_OK, instead got NFS4ERR_ACCESS
```

and the following AVC's are observed in audit.log:

```
type=AVC msg=audit(1462480124.699:350): avc: denied { create } for pid=16497 comm="glusterfsd" name="MKSOCK" scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:glusterd_brick_t:s0 tclass=sock_file
type=AVC msg=audit(1462480124.870:425): avc: denied { create } for pid=15296 comm="glusterfsd" name="MKSOCK" scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:glusterd_brick_t:s0 tclass=sock_file
type=AVC msg=audit(1462479597.505:415): avc: denied { create } for pid=11567 comm="glusterfsd" name="socket" scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:glusterd_brick_t:s0 tclass=sock_file
type=AVC msg=audit(1462479598.306:427): avc: denied { create } for pid=9570 comm="glusterfsd" name="socket" scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:glusterd_brick_t:s0 tclass=sock_file
```

--------------------------------------------------------------------------

In permissive mode: All the cases passed with below AVC's in audit.log:

```
type=AVC msg=audit(1462481726.816:383): avc: denied { create } for pid=25652 comm="glusterfsd" name="MKSOCK" scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:glusterd_brick_t:s0 tclass=sock_file
type=AVC msg=audit(1462481199.769:448): avc: denied { create } for pid=13766 comm="glusterfsd" name="socket" scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:glusterd_brick_t:s0 tclass=sock_file
type=AVC msg=audit(1462481726.816:384): avc: denied { setattr } for pid=25652 comm="glusterfsd" name="MKSOCK" dev=dm-16 ino=62915497 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:glusterd_brick_t:s0 tclass=sock_file
type=AVC msg=audit(1462481199.770:449): avc: denied { setattr } for pid=13766 comm="glusterfsd" name="socket" dev=dm-6 ino=8388888 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:glusterd_brick_t:s0 tclass=sock_file
type=AVC msg=audit(1462481726.816:385): avc: denied { getattr } for pid=25652 comm="glusterfsd" path="/bricks/brick2/b2/tmp/MKSOCK" dev=dm-16 ino=62915497 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:glusterd_brick_t:s0 tclass=sock_file
type=AVC msg=audit(1462481199.770:450): avc: denied { getattr } for pid=13766 comm="glusterfsd" path="/bricks/brick0/b0/tree/socket" dev=dm-6 ino=8388888 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:glusterd_brick_t:s0 tclass=sock_file
type=AVC msg=audit(1462481726.816:386): avc: denied { link } for pid=25652 comm="glusterfsd" name="MKSOCK" dev=dm-16 ino=62915497 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:glusterd_brick_t:s0 tclass=sock_file
type=AVC msg=audit(1462481199.770:451): avc: denied { link } for pid=13766 comm="glusterfsd" name="socket" dev=dm-6 ino=8388888 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:glusterd_brick_t:s0 tclass=sock_file
type=AVC msg=audit(1462482205.624:393): avc: denied { unlink } for pid=29560 comm="glusterfsd" name="e7049fab-60bc-4562-a1bc-575a2e12de0d" dev=dm-6 ino=62917648 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:glusterd_brick_t:s0 tclass=sock_file
type=AVC msg=audit(1462482099.851:468): avc: denied { create } for pid=27431 comm="glusterfsd" name="SATT6s" scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:glusterd_brick_t:s0 tclass=sock_file
type=AVC msg=audit(1462481848.917:458): avc: denied { unlink } for pid=25033 comm="glusterfsd" name="4a878063-2595-4aa4-8768-e03ebd149b1e" dev=dm-16 ino=62914943 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:glusterd_brick_t:s0 tclass=sock_file
type=AVC msg=audit(1462481849.717:470): avc: denied { unlink } for pid=24276 comm="glusterfsd" name="4a878063-2595-4aa4-8768-e03ebd149b1e" dev=dm-16 ino=62914943 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:glusterd_brick_t:s0 tclass=sock_file
type=AVC msg=audit(1462481726.816:383): avc: denied { create } for pid=25652 comm="glusterfsd" name="MKSOCK" scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:glusterd_brick_t:s0 tclass=sock_file
type=AVC msg=audit(1462482099.852:469): avc: denied { setattr } for pid=27431 comm="glusterfsd" name="SATT6s" dev=dm-6 ino=62917648 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:glusterd_brick_t:s0 tclass=sock_file
type=AVC msg=audit(1462481199.769:448): avc: denied { create } for pid=13766 comm="glusterfsd" name="socket" scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:glusterd_brick_t:s0 tclass=sock_file
type=AVC msg=audit(1462481200.570:460): avc: denied { create } for pid=23443 comm="glusterfsd" name="socket" scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:glusterd_brick_t:s0 tclass=sock_file
type=AVC msg=audit(1462482099.852:470): avc: denied { getattr } for pid=27431 comm="glusterfsd" path="/bricks/brick0/b0/tmp/SATT6s" dev=dm-6 ino=62917648 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:glusterd_brick_t:s0 tclass=sock_file
```

Let me know in case any other information is required.

Could you re-run your scenario after applying this workaround?

```
# cat bz1331561.te
policy_module(bz1331561, 1.0)

require {
	type glusterd_t;
	type glusterd_brick_t;
	class sock_file { create getattr setattr link unlink };
}

allow glusterd_t glusterd_brick_t : sock_file { create getattr setattr link unlink };

# make -f /usr/share/selinux/devel/Makefile
Compiling targeted bz1331561 module
/usr/bin/checkmodule:  loading policy configuration from tmp/bz1331561.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 17) to tmp/bz1331561.mod
Creating targeted bz1331561.pp policy package
rm tmp/bz1331561.mod.fc tmp/bz1331561.mod
# semodule -i bz1331561.pp
#
```

Verified the bug with the above workaround and all the cases are passed without any issues and no AVC's are seen in audit.log.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2017-0627.html
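Added example, not code from the bug report or from the selinux-policy project: a small Python parser that groups the AVC records quoted above by source type, target type and object class and renders the allow rule they imply. Run over the permissive-mode records it yields exactly the single allow line of the workaround module, which is the check a policy reviewer wants before loading a local module (the rule covers the observed denials and nothing more). The regex, function names and the one SYSCALL line are mine.

```python
import re
from collections import defaultdict

# Fields of an AVC "denied" record that decide the policy rule: the permission
# set in braces, the source and target security contexts, and the object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def type_of(context):
    """Third component of a SELinux context, e.g. glusterd_t from unconfined_u:system_r:glusterd_t:s0."""
    return context.split(":")[2]

def collect_denials(lines):
    """Group denied permissions by (source type, target type, object class)."""
    denials = defaultdict(set)
    for line in lines:
        m = AVC_RE.search(line)
        if m is None:
            continue  # not an AVC denial (SYSCALL record, truncated line, ...)
        key = (type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"])
        denials[key].update(m["perms"].split())
    return dict(denials)

def allow_rules(denials):
    """Render each group as a type-enforcement allow rule, permissions sorted."""
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(denials.items())
    ]

# One record per denied permission, copied from the permissive-mode audit.log
# excerpt in the report; the final SYSCALL line is constructed to show skipping.
SAMPLE_AUDIT = [
    'type=AVC msg=audit(1462481726.816:383): avc: denied { create } for pid=25652 comm="glusterfsd" name="MKSOCK" scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:glusterd_brick_t:s0 tclass=sock_file',
    'type=AVC msg=audit(1462481726.816:384): avc: denied { setattr } for pid=25652 comm="glusterfsd" name="MKSOCK" dev=dm-16 ino=62915497 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:glusterd_brick_t:s0 tclass=sock_file',
    'type=AVC msg=audit(1462481726.816:385): avc: denied { getattr } for pid=25652 comm="glusterfsd" path="/bricks/brick2/b2/tmp/MKSOCK" dev=dm-16 ino=62915497 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:glusterd_brick_t:s0 tclass=sock_file',
    'type=AVC msg=audit(1462481726.816:386): avc: denied { link } for pid=25652 comm="glusterfsd" name="MKSOCK" dev=dm-16 ino=62915497 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:glusterd_brick_t:s0 tclass=sock_file',
    'type=AVC msg=audit(1462482205.624:393): avc: denied { unlink } for pid=29560 comm="glusterfsd" name="e7049fab-60bc-4562-a1bc-575a2e12de0d" dev=dm-6 ino=62917648 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:glusterd_brick_t:s0 tclass=sock_file',
    'type=SYSCALL msg=audit(1462481726.816:383): arch=c000003e syscall=49 success=yes exit=0 comm="glusterfsd"',  # constructed
]

if __name__ == "__main__":
    for rule in allow_rules(collect_denials(SAMPLE_AUDIT)):
        print(rule)
```

audit2allow does the same job in production; the point of spelling it out is to see that only the two type fields, the class and the permission set decide the rule, so a rule built from these records grants nothing beyond what glusterfsd was actually denied.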