Bug 1333903

Summary: [SELinux]: Found avc of type=USER_AVC for class dbus during glusterfs-ganesha validation -RHEL7
Product: Red Hat Enterprise Linux 7 Reporter: Marcel Kolaja <mkolaja>
Component: selinux-policyAssignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: urgent Docs Contact: Marie Hornickova <mdolezel>
Priority: high    
Version: 7.2CC: akhakhar, bugs, jthottan, kkeithle, lvrabec, mdolezel, mgrepl, mkolaja, mmalik, ndevos, plautrba, pprakash, pvrabec, rhinduja, skoduri, sraj, ssekidde
Target Milestone: rcKeywords: ZStream
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.13.1-60.el7_2.5 Doc Type: Bug Fix
Doc Text:
When the nfs-ganesha server was set up on four nodes with 2X2 volume, the volume was not exported after the nfs-ganesha service was enabled. With this update, a workaround has been provided which ensures that the volume is exported as expected in the described scenario.
 Story Points: ---
Clone Of: 1312809 Environment:
Last Closed: 2016-06-23 05:52:33 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1312809    
Bug Blocks:    

Description Marcel Kolaja 2016-05-06 15:37:59 UTC 
This bug has been copied from bug #1312809 and has been proposed
to be backported to 7.2 z-stream (EUS).
Comment 9 Shashank Raj 2016-05-17 10:48:18 UTC 
With the latest selinux-policy-3.13.1-60.el7_2.5, we are hitting an issue where refresh config performed on a volume fails with below AVC's.

type=USER_AVC msg=audit(1463442563.908:18059): pid=652 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.3872 spid=12852 tpid=21897 scontext=system_u:system_r:glusterd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?''

We need to have a fix for this as well
Comment 10 Milos Malik 2016-05-26 08:00:44 UTC 
I'm going to switch this bug to VERIFIED, because latest selinux-policy packages contain the fix needed for RHEL-7.2.z. The USER_AVC mentioned in comment#9 is addressed in BZ#1336760, which was proposed for RHEL-7.2.z but did not get rhel-7.2.z+ flag yet.
Comment 13 errata-xmlrpc 2016-06-23 05:52:33 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:1279