Bug 1336760

Summary: [SELinux]: refresh-config fails with denial AVC related to /usr/bin/dbus-daemon
Product: Red Hat Enterprise Linux 7 Reporter: Prasanth <pprakash>
Component: selinux-policyAssignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: urgent Docs Contact: Marie Hornickova <mdolezel>
Priority: high    
Version: 7.2CC: jthottan, kkeithle, lvrabec, mdolezel, mgrepl, mmalik, ndevos, plautrba, pprakash, pvrabec, rcyriac, skoduri, snagar, sraj, ssekidde, storage-qa-internal
Target Milestone: rcKeywords: Regression, ZStream
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.13.1-74.el7 Doc Type: If docs needed, set a value
Doc Text:
Due to the denial of the Access Vectore Cache (AVC), refresh of the configuration file for the dbus message daemon failed in the situation where the nfs-ganesha server was installed on four nodes and volume was created. With this update, a workaround has been provided which ensures that the configuration file now refreshes as expected.
 Story Points: ---
Clone Of: 1336732
: 1340365 (view as bug list) Environment:
Last Closed: 2016-11-04 02:29:25 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1335114, 1336732, 1340365    

Description Prasanth 2016-05-17 12:11:56 UTC 
+++ This bug was initially created as a clone of Bug #1336732 +++

Description of problem:

refresh-config fails with denial AVC related to /usr/bin/dbus-daemon

Version-Release number of selected component (if applicable):

glusterfs-3.7.9-5
nfs-ganesha-2.3.1-7
selinux-policy-3.13.1-60.el7_2.5.noarch

How reproducible:

Always

Steps to Reproduce:
1.Create a 4 node ganesha cluster.
2.Create a volume and enable ganesha on it
3.Change some parameter in volume export file and perform a refresh config on the volume. Observe that it fails and below USER_AVC is seen in audit.log

[root@dhcp37-44 exports]# /usr/libexec/ganesha/ganesha-ha.sh --refresh-config /etc/ganesha/ testvolume
Error: refresh-config failed on dhcp37-111

following AVC is seen in audit.log

type=USER_AVC msg=audit(1463444111.125:18338): pid=652 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.3942 spid=31935 tpid=32163 scontext=system_u:system_r:glusterd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'


Actual results:

There should not be any denial AVC's

Expected results:

refresh config should work as expected

Additional info:

performed the same test on previous builds and it works fine:

glusterfs-3.7.9-3.el7rhgs.x86_64
nfs-ganesha-2.3.1-4.el7rhgs.x86_64
selinux-policy-3.13.1-60.el7_2.3.noarch

[root@dhcp46-247 exports]# /usr/libexec/ganesha/ganesha-ha.sh --refresh-config /etc/ganesha/ testvolume
Refresh-config completed on dhcp46-202.
Refresh-config completed on dhcp46-26.
Refresh-config completed on dhcp47-139.
Success: refresh-config completed.

--- Additional comment from Red Hat Bugzilla Rules Engine on 2016-05-17 06:59:20 EDT ---

This bug is automatically being proposed for the current z-stream release of Red Hat Gluster Storage 3 by setting the release flag 'rhgs‑3.1.z' to '?'. 

If this bug should be proposed for a different release, please manually change the proposed release flag.

--- Additional comment from RHEL Product and Program Management on 2016-05-17 07:52:24 EDT ---

This bug report has Keywords: Regression or TestBlocker.

Since no regressions or test blockers are allowed between releases,
it is also being identified as a blocker for this release.

Please resolve ASAP.

--- Additional comment from Kaleb KEITHLEY on 2016-05-17 08:01:26 EDT ---

workaround: use selinux-policy-3.13.1-60.el7_2.4.noarch
Comment 8 errata-xmlrpc 2016-11-04 02:29:25 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2283.html