Bug 1349796
Summary: | [SELinux]: Denial AVC's related to dbus daemon is seen in audit.logs | | |
---|---|---|---|
Product: | [Red Hat Storage] Red Hat Gluster Storage | Reporter: | Shashank Raj <sraj> |
Component: | nfs-ganesha | Assignee: | Soumya Koduri <skoduri> |
Status: | CLOSED ERRATA | QA Contact: | surabhi <sbhaloth> |
Severity: | high | Docs Contact: | |
Priority: | urgent | | |
Version: | rhgs-3.1 | CC: | amukherj, asrivast, jthottan, kkeithle, mzywusko, ndevos, pprakash, rcyriac, rhinduja, sbhaloth, skoduri |
Target Milestone: | --- | Keywords: | SELinux, Triaged, ZStream |
Target Release: | RHGS 3.2.0 | | |
Hardware: | x86_64 | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | selinux-policy-3.13.1-102.el7_3.6 | Doc Type: | If docs needed, set a value |
Doc Text: | | Story Points: | --- |
Clone Of: | | | |
: | 1349798 | Environment: | |
Last Closed: | 2017-03-23 06:22:38 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | 1393494 | | |
Bug Blocks: | 1351522 | | |

Description
Shashank Raj
2016-06-24 09:40:00 UTC
From RHEL BZ https://bugzilla.redhat.com/show_bug.cgi?id=1349798

"Unfortunately we were not able to address the issue in development phase therefore we postpone it to next minor product update. If you consider the issue important and urgent please revert this change and provide business justification."

And given there is no functional impact, this can't be taken in for 3.2.0

Since we are seeing this issue with RHEL 7 RHGS ISO very frequently and it will impact setting up nfs-ganesha cluster because of pcs cluster authentication failure, increasing the severity and priority of this bug.

(In reply to Shashank Raj from comment #3)
> Since we are seeing this issue with RHEL 7 RHGS ISO very frequently and it
> will impact setting up nfs-ganesha cluster because of pcs cluster
> authentication failure, increasing the severity and priority of this bug.

Could you please test this scenario and check the behaviour on the ISO based on RHEL 7.3 (once available)?

Given 7.3 is GAed, moving this BZ to ON_QA

I tried setting up ganesha on RHGS ISO based on RHEL7.3 and encountered the following avc's:

type=USER_AVC msg=audit(1478610842.335:9956): pid=700 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.955 spid=27072 tpid=26238 scontext=system_u:system_r:fprintd_t:s0 tcontext=system_u:system_r:cluster_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

and the pcs cluster auth fails with the following error:

failed: [10.70.47.161] (item=10.70.46.128) => {"changed": true, "cmd": "pcs cluster auth -u hacluster -p hacluster 10.70.46.128", "delta": "0:00:55.672225", "end": "2016-11-08 08:44:01.921278", "failed": true, "item": "10.70.46.128", "rc": 1, "start": "2016-11-08 08:43:06.249053", "stderr": "Error: Unable to communicate with 10.70.46.128", "stdout": "", "stdout_lines": [], "warnings": []}

This needs to be fixed sooner as nfs-ganesha setup will fail on 7.3 based RHGS ISO.

(In reply to Atin Mukherjee from comment #6)
> Given 7.3 is GAed, moving this BZ to ON_QA

Could you provide the SELinux policy build details which fixes this issue? As per BZ https://bugzilla.redhat.com/show_bug.cgi?id=1349798 it has not been fixed as part of 7.3 release and we definitely need a fix for it sooner. Moving it back to assigned.

The testing is done on RHEL7.3 based RHGS ISO which is shipped on Nov 8 2016. The RHGS ISO contains SELinux policy:

selinux-policy-3.13.1-102.el7.noarch
selinux-policy-targeted-3.13.1-102.el7.noarch

And the avc's are seen while setting up ganesha.

After upgrading the SELinux policy from LIVE (rhel base channel), the SELinux package gets updated to:

selinux-policy-3.13.1-102.el7_3.4.noarch
selinux-policy-targeted-3.13.1-102.el7_3.4.noarch

And the issue is still reproducible.

With the latest SELinux packages built for batch update of RHEL7.3:

selinux-policy-3.13.1-102.el7_3.6.noarch
selinux-policy-targeted-3.13.1-102.el7_3.6.noarch

Verified that the avc's related to dbus are not seen on a RHEL7.3 based ISO installation and upgrading to 3.2 bits as well. Marking the BZ verified.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2017-0493.html
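
For triaging denials like the one quoted in this report, the following added example (not part of the bug report or of any Red Hat tooling) parses dbus `USER_AVC` records from audit.log and counts them by source type, target type, class and permission. The function names are hypothetical, `REPORTED` is the record copied from the comment above, and `KERNEL_AVC` is a constructed line.

```python
import re
from collections import Counter

# USER_AVC record copied from the report above (one audit.log line).
REPORTED = (
    "type=USER_AVC msg=audit(1478610842.335:9956): pid=700 uid=81 "
    "auid=4294967295 ses=4294967295 "
    "subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 "
    "msg='avc: denied { send_msg } for msgtype=method_return dest=:1.955 "
    "spid=27072 tpid=26238 scontext=system_u:system_r:fprintd_t:s0 "
    "tcontext=system_u:system_r:cluster_t:s0 tclass=dbus "
    'exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?\''
)
# Constructed kernel AVC line, included to show that it is skipped.
KERNEL_AVC = (
    "type=AVC msg=audit(1478610900.001:9960): avc:  denied  { read } for "
    'pid=1234 comm="example" scontext=system_u:system_r:example_t:s0 '
    "tcontext=system_u:object_r:etc_t:s0 tclass=file"
)

INNER_RE = re.compile(r"msg='(.*)'\s*$")          # payload written by dbus-daemon
AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')        # key=value or key="value"

def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else ""

def parse_user_avc(line):
    """Parse one USER_AVC denial into a dict, or return None for other lines."""
    inner = INNER_RE.search(line) if line.startswith("type=USER_AVC") else None
    avc = AVC_RE.search(inner.group(1)) if inner else None
    if not avc:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(avc.group(2))}
    rec["perms"] = avc.group(1).split()
    rec["source_type"] = selinux_type(rec.get("scontext", ""))
    rec["target_type"] = selinux_type(rec.get("tcontext", ""))
    return rec

def summarize(lines):
    """Count denials per (source type, target type, class, permission)."""
    counts = Counter()
    for rec in filter(None, map(parse_user_avc, lines)):
        for perm in rec["perms"]:
            counts[(rec["source_type"], rec["target_type"], rec.get("tclass"), perm)] += 1
    return counts

if __name__ == "__main__":
    for key, n in summarize([REPORTED, KERNEL_AVC]).items():
        print(n, *key)
```

Feeding it the lines of an audit.log taken before and after the selinux-policy update shows whether the `fprintd_t` to `cluster_t` `send_msg` denial still occurs.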