Bug 1355774

Summary: Cluster Management and SELinux
Product: [Fedora] Fedora
Reporter: Marek Grac <mgrac>
Component: selinux-policy-targeted
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA
QA Contact: Ben Levenson <benl>
Severity: unspecified
Priority: unspecified
Version: 23
CC: dwalsh, lvrabec
Last Closed: 2016-09-29 22:52:46 UTC
Type: Bug

Description Marek Grac 2016-07-12 14:00:22 UTC
I have a two-node cluster on Fedora 23 (virtual machines) - call them node1, node2.

An attempt to log in to the web management of the cluster (pcsd) works on both of them, but there is a big difference in speed. On node1 it took around 20 seconds, on node2 it took around 2 seconds. I have found several issues, including processes in cluster_t (node1) and unconfined_service_t (node2). The slowest part is somewhere in PAM and it is impacted by SELinux. In permissive mode, node2 is as fast as node1.

type=USER_AVC msg=audit(1468324370.376:434): pid=713 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.53 spid=6292 tpid=9240 scontext=system_u:system_r:fprintd_t:s0 tcontext=system_u:system_r:cluster_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

This AVC occurs only on the slow node. When the package libfprint (fingerprint reader) is removed, the problem is solved. But the issue should be located more precisely.
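
Added example (not part of the original report and not Fedora or selinux-policy code): a small Python parser for the USER_AVC record quoted in the description. It extracts the D-Bus denial from the nested msg='...' payload and counts denials per (source type, target type, class, permission), so the audit logs of a slow and a fast node can be compared. The function names are hypothetical; the sample record is the one from the report.

```python
import re
from collections import Counter

# The USER_AVC record quoted in the bug description.
SAMPLE = (
    "type=USER_AVC msg=audit(1468324370.376:434): pid=713 uid=81 "
    "auid=4294967295 ses=4294967295 "
    "subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 "
    "msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.53 "
    "spid=6292 tpid=9240 scontext=system_u:system_r:fprintd_t:s0 "
    "tcontext=system_u:system_r:cluster_t:s0 tclass=dbus  "
    'exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?\''
)

INNER_RE = re.compile(r"msg='(.*)'\s*$")
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_user_avc(line):
    """Return the fields of a USER_AVC denial, or None for any other line."""
    line = line.strip()
    if not line.startswith("type=USER_AVC"):
        return None
    # A userspace object manager (here dbus-daemon) logs the denial
    # inside the quoted msg='...' payload, not at the top level.
    inner = INNER_RE.search(line)
    avc = AVC_RE.search(inner.group(1)) if inner else None
    if not avc:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(avc.group(2))}
    if "scontext" not in fields or "tcontext" not in fields:
        return None
    fields["perms"] = avc.group(1).split()
    # A context is user:role:type:level; the type is the third field.
    fields["source_type"] = fields["scontext"].split(":")[2]
    fields["target_type"] = fields["tcontext"].split(":")[2]
    return fields


def summarize(lines):
    """Count denials per (source type, target type, class, permission)."""
    counts = Counter()
    for line in lines:
        rec = parse_user_avc(line)
        if rec:
            for perm in rec["perms"]:
                key = (rec["source_type"], rec["target_type"],
                       rec.get("tclass"), perm)
                counts[key] += 1
    return counts
```

Running summarize() over the audit log of each node and diffing the two counters shows which domain pairs are denied on only one of them.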

Comment 1 Fedora Update System 2016-09-16 08:37:43 UTC
selinux-policy-3.13.1-158.24.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-f739cc7524

Comment 2 Fedora Update System 2016-09-17 00:53:15 UTC
selinux-policy-3.13.1-158.24.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-f739cc7524

Comment 3 Fedora Update System 2016-09-29 22:52:46 UTC
selinux-policy-3.13.1-158.24.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.