Bug 1369006

Summary: Gluster Volume is not getting exported after enabling ganesha on the volume
Product: [Community] GlusterFS Reporter: Shashank Raj <sraj>
Component: ganesha-nfsAssignee: bugs <bugs>
Status: CLOSED WORKSFORME QA Contact:
Severity: urgent Docs Contact:
Priority: unspecified    
Version: 3.8.2CC: bugs, jthottan, kkeithle, lvrabec, mgrepl, mmalik, ndevos, plautrba, pvrabec, rcyriac, sashinde, skoduri, sraj, ssekidde, storage-qa-internal
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-09-06 06:53:38 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Shashank Raj 2016-08-22 10:25:03 UTC 
Description of problem:

[SELinux]: Volume is not getting exported after enabling ganesha on the volume.

Version-Release number of selected component (if applicable):

[root@dhcp43-116 exports]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.2 (Maipo)

[root@dhcp43-116 exports]# rpm -qa|grep glusterfs
glusterfs-fuse-3.8.2-0.1.gitd33aa0b.el7rhgs.x86_64
glusterfs-libs-3.8.2-0.1.gitd33aa0b.el7rhgs.x86_64
glusterfs-3.8.2-0.1.gitd33aa0b.el7rhgs.x86_64
glusterfs-client-xlators-3.8.2-0.1.gitd33aa0b.el7rhgs.x86_64
glusterfs-api-3.8.2-0.1.gitd33aa0b.el7rhgs.x86_64
glusterfs-cli-3.8.2-0.1.gitd33aa0b.el7rhgs.x86_64
glusterfs-server-3.8.2-0.1.gitd33aa0b.el7rhgs.x86_64
glusterfs-geo-replication-3.8.2-0.1.gitd33aa0b.el7rhgs.x86_64
glusterfs-ganesha-3.8.2-0.1.gitd33aa0b.el7rhgs.x86_64

[root@dhcp43-116 exports]# rpm -qa|grep ganesha
nfs-ganesha-gluster-next.20160813.2f47e8a-1.el7.centos.x86_64
nfs-ganesha-next.20160813.2f47e8a-1.el7.centos.x86_64
nfs-ganesha-debuginfo-next.20160813.2f47e8a-1.el7.centos.x86_64
glusterfs-ganesha-3.8.2-0.1.gitd33aa0b.el7rhgs.x86_64

[root@dhcp43-116 exports]# rpm -qa|grep selinux
libselinux-utils-2.2.2-6.el7.x86_64
selinux-policy-targeted-3.13.1-60.el7_2.7.noarch
libselinux-2.2.2-6.el7.x86_64
libselinux-python-2.2.2-6.el7.x86_64
selinux-policy-3.13.1-60.el7_2.7.noarch


How reproducible:

Always

Steps to Reproduce:

1. Create a volume and start it

[root@dhcp43-116 ~]# gluster volume create myvolume replica 2 10.70.43.116:/bricks/brick0/b0 10.70.43.88:/bricks/brick0/b0 10.70.42.47:/bricks/brick0/b0 10.70.42.237:/bricks/brick0/b0 
volume create: myvolume: success: please start the volume to access data

[root@dhcp43-116 ~]# gluster vol start myvolume
volume start: myvolume: success

2. Enable ganesha on the volume

[root@dhcp43-116 ~]# gluster vol set myvolume ganesha.enable on
volume set: success

3. Observe that export file gets created under /etc/ganesha/exports

[root@dhcp43-116 ~]# cd /etc/ganesha/exports/
[root@dhcp43-116 exports]# ls
export.myvolume.conf

4. But showmount -e localhost doesn't show the exported volume.

[root@dhcp43-116 exports]# showmount -e localhost
Export list for localhost:

5. Following denial AVC's are seen in audit.log

type=USER_AVC msg=audit(1471880435.035:5194): pid=649 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=signal interface=org.ganesha.nfsd.exportmgr member=AddExport dest=org.ganesha.nfsd spid=17041 tpid=9169 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

type=USER_AVC msg=audit(1471880506.444:5196): pid=649 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.ganesha.nfsd.exportmgr member=RemoveExport dest=org.ganesha.nfsd spid=17605 tpid=9169 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'


Actual results:

Volume is not getting exported after enabling ganesha on the volume.

Expected results:

There should not be any denial AVC's and volume should get exported without any issues.

Additional info:
Comment 1 Niels de Vos 2016-08-22 11:04:26 UTC 
Moving to RHEL-7 + selinux-policy. Gluster or Ganesha can not fix this by itself.
Comment 4 Shashank Raj 2016-08-23 09:00:34 UTC 
Hi Lukas,

this bug is filed wrt 7.2 and even for 7.2 i think its fixed with selinux-policy-3.13.1-60.el7_2.7.

Can you just confirm that?

We suspect this has to do something with how nfs-ganesha is being brought up in the system.

selinux context on the machine where we see this issue:

[root@dhcp43-116 ~]# ps -eafZ | grep ganesha
system_u:system_r:initrc_t:s0   root      9169     1 13 19:37 ?        00:18:20 /usr/bin/ganesha.nfsd -L /var/log/ganesha.log -f /etc/ganesha/ganesha.conf -N NIV_EVENT

selinux context on the machine where this is fixed:

[root@dhcp43-208 ~]# ps -eafZ | grep ganesha

system_u:system_r:glusterd_t:s0 root     10202     1 25 Jul25 ?        7-02:53:34 /usr/bin/ganesha.nfsd -L /var/log/ganesha.log -f /etc/ganesha/ganesha.conf -N NIV_EVENT -E 6311201610069442560

Once you confirm, that it is fixed with 7.2 as well, i will move it back to the appropriate component.
Comment 6 Shashank Raj 2016-08-23 11:15:53 UTC 
Thanks Lukas.

Based on comment 3,4 and 5, moving the fields back to original.
Comment 7 Shashank Raj 2016-08-24 08:14:31 UTC 
Tried the same with nfs-ganesha 2.3 packages and no selinux issue related to exporting volume is seen.

[root@dhcp43-116 exports]# rpm -qa|grep ganesha
nfs-ganesha-2.3.3-1.el7.x86_64
glusterfs-ganesha-3.8.2-0.1.gitd33aa0b.el7rhgs.x86_64
nfs-ganesha-gluster-2.3.3-1.el7.x86_64
Comment 8 Shashank Raj 2016-09-01 09:25:41 UTC 
This issue is not seen in testing with the latest gluster and ganesha builds.

Below packages have been used and tested:

glusterfs-geo-replication-3.8.3-0.6.git7956718.el7.centos.x86_64
glusterfs-api-3.8.3-0.6.git7956718.el7.centos.x86_64
glusterfs-fuse-3.8.3-0.6.git7956718.el7.centos.x86_64
glusterfs-server-3.8.3-0.6.git7956718.el7.centos.x86_64
glusterfs-libs-3.8.3-0.6.git7956718.el7.centos.x86_64
glusterfs-client-xlators-3.8.3-0.6.git7956718.el7.centos.x86_64
glusterfs-ganesha-3.8.3-0.6.git7956718.el7.centos.x86_64
glusterfs-cli-3.8.3-0.6.git7956718.el7.centos.x86_64
glusterfs-debuginfo-3.8.3-0.6.git7956718.el7.centos.x86_64
glusterfs-3.8.3-0.6.git7956718.el7.centos.x86_64

[root@dhcp43-116 ~]# rpm -qa|grep ganesha
nfs-ganesha-gluster-next.20160827.7641daf-1.el7.centos.x86_64
glusterfs-ganesha-3.8.3-0.6.git7956718.el7.centos.x86_64
nfs-ganesha-debuginfo-next.20160827.7641daf-1.el7.centos.x86_64
nfs-ganesha-next.20160827.7641daf-1.el7.centos.x86_64
Comment 9 Jiffin 2016-09-06 06:51:14 UTC 
Can u please close this bug?
Comment 10 Shashank Raj 2016-09-06 06:53:38 UTC 
Based on comment 8 since this issue is not seen with latest gluster and ganesha builds, closing this bug.