Bug 1382345

Summary: [RHEL7] SELinux prevents starting of RDMA transport type volumes
Product: [Red Hat Storage] Red Hat Gluster Storage
Reporter: Anoop C S <anoopcs>
Component: rdma
Assignee: Anoop C S <anoopcs>
Status: CLOSED ERRATA
QA Contact: Anil Shah <ashah>
Severity: high
Docs Contact:
Priority: high
Version: rhgs-3.1
CC: rcyriac, rhinduja, rhs-bugs, rwheeler
Target Milestone: ---
Target Release: RHGS 3.2.0
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1384488
Environment:
Last Closed: 2017-03-23 06:08:46 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1386620
Bug Blocks: 1351528

Description Anoop C S 2016-10-06 12:21:15 UTC
Description of problem:
GlusterFS volumes with RDMA transport type fail to start on issuing `gluster volume start <VOLNAME>` when SELinux is set to 'Enforcing' mode. Even though `gluster volume start <VOLNAME> force` succeeds, brick processes are never brought up.

Following that, the SELinux mode was changed to permissive, and volume start followed by FUSE mounting worked as expected, with the following AVCs:

type=AVC msg=audit(1475755220.412:356): avc:  denied  { read write } for  pid=8325 comm="glusterfsd" name="rdma_cm" dev="devtmpfs" ino=16130 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:infiniband_device_t:s0 tclass=chr_file
type=AVC msg=audit(1475755220.412:356): avc:  denied  { open } for  pid=8325 comm="glusterfsd" path="/dev/infiniband/rdma_cm" dev="devtmpfs" ino=16130 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:infiniband_device_t:s0 tclass=chr_file
type=AVC msg=audit(1475755220.929:357): avc:  denied  { ipc_lock } for  pid=8367 comm="glusterfs" capability=14  scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:glusterd_t:s0 tclass=capability

Version-Release number of selected component (if applicable):
Red Hat Gluster Storage Server 3.1 Update 3
Red Hat Enterprise Linux Server release 7.2 (Maipo)

How reproducible:
Always

Steps to Reproduce:
1. Set up RDMA stack based on IPoIB.
2. Make sure that SELinux mode is set to 'Enforcing'.
3. Create a simple 1 brick volume with transport type RDMA.
4. Try to start the volume.
5. Alternatively force start the volume.
6. Check volume status and search for AVCs in audit log.
7. Set SELinux to permissive mode.
8. Stop and start the volume.
9. Try FUSE mounting the volume.
10. Search for AVCs in audit log.

Actual results:
SELinux in Enforcing mode
-------------------------
volume start: <VOLNAME>: failed: Commit failed on localhost. Please check log file for details.
Mount failed. Please check the log file for more details.

SELinux in Permissive mode
-------------------------
volume start: <VOLNAME>: success
Mount was successful
AVCs listed in description were seen

Expected results:
Whether SELinux is in Enforcing or Permissive mode
volume start: <VOLNAME>: success
Mount should be successful
and no AVCs must be present in audit logs

Additional info:
Brick log snippet
-----------------
[2016-10-05 10:58:06.877872] W [MSGID: 103071] [rdma.c:4594:__gf_rdma_ctx_create] 0-rpc-transport/rdma: rdma_cm event channel creation failed [Permission denied]
[2016-10-05 10:58:06.877899] W [MSGID: 103055] [rdma.c:4901:init] 0-rdma.vol-server: Failed to initialize IB Device
[2016-10-05 10:58:06.877912] W [rpc-transport.c:359:rpc_transport_load] 0-rpc-transport: 'rdma' initialization failed
[2016-10-05 10:58:06.877973] W [rpcsvc.c:1627:rpcsvc_create_listener] 0-rpc-service: cannot create listener, initing the transport failed
[2016-10-05 10:58:06.877994] W [MSGID: 115045] [server.c:1074:init] 0-vol-server: creation of listener failed
[2016-10-05 10:58:06.878013] E [MSGID: 101019] [xlator.c:433:xlator_init] 0-vol-server: Initialization of volume 'vol-server' failed, review your volfile again
[2016-10-05 10:58:06.878025] E [graph.c:322:glusterfs_graph_init] 0-vol-server: initializing translator failed
[2016-10-05 10:58:06.878034] E [graph.c:661:glusterfs_graph_activate] 0-graph: init failed
[2016-10-05 10:58:06.878741] W [glusterfsd.c:1251:cleanup_and_exit] (-->/usr/sbin/glusterfsd(mgmt_getspec_cbk+0x331) [0x7f84dd72e891] -->/usr/sbin/glusterfsd(glusterfs_process_volfp+0x172) [0x7f84dd729212] -->/usr/sbin/glusterfsd(cleanup_and_exit+0x6b) [0x7f84dd72878b] ) 0-: received signum (1), shutting down

Mount log snippet
-----------------
[2016-10-06 12:12:52.743521] W [MSGID: 103071] [rdma.c:1294:gf_rdma_cm_event_handler] 0-vol-client-0: cma event RDMA_CM_EVENT_REJECTED, error 28 (me:192.168.1.1:1022 peer:192.168.1.1:24008)
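A triage helper for the AVC records quoted above, added here as an example; it is not part of the bug report nor of the Gluster or selinux-policy code. It parses `type=AVC` audit lines into structured records and derives the minimal allow rules (the kind `audit2allow` prints) for the `glusterd_t` domain, so an administrator can see at a glance that the denials cover `chr_file` access to the `rdma_cm` device and the `ipc_lock` capability. The sample log reuses the three AVCs from the description plus one constructed non-AVC record to show that it is filtered out; the function names are the example's own. Whether such rules belong in a local module or should wait for the distribution policy (as this bug's fix did) is a decision the output only informs.

```python
"""Triage SELinux AVC denials from an audit log.

Added example: parses ``type=AVC`` records into dicts and derives the minimal
allow rules (what ``audit2allow`` would print) so a defender can judge whether
a denial is a policy gap or a process stepping outside its intended access.
"""
import re

# Sample input: the three AVC records quoted in the bug description, plus one
# constructed non-AVC record (CRED_ACQ) to show that the parser ignores it.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1475755220.412:356): avc:  denied  { read write } for  pid=8325 comm="glusterfsd" name="rdma_cm" dev="devtmpfs" ino=16130 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:infiniband_device_t:s0 tclass=chr_file
type=AVC msg=audit(1475755220.412:356): avc:  denied  { open } for  pid=8325 comm="glusterfsd" path="/dev/infiniband/rdma_cm" dev="devtmpfs" ino=16130 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:infiniband_device_t:s0 tclass=chr_file
type=AVC msg=audit(1475755220.929:357): avc:  denied  { ipc_lock } for  pid=8367 comm="glusterfs" capability=14  scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:glusterd_t:s0 tclass=capability
type=CRED_ACQ msg=audit(1475755221.001:358): pid=8400 uid=0 auid=0 ses=1 msg='op=PAM:setcred acct="root" exe="/usr/sbin/sshd" res=success'
"""

AVC_RE = re.compile(
    r"^type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC record, or None for any other record type."""
    m = AVC_RE.match(line.strip())
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "pid": int(fields["pid"]) if "pid" in fields else None,
        "comm": fields.get("comm"),
        "scontext": fields.get("scontext"),
        "tcontext": fields.get("tcontext"),
        "tclass": fields.get("tclass"),
        # What was accessed: a path if the kernel had one, else the inode name,
        # else the capability number for tclass=capability.
        "target": fields.get("path") or fields.get("name") or fields.get("capability"),
    }


def parse_audit_log(text):
    """Parse every AVC record in a block of audit.log text."""
    records = []
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is not None:
            records.append(rec)
    return records


def context_type(ctx):
    """user:role:type[:range] -> type."""
    return ctx.split(":")[2]


def derive_allow_rules(records):
    """Collapse denials into the minimal ``allow`` rules that would permit them.

    Denials where source and target share a type are written against ``self``,
    as audit2allow does. Returns sorted TE rule strings.
    """
    needed = {}
    for rec in records:
        if rec["result"] != "denied":
            continue
        src = context_type(rec["scontext"])
        tgt = context_type(rec["tcontext"])
        key = (src, "self" if src == tgt else tgt, rec["tclass"])
        needed.setdefault(key, set()).update(rec["perms"])
    rules = []
    for (src, tgt, tclass), perms in needed.items():
        if len(perms) == 1:
            perm_str = next(iter(perms))
        else:
            perm_str = "{ " + " ".join(sorted(perms)) + " }"
        rules.append(f"allow {src} {tgt}:{tclass} {perm_str};")
    return sorted(rules)


if __name__ == "__main__":
    recs = parse_audit_log(SAMPLE_AUDIT_LOG)
    for r in recs:
        print(f"{r['comm']}[{r['pid']}] {r['result']} {r['perms']} on "
              f"{r['tclass']} {r['target']} ({context_type(r['scontext'])} -> "
              f"{context_type(r['tcontext'])})")
    print("\nMinimal rules covering these denials:")
    for rule in derive_allow_rules(recs):
        print("  " + rule)
```

Run against a real `/var/log/audit/audit.log` by passing the file contents to `parse_audit_log`; the `target` field distinguishes the device-node denials (a path or inode name) from the capability denial (a bare capability number), which is the split the brick log and mount log above reflect.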

Comment 2 Mohammed Rafi KC 2016-10-18 06:22:39 UTC
The fix depends on bug 1384488. Since that bug is acked for rhel-7.3, setting devel ack for the rhgs bug.

Comment 4 Anil Shah 2016-10-24 13:50:24 UTC
Not seeing AVC denied messages after upgrading selinux policy to selinux-policy-3.13.1-102.el7_3.4

Hence marking this bug verified.

Comment 6 errata-xmlrpc 2017-03-23 06:08:46 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2017-0486.html