| Summary: | [RHEL6] SELinux prevents FUSE mounting of RDMA transport type volumes | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Raghavendra Talur <rtalur> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | high | Docs Contact: | Mirek Jahoda <mjahoda> |
| Priority: | high | | |
| Version: | 6.8 | CC: | anoopcs, dwalsh, lvrabec, mgrepl, mjahoda, mmalik, plautrba, pvrabec, rcyriac, rhs-bugs, rkavunga, rwheeler, salmy, ssekidde, storage-qa-internal |
| Target Milestone: | rc | Keywords: | ZStream |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | Previously, the SELinux policy prevented File System in User Space (FUSE) mounting of GlusterFS volumes configured for the Remote Direct Memory Access (RDMA) transport. With this update, a patch has been applied that fixes this bug, and the SELinux denial no longer occurs in the described situation. | Story Points: | --- |
| Clone Of: | 1382319 | | |
| : | 1388582 | Environment: | |
| Last Closed: | 2017-03-21 09:47:55 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Bug Depends On: | | | |
| Bug Blocks: | 1388582 | | |

Hi Milos,

With the local policy provided in Comment #1, I could create, start and FUSE mount RDMA transport type GlusterFS volumes, and the AVCs from the bug description are no longer seen.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2017-0627.html

Here is a workaround until an official fix becomes available:

```
# cat glusterfs-rdma.te
policy_module(glusterfs-rdma, 1.0)

require {
    type glusterd_t;
    class capability { ipc_lock };
}

allow glusterd_t glusterd_t : capability { ipc_lock };

# make -f /usr/share/selinux/devel/Makefile
Compiling targeted glusterfs-rdma module
/usr/bin/checkmodule: loading policy configuration from tmp/glusterfs-rdma.tmp
/usr/bin/checkmodule: policy configuration loaded
/usr/bin/checkmodule: writing binary representation (version 10) to tmp/glusterfs-rdma.mod
Creating targeted glusterfs-rdma.pp policy package
rm tmp/glusterfs-rdma.mod tmp/glusterfs-rdma.mod.fc
# semodule -i glusterfs-rdma.pp
#
```

The Makefile comes from the selinux-policy package.
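
A check one could run on audit records before and after loading the workaround module, as an added example that is not part of the original bug report: it parses AVC denial records and lists every denial that the module's single allow rule does not cover. The audit lines are constructed sample input, and `example_device_t` is a hypothetical type.

```python
import re

# Constructed sample audit records (not taken from the bug report). The second
# record uses a hypothetical target type, example_device_t.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1476700000.101:501): avc:  denied  { ipc_lock } for  pid=2101 comm="glusterd" capability=14  scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=unconfined_u:system_r:glusterd_t:s0 tclass=capability
type=AVC msg=audit(1476700000.205:502): avc:  denied  { read write } for  pid=2101 comm="glusterd" name="example0" dev=devtmpfs ino=9001 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:example_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1476700000.205:502): arch=c000003e syscall=2 success=no exit=-13 comm="glusterd"
""".splitlines()

# The single rule granted by the glusterfs-rdma module shown in the workaround:
#   allow glusterd_t glusterd_t : capability { ipc_lock };
MODULE_RULES = {("glusterd_t", "glusterd_t", "capability"): {"ipc_lock"}}

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)


def selinux_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]


def parse_denials(lines):
    """Return one (source_type, target_type, class, permission) per denied permission."""
    denials = []
    for line in lines:
        match = AVC_RE.search(line)
        if match is None:  # SYSCALL, PATH and other non-AVC records
            continue
        key = (selinux_type(match["scon"]), selinux_type(match["tcon"]), match["tclass"])
        denials.extend(key + (perm,) for perm in match["perms"].split())
    return denials


def uncovered_denials(lines, rules=MODULE_RULES):
    """Denials that the given allow rules do not cover, sorted and de-duplicated."""
    return sorted({d for d in parse_denials(lines) if d[3] not in rules.get(d[:3], set())})


if __name__ == "__main__":
    for source, target, tclass, perm in uncovered_denials(SAMPLE_AUDIT_LOG):
        print(f"not covered: allow {source} {target} : {tclass} {{ {perm} }};")
```

An empty result for the denials logged during a mount attempt means the local module accounts for all of them; anything listed needs separate review rather than a blanket allow rule.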