Previously, the SELinux policy prevented the GlusterFS volumes configurated for the Remote Direct Memory Access (RDMA) transport from starting. With this update, a patch has been applied that fixes this bug, and the SELinux denial no longer occurs in the described situation.
Hi Miroslav,
With the local policy provided in Comment #1, I could create, start and fuse mount RDMA transport type GlusterFS volumes and AVCs from bug description are no longer seen.
(In reply to Anoop C S from comment #5)
> Hi Miroslav,
>
> With the local policy provided in Comment #1, I could create, start and fuse
> mount RDMA transport type GlusterFS volumes and AVCs from bug description
> are no longer seen.
Great. Thank you for testing.
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2017:1861
Here is a workaround until an official fix becomes available: # cat glusterfs-rdma.te policy_module(glusterfs-rdma, 1.0) require { type glusterd_t; type infiniband_device_t; class capability { ipc_lock }; class chr_file { getattr open read write }; } allow glusterd_t glusterd_t : capability { ipc_lock }; allow glusterd_t infiniband_device_t : chr_file { getattr open read write }; # make -f /usr/share/selinux/devel/Makefile Compiling targeted glusterfs-rdma module /usr/bin/checkmodule: loading policy configuration from tmp/glusterfs-rdma.tmp /usr/bin/checkmodule: policy configuration loaded /usr/bin/checkmodule: writing binary representation (version 17) to tmp/glusterfs-rdma.mod Creating targeted glusterfs-rdma.pp policy package rm tmp/glusterfs-rdma.mod.fc tmp/glusterfs-rdma.mod # semodule -i glusterfs-rdma.pp # The Makefile comes from selinux-policy-devel package.