| Summary: | [RHEL7] SELinux prevents starting of RDMA transport type volumes |
|---|---|
| Product: | Red Hat Enterprise Linux 7 |
| Reporter: | Raghavendra Talur <rtalur> |
| Component: | selinux-policy |
| Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED ERRATA |
| QA Contact: | Milos Malik <mmalik> |
| Severity: | high |
| Docs Contact: | Mirek Jahoda <mjahoda> |
| Priority: | high |
| Version: | 7.2 |
| CC: | anoopcs, lvrabec, mgrepl, mjahoda, mkolaja, mmalik, plautrba, pvrabec, rcyriac, rhs-bugs, rkavunga, rtalur, rwheeler, snagar, ssekidde, storage-qa-internal |
| Target Milestone: | rc |
| Keywords: | ZStream |
| Target Release: | --- |
| Hardware: | x86_64 |
| OS: | Linux |
| Fixed In Version: | selinux-policy-3.13.1-105.el7 |
| Doc Type: | Bug Fix |
| Doc Text: | Previously, the SELinux policy prevented the GlusterFS volumes configured for the Remote Direct Memory Access (RDMA) transport from starting. With this update, a patch has been applied that fixes this bug, and the SELinux denial no longer occurs in the described situation. |
| Story Points: | --- |
| Clone Of: | 1382345 |
| : | 1386620 |
| Last Closed: | 2017-08-01 15:15:11 UTC |
| Type: | Bug |
| Regression: | --- |
| Mount Type: | --- |
| Documentation: | --- |
| Category: | --- |
| oVirt Team: | --- |
| Cloudforms Team: | --- |
| Bug Blocks: | 1386620 |

Hi Miroslav,

With the local policy provided in Comment #1, I could create, start and fuse mount RDMA transport type GlusterFS volumes and AVCs from the bug description are no longer seen.

(In reply to Anoop C S from comment #5)
> Hi Miroslav,
>
> With the local policy provided in Comment #1, I could create, start and fuse
> mount RDMA transport type GlusterFS volumes and AVCs from the bug description
> are no longer seen.

Great. Thank you for testing.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1861

Here is a workaround until an official fix becomes available:

```
# cat glusterfs-rdma.te
policy_module(glusterfs-rdma, 1.0)

require {
  type glusterd_t;
  type infiniband_device_t;
  class capability { ipc_lock };
  class chr_file { getattr open read write };
}

allow glusterd_t glusterd_t : capability { ipc_lock };
allow glusterd_t infiniband_device_t : chr_file { getattr open read write };

# make -f /usr/share/selinux/devel/Makefile
Compiling targeted glusterfs-rdma module
/usr/bin/checkmodule: loading policy configuration from tmp/glusterfs-rdma.tmp
/usr/bin/checkmodule: policy configuration loaded
/usr/bin/checkmodule: writing binary representation (version 17) to tmp/glusterfs-rdma.mod
Creating targeted glusterfs-rdma.pp policy package
rm tmp/glusterfs-rdma.mod.fc tmp/glusterfs-rdma.mod
# semodule -i glusterfs-rdma.pp
#
```

The Makefile comes from the selinux-policy-devel package.
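
One way to check audit records against the two allow rules of the workaround module, in the spirit of the test reported in comment #5. This is an added example, not part of the bug report: the function names are hypothetical, the audit lines are constructed samples rather than the AVCs from the bug description, and the `ioctl` record is included only to show how a permission outside the module's grant is reported. It handles plain `allow` rules with braces only, not attributes or macros.

```python
import re

# The allow rules from the workaround module on this page.
POLICY_TE = """
allow glusterd_t glusterd_t : capability { ipc_lock };
allow glusterd_t infiniband_device_t : chr_file { getattr open read write };
"""

# Constructed sample audit records (not taken from the bug report).
SAMPLE_AVCS = """\
type=AVC msg=audit(1476700000.101:501): avc:  denied  { ipc_lock } for  pid=2101 comm="glusterfsd" capability=14  scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:glusterd_t:s0 tclass=capability
type=AVC msg=audit(1476700000.102:502): avc:  denied  { read write } for  pid=2101 comm="glusterfsd" name="rdma_cm" dev="devtmpfs" ino=9001 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:infiniband_device_t:s0 tclass=chr_file
type=AVC msg=audit(1476700000.103:503): avc:  denied  { ioctl } for  pid=2101 comm="glusterfsd" path="/dev/infiniband/uverbs0" dev="devtmpfs" ino=9002 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:infiniband_device_t:s0 tclass=chr_file
"""

ALLOW_RE = re.compile(r"allow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s*\{([^}]*)\}\s*;")
AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}.*?scontext=[^:]+:[^:]+:(\w+):\S*"
                    r"\s+tcontext=[^:]+:[^:]+:(\w+):\S*\s+tclass=(\w+)")

def parse_allow_rules(te_text):
    """Map (source type, target type, class) -> set of allowed permissions."""
    rules = {}
    for src, tgt, cls, perms in ALLOW_RE.findall(te_text):
        if tgt == "self":  # 'self' is shorthand for the source type
            tgt = src
        rules.setdefault((src, tgt, cls), set()).update(perms.split())
    return rules

def uncovered_denials(te_text, audit_text):
    """Return (source, target, class, missing perms) for each AVC the rules do not fully cover."""
    rules = parse_allow_rules(te_text)
    gaps = []
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial record
        perms, src, tgt, cls = m.groups()
        missing = set(perms.split()) - rules.get((src, tgt, cls), set())
        if missing:
            gaps.append((src, tgt, cls, sorted(missing)))
    return gaps

if __name__ == "__main__":
    for gap in uncovered_denials(POLICY_TE, SAMPLE_AVCS):
        print("not covered by the local module:", gap)
```

An empty result means every denial in the input falls within what the module grants; anything listed needs review before the policy is widened.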