Bug 1399698
| Summary: | AVCs seen when ganesha cluster nodes are rebooted | |||
|---|---|---|---|---|
| Product: | [Red Hat Storage] Red Hat Gluster Storage | Reporter: | Arthy Loganathan <aloganat> | |
| Component: | common-ha | Assignee: | Kaleb KEITHLEY <kkeithle> | |
| Status: | CLOSED ERRATA | QA Contact: | Arthy Loganathan <aloganat> | |
| Severity: | high | Docs Contact: | ||
| Priority: | high | |||
| Version: | rhgs-3.2 | CC: | aloganat, amukherj, dang, ffilz, jthottan, kkeithle, mbenjamin, mgrepl, mmalik, msaini, rcyriac, rhinduja, rhs-bugs, sbhaloth, skoduri, sraj, storage-qa-internal | |
| Target Milestone: | --- | |||
| Target Release: | RHGS 3.2.0 | |||
| Hardware: | x86_64 | |||
| OS: | Linux | |||
| Whiteboard: | ||||
| Fixed In Version: | selinux-policy-3.13.1-102.el7_3.12 | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 1400493 (view as bug list) | Environment: | ||
| Last Closed: | 2017-03-23 05:52:24 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | 1408125 | |||
| Bug Blocks: | 1351528 | |||
Does this workaround help? # cat bz1399698.te policy_module(bz1399698,1.0) require { type glusterd_t; type init_t; class service { stop }; } allow glusterd_t init_t : service { stop }; # make -f /usr/share/selinux/devel/Makefile Compiling targeted bz1399698 module /usr/bin/checkmodule: loading policy configuration from tmp/bz1399698.tmp /usr/bin/checkmodule: policy configuration loaded /usr/bin/checkmodule: writing binary representation (version 17) to tmp/bz1399698.mod Creating targeted bz1399698.pp policy package rm tmp/bz1399698.mod.fc tmp/bz1399698.mod # semodule -i bz1399698.pp # The /usr/share/selinux/devel/Makefile comes from selinux-policy-devel package. With this local fix suggested, I have tried running the test and the issue is not seen. However, I assume functionality is not getting impacted with this AVC and its seen intermittently. Checked on rhel 6.8 [root@dhcp37-156 core]# cat /etc/redhat-release Red Hat Enterprise Linux Server release 6.8 (Santiago) [root@dhcp37-156 core]# rpm -qa | grep selinux libselinux-2.0.94-7.el6.x86_64 selinux-policy-targeted-3.7.19-292.el6_8.2.noarch libselinux-python-2.0.94-7.el6.x86_64 libselinux-utils-2.0.94-7.el6.x86_64 selinux-policy-3.7.19-292.el6_8.2.noarch No AVC's were observed on reboot of 2 ganesha node out of 4 node Verified the fix in build and no AVCs are seen while rebooting the nodes. nfs-ganesha-gluster-2.4.1-6.el7rhgs.x86_64 nfs-ganesha-2.4.1-6.el7rhgs.x86_64 glusterfs-ganesha-3.8.4-12.el7rhgs.x86_64 selinux-policy-3.13.1-102.el7_3.13.noarch Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHSA-2017-0486.html |
Description of problem: On a 4 node ganesha cluster, when 2 nodes are rebooted the following AVC is seen. type=USER_AVC msg=audit(11/29/2016 17:09:05.621:5138) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: denied { stop } for auid=root uid=root gid=root cmdline="/bin/systemctl stop corosync-qdevice.service" scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=service exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=? Version-Release number of selected component (if applicable): [root@dhcp46-42 ~]# rpm -qa | grep ganesha glusterfs-ganesha-3.8.4-5.el7rhgs.x86_64 nfs-ganesha-gluster-2.4.1-1.el7rhgs.x86_64 [root@dhcp46-42 ~]# rpm -qa | grep selinux libselinux-utils-2.5-6.el7.x86_64 libselinux-2.5-6.el7.x86_64 libselinux-python-2.5-6.el7.x86_64 selinux-policy-3.13.1-102.el7_3.4.noarch selinux-policy-targeted-3.13.1-102.el7_3.4.noarch How reproducible: Intermittent Steps to Reproduce: 1. Create a 4 node ganesha cluster. 2. Reboot 2 nodes in the cluster so that pacemaker quorum will be lost and starts stopping the services in cluster on all the nodes. Actual results: AVCs are seen. type=USER_AVC msg=audit(11/29/2016 17:09:05.621:5138) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: denied { stop } for auid=root uid=root gid=root cmdline="/bin/systemctl stop corosync-qdevice.service" scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=service exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=? Expected results: No AVCs should be seen. Additional info: [root@node1~]# ausearch -m avc -m user_avc -m selinux_err -i -ts today ---- type=USER_AVC msg=audit(11/29/2016 11:19:08.103:646) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: denied { stop } for auid=root uid=root gid=root cmdline="/bin/systemctl stop corosync-qdevice.service" scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=service exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?' ---- type=USER_AVC msg=audit(11/29/2016 17:09:05.621:5138) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: denied { stop } for auid=root uid=root gid=root cmdline="/bin/systemctl stop corosync-qdevice.service" scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=service exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'