Bug 1404152
| Field | Value |
|---|---|
| Summary | [SELinux] [Eventing]: gluster-eventsapi shows a traceback while adding a webhook |
| Product | Red Hat Enterprise Linux 7 |
| Reporter | Prasanth <pprakash> |
| Component | selinux-policy |
| Assignee | Lukas Vrabec <lvrabec> |
| Status | CLOSED ERRATA |
| QA Contact | Milos Malik <mmalik> |
| Severity | high |
| Docs Contact | Mirek Jahoda <mjahoda> |
| Priority | high |
| Version | 7.3 |
| CC | amukherj, avishwan, lvrabec, mgrepl, mjahoda, mmalik, plautrba, pprakash, pvrabec, rhinduja, sanandpa, ssekidde, vbellur |
| Target Milestone | rc |
| Keywords | ZStream |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Fixed In Version | selinux-policy-3.13.1-117.el7 |
| Doc Type | Bug Fix |
| Doc Text | A missing SELinux rule was previously causing errors when adding a webhook using the gluster-eventsapi command. The rule to allow the "glusterd_t" domain to bind on the glusterd UDP port has been added, and adding a webhook using gluster-eventsapi now works properly. |
| Story Points | --- |
| Clone Of | 1379963 |
| Clones | 1408128 (view as bug list) |
| Last Closed | 2017-08-01 15:17:42 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
| Bug Blocks | 1404562, 1408128 |
Description
Prasanth
2016-12-13 08:34:31 UTC
audit.log.3:type=AVC msg=audit(1481527787.222:2133185): avc: denied { signal } for pid=11207 comm="python" scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process

After discussion with Prasanth, we found a solution for this issue. We need to label the following as glusterd_exec_t, to avoid running glustereventsd as unconfined_service_t:
/usr/libexec/glusterfs/peer_eventsapi.py
usr/libexec/glusterfs/events/glustereventsd.py

Created attachment 1231190 [details]
Local module

Adding local module for this issue. Please run
# semodule -i glusterd_local.cil
to activate it.
Thanks.
Hi Lukas, I tried out the local attachment in my setup. But I am still able to see the same avc. Could you please go through the steps that I am following and advise if I am missing out anything.
1. Copy the content of the attachment to a file 'glusterd_local.cil' under /root of ALL the nodes of the cluster
2. 'semodule -i /root/glusterd_local.cil' on ALL the nodes of the cluster
3. 'restorecon -Rv /usr/libexec/glusterfs/peer_eventsapi.py; restorecon -Rv /usr/sbin/gluster-eventsapi; restorecon -Rv /usr/libexec/glusterfs/events/glustereventsd.py; restorecon -Rv /usr/sbin/glustereventsd' on ALL the nodes of the cluster
4. Run the steps that caused the avc to appear

The following step cannot work on RHEL-6, because CIL policy modules are not understood on RHEL<7.3:
2. 'semodule -i /root/glusterd_local.cil' on ALL the nodes of the cluster

Please ignore comments #8 and #9. They should have been placed in BZ#1404562.

After incorporating the local attachment, I'm facing a different avc denied, as pasted below, this time tclass=udp_socket
type=AVC msg=audit(1481871612.817:874221): avc: denied { name_bind } for pid=11854 comm="python" src=24009 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket
I stopped the glustereventsd service, stopped rsyslog, flushed audit logs, started rsyslog, and started glustereventsd service.
The status shows that it is running, but in the logs it says 'Permission denied'. When the avc logs were checked, I found the above mentioned avc.
Set the selinux to 'permissive mode' and then re-did the steps. This time, stopping and starting glustereventsd service went through without any errors.
Lukas, can you please advise the next step of action?
The cli logs are pasted below. Please note the 'permission denied' in the last line.
[root@dhcp47-60 audit]# systemctl stop glustereventsd
[root@dhcp47-60 audit]# systemctl start glustereventsd
[root@dhcp47-60 audit]# systemctl status glustereventsd
● glustereventsd.service - Gluster Events Notifier
Loaded: loaded (/usr/lib/systemd/system/glustereventsd.service; enabled; vendor preset: disabled)
Active: active (running) since Fri 2016-12-16 12:25:59 IST; 10s ago
Process: 19145 ExecReload=/bin/kill -SIGUSR2 $MAINPID (code=exited, status=0/SUCCESS)
Main PID: 21141 (python)
CGroup: /system.slice/glustereventsd.service
├─21141 python /usr/sbin/glustereventsd --pid-file /var/run/glustereventsd.pid
└─21142 python /usr/sbin/glustereventsd --pid-file /var/run/glustereventsd.pid
Dec 16 12:25:59 dhcp47-60.lab.eng.blr.redhat.com systemd[1]: Started Gluster Events Notifier.
Dec 16 12:25:59 dhcp47-60.lab.eng.blr.redhat.com systemd[1]: Starting Gluster Events Notifier...
Dec 16 12:25:59 dhcp47-60.lab.eng.blr.redhat.com glustereventsd[21141]: Failed to start Eventsd: [Errno 13] Permission denied
[root@dhcp47-60 audit]#
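The two AVC records quoted in this thread (the signal denial against unconfined_service_t and the name_bind denial on udp port 24009), run through a small triage helper. This is an added example written for this page, not code from the bug or from selinux-policy; the sample audit text is the two records above reconstructed inline, and the field names are those that appear in them.

```python
import re
from typing import Dict, List

# Constructed sample: the two AVC records quoted in this bug, one per line.
SAMPLE_AUDIT = (
    'type=AVC msg=audit(1481527787.222:2133185): avc: denied { signal } for pid=11207 '
    'comm="python" scontext=system_u:system_r:glusterd_t:s0 '
    'tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process\n'
    'type=AVC msg=audit(1481871612.817:874221): avc: denied { name_bind } for pid=11854 '
    'comm="python" src=24009 scontext=system_u:system_r:glusterd_t:s0 '
    'tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket\n'
)

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line: str) -> Dict[str, str]:
    """Return the key=value fields of one AVC record, plus the bare source/target types."""
    m = AVC_RE.search(line)
    if not m:
        return {}
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    rec['perms'] = m.group('perms')
    rec['stype'] = rec['scontext'].split(':')[2]   # e.g. glusterd_t
    rec['ttype'] = rec['tcontext'].split(':')[2]   # e.g. unreserved_port_t
    return rec


def triage(rec: Dict[str, str]) -> str:
    """Map a denial to the kind of policy gap it usually indicates (heuristics, not policy)."""
    if rec['tclass'] == 'process' and rec['ttype'] == 'unconfined_service_t':
        # The peer daemon runs without its own domain: its executable needs an exec type
        # (file context + restorecon) so that it transitions into a confined domain.
        return (f"{rec['comm']} ({rec['stype']}) signalled an unconfined service: "
                "label the peer's executable so it transitions into a confined domain")
    if 'name_bind' in rec['perms'] and rec['ttype'] == 'unreserved_port_t':
        # The port carries no port type at all, so no domain can be allowed to bind it yet.
        return (f"{rec['stype']} bound port {rec['src']}/{rec['tclass']} that has no port type: "
                "assign the port a type and allow the domain to bind it")
    return f"{rec['stype']} denied {rec['perms']} on {rec['ttype']} ({rec['tclass']}): needs review"


def triage_log(text: str) -> List[str]:
    """Triage every AVC record found in an audit log excerpt."""
    return [triage(r) for r in (parse_avc(line) for line in text.splitlines()) if r]
```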
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:1861