Bug 1411215
| Summary: | CTDB NFS: With CTDB restart there are SELinux AVC's seen without any functional impact | ||
|---|---|---|---|
| Product: | [Red Hat Storage] Red Hat Gluster Storage | Reporter: | surabhi <sbhaloth> |
| Component: | gluster-nfs | Assignee: | Jiffin <jthottan> |
| Status: | CLOSED WONTFIX | QA Contact: | Manisha Saini <msaini> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | rhgs-3.2 | CC: | msaini, rcyriac, rhs-bugs, sanandpa, skoduri, storage-qa-internal |
| Target Milestone: | --- | Keywords: | ZStream |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2018-11-19 04:14:41 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
From comment #0: '/bin/systemctl stop nfslock.service' - this should not be done. Gluster/NFS does not use systemd to start the rpc.statd daemon. The process should probably get killed when Gluster/NFS is stopped though. The openat() syscall should probably be allowed though, but only when Gluster/NFS has started rpc.statd and rpc.statd tries openat(). This should be reported against the component that provides the ctdb shell script for monitoring/starting/stopping/... Gluster/NFS.
Description of problem:

When CTDB is restarted there are SELinux AVC's seen but there are no functional issues seen. The failover also doesn't have any impact. Raising a medium priority BZ for AVC's seen.

```
type=USER_AVC msg=audit(01/09/2017 12:06:11.143:3039632352) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: denied { stop } for auid=root uid=root gid=root path=/usr/lib/systemd/system/rpc-statd.service cmdline="/bin/systemctl stop nfslock.service" scontext=system_u:system_r:ctdbd_t:s0 tcontext=system_u:object_r:rpcd_unit_file_t:s0 tclass=service exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
----
type=USER_AVC msg=audit(01/09/2017 12:06:11.143:3039632353) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=root uid=root gid=root path=/usr/lib/systemd/system/rpc-statd.service cmdline="/bin/systemctl stop nfslock.service" scontext=system_u:system_r:ctdbd_t:s0 tcontext=system_u:object_r:rpcd_unit_file_t:s0 tclass=service exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
----
type=USER_AVC msg=audit(01/09/2017 12:06:42.319:3039632356) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=root uid=root gid=root path=/usr/lib/systemd/system/rpc-statd.service cmdline="/bin/systemctl start nfslock.service" scontext=system_u:system_r:ctdbd_t:s0 tcontext=system_u:object_r:rpcd_unit_file_t:s0 tclass=service exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
----
type=SYSCALL msg=audit(01/09/2017 12:06:46.751:3039632360) : arch=x86_64 syscall=openat success=yes exit=3 a0=0xffffffffffffff9c a1=0x1af56f0 a2=O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC a3=0x0 items=0 ppid=1 pid=574 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=statd-callout exe=/usr/bin/bash subj=system_u:system_r:ctdbd_t:s0 key=(null)
type=AVC msg=audit(01/09/2017 12:06:46.751:3039632360) : avc: denied { dac_override } for pid=574 comm=statd-callout capability=dac_override scontext=system_u:system_r:ctdbd_t:s0 tcontext=system_u:system_r:ctdbd_t:s0 tclass=capability
```

Version-Release number of selected component (if applicable):

ctdb-4.4.6-2.el7rhgs.x86_64
glusterfs-3.8.4-10.el7rhgs.x86_64
selinux-policy-3.13.1-102.el7_3.11.noarch

How reproducible:

Always

Steps to Reproduce:
1. CTDB setup with nfs
2. Restart ctdb services
3. Observe audit logs

Actual results:

SELinux AVC's seen in audit logs.

Expected results:

There should not be any AVC's.

Additional info:

Since CTDB is not monitoring Kernel NFS (disabled), the statd-callout script is trying to start, stop and status kernel nfs, and it does not affect the functionality of the RHGS CTDB nfs setup.
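Added example, not code from the bug report or from the ctdb/gluster projects: it parses the audit records quoted above into the (source domain, permission, target type, class) tuples a policy reviewer needs, and joins the kernel AVC record to its SYSCALL record by event serial so the triggering program (here statd-callout) is visible alongside the systemd USER_AVC denials. Function and variable names are the example's own.

```python
import re
from collections import Counter

# Input copied from the audit records quoted in this report, one record per line.
AUDIT_LOG = """\
type=USER_AVC msg=audit(01/09/2017 12:06:11.143:3039632352) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: denied { stop } for auid=root uid=root gid=root path=/usr/lib/systemd/system/rpc-statd.service cmdline="/bin/systemctl stop nfslock.service" scontext=system_u:system_r:ctdbd_t:s0 tcontext=system_u:object_r:rpcd_unit_file_t:s0 tclass=service exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(01/09/2017 12:06:11.143:3039632353) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=root uid=root gid=root path=/usr/lib/systemd/system/rpc-statd.service cmdline="/bin/systemctl stop nfslock.service" scontext=system_u:system_r:ctdbd_t:s0 tcontext=system_u:object_r:rpcd_unit_file_t:s0 tclass=service exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(01/09/2017 12:06:42.319:3039632356) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=root uid=root gid=root path=/usr/lib/systemd/system/rpc-statd.service cmdline="/bin/systemctl start nfslock.service" scontext=system_u:system_r:ctdbd_t:s0 tcontext=system_u:object_r:rpcd_unit_file_t:s0 tclass=service exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
type=SYSCALL msg=audit(01/09/2017 12:06:46.751:3039632360) : arch=x86_64 syscall=openat success=yes exit=3 a0=0xffffffffffffff9c a1=0x1af56f0 a2=O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC a3=0x0 items=0 ppid=1 pid=574 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=statd-callout exe=/usr/bin/bash subj=system_u:system_r:ctdbd_t:s0 key=(null)
type=AVC msg=audit(01/09/2017 12:06:46.751:3039632360) : avc: denied { dac_override } for pid=574 comm=statd-callout capability=dac_override scontext=system_u:system_r:ctdbd_t:s0 tcontext=system_u:system_r:ctdbd_t:s0 tclass=capability
"""

EVENT_RE = re.compile(r"^type=(?P<rtype>\w+) msg=audit\([^)]+:(?P<serial>\d+)\)")
AVC_RE = re.compile(r"avc: +denied +\{ *(?P<perms>[^}]+?) *\} .*?scontext=(?P<scontext>\S+)"
                    r" tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)")
FIELD_RE = re.compile(r"(\w+)=(\S+)")
CMD_RE = re.compile(r'cmdline="([^"]*)"')


def parse_denials(log_text):
    """One dict per denial: source domain, permissions, target type/class and the
    trigger (cmdline for a systemd USER_AVC, comm from the SYSCALL record for an AVC)."""
    records = [(m["rtype"], int(m["serial"]), line) for line in log_text.splitlines()
               if (m := EVENT_RE.match(line))]
    # SYSCALL records carry comm/exe; they share the event serial with their AVC record.
    syscalls = {serial: dict(FIELD_RE.findall(line))
                for rtype, serial, line in records if rtype == "SYSCALL"}
    denials = []
    for rtype, serial, line in records:
        m = AVC_RE.search(line)
        if not m:
            continue
        cmd = CMD_RE.search(line)
        denials.append({
            "record": rtype, "serial": serial, "perms": m["perms"].split(),
            "sdomain": m["scontext"].split(":")[2],   # type component of the context
            "ttype": m["tcontext"].split(":")[2],
            "tclass": m["tclass"],
            "trigger": cmd.group(1) if cmd else syscalls.get(serial, {}).get("comm"),
        })
    return denials


def summarize(denials):
    """Count (source domain, permission, target type, class): the unit a policy reviewer
    weighs before deciding whether to allow the access or to fix the calling script."""
    counts = Counter()
    for d in denials:
        for perm in d["perms"]:
            counts[(d["sdomain"], perm, d["ttype"], d["tclass"])] += 1
    return counts
```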