Bug 1448090
| Summary: | [GANESHA] AVC denials for unreserved port observed while changing RQUOTA port in ganesha.conf file | |||
|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Manisha Saini <msaini> | |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> | |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> | |
| Severity: | unspecified | Docs Contact: | ||
| Priority: | urgent | |||
| Version: | 7.3 | CC: | amukherj, asrivast, fkrska, jthottan, lvrabec, mgrepl, mmalik, msaini, pdhange, plautrba, pvrabec, rhs-bugs, rnalakka, skoduri, ssekidde, storage-qa-internal | |
| Target Milestone: | pre-dev-freeze | Keywords: | ZStream | |
| Target Release: | --- | |||
| Hardware: | All | |||
| OS: | Linux | |||
| Whiteboard: | ||||
| Fixed In Version: | Doc Type: | If docs needed, set a value | ||
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 1450038 1455236 (view as bug list) | Environment: | ||
| Last Closed: | 2017-08-01 15:26:23 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 1450038, 1455236 | |||
On setting setsebool -P nis_enabled on ,No AVC's related to unreserved port were observed. And on restarting nfs-ganesha service, the ganesha process came up on node. I assumed that ganesha.conf file uses a non-default value of Rquota_Port.
Following SELinux denial appears in permissive mode:
----
type=PROCTITLE msg=audit(05/17/2017 11:27:07.835:826) : proctitle=bash -c nc -u -6 -l ::1 8750
type=SOCKADDR msg=audit(05/17/2017 11:27:07.835:826) : saddr={ fam=inet6 laddr=::1 lport=8750 }
type=SYSCALL msg=audit(05/17/2017 11:27:07.835:826) : arch=x86_64 syscall=bind success=yes exit=0 a0=0x3 a1=0x658c60 a2=0x80 a3=0x7ffdad5b9440 items=0 ppid=1707 pid=5447 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=1 comm=nc exe=/usr/bin/ncat subj=system_u:system_r:ganesha_t:s0 key=(null)
type=AVC msg=audit(05/17/2017 11:27:07.835:826) : avc: denied { name_bind } for pid=5447 comm=nc src=8750 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket permissive=1
----
Using a fake reproducer:
# runcon system_u:system_r:ganesha_t:s0 bash -c 'nc -u -6 -l ::1 8750'
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:1861 |
Description of problem: Due to some gluster process using Rquota_Port 875,ganesha service failed to come up after reboot.So if the Rquota_Port is changed in ganesha.conf file,AVC's denials were observed in audit.log Version-Release number of selected component (if applicable): # rpm -qa | grep selinux selinux-policy-targeted-3.13.1-102.el7.noarch libselinux-utils-2.5-6.el7.x86_64 libselinux-2.5-6.el7.x86_64 libselinux-python-2.5-6.el7.x86_64 selinux-policy-3.13.1-102.el7.noarch glusterfs-ganesha-3.8.4-24.el7rhgs.x86_64 # cat /etc/redhat-release Red Hat Enterprise Linux Server release 7.3 (Maipo) How reproducible: Steps to Reproduce: 1.Create 8 node ganesha cluster. 2.Create volume.Enable ganesha on it. 3.Mount the volume to client and run IO's. 4.Reboot one of the node Actual results: On rebooted node ganesha service failed to come up due to Rquota bind issue (as the 875 port which is there for RQUOTA is being used by some other gluster process). After changing the RQUOTA_port to 8750 in ganesha.conf,AVC denials were observed in audit.log Expected results: No AVC denials should be seen. Additional info: # tailf /var/log/ganesha.log 04/05/2017 18:58:50 : epoch 40f00000 : dhcp42-127.lab.eng.blr.redhat.com : ganesha.nfsd-17333[main] init_server_pkgs :NFS STARTUP :EVENT :ID Mapper successfully initialized. 04/05/2017 18:58:50 : epoch 40f00000 : dhcp42-127.lab.eng.blr.redhat.com : ganesha.nfsd-17333[main] glusterfs_create_export :FSAL :EVENT :Volume ganesha1 exported at : '/' 04/05/2017 18:58:57 : epoch 40f00000 : dhcp42-127.lab.eng.blr.redhat.com : ganesha.nfsd-17333[main] glusterfs_create_export :FSAL :EVENT :Volume ganesha2 exported at : '/' 04/05/2017 18:59:03 : epoch 40f00000 : dhcp42-127.lab.eng.blr.redhat.com : ganesha.nfsd-17333[main] glusterfs_create_export :FSAL :EVENT :Volume ganesha3 exported at : '/' 04/05/2017 18:59:09 : epoch 40f00000 : dhcp42-127.lab.eng.blr.redhat.com : ganesha.nfsd-17333[main] lower_my_caps :NFS STARTUP :EVENT :CAP_SYS_RESOURCE was successfully removed for proper quota management in FSAL 04/05/2017 18:59:09 : epoch 40f00000 : dhcp42-127.lab.eng.blr.redhat.com : ganesha.nfsd-17333[main] lower_my_caps :NFS STARTUP :EVENT :currenty set capabilities are: = cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap+ep 04/05/2017 18:59:09 : epoch 40f00000 : dhcp42-127.lab.eng.blr.redhat.com : ganesha.nfsd-17333[main] Bind_sockets_V6 :DISP :WARN :Cannot bind RQUOTA tcp6 socket, error 98 (Address already in use) 04/05/2017 18:59:09 : epoch 40f00000 : dhcp42-127.lab.eng.blr.redhat.com : ganesha.nfsd-17333[main] Bind_sockets :DISP :FATAL :Error binding to V6 interface. Cannot continue. 04/05/2017 18:59:09 : epoch 40f00000 : dhcp42-127.lab.eng.blr.redhat.com : ganesha.nfsd-17333[main] unregister_fsal :FSAL :CRIT :Unregister FSAL GLUSTER with non-zero refcount=3 04/05/2017 18:59:09 : epoch 40f00000 : dhcp42-127.lab.eng.blr.redhat.com : ganesha.nfsd-17333[main] glusterfs_unload :FSAL :CRIT :FSAL Gluster unable to unload. Dying ... #/var/log/audit/audit.log type=AVC msg=audit(1493900430.337:1467): avc: denied { name_bind } for pid=28137 comm="ganesha.nfsd" src=8751 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket type=AVC msg=audit(1493900510.810:1481): avc: denied { name_bind } for pid=28253 comm="ganesha.nfsd" src=8751 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket According to comment #1 of https://bugzilla.redhat.com/show_bug.cgi?id=1357508, this issue seems to be fixed in Rhel 7.3