Bug 1468575

Summary: [GANESHA] Unable to export the volume via ganesha due to selinux denied AVC's
Product: [Red Hat Storage] Red Hat Gluster Storage
Reporter: Manisha Saini <msaini>
Component: nfs-ganesha
Assignee: Kaleb KEITHLEY <kkeithle>
Status: CLOSED CURRENTRELEASE
QA Contact: Manisha Saini <msaini>
Severity: unspecified
Docs Contact:
Priority: urgent
Version: rhgs-3.3
CC: amukherj, dang, jthottan, kkeithle, rcyriac, rhinduja, rhs-bugs, skoduri, storage-qa-internal
Target Milestone: ---
Target Release: RHGS 3.3.0
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: selinux-policy-3.13.1-166.el7
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1468581 1468582
Environment:
Last Closed: 2017-09-25 11:22:12 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1468581
Bug Blocks: 1417151

Description Manisha Saini 2017-07-07 12:30:50 UTC
Description of problem:

Unable to export the volume via ganesha due to selinux AVC denials

Version-Release number of selected component (if applicable):
# rpm -qa | grep ganesha
nfs-ganesha-gluster-2.4.4-10.el7rhgs.x86_64
nfs-ganesha-debuginfo-2.4.4-10.el7rhgs.x86_64
glusterfs-ganesha-3.8.4-31.el7rhgs.x86_64
nfs-ganesha-2.4.4-10.el7rhgs.x86_64


How reproducible:
Consistently

Steps to Reproduce:
1. Create a 4 node ganesha cluster with selinux in permissive mode because of BZ 1466144
2. Set selinux to Enforcing mode.
3. Create and start a dist-replicate volume
4. Enable nfs-ganesha on the volume

Actual results:

Volume fails to get exported via ganesha because of selinux AVCs observed in audit.log:

type=USER_AVC msg=audit(07/22/2017 01:40:46.416:1226) : pid=920 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.313 spid=3131 tpid=5917 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:system_r:cluster_t:s0 tclass=dbus  exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?' 
type=USER_AVC msg=audit(07/07/2017 15:43:01.925:2285) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc:  received setenforce notice (enforcing=1)  exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?' 
type=USER_AVC msg=audit(07/07/2017 15:44:01.269:2290) : pid=926 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=signal interface=org.ganesha.nfsd.exportmgr member=AddExport dest=org.ganesha.nfsd spid=17830 tpid=2324 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:ganesha_t:s0 tclass=dbus  exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?' 

Expected results:
Volume should be exported successfully

Additional info:

Comment 3 Manisha Saini 2017-07-07 12:46:09 UTC
# rpm -qa | grep selinux
libselinux-2.5-11.el7.x86_64
selinux-policy-targeted-3.13.1-164.el7.noarch
libselinux-python-2.5-11.el7.x86_64
libselinux-utils-2.5-11.el7.x86_64
libselinux-2.5-11.el7.i686
selinux-policy-3.13.1-164.el7.noarch

Comment 7 Manisha Saini 2017-07-14 13:19:53 UTC
Verified this bug on:

# rpm -qa | grep selinux
libselinux-2.5-11.el7.x86_64
libselinux-python-2.5-11.el7.x86_64
libselinux-utils-2.5-11.el7.x86_64
selinux-policy-targeted-3.13.1-166.el7.noarch
libselinux-2.5-11.el7.i686
selinux-policy-3.13.1-166.el7.noarch


# rpm -qa | grep ganesha
nfs-ganesha-gluster-2.4.4-15.el7rhgs.x86_64
nfs-ganesha-2.4.4-15.el7rhgs.x86_64
glusterfs-ganesha-3.8.4-33.el7rhgs.x86_64


No AVCs are being observed while exporting the volume. Volume is exported successfully when selinux is in Enforcing mode. Moving this bug to verified state.