Bug 1544824

Summary: [Ganesha] : Cluster creation fails on selinux enabled/enforced nodes.
Product: Red Hat Gluster Storage
Component: nfs-ganesha
Version: rhgs-3.4
Status: CLOSED ERRATA
Severity: high
Priority: unspecified
Reporter: Ambarish <asoman>
Assignee: Kaleb KEITHLEY <kkeithle>
QA Contact: Manisha Saini <msaini>
CC: amukherj, dang, ffilz, jthottan, kkeithle, mbenjamin, msaini, rhinduja, rhs-bugs, storage-qa-internal
Keywords: Regression
Target Release: RHGS 3.4.0
Hardware: x86_64
OS: Linux
Fixed In Version: glusterfs-3.12.2-5
Last Closed: 2018-09-04 06:42:41 UTC
Type: Bug
Bug Depends On: 1544852
Bug Blocks: 1503137

Description Ambarish 2018-02-13 15:05:28 UTC
Description of problem:
-----------------------

gluster nfs-ganesha enable fails to create a Ganesha HA cluster on latest RHEL 7.5 Snapshot 3.

There's an AVC denial when I try to create a cluster:

type=AVC msg=audit(1518517089.008:203): avc:  denied  { search } for  pid=14039 comm="ganesha.nfsd" name="/" dev="fuse" ino=1 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir



From ganesha.log:

13/02/2018 05:18:09 : epoch d6150000 : gqas004.sbu.lab.eng.bos.redhat.com : ganesha.nfsd-14038[main] main :MAIN :EVENT :ganesha.nfsd Starting: Ganesha Version 2.5.5
13/02/2018 05:18:09 : epoch d6150000 : gqas004.sbu.lab.eng.bos.redhat.com : ganesha.nfsd-14039[main] main :NFS STARTUP :CRIT :Error (token scan) while parsing (/etc/ganesha/ganesha.conf)
13/02/2018 05:18:09 : epoch d6150000 : gqas004.sbu.lab.eng.bos.redhat.com : ganesha.nfsd-14039[main] config_errs_to_log :CONFIG :CRIT :Config File (<unknown file>:0): new file (/etc/ganesha/ganesha.conf) open error (Permission denied), ignored
13/02/2018 05:18:09 : epoch d6150000 : gqas004.sbu.lab.eng.bos.redhat.com : ganesha.nfsd-14039[main] main :NFS STARTUP :FATAL :Fatal errors.  Server exiting...


Version-Release number of selected component (if applicable):
-------------------------------------------------------------

[root@gqas004 ~]# rpm -qa|grep ganesha
glusterfs-ganesha-3.12.2-3.el7rhgs.x86_64
nfs-ganesha-gluster-2.5.5-2.el7rhgs.x86_64

[root@gqas004 ~]# uname -r
3.10.0-845.el7.x86_64

[root@gqas004 ~]# rpm -qa|grep selinux
selinux-policy-targeted-3.13.1-189.el7.noarch
libselinux-2.5-12.el7.x86_64
libselinux-utils-2.5-12.el7.x86_64
libselinux-python-2.5-12.el7.x86_64
selinux-policy-3.13.1-189.el7.noarch




How reproducible:
------------------

2/2 (Manisha's and my setup)

Comment 2 Ambarish 2018-02-13 15:07:59 UTC
On a fresh install (IIRC) ganesha_use_fusefs is supposed to be "on".

For some reason, we do not see this option as "on":

[root@gqas004 ~]# getsebool  ganesha_use_fusefs
ganesha_use_fusefs --> off

Comment 3 Ambarish 2018-02-13 15:08:50 UTC
**Workaround**:

Set the boolean manually:

[root@gqas004 ~]# setsebool -P ganesha_use_fusefs on

[root@gqas004 ~]# getsebool  ganesha_use_fusefs
ganesha_use_fusefs --> on
[root@gqas004 ~]# 

Cluster creation is successful post this.
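
The triage path in the comments above (AVC record, then boolean state, then workaround), written out as a script. This is an added example, not part of the original bug report or of any Red Hat tooling; the function names `avc_fields`, `bool_state` and `triage` and the verdict strings are hypothetical, and the sample input is copied from the report.

```shell
#!/bin/sh
# Added triage sketch, not from the bug report. Function names are hypothetical.

# Read audit records on stdin; print "source_type target_type tclass perms"
# for every AVC denial found.
avc_fields() {
    awk '/avc:/ && /denied/ {
        src = tgt = cls = perms = ""
        if (match($0, /[{] [^}]* [}]/))
            perms = substr($0, RSTART + 2, RLENGTH - 4)
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
            if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        if (src != "" && tgt != "") print src, tgt, cls, perms
    }'
}

# Print on/off from `getsebool NAME` output ("NAME --> off").
bool_state() { printf '%s\n' "$1" | awk '$2 == "-->" { print $3 }'; }

# triage AUDIT_TEXT GETSEBOOL_OUTPUT: print one verdict word.
triage() {
    if ! printf '%s\n' "$1" | avc_fields | grep -q '^ganesha_t fusefs_t '; then
        echo "no-ganesha-fusefs-denial"
    elif [ "$(bool_state "$2")" = "on" ]; then
        echo "boolean-already-on"          # old record, or a different cause
    else
        echo "set-ganesha_use_fusefs-on"   # the workaround used in this report
    fi
}

# Sample input copied from the report's description and getsebool output.
SAMPLE_AVC='type=AVC msg=audit(1518517089.008:203): avc:  denied  { search } for  pid=14039 comm="ganesha.nfsd" name="/" dev="fuse" ino=1 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir'
SAMPLE_BOOL='ganesha_use_fusefs --> off'

triage "$SAMPLE_AVC" "$SAMPLE_BOOL"
# Live use (assumes auditd's ausearch is installed):
#   triage "$(ausearch -m avc -c ganesha.nfsd 2>/dev/null)" \
#          "$(getsebool ganesha_use_fusefs)"
```

A `boolean-already-on` verdict means the denial on record predates the boolean change or has another cause, so check the record's timestamp before changing policy further.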

Comment 9 Manisha Saini 2018-04-03 05:43:08 UTC
Verified this BZ with-

# rpm -qa | grep ganesha
nfs-ganesha-2.5.5-3.el7rhgs.x86_64
nfs-ganesha-gluster-2.5.5-3.el7rhgs.x86_64
glusterfs-ganesha-3.12.2-6.el7rhgs.x86_64


On fresh installation of ganesha packages in 3.4, ganesha_use_fusefs is ON by default. Ganesha cluster creation is successful.

# semanage boolean -l | grep ganesha
ganesha_use_fusefs             (on   ,   on)  Allow ganesha to use fusefs


Moving this BZ to verified state.

Comment 11 errata-xmlrpc 2018-09-04 06:42:41 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:2607

Comment 12 Manisha Saini 2018-09-24 07:18:11 UTC
Setting qe_test_coverage + with no testcase ID, since it's been covered as part of every Ganesha test case.