Bug 1638257
Summary: | selinux: ganesha.nfsd run in nfsd_t [rhel-7.6.z] | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Oneata Mircea Teodor <toneata> |
Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
Severity: | unspecified | Docs Contact: | Mirek Jahoda <mjahoda> |
Priority: | high | ||
Version: | 7.5 | CC: | dwalsh, jijoy, kdreyer, kkeithle, lmiksik, lvrabec, mgrepl, mjahoda, mmalik, msaini, mthacker, plautrba, salmy, sanandpa, skoduri, ssekidde, toneata, vmojzis, zpytela |
Target Milestone: | rc | Keywords: | ZStream |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | selinux-policy-3.13.1-229.el7_6.5 | Doc Type: | Bug Fix |
Story Points: | --- |
Clone Of: | 1511489 | Environment: | |
Last Closed: | 2018-10-30 12:21:20 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1511489 | ||
Bug Blocks: | 1637783 |
Description
Oneata Mircea Teodor
2018-10-11 08:27:48 UTC
change to nfs-ganesha to move selinux to a nfs-ganesha-selinux sub-package for Fedora 30 and RHEL 8. https://review.gerrithub.io/c/ffilz/nfs-ganesha/+/429053

Lukas, when we install rhgs-3.4.1 on rhel7.6 there is no ganesha module listed (because there isn't one, ganesha runs in nfsd_t.) Then when we add selinux-policy-3.13.1-229.el7_6.3 and run `semodule -l` it's not listed. We have to manually run `semodule -e ganesha` and then it is listed. Is that expected behavior, or should the install/update of selinux-policy-3.13.1-229.el7_6.3 do that automatically?

Thanks,

Hi,

Could you try it but with this build? https://brewweb.engineering.redhat.com/brew/buildinfo?buildID=781399

Try to skip using: selinux-policy-3.13.1-229.el7_6.3, update directly from 229.el7 to 229.el7_6.5

Let me know if that helps.

Lukas.

Lukas, to conclude the above-

With selinux build "selinux-policy-3.13.1-229.el7_6.5.noarch", since ganesha service is not coming up, this is a blocker for Ganesha RHGS 3.4.1 release.

We did some testing with "selinux-policy-3.13.1-229.el7_6.3.noarch" as well. With this build, ganesha module is not loaded by default as mentioned in comment #16. But by running the below steps manually, ganesha service comes up and refresh-config was passing. But we also saw a few failures in posix compliance test when run on ganesha mount with this selinux build.

======

```
# semodule -e ganesha
# restorecon -Rv /
# semanage boolean -m --on ganesha_use_fusefs
```

Here are the two options which we can look forward-

1. Either fix the ganesha service failure issue with "selinux-policy-3.13.1-229.el7_6.5.noarch" and provide the new package with all the fixes for us to unblock our RHGS 3.4.1 Ganesha testing.
2. Or to go with "selinux-policy-3.13.1-229.el7_6.3.noarch" package and do the steps to load ganesha module manually. And fix posix compliance test failures which we are getting with this build.

Rquota port by default is 875. This can be configured to any port number by user depending upon condition that it should be any non-reserved port and is not in use by any other process in system.

```
# semanage port -a -t mountd_port_t -p udp 8755
```

Not very sure with above command, but are we again restricting it to only work with 8755 port?

Hi Lukas,

Are these steps something new with this build "selinux-policy-3.13.1-229.el7_6.5.noarch"? Or does this procedure have to be followed with existing selinux also if we are not using the default port?

```
# semanage port -a -t mountd_port_t -p udp 8755
# semanage port -a -t mountd_port_t -p tcp 8755
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:3340
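The module and port steps discussed in this report can be audited before they are run. The script below is an added example, not part of the original report or of selinux-policy: the function names are hypothetical, the column layout of `semodule --list-modules=full` and `semanage port -l` is an assumption, and the sample text is constructed.

```shell
#!/bin/sh
# Added example (not from the bug report); functions take command output as text.

# module_state NAME TEXT -> enabled | disabled | missing
# TEXT: output of `semodule --list-modules=full`
# (assumed columns: priority name type [disabled]).
module_state() {
    printf '%s\n' "$2" | awk -v m="$1" '
        $2 == m { found = 1; if ($NF == "disabled") off = 1 }
        END { if (!found) print "missing"; else if (off) print "disabled"; else print "enabled" }'
}

# port_has_type TYPE PROTO PORT TEXT -> exit 0 if PORT carries TYPE for PROTO
# TEXT: output of `semanage port -l` (assumed columns: type proto port-list).
port_has_type() {
    printf '%s\n' "$4" | awk -v t="$1" -v p="$2" -v n="$3" '
        $1 == t && $2 == p {
            for (i = 3; i <= NF; i++) {
                f = $i; sub(/,$/, "", f)          # strip list separator
                k = split(f, r, "-"); lo = r[1] + 0
                hi = (k == 2 ? r[2] + 0 : lo)     # "a-b" is a port range
                if (n + 0 >= lo && n + 0 <= hi) hit = 1
            }
        }
        END { exit(hit ? 0 : 1) }'
}

# plan RQUOTA_PORT MODULES_TEXT PORTS_TEXT
# Prints the commands from the thread that are still needed on this host.
plan() {
    case "$(module_state ganesha "$2")" in
        disabled) echo "semodule -e ganesha" ;;
        missing)  echo "# no ganesha module in this policy build" ;;
    esac
    [ "$1" = 875 ] && return 0    # default Rquota port named in the thread
    for proto in udp tcp; do
        port_has_type mountd_port_t "$proto" "$1" "$3" ||
            echo "semanage port -a -t mountd_port_t -p $proto $1"
    done
}

# Constructed sample output, not captured from a real host.
SAMPLE_MODULES='100 abrt      pp
100 ganesha   pp disabled
100 zabbix    pp'
SAMPLE_PORTS='mountd_port_t                  tcp      20048
mountd_port_t                  udp      8755, 20048
rquotad_port_t                 tcp      875
rquotad_port_t                 udp      875'
plan 8755 "$SAMPLE_MODULES" "$SAMPLE_PORTS"
```

On a real host, pass `"$(semodule --list-modules=full)"` and `"$(semanage port -l)"` in place of the sample variables.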