Bug 1753626
| Field | Value |
|---|---|
| Summary | Unable to mount glusterfs at boot when specifying security context |
| Product | Red Hat Enterprise Linux 8 |
| Reporter | Deepu K S <dkochuka> |
| Component | selinux-policy |
| Assignee | Zdenek Pytela <zpytela> |
| Status | CLOSED ERRATA |
| QA Contact | Milos Malik <mmalik> |
| Severity | medium |
| Priority | medium |
| Docs Contact | |
| Version | 8.0 |
| CC | alchan, dkochuka, lvrabec, mmalik, ndevos, plautrba, qe-baseos-security, ssekidde, suzushrestha, vmojzis, zpytela |
| Target Milestone | rc |
| Keywords | Patch, Triaged |
| Target Release | --- |
| Hardware | x86_64 |
| OS | Linux |
| Whiteboard | |
| Fixed In Version | |
| Doc Type | Bug Fix |
| Doc Text | |
| Story Points | --- |
| Clone Of | 1749898 |
| Environment | |
| Last Closed | 2020-11-04 01:55:53 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | 1749898 |
| Bug Blocks | |
Description
Deepu K S
2019-09-19 13:19:19 UTC
The errors are the same as in RHEL 7.

/var/log/glusterfs/var-lib-pulp-content.log:

[2019-09-19 12:53:56.124767] I [MSGID: 100030] [glusterfsd.c:2571:main] 0-/usr/sbin/glusterfs: Started running /usr/sbin/glusterfs version 3.12.2 (args: /usr/sbin/glusterfs --fuse-mountopts=context=""system_u:object_r:httpd_sys_rw_content_t:s0"" --volfile-server=gluster-1 --volfile-id=dk-dr-v3 --fuse-mountopts=context=""system_u:object_r:httpd_sys_rw_content_t:s0"" --subdir-mount=/dk /var/lib/pulp/content)
[2019-09-19 12:53:56.179180] E [mount.c:444:fuse_mount_sys] 0-glusterfs-fuse: ret = -1
[2019-09-19 12:53:56.179282] I [mount.c:489:gf_fuse_mount] 0-glusterfs-fuse: direct mount failed (Permission denied) errno 13
[2019-09-19 12:53:56.179293] E [mount.c:502:gf_fuse_mount] 0-glusterfs-fuse: mount of gluster-1:dk-dr-v3/dk to /var/lib/pulp/content (default_permissions,context=""system_u:object_r:httpd_sys_rw_content_t:s0"",allow_other,max_read=131072) failed

gluster-1:/dk-dr-v3/dk /var/lib/pulp/content/ glusterfs defaults,_netdev,context="system_u:object_r:httpd_sys_rw_content_t:s0" 0 0

Red Hat Enterprise Linux release 8.0 (Ootpa)

The package versions were:

glusterfs-3.12.2-40.2.el8.x86_64
glusterfs-libs-3.12.2-40.2.el8.x86_64
glusterfs-client-xlators-3.12.2-40.2.el8.x86_64
glusterfs-fuse-3.12.2-40.2.el8.x86_64
selinux-policy-targeted-3.14.1-61.el8.noarch
selinux-policy-3.14.1-61.el8.noarch

Hi,

Could you please put SELinux to permissive mode:

# setenforce 0

Then reproduce your issue
..
..
..

and attach output of:

# ausearch -m AVc -ts boot

Thanks,
Lukas.

(In reply to Lukas Vrabec from comment #2)
> Hi,
>
> Could you please put SELinux to permissive mode:
>
> # setenforce 0
>
> Then reproduce your issue
> ..
> ..
> ..
>
> and attach output of:
>
> # ausearch -m AVc -ts boot
>
> Thanks,
> Lukas.
# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      31

# ausearch -m AVc -ts boot
----
time->Mon Sep 23 20:22:43 2019
type=PROCTITLE msg=audit(1569250363.317:31): proctitle=2F7573722F7362696E2F676C75737465726673002D2D667573652D6D6F756E746F7074733D636F6E746578743D222273797374656D5F753A6F626A6563745F723A68747470645F7379735F72775F636F6E74656E745F743A73302222002D2D766F6C66696C652D7365727665723D676C75737465722D31002D2D766F6C66696C
type=SYSCALL msg=audit(1569250363.317:31): arch=c000003e syscall=165 success=yes exit=0 a0=55e788b315f0 a1=55e788b31390 a2=7f3dd19d8eae a3=0 items=0 ppid=1270 pid=1275 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="glusterfs" exe="/usr/sbin/glusterfsd" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1569250363.317:31): avc: denied { mount } for pid=1275 comm="glusterfs" name="/" dev="fuse" ino=1 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:httpd_sys_rw_content_t:s0 tclass=filesystem permissive=1
type=AVC msg=audit(1569250363.317:31): avc: denied { relabelfrom } for pid=1275 comm="glusterfs" scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:httpd_sys_rw_content_t:s0 tclass=filesystem permissive=1
type=AVC msg=audit(1569250363.317:31): avc: denied { relabelto } for pid=1275 comm="glusterfs" scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:httpd_sys_rw_content_t:s0 tclass=filesystem permissive=1
type=AVC msg=audit(1569250363.317:31): avc: denied { relabelfrom } for pid=1275 comm="glusterfs" scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=filesystem permissive=1

Thanks.
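The four AVC records above say exactly what the policy lacks: glusterd_t needs mount, relabelfrom and relabelto on class filesystem for the label named in the fstab context= option (httpd_sys_rw_content_t), plus relabelfrom on the default fuse label (fusefs_t). As an added example, not part of this bug report or of the selinux-policy project, the script below turns such records into a narrowly scoped local policy module that grants only those permissions, which is a tighter interim workaround than the files_type-wide access the eventual fix grants. The sample input is the four AVC lines from comment 3, constructed inline; the module name glusterd_context_mount and the --build flag are this example's own choices. Building and loading needs root and the SELinux toolchain (checkmodule, semodule_package and semodule from policycoreutils, sesearch from setools), so that step is skipped where those tools are absent.

```shell
#!/bin/sh
# Added example (not from the bug report or selinux-policy): derive a minimal
# local policy module from AVC records so a context= glusterfs mount works in
# enforcing mode until a fixed selinux-policy is installed.
set -eu

# Constructed sample: the four AVC records from comment 3 of the bug.
AVC_SAMPLE='type=AVC msg=audit(1569250363.317:31): avc: denied { mount } for pid=1275 comm="glusterfs" name="/" dev="fuse" ino=1 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:httpd_sys_rw_content_t:s0 tclass=filesystem permissive=1
type=AVC msg=audit(1569250363.317:31): avc: denied { relabelfrom } for pid=1275 comm="glusterfs" scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:httpd_sys_rw_content_t:s0 tclass=filesystem permissive=1
type=AVC msg=audit(1569250363.317:31): avc: denied { relabelto } for pid=1275 comm="glusterfs" scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:httpd_sys_rw_content_t:s0 tclass=filesystem permissive=1
type=AVC msg=audit(1569250363.317:31): avc: denied { relabelfrom } for pid=1275 comm="glusterfs" scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=filesystem permissive=1'

# avc_to_rules: read AVC records on stdin and print one "allow" rule per
# (source type, target type, class), merging and sorting the denied permissions.
avc_to_rules() {
  awk '/type=AVC/ && /denied/ {
    p = $0; sub(/.*denied *\{ */, "", p); sub(/ *\}.*/, "", p)
    s = $0; sub(/.*scontext=/, "", s); sub(/ .*/, "", s); split(s, sa, ":")
    t = $0; sub(/.*tcontext=/, "", t); sub(/ .*/, "", t); split(t, ta, ":")
    c = $0; sub(/.*tclass=/, "", c); sub(/ .*/, "", c)
    n = split(p, pa, " ")
    for (i = 1; i <= n; i++) print sa[3], ta[3] ":" c, pa[i]
  }' | sort -u | awk '{ k = $1 " " $2; r[k] = r[k] " " $3 }
                     END { for (k in r) print "allow " k " {" r[k] " };" }' | sort
}

# te_module NAME: wrap the rules in a loadable module source whose require
# block declares every type and every class (with the union of its permissions).
te_module() {
  rules=$(avc_to_rules)
  printf 'module %s 1.0;\n\nrequire {\n' "$1"
  printf '%s\n' "$rules" | awk '{ print $2; split($3, a, ":"); print a[1] }' \
    | sort -u | sed 's/^/    type /; s/$/;/'
  printf '%s\n' "$rules" | awk '{ split($3, a, ":"); p = $0
      sub(/.*\{ */, "", p); sub(/ *\}.*/, "", p)
      n = split(p, pa, " "); for (i = 1; i <= n; i++) print a[2], pa[i] }' \
    | sort -u | awk '{ cp[$1] = cp[$1] " " $2 }
                     END { for (c in cp) print "    class " c " {" cp[c] " };" }' | sort
  printf '}\n\n%s\n' "$rules"
}

# build_and_load NAME: compile, package and load the module, then show the
# resulting rule with sesearch. Needs root plus checkmodule, semodule_package,
# semodule (policycoreutils) and sesearch (setools); skipped if any is missing.
build_and_load() {
  for tool in checkmodule semodule_package semodule sesearch; do
    if ! command -v "$tool" >/dev/null 2>&1; then
      echo "skipping build: $tool not found" >&2
      return 0
    fi
  done
  dir=$(mktemp -d)
  te_module "$1" > "$dir/$1.te"
  checkmodule -M -m -o "$dir/$1.mod" "$dir/$1.te"
  semodule_package -o "$dir/$1.pp" -m "$dir/$1.mod"
  semodule -i "$dir/$1.pp"
  sesearch -A -s glusterd_t -t httpd_sys_rw_content_t -c filesystem -p mount,relabelfrom,relabelto
}

# On an affected host, feed live denials instead of the constructed sample:
#   ausearch -m AVC -ts boot --raw | te_module glusterd_context_mount
if [ "${1:-}" = "--build" ]; then
  printf '%s\n' "$AVC_SAMPLE" | build_and_load glusterd_context_mount
else
  printf '%s\n' "$AVC_SAMPLE" | te_module glusterd_context_mount
fi
```

Run it with --build as root, then `setenforce 1` and `mount /var/lib/pulp/content` to confirm the fstab entry from the description mounts in enforcing mode; `semodule -r glusterd_context_mount` removes the module once the fixed selinux-policy package is installed. The relabelfrom/relabelto permissions here are on class filesystem, so they cover only the context= mount option; they do not let glusterd relabel individual files.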
Hi Deepu,

Is this a real use case for glusterd users? Because if yes, we need to allow the glusterd_t SELinux domain to relabel all files on the system, which is not ideal, but if it's behaviour of the product, we need to allow it.

Thanks,
Lukas.

(In reply to Lukas Vrabec from comment #4)
> Hi Deepu,
>
> Is this a real use case for glusterd users? Because if yes, we need to allow
> the glusterd_t SELinux domain to relabel all files on the system, which is not
> ideal, but if it's behaviour of the product, we need to allow it.
>
> Thanks,
> Lukas.

This is a case where the Satellite repository storage point is over gluster, i.e. mounted on /var/lib/pulp/content. I believe the repository mount would require the context="system_u:object_r:httpd_sys_rw_content_t:s0". I haven't seen any other use cases.

Is it part of some tutorial or documentation?

Thanks,
Lukas.

(In reply to Lukas Vrabec from comment #6)
> Is it part of some tutorial or documentation?
>
> Thanks,
> Lukas.

The Satellite documentation mentions SELinux considerations for NFS mounts:
https://access.redhat.com/documentation/en-us/red_hat_satellite/6.5/html-single/installing_satellite_server_from_a_connected_network/index#storage_requirements

No explicit mention of gluster anywhere, but the guidelines mention using XFS or any shared filesystem:
https://docs.pulpproject.org/user-guide/scaling.html#clustering

I'll confirm with my team on this. Keeping the needinfo on me.

Hi Lukas,

There's no direct mention of gluster in the Satellite documentation, but there are users using it in their environment. On a general note, this should affect any httpd-based web application that has content shared over gluster, or simply any application directory which needs to have a specific SELinux context, with the data mounted from a gluster volume.

Thanks.

Deepu, I added fixes from Fedora.
commit af4b32d6a17855e1a1dd15a11eb879b82347c6f7 (HEAD -> rawhide, origin/rawhide, origin/HEAD)
Author: Lukas Vrabec <lvrabec>
Date:   Thu Oct 17 12:57:37 2019 +0200

    Allow Gluster mount client to mount files_type

    Gluster mount client should have same access like mount_t to mount and relabel all files_type types.

@Lukas: I am using glusterfs, server 3.12, has this been resolved yet? It's really painful to have multiple issues in gluster. I am also struggling right now to change context in gluster vols mounts, but as a workaround I am maintaining context-based different volumes (many mounts) which satisfy my current need, but the inability of gluster to auto mount gluster vols mount (those containing selinux mount options) after reboot is painful. Please let me know if there is some workaround.

Hello all,

Any feedback? Waiting for a solution, please advise if any.

This commit needs to be backported:

commit af4b32d6a17855e1a1dd15a11eb879b82347c6f7
Author: Lukas Vrabec <lvrabec>
Date:   Thu Oct 17 12:57:37 2019 +0200

    Allow Gluster mount client to mount files_type

    Gluster mount client should have same access like mount_t to mount and relabel all files_type types.

diff --git a/glusterd.te b/glusterd.te
index 3dc332a31..92a92374d 100644
--- a/glusterd.te
+++ b/glusterd.te
@@ -183,7 +183,9 @@ fs_getattr_all_fs(glusterd_t) fs_getattr_all_dirs(glusterd_t) files_mounton_non_security(glusterd_t) - +files_relabel_all_file_type_fs(glusterd_t) +files_mount_all_file_type_fs(glusterd_t) +files_unmount_all_file_type_fs(glusterd_t) files_dontaudit_read_security_files(glusterd_t) files_dontaudit_list_security_dirs(glusterd_t)

https://gitlab.cee.redhat.com/SELinux/selinux-policy/-/merge_requests/54/diffs?commit_id=5084c7021f2ab5003f9008d0b5abfc9f5a910d27

commit 5084c7021f2ab5003f9008d0b5abfc9f5a910d27 (HEAD -> rhel8.3-contrib, origin/rhel8.3-contrib)
Author: Lukas Vrabec <lvrabec>
Date:   Thu Oct 17 12:57:37 2019 +0200

    Allow Gluster mount client to mount files_type

    Gluster mount client should have same access like mount_t to mount and relabel all files_type types.

    Resolves: rhbz#1753626

Also cleaning the needinfo flag.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4528
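Review bot: the three files_*_all_file_type_fs interfaces added in the glusterd.te hunk give glusterd_t mount, unmount, relabelfrom and relabelto on every filesystem carrying a file_type label, which is much wider than the one label the report needs (httpd_sys_rw_content_t on class filesystem); comment 4 already calls this "not ideal", so the commit message should say why mount_t-equivalent scope is required instead of a rule limited to httpd content types, or the access should be gated by a boolean. Separately, the fourth AVC in the report is relabelfrom on fusefs_t in class filesystem, and none of the three added interfaces name fusefs_t; please confirm in enforcing mode that glusterd_t already holds that permission through another rule in glusterd.te, otherwise the context= mount will still fail after the fix. Minor: the hunk also drops the blank line after files_mounton_non_security(glusterd_t), which could stay to separate the files_* groups.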