Bug 1818783

Summary: [RHEL8] [SELinux] CTDB is unhealthy with selinux set to Enforcing in RHEL-8.2
Product: [Red Hat Storage] Red Hat Gluster Storage
Reporter: Vivek Das <vdas>
Component: samba
Assignee: Anoop C S <anoopcs>
Status: CLOSED ERRATA
QA Contact: Vivek Das <vdas>
Severity: urgent
Docs Contact:
Priority: unspecified
Version: rhgs-3.5
CC: anoopcs, gdeschner, rhs-smb, smaitra
Target Milestone: ---
Keywords: TestBlocker, TestBlockerForLayeredProduct, ZStream
Target Release: RHGS 3.5.z Batch Update 2
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of:
: 1819243
Environment:
Last Closed: 2020-06-16 05:46:58 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1819243, 1821226
Bug Blocks: 1786127

Description Vivek Das 2020-03-30 11:24:36 UTC
Description of problem:
ctdb status is UNHEALTHY with below avc denied messages

type=AVC msg=audit(1585585164.848:7647): avc:  denied  { map } for  pid=104579 comm="smbd" path="/var/lib/ctdb/volatile/g_lock.tdb.3" dev="dm-0" ino=33884292 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file permissive=0

type=AVC msg=audit(1585585164.848:7648): avc:  denied  { map } for  pid=104579 comm="smbd" path="/var/lib/ctdb/volatile/g_lock.tdb.3" dev="dm-0" ino=33884292 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file permissive=0

With permissive mode ctdb is healthy.

Version-Release number of selected component (if applicable):
samba-4.11.6-105.el8rhgs.x86_64
RHEL-8.2
selinux-policy-3.14.3-40.el8.noarch

How reproducible:
Always

Steps to Reproduce:
1. Setup RHGS-Samba in RHEL-8.2
2. Start CTDB
3.

Actual results:
ctdb status is unhealthy

Expected results:
ctdb status should be healthy

Additional info:
AVC denial messages
----------------------
type=AVC msg=audit(1585585428.380:7993): avc:  denied  { map } for  pid=108075 comm="smbd" path="/var/lib/ctdb/persistent/secrets.tdb.3" dev="dm-0" ino=69818 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1585585428.383:7994): avc:  denied  { map } for  pid=108075 comm="smbd" path="/var/lib/ctdb/volatile/g_lock.tdb.3" dev="dm-0" ino=33884292 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1585585428.383:7995): avc:  denied  { map } for  pid=108075 comm="smbd" path="/var/lib/ctdb/volatile/g_lock.tdb.3" dev="dm-0" ino=33884292 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1585585428.392:7996): avc:  denied  { map } for  pid=108075 comm="smbd" path="/var/lib/ctdb/persistent/secrets.tdb.3" dev="dm-0" ino=69818 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1585585428.392:7997): avc:  denied  { map } for  pid=108075 comm="smbd" path="/var/lib/ctdb/volatile/g_lock.tdb.3" dev="dm-0" ino=33884292 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1585585428.392:7998): avc:  denied  { map } for  pid=108075 comm="smbd" path="/var/lib/ctdb/volatile/g_lock.tdb.3" dev="dm-0" ino=33884292 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file permissive=0
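
Added example (not part of the original report, and not Red Hat's tooling): the denials above differ only in path and audit serial, so grouping them by source type, target type, class and permission shows that they all come down to one missing permission. The function names are this example's own; the three sample records are copied from the report.

```python
import re
from collections import defaultdict

# Three AVC records copied verbatim from the report above.
SAMPLE = """\
type=AVC msg=audit(1585585428.380:7993): avc:  denied  { map } for  pid=108075 comm="smbd" path="/var/lib/ctdb/persistent/secrets.tdb.3" dev="dm-0" ino=69818 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1585585428.383:7994): avc:  denied  { map } for  pid=108075 comm="smbd" path="/var/lib/ctdb/volatile/g_lock.tdb.3" dev="dm-0" ino=33884292 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1585585428.383:7995): avc:  denied  { map } for  pid=108075 comm="smbd" path="/var/lib/ctdb/volatile/g_lock.tdb.3" dev="dm-0" ino=33884292 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$")
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')  # key=value or key="quoted value"

def parse_avc(line):
    """Parse one audit AVC record; return None for anything else."""
    m = AVC_RE.search(line)
    if not line.startswith("type=AVC") or not m:
        return None
    fields = {k: (q if raw.startswith('"') else raw)
              for k, raw, q in KV_RE.findall(m.group(3))}
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None
    return {
        "result": m.group(1),
        "perms": m.group(2).split(),
        # A context is user:role:type:level, so the type is the third field.
        "source": fields["scontext"].split(":")[2],
        "target": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "path": fields.get("path", "?"),
        "enforced": fields.get("permissive") == "0",
    }

def summarize(text):
    """Group denials by (source type, target type, class, permission)."""
    groups = defaultdict(lambda: {"count": 0, "paths": set(), "enforced": False})
    for line in text.splitlines():
        rec = parse_avc(line.strip())
        if rec is None or rec["result"] != "denied":
            continue
        for perm in rec["perms"]:
            g = groups[(rec["source"], rec["target"], rec["tclass"], perm)]
            g["count"] += 1
            g["paths"].add(rec["path"])
            g["enforced"] |= rec["enforced"]
    return dict(groups)

def candidate_rules(groups):
    # The access the denials show as missing, written as policy rules for
    # review. This is not necessarily the change shipped in the advisory.
    return sorted(f"allow {s} {t}:{c} {p};" for (s, t, c, p) in groups)

if __name__ == "__main__":
    print("\n".join(candidate_rules(summarize(SAMPLE))))
```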

Comment 12 errata-xmlrpc 2020-06-16 05:46:58 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:2574