Bug 1955461

Summary: RHVH 4.4.6: There are gluster related AVC denied errors in audit.log after upgrade
Product: [Red Hat Storage] Red Hat Gluster Storage
Reporter: Sandro Bonazzola <sbonazzo>
Component: selinux
Assignee: Nobody <nobody>
Status: CLOSED ERRATA
QA Contact: SATHEESARAN <sasundar>
Severity: medium
Docs Contact:
Priority: unspecified
Version: rhgs-3.5
CC: godas, lveyde, peyu, pprakash, rcyriac, rhs-bugs, sasundar, sheggodu
Target Milestone: ---
Keywords: Regression, ZStream
Target Release: RHGS 3.5.z Batch Update 7
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-10-05 07:56:28 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1955415, 2020997, 2111410

Description Sandro Bonazzola 2021-04-30 07:43:23 UTC
This bug was initially created as a copy of Bug #1955415

I am copying this bug because: glusterd related AVC denials are usually handled within glusterfs-selinux package.



Description of problem:
After RHVH is upgraded to the latest 4.4.6, there are AVC denied errors in audit.log

Version-Release number of selected component (if applicable):
RHVM: 4.4.6.5-0.17.el8ev
RHVH: redhat-virtualization-host-4.4.6-20210426.0.el8_4
RHGS: glusterfs-selinux-1.0-4.el8rhgs.noarch
RHEL: selinux-policy-3.14.3-67.el8.noarch , selinux-policy-targeted-3.14.3-67.el8.noarch


How reproducible:
100%

Steps to Reproduce:
1. Install RHVH-4.4-20210331.0-RHVH-x86_64-dvd1.iso
2. Add host to RHVM
3. Login to host, setup local repos and point to "redhat-virtualization-host-4.4.6-20210426.0.el8_4"
4. Remove audit.log before upgrade
   # mv /var/log/audit/audit.log /var/log/audit/audit.log.bak
5. Upgrade the host via RHVM
6. Check avc denied info in audit.log after upgrade
   # grep 'avc:  denied' /var/log/audit/audit.log

Actual results:
There are AVC denied errors in audit.log
~~~~~~
# grep 'avc:  denied' /var/log/audit/audit.log
type=AVC msg=audit(1619768225.841:76): avc:  denied  { create } for  pid=1969 comm="glusterd" scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:glusterd_t:s0 tclass=netlink_rdma_socket permissive=0
type=AVC msg=audit(1619768225.841:77): avc:  denied  { create } for  pid=1969 comm="glusterd" scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:glusterd_t:s0 tclass=netlink_rdma_socket permissive=0
type=AVC msg=audit(1619753841.383:100): avc:  denied  { write } for  pid=5708 comm="NetworkManager" path="/var/tmp/dracut.bN9njs/systemd-cat" dev="dm-8" ino=12583537 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:kdumpctl_tmp_t:s0 tclass=fifo_file permissive=0
~~~~~~

Expected results:
After upgrade, there is no AVC denied error in audit.log 

Additional info:

Comment 14 SATHEESARAN 2021-05-19 13:20:45 UTC
I have tested the same with RHVH 4.4.6.
This happens when updating from RHVH 4.4.5 to 4.4.6, but the same AVCs are not seen with 
the fresh installation and deployment of RHHI-V 1.8.5 on RHVH 4.4.6

Comment 15 SATHEESARAN 2021-05-19 13:21:31 UTC
Again, there is no functional loss seen with these AVCs

Comment 27 SATHEESARAN 2021-08-24 02:40:41 UTC
Tested with glusterfs-selinux-1.0-5.el8rhgs with RHVH 4.4.8 interim build (RHVH-4.4-20210818.0-RHVH-x86_64-dvd1.iso)
There are no AVC messages seen related to RDMA when restarting glusterd.

This was verified with the steps:
1. Installed RHVH 4.4.5, and every time, restarting glusterd introduced AVC denials for RDMA
<snip>
type=AVC msg=audit(1629772417.256:33): avc:  denied  { create } for  pid=1182 comm="glusterd" scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:glusterd_t:s0 tclass=netlink_rdma_socket permissive=0
type=AVC msg=audit(1629772417.256:34): avc:  denied  { create } for  pid=1182 comm="glusterd" scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:glusterd_t:s0 tclass=netlink_rdma_socket permissive=0
</snip>

2. Upgraded the RHVH 4.4.5 to RHVH 4.4.8 and installed glusterfs-selinux-1.0-5.el8rhgs, rebooted the node.
After the RHVH node is up, restarting glusterd had no AVC denials reported.

Comment 30 errata-xmlrpc 2021-10-05 07:56:28 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (RHGS 3.5.z Batch Update 5 glusterfs bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:3729
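
The `grep 'avc:  denied'` check used in the reproduction and verification steps above can be turned into a per-domain summary, which makes it easy to confirm that a policy update removed the `glusterd_t` denials while unrelated ones remain visible. This is an added example, not part of the bug report or the glusterfs-selinux package; the function names are illustrative, and the sample records are the three AVC lines quoted in the description.

```python
import re
from collections import Counter

# Sample input: the three AVC records quoted in the bug description.
SAMPLE_LOG = """\
type=AVC msg=audit(1619768225.841:76): avc:  denied  { create } for  pid=1969 comm="glusterd" scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:glusterd_t:s0 tclass=netlink_rdma_socket permissive=0
type=AVC msg=audit(1619768225.841:77): avc:  denied  { create } for  pid=1969 comm="glusterd" scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:glusterd_t:s0 tclass=netlink_rdma_socket permissive=0
type=AVC msg=audit(1619753841.383:100): avc:  denied  { write } for  pid=5708 comm="NetworkManager" path="/var/tmp/dracut.bN9njs/systemd-cat" dev="dm-8" ino=12583537 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:kdumpctl_tmp_t:s0 tclass=fifo_file permissive=0
"""

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): '
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"

def parse_avc(line):
    """Return a dict for one AVC denial record, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = tuple(m.group("perms").split())
    rec["serial"] = int(m.group("serial"))
    # An SELinux context is user:role:type:level; the type is the third field.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def summarize(log_text):
    """Count denials per (comm, source type, target type, class, permissions)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            counts[(rec["comm"], rec["stype"], rec["ttype"],
                    rec["tclass"], rec["perms"])] += 1
    return counts

def denials_for_domain(log_text, domain):
    """Keep only denials whose source domain matches, e.g. 'glusterd_t'."""
    return {k: n for k, n in summarize(log_text).items() if k[1] == domain}

if __name__ == "__main__":
    for (comm, st, tt, cls, perms), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{n}x {comm}: {st} -> {tt}:{cls} {{ {' '.join(perms)} }}")
```

An empty result from `denials_for_domain(log, "glusterd_t")` on the post-upgrade log corresponds to the verified state reported in Comment 27.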