Bug 855286
| Field | Value |
|---|---|
| Summary | SELinux is preventing /usr/sbin/sanlock from getattr access on Posix Compliant FS storage type |
| Product | Red Hat Enterprise Linux 6 |
| Reporter | Anush Shetty <ashetty> |
| Component | selinux-policy |
| Assignee | Miroslav Grepl <mgrepl> |
| Status | CLOSED ERRATA |
| QA Contact | Michal Trunecka <mtruneck> |
| Severity | unspecified |
| Priority | unspecified |
| Version | 6.3 |
| CC | cpelland, dwalsh, dyasny, ebenes, fsimonce, grajaiya, iheim, lpeer, mmalik, mtruneck, Rhev-m-bugs, syeghiay, vbellur, yeylon, ykaul |
| Target Milestone | rc |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Whiteboard | storage |
| Fixed In Version | selinux-policy-3.7.19-171.el6 |
| Doc Type | Bug Fix |
| Story Points | --- |
| Clones | 877986 |
| Last Closed | 2013-02-21 08:28:43 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
| Bug Blocks | 877986 |
Description
Anush Shetty
2012-09-07 08:32:18 UTC
Please state which version of selinux policy you are using as well as sanlock RPM. Regardless, it's not a RHEV-M backend bug.

```
# rpm -qa | grep sanlock
sanlock-2.3-3.el6_3.x86_64
sanlock-lib-2.3-3.el6_3.x86_64
sanlock-python-2.3-3.el6_3.x86_64
# rpm -qa | grep selinux
libselinux-2.0.94-5.3.el6.x86_64
libselinux-utils-2.0.94-5.3.el6.x86_64
selinux-policy-3.7.19-155.el6_3.noarch
selinux-policy-targeted-3.7.19-155.el6_3.noarch
libselinux-python-2.0.94-5.3.el6.x86_64
```

If you cut off the alert message we do not see the AVCs and cannot diagnose the problem. Please attach the avc messages.

```
type=AVC msg=audit(1350303946.329:19488): avc: denied { search } for pid=3147 comm="sanlock" name="mnt" dev=sda3 ino=22544387 scontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1350303946.329:19488): avc: denied { search } for pid=3147 comm="sanlock" name="/" dev=fuse ino=1 scontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir
type=AVC msg=audit(1350303946.329:19488): avc: denied { read write } for pid=3147 comm="sanlock" name="leases" dev=fuse ino=10431266204161846275 scontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fusefs_t:s0 tclass=file
type=AVC msg=audit(1350303946.329:19488): avc: denied { open } for pid=3147 comm="sanlock" name="leases" dev=fuse ino=10431266204161846275 scontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fusefs_t:s0 tclass=file
type=SYSCALL msg=audit(1350303946.329:19488): arch=c000003e syscall=2 success=yes exit=10 a0=7f3490020578 a1=105002 a2=0 a3=0 items=0 ppid=1 pid=3147 auid=4294967295 uid=179 gid=179 euid=179 suid=179 fsuid=179 egid=179 sgid=179 fsgid=179 tty=(none) ses=4294967295 comm="sanlock" exe="/usr/sbin/sanlock" subj=system_u:system_r:sanlock_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1350303946.331:19489): avc: denied { getattr } for pid=3147 comm="sanlock" path="/rhev/data-center/mnt/rhs-client36.lab.eng.blr.redhat.com:_dist-replica/7746e77b-7475-4fb8-ab7f-fd85773c5762/dom_md/leases" dev=fuse ino=10431266204161846275 scontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fusefs_t:s0 tclass=file
type=SYSCALL msg=audit(1350303946.331:19489): arch=c000003e syscall=5 success=yes exit=0 a0=a a1=7f34a0900590 a2=7f34a0900590 a3=0 items=0 ppid=1 pid=3147 auid=4294967295 uid=179 gid=179 euid=179 suid=179 fsuid=179 egid=179 sgid=179 fsgid=179 tty=(none) ses=4294967295 comm="sanlock" exe="/usr/sbin/sanlock" subj=system_u:system_r:sanlock_t:s0-s0:c0.c1023 key=(null)
```

You seem to have a file system mounted at /mnt without labels "file_t". Have you tried to turn on the sanlock_use_fusefs boolean?

```
setsebool -P sanlock_use_fusefs 1
```

I know this boolean is in selinux-policy-3.7.19-171.el6 for RHEL6.4. Currently available on http://people.redhat.com/dwalsh/SELinux/RHEL6/noarch/

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0314.html
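As an added example (not part of the bug report or of the selinux-policy project), a small Python parser that groups AVC records like the ones in this thread by source type, target type and object class, and flags the sanlock_t to fusefs_t denials as the case the sanlock_use_fusefs boolean addresses. The sample records are constructed copies of the thread's AVC lines with the long path shortened; the remedy table is an assumption drawn only from what the thread says.

```python
import re
from collections import defaultdict

# Constructed sample: AVC records modelled on the ones quoted in the bug.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1350303946.329:19488): avc: denied { search } for pid=3147 comm="sanlock" name="mnt" dev=sda3 ino=22544387 scontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1350303946.329:19488): avc: denied { search } for pid=3147 comm="sanlock" name="/" dev=fuse ino=1 scontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir
type=AVC msg=audit(1350303946.329:19488): avc: denied { read write } for pid=3147 comm="sanlock" name="leases" dev=fuse ino=10431266204161846275 scontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fusefs_t:s0 tclass=file
type=AVC msg=audit(1350303946.331:19489): avc: denied { getattr } for pid=3147 comm="sanlock" path="/rhev/data-center/mnt/SHORTENED/dom_md/leases" dev=fuse ino=10431266204161846275 scontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fusefs_t:s0 tclass=file
type=SYSCALL msg=audit(1350303946.331:19489): arch=c000003e syscall=5 success=yes exit=0 comm="sanlock" exe="/usr/sbin/sanlock"
"""

# Permissions inside braces, then the three context/class fields that decide the rule.
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}.*?'
                    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)')

def selinux_type(context):
    # user:role:type[:range]  ->  type
    return context.split(':')[2]

def summarize_denials(audit_text):
    """Group AVC denials by (source type, target type, class) -> sorted permissions."""
    groups = defaultdict(set)
    for line in audit_text.splitlines():
        if not line.startswith('type=AVC'):
            continue  # SYSCALL and other record types carry no denial
        m = AVC_RE.search(line)
        if not m:
            continue
        key = (selinux_type(m['scontext']), selinux_type(m['tcontext']), m['tclass'])
        groups[key].update(m['perms'].split())
    return {k: sorted(v) for k, v in groups.items()}

def recommend(summary):
    """Hypothetical remedy table taken from the thread: fusefs_t targets for sanlock_t
    are covered by the sanlock_use_fusefs boolean; file_t means an unlabeled target."""
    advice = {}
    for key in summary:
        stype, ttype, _ = key
        if stype == 'sanlock_t' and ttype == 'fusefs_t':
            advice[key] = 'setsebool -P sanlock_use_fusefs 1'
        elif ttype == 'file_t':
            advice[key] = 'target is unlabeled (file_t): check the labelling of the mount point'
    return advice

if __name__ == '__main__':
    for key, fix in recommend(summarize_denials(SAMPLE_AUDIT)).items():
        print(key, '->', fix)
```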