Bug 912908

Summary: SELinux is preventing /usr/sbin/glusterfsd (deleted) from read access on the directory /srv/media/Pictures
Product: Fedora
Reporter: Michael Cronenworth <mike>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 18
CC: dominick.grift, dwalsh, joe, jonathansteffan, kkeithle, mgrepl, silas
Hardware: x86_64
OS: Linux
Doc Type: Bug Fix
Type: Bug
Last Closed: 2013-03-14 03:03:30 UTC

Attachments:
- -82 messages (no flags)
- gluster -83 messages (no flags)
- gluster -83 messages part 2 (no flags)

Description Michael Cronenworth 2013-02-20 00:53:23 UTC
Description of problem:
SELinux is preventing /usr/sbin/glusterfsd (deleted) from read access on the directory /srv/media/Pictures.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that glusterfsd (deleted) should be allowed read access on the Pictures directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep glusterfsd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:glusterd_t:s0
Target Context                unconfined_u:object_r:var_t:s0
Target Objects                /srv/media/Pictures [ dir ]
Source                        glusterfsd
Source Path                   /usr/sbin/glusterfsd (deleted)
Port                          <Unknown>
Host                          balthasar.cchtml.com
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.11.1-79.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     balthasar.cchtml.com
Platform                      Linux balthasar.cchtml.com 3.7.7-201.fc18.x86_64
                              #1 SMP Tue Feb 12 22:35:01 UTC 2013 x86_64 x86_64
Alert Count                   2
First Seen                    2013-02-19 18:44:47 CST
Last Seen                     2013-02-19 18:45:34 CST
Local ID                      c6b19c94-bb40-44ff-bec3-f9a463347f79

Raw Audit Messages
type=AVC msg=audit(1361321134.553:14804): avc:  denied  { read } for  pid=2766 comm="glusterfsd" name="Pictures" dev="dm-1" ino=78315521 scontext=system_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=dir


type=SYSCALL msg=audit(1361321134.553:14804): arch=x86_64 syscall=openat success=yes exit=ENOTBLK a0=ffffffffffffff9c a1=7ffd0dad9c80 a2=90800 a3=0 items=0 ppid=1 pid=2766 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=glusterfsd exe=2F7573722F7362696E2F676C7573746572667364202864656C6574656429 subj=system_u:system_r:glusterd_t:s0 key=(null)

Hash: glusterfsd,glusterd_t,var_t,dir,read

audit2allow

#============= glusterd_t ==============
allow glusterd_t var_t:dir read;

audit2allow -R

#============= glusterd_t ==============
allow glusterd_t var_t:dir read;


Version-Release number of selected component (if applicable):
selinux-policy-3.11.1-79.fc18.noarch


Steps to Reproduce:
1. Attempt to view folders in a glusterfs directory.

  
Actual results: I can view files and folders, but I receive SELinux messages.


Expected results: No SELinux messages.


Additional info: These messages are brand new. They showed up after the fix for bug 911975.

Comment 1 Daniel Walsh 2013-02-20 10:19:00 UTC
Should glusterfsd be able to read/write anywhere, or is it usually just specific directories?

If you change the label on /srv/media/Pictures to glusterd_var_lib_t, it would be allowed to manage the directory.

# semanage fcontext -a -t glusterd_var_lib_t '/srv/media/Pictures(/.*)?'
# restorecon -R -v /srv/media/Pictures

We could add a boolean like we have for samba

samba_export_all_ro --> off
samba_export_all_rw --> off

Comment 2 Daniel Walsh 2013-02-20 10:25:04 UTC
Just added gluster_export_all_ro and gluster_export_all_rw booleans to Rawhide.

Comment 3 Daniel Walsh 2013-02-20 10:27:57 UTC
*** Bug 912910 has been marked as a duplicate of this bug. ***

Comment 4 Daniel Walsh 2013-02-20 10:29:25 UTC
*** Bug 912913 has been marked as a duplicate of this bug. ***

Comment 5 Kaleb KEITHLEY 2013-02-20 14:25:37 UTC
(In reply to comment #1)
> Should glusterfsd be able to read/write anywhere, or is it usually just
> specific directories?

glusterfsd should be able to read/write its brick(s), i.e. the backing volumes that constitute gluster volume(s).

Also /var/lib/glusterd/* and /var/log/glusterfs/*

Comment 6 Daniel Walsh 2013-02-22 13:19:45 UTC
In this case it is trying to use /srv/media/Pictures?

Can the Bricks be stored anywhere?

Is there a command set to create bricks? Should we label bricks or just let glusterfs write anywhere?

Comment 7 Michael Cronenworth 2013-02-22 13:29:41 UTC
Daniel,

I have two bricks on the machine that has generated SELinux messages.

Brick 1: /srv/media
Brick 2: /home/michael

The /srv/media/Pictures directory is a sub-directory in /srv/media and not a brick on its own. AFAIK, you can make any directory a brick.

The reason for this sudden influx of messages is due to the addition of the .glusterfs directory in GlusterFS 3.3 (F18). Fedora 17 had GlusterFS 3.2 so I didn't see these messages then.

http://joejulian.name/blog/what-is-this-new-glusterfs-directory-in-33/

Comment 8 Daniel Walsh 2013-02-22 14:09:43 UTC
I guess without a fixed directory that most people define bricks in, then we need to allow glusterfsd to write anywhere it wants, pretty much unconfined.

Comment 9 Kaleb KEITHLEY 2013-02-24 09:27:37 UTC
(In reply to comment #8)
> I guess without a fixed directory that most people define bricks in, then we
> need to allow glusterfsd to write anywhere it wants, pretty much unconfined.

Yes, as with NFS (server), the backing volumes that are exported can be pretty much anywhere in the file system.
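
The thread offers three ways to deal with this denial: the setroubleshoot catchall in the description (an audit2allow module that grants glusterd_t read on every var_t directory), the targeted relabel in comment 1 (semanage fcontext plus restorecon), and the gluster_export_all_ro/rw booleans from comment 2, which comments 9 and 11 make the default because bricks can live anywhere. The triage script below is an added example and is not code from this bug report, from selinux-policy or from GlusterFS. It parses the AVC record quoted in the description, reproduces the rule audit2allow would emit (so you can see that its target type, var_t, is far wider than the one directory), and then picks the narrowest fix: relabel the brick root when the path lies under one of the bricks listed in comment 7, otherwise fall back to the boolean. It generalises comment 1 slightly by labelling the whole brick root (/srv/media, per comment 7) rather than only the Pictures sub-directory. Assumptions, marked in the code: the brick list (in practice it would come from `gluster volume info`), the glusterd_var_lib_t type being the right label for brick contents on this policy version, and the BROAD_TYPES set.

```python
"""Triage an SELinux AVC denial for glusterfsd and emit the narrowest fix.

Added example; not code from bug 912908, selinux-policy or GlusterFS.
"""
import re
from dataclasses import dataclass

# Constructed sample: the AVC record quoted in the bug description.
SAMPLE_AVC = ('type=AVC msg=audit(1361321134.553:14804): avc:  denied  { read } for  pid=2766 '
              'comm="glusterfsd" name="Pictures" dev="dm-1" ino=78315521 '
              'scontext=system_u:system_r:glusterd_t:s0 '
              'tcontext=unconfined_u:object_r:var_t:s0 tclass=dir')

# Brick roots as listed in comment 7. Assumption: a real tool would read them
# from `gluster volume info` instead of hard-coding them.
SAMPLE_BRICKS = ['/srv/media', '/home/michael']

# Type suggested in comment 1 for gluster-managed data. Assumption: it is the
# right label for brick contents on selinux-policy-3.11.1-79.fc18.
BRICK_TYPE = 'glusterd_var_lib_t'

# Assumption: generic types that many domains touch. An `allow` on one of
# these is far wider than the single directory that triggered the denial.
BROAD_TYPES = {'var_t', 'usr_t', 'etc_t', 'home_root_t', 'user_home_t',
               'user_home_dir_t', 'default_t', 'tmp_t'}

# Permissions that never modify the object; anything else needs the rw boolean.
READ_ONLY_PERMS = {'read', 'getattr', 'open', 'search', 'lock', 'ioctl'}

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)')


@dataclass(frozen=True)
class Denial:
    perms: tuple   # e.g. ('read',)
    sdomain: str   # source type, e.g. glusterd_t
    ttype: str     # target type, e.g. var_t
    tclass: str    # object class, e.g. dir


def parse_avc(line):
    """Extract perms, source domain, target type and class from one AVC record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return Denial(perms=tuple(m['perms'].split()),
                  sdomain=m['scontext'].split(':')[2],
                  ttype=m['tcontext'].split(':')[2],
                  tclass=m['tclass'])


def catchall_rule(d):
    """The TE rule audit2allow would emit for this denial (the catchall fix)."""
    perms = d.perms[0] if len(d.perms) == 1 else '{ %s }' % ' '.join(d.perms)
    return 'allow %s %s:%s %s;' % (d.sdomain, d.ttype, d.tclass, perms)


def catchall_is_broad(d):
    """True when the audit2allow rule would open a type shared by many services."""
    return d.ttype in BROAD_TYPES


def brick_root(path, bricks):
    """Longest configured brick root that contains path, or None."""
    best = None
    for b in bricks:
        root = b.rstrip('/')
        if path == root or path.startswith(root + '/'):
            if best is None or len(root) > len(best):
                best = root
    return best


def plan(d, path, bricks):
    """Return (kind, commands): relabel the brick if the path is in one,
    otherwise enable the narrowest gluster_export_all_* boolean."""
    root = brick_root(path, bricks)
    if root is not None:
        # The fcontext argument is a regex: escape roots that contain metacharacters.
        return ('relabel', [
            "semanage fcontext -a -t %s '%s(/.*)?'" % (BRICK_TYPE, root),
            'restorecon -R -v %s' % root,
        ])
    name = 'gluster_export_all_ro' if set(d.perms) <= READ_ONLY_PERMS else 'gluster_export_all_rw'
    return ('boolean', ['setsebool -P %s on' % name])


if __name__ == '__main__':
    d = parse_avc(SAMPLE_AVC)
    print('audit2allow would add:', catchall_rule(d), '(broad)' if catchall_is_broad(d) else '')
    for cmd in plan(d, '/srv/media/Pictures', SAMPLE_BRICKS)[1]:
        print('#', cmd)
```

Run it as root only after reviewing the printed commands; it never executes them itself. Before relabelling, confirm on the running policy that the type really grants what you expect, for example `sesearch -A -s glusterd_t -t glusterd_var_lib_t -c dir`, and note that the booleans only exist from the -83 policy onward (comments 2 and 13); on -79 the relabel is the only non-catchall option.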

Comment 10 Daniel Walsh 2013-02-28 16:35:23 UTC
Miroslav, back-port policy from Rawhide, which should fix this issue.

Comment 11 Miroslav Grepl 2013-03-01 14:03:14 UTC
Should be backported in the latest policy.

commit 468a01306df82869b679bba33de6857f9e68feec
Author: Dan Walsh <dwalsh>
Date:   Fri Feb 22 15:10:44 2013 +0100

    Allow glusterd to read/write anywhere on the file system by default

Comment 12 Michael Cronenworth 2013-03-02 17:56:16 UTC
Created attachment 704497 [details]
-82 messages

Not quite fixed. I loaded selinux-policy-3.11.1-82.fc18 and I still see the attached SELinux messages.

Comment 13 Miroslav Grepl 2013-03-04 11:29:38 UTC
I apologize, there was a merge issue.

commit 05de711f9783ef471ea64ac1eb636ff29ee39ef2
Author: Miroslav Grepl <mgrepl>
Date:   Mon Mar 4 12:28:09 2013 +0100

    Add missing rules for gluster boolean

Comment 14 Fedora Update System 2013-03-04 12:11:20 UTC
selinux-policy-3.11.1-83.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-83.fc18

Comment 15 Fedora Update System 2013-03-04 22:34:01 UTC
Package selinux-policy-3.11.1-83.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-83.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-3398/selinux-policy-3.11.1-83.fc18
then log in and leave karma (feedback).

Comment 16 Michael Cronenworth 2013-03-05 00:40:36 UTC
Created attachment 705246 [details]
gluster -83 messages

Better, but now I'm seeing new messages with -83. Attached.

The home directory messages are when I attempted to create a directory in my home folder. The GPG socket access is not something I performed. It must be glusterd's automatic process.

Comment 17 Michael Cronenworth 2013-03-05 03:08:23 UTC
Created attachment 705265 [details]
gluster -83 messages part 2

I have seen two more, new messages. Both were seen when I attempted to move a directory's contents and then delete the directory after it was empty.

Comment 18 Daniel Walsh 2013-03-05 19:30:21 UTC
f47f601e3fb8a94dc7475ef3bd9ff5016c44e55f fixes this in Rawhide.

Comment 19 Miroslav Grepl 2013-03-07 09:35:10 UTC
Has been backported.

Comment 20 Fedora Update System 2013-03-08 16:12:18 UTC
selinux-policy-3.11.1-84.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-84.fc18

Comment 21 Fedora Update System 2013-03-08 23:59:46 UTC
Package selinux-policy-3.11.1-84.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-84.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-3605/selinux-policy-3.11.1-84.fc18
then log in and leave karma (feedback).

Comment 22 Fedora Update System 2013-03-14 03:03:32 UTC
selinux-policy-3.11.1-85.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.