Bug 912908
Summary: SELinux is preventing /usr/sbin/glusterfsd (deleted) from read access on the directory /srv/media/Pictures

Field | Value
---|---
Product | Fedora
Component | selinux-policy
Version | 18
Hardware | x86_64
OS | Linux
Status | CLOSED ERRATA
Severity | unspecified
Priority | unspecified
Reporter | Michael Cronenworth <mike>
Assignee | Miroslav Grepl <mgrepl>
QA Contact | Fedora Extras Quality Assurance <extras-qa>
CC | dominick.grift, dwalsh, joe, jonathansteffan, kkeithle, mgrepl, silas
Type | Bug
Doc Type | Bug Fix
Last Closed | 2013-03-14 03:03:30 UTC
Description
Michael Cronenworth
2013-02-20 00:53:23 UTC
Should glusterfsd be able to read/write anywhere or is it usually just specific directories. If you change the label on /srv/media/Pictures to glusterd_var_lib_t it would be allowed to manage the directory.

# semanage fcontext -a -t glusterd_var_lib_t '/srv/media/Pictures(/.*)?'
# restorecon -R -v /srv/media/Pictures

We could add a boolean like we have for samba:

samba_export_all_ro --> off
samba_export_all_rw --> off

Just added gluster_export_all_ro and gluster_export_all_rw booleans to rawhide.

*** Bug 912910 has been marked as a duplicate of this bug. ***

*** Bug 912913 has been marked as a duplicate of this bug. ***

(In reply to comment #1)
> Should glusterfsd be able to read/write anywhere or is it usually just
> specific directories.

glusterfsd should be able to read/write its brick(s), i.e. the backing volumes that constitute gluster volume(s). Also /var/lib/glusterd/* and /var/log/glusterfs/*

In this case it is trying to use /srv/media/Pictures? Can the Bricks be stored anywhere? Is there a command set to create bricks? Should we label bricks or just let glusterfs write anywhere.

Daniel, I have two bricks on the machine that has generated SELinux messages.

Brick 1: /srv/media
Brick 2: /home/michael

The /srv/media/Pictures directory is a sub-directory in /srv/media and not a brick on its own. AFAIK, you can make any directory a brick.

The reason for this sudden influx of messages is due to the addition of the .glusterfs directory in GlusterFS 3.3 (F18). Fedora 17 had GlusterFS 3.2 so I didn't see these messages then.

http://joejulian.name/blog/what-is-this-new-glusterfs-directory-in-33/

I guess without a fixed directory that most people define bricks in, then we need to allow glusterfsd to write anywhere it wants, pretty much unconfined.

(In reply to comment #8)
> I guess without a fixed directory that most people define bricks in, then we
> need to allow glusterfsd to write anywhere it wants, pretty much unconfined.

Yes, as with NFS (server), the backing volumes that are exported can be pretty much anywhere in the file system.

Miroslav, back port policy from Rawhide, which should fix this issue.

Should be backported in the latest policy.

commit 468a01306df82869b679bba33de6857f9e68feec
Author: Dan Walsh <dwalsh>
Date:   Fri Feb 22 15:10:44 2013 +0100

    Allow glusterd to read/write anywhere on the file system by default

Created attachment 704497 [details]
-82 messages

Not quite fixed. I loaded selinux-policy-3.11.1-82.fc18 and I still see the attached SELinux messages.
I apologize, there was a merge issue.

commit 05de711f9783ef471ea64ac1eb636ff29ee39ef2
Author: Miroslav Grepl <mgrepl>
Date:   Mon Mar 4 12:28:09 2013 +0100

    Add missing rules for gluster boolean

selinux-policy-3.11.1-83.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-83.fc18

Package selinux-policy-3.11.1-83.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-83.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-3398/selinux-policy-3.11.1-83.fc18
then log in and leave karma (feedback).

Created attachment 705246 [details]
gluster -83 messages
Better, but now I'm seeing new messages with -83. Attached.
The home directory messages are when I attempted to create a directory in my home folder. The GPG socket access is not something I performed. It must be glusterd's automatic process.
Created attachment 705265 [details]
gluster -83 messages part 2
I have seen two more, new messages. Both were seen when I attempted to move a directory's contents and then delete the directory after it was empty.
f47f601e3fb8a94dc7475ef3bd9ff5016c44e55f fixes this in Rawhide. Has been backported.

selinux-policy-3.11.1-84.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-84.fc18

Package selinux-policy-3.11.1-84.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-84.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-3605/selinux-policy-3.11.1-84.fc18
then log in and leave karma (feedback).

selinux-policy-3.11.1-85.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
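The thread above offers two ways to stop these denials: the tight fix (label each brick root `glusterd_var_lib_t` with `semanage fcontext` plus `restorecon`) and the broad one (the `gluster_export_all_ro` / `gluster_export_all_rw` booleans). The script below is an added example, not code from this bug report or from the selinux-policy or GlusterFS projects. It parses audit-log AVC records, keeps only those from the `glusterd_t` domain, maps each denied path onto a configured brick root and prints the commands for whichever fix the operator chooses. The type and boolean names are taken from the thread; the domain name `glusterd_t`, the source-type field positions and the sample AVC lines are assumptions constructed for illustration (they are not the report's attachments). Records that carry only `name=` and no `path=` cannot be mapped to a brick and are reported separately, which is the usual blind spot when triaging directory-create denials like the ones in the later comments.

```python
"""Triage SELinux AVC denials hitting GlusterFS bricks and emit the fix.

Added example for this bug report; not code from the report or from the
selinux-policy/GlusterFS projects. Type and boolean names come from the
thread; the audit records below are constructed for illustration.
"""
import re

# Constructed sample records in audit.log AVC format (not the bug's attachments).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1361321603.123:456): avc:  denied  { read } for  pid=1234 comm="glusterfsd" name="Pictures" dev="sda3" ino=7890 scontext=system_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=dir
type=AVC msg=audit(1361321603.456:457): avc:  denied  { write } for  pid=1234 comm="glusterfsd" path="/srv/media/Pictures/.glusterfs" dev="sda3" ino=7891 scontext=system_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=dir
type=AVC msg=audit(1361321603.789:458): avc:  denied  { write add_name } for  pid=1234 comm="glusterfsd" path="/home/michael" dev="sda5" ino=12 scontext=system_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1361321604.000:459): avc:  denied  { read } for  pid=999 comm="httpd" path="/srv/www/index.html" dev="sda3" ino=55 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
"""

GLUSTER_DOMAIN = "glusterd_t"          # assumed source domain of glusterd/glusterfsd
BRICK_TYPE = "glusterd_var_lib_t"      # file type the thread recommends for a brick
EXPORT_BOOLEANS = {"ro": "gluster_export_all_ro", "rw": "gluster_export_all_rw"}
# Permissions that mean the denial needs the rw boolean rather than the ro one.
WRITE_PERMS = {"write", "append", "create", "add_name", "remove_name",
               "rename", "unlink", "rmdir", "setattr", "link"}

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial line, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    if "scontext" not in fields or "tcontext" not in fields:
        return None
    rec = dict(fields)
    rec["perms"] = m.group("perms").split()
    rec["sdomain"] = fields["scontext"].split(":")[2]   # user:role:TYPE:level
    rec["ttype"] = fields["tcontext"].split(":")[2]
    return rec


def _norm(path):
    return path.rstrip("/") or "/"


def brick_root_for(path, bricks):
    """Return the configured brick root that contains path, or None."""
    for brick in bricks:
        root = _norm(brick)
        if path == root or path.startswith(root + "/"):
            return root
    return None


def fcontext_spec(brick):
    """semanage fcontext regex matching the brick root and everything below it."""
    # Escape regex metacharacters so an odd brick name cannot widen the match.
    escaped = re.sub(r"([.^$*+?()\[\]{}|\\])", r"\\\1", _norm(brick))
    return escaped + "(/.*)?"


def remediation(audit_text, bricks, mode="label"):
    """Map glusterd_t denials onto brick roots and produce the fix commands.

    mode="label":   per-brick fcontext + restorecon (only the bricks get access)
    mode="boolean": one setsebool turning on gluster_export_all_ro or _rw
    Denials that carry only name= (no path=) cannot be mapped and are returned
    under "unresolved" for manual review.
    """
    hits, unresolved, needs_rw = {}, [], False
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["sdomain"] != GLUSTER_DOMAIN:
            continue
        if set(rec["perms"]) & WRITE_PERMS:
            needs_rw = True
        root = brick_root_for(rec["path"], bricks) if "path" in rec else None
        if root is None:
            unresolved.append(rec)
        else:
            hits.setdefault(root, set()).update(rec["perms"])
    commands = []
    if mode == "label":
        for root in hits:   # dict keeps first-seen order
            commands.append(f"semanage fcontext -a -t {BRICK_TYPE} '{fcontext_spec(root)}'")
            commands.append(f"restorecon -R -v {root}")
    elif mode == "boolean":
        commands.append(f"setsebool -P {EXPORT_BOOLEANS['rw' if needs_rw else 'ro']} on")
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return {"bricks": hits, "unresolved": unresolved, "needs_rw": needs_rw, "commands": commands}


if __name__ == "__main__":
    result = remediation(SAMPLE_AUDIT_LOG, ["/srv/media", "/home/michael"])
    for cmd in result["commands"]:
        print(cmd)
    for rec in result["unresolved"]:
        print("unresolved:", rec.get("name"), rec["perms"], rec["ttype"])
```

Run it as root only after reviewing the printed commands; the script itself never executes them. The label mode is the one to prefer on a host that also exports data it does not want glusterfsd to touch, since the boolean grants the whole file system, which is exactly the trade-off the comments above discuss.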