Bug 1002682 - SELinux is preventing /usr/sbin/glusterfsd from write access on the sock_file
Summary: SELinux is preventing /usr/sbin/glusterfsd from write access on the sock_file
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 18
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2013-08-29 17:29 UTC by Michael Cronenworth
Modified: 2013-09-23 00:42 UTC (History)

Fixed In Version: selinux-policy-3.11.1-103.fc18
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-09-23 00:42:55 UTC
Type: Bug



Description Michael Cronenworth 2013-08-29 17:29:53 UTC
SELinux is preventing /usr/sbin/glusterfsd from write access on the sock_file 24e3f05817a37ea8e9cb4099a4f90199.socket.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that glusterfsd should be allowed write access on the 24e3f05817a37ea8e9cb4099a4f90199.socket sock_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep glusterd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:glusterd_t:s0
Target Context                system_u:object_r:var_run_t:s0
Target Objects                24e3f05817a37ea8e9cb4099a4f90199.socket [
                              sock_file ]
Source                        glusterd
Source Path                   /usr/sbin/glusterfsd
Port                          <Unknown>
Host                          balthasar.cchtml.com
Source RPM Packages           glusterfs-3.4.0-8.fc18.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.11.1-100.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     balthasar.cchtml.com
Platform                      Linux balthasar.cchtml.com 3.10.7-100.fc18.x86_64
                              #1 SMP Thu Aug 15 22:21:29 UTC 2013 x86_64 x86_64
Alert Count                   3781
First Seen                    2013-08-21 22:03:05 CDT
Last Seen                     2013-08-29 12:16:22 CDT
Local ID                      1c3cb355-1e5b-4420-81c8-23d8c242c588

Raw Audit Messages
type=AVC msg=audit(1377796582.587:23564): avc:  denied  { write } for  pid=1532 comm="glusterd" name="24e3f05817a37ea8e9cb4099a4f90199.socket" dev="tmpfs" ino=89570 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file


type=SYSCALL msg=audit(1377796582.587:23564): arch=x86_64 syscall=connect success=no exit=ECONNREFUSED a0=4 a1=7f9cdc014b60 a2=6e a3=7f9ce8eb00f0 items=0 ppid=1 pid=1532 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=glusterd exe=/usr/sbin/glusterfsd subj=system_u:system_r:glusterd_t:s0 key=(null)

Hash: glusterd,glusterd_t,var_run_t,sock_file,write

audit2allow

#============= glusterd_t ==============
allow glusterd_t var_run_t:sock_file write;

audit2allow -R
require {
	type var_run_t;
	type glusterd_t;
	class sock_file write;
}

#============= glusterd_t ==============
allow glusterd_t var_run_t:sock_file write;

Comment 1 Lukas Vrabec 2013-08-30 12:26:27 UTC
Hi Michael, 

Could you try: "restorecon -R /var/run/glusterd"

Please let me know if the problem still persists.

Comment 2 Michael Cronenworth 2013-08-30 13:16:08 UTC
Hi Lukas,

I do not have a directory "/var/run/glusterd".

$ ls -ld /var/run/glusterd
ls: cannot access /var/run/glusterd: No such file or directory
$ ls -lZ /run/gluster*
-rw-r--r--. root root system_u:object_r:glusterd_var_run_t:s0 /run/glusterd.pid

Comment 3 Daniel Walsh 2013-08-30 14:45:08 UTC
find /run -name 24e3f05817a37ea8e9cb4099a4f90199.socket

Comment 4 Michael Cronenworth 2013-08-30 14:48:21 UTC
$ find /run -name 24e3f05817a37ea8e9cb4099a4f90199.socket
/run/24e3f05817a37ea8e9cb4099a4f90199.socket
$ ls -lZ /run/24e3f05817a37ea8e9cb4099a4f90199.socket 
srwxr-xr-x. root root system_u:object_r:var_run_t:s0   /run/24e3f05817a37ea8e9cb4099a4f90199.socket
$ sudo restorecon -Rv /run/24e3f05817a37ea8e9cb4099a4f90199.socket 
[sudo] password for michael:
$ ls -lZ /run/24e3f05817a37ea8e9cb4099a4f90199.socket 
srwxr-xr-x. root root system_u:object_r:var_run_t:s0   /run/24e3f05817a37ea8e9cb4099a4f90199.socket

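An added example, not code from the report or from the selinux-policy project, that parses the raw AVC record from the description and reproduces the rule audit2allow printed and the setroubleshoot "Hash:" line. PRIVATE_RUN_TYPES is an assumed table built from the glusterd_var_run_t label seen on /run/glusterd.pid; it flags denials where the target carries a generic type while the domain has its own /run type, which is the case that calls for the restorecon check done in comments 1 to 4 before any allow rule is trusted.

```python
import re

# Constructed copy of the raw AVC record quoted in the bug description (not a live capture).
SAMPLE_AVC = (
    'type=AVC msg=audit(1377796582.587:23564): avc:  denied  { write } for  pid=1532 '
    'comm="glusterd" name="24e3f05817a37ea8e9cb4099a4f90199.socket" dev="tmpfs" ino=89570 '
    'scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:var_run_t:s0 '
    'tclass=sock_file'
)

AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value or key="quoted value"


def parse_avc(line):
    """Split one AVC audit line into its security-relevant parts; None if not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    stype = fields['scontext'].split(':')[2]   # user:role:type:level -> the type component
    ttype = fields['tcontext'].split(':')[2]
    return {'result': m.group('result'), 'perms': m.group('perms').split(),
            'comm': fields.get('comm'), 'name': fields.get('name'),
            'stype': stype, 'ttype': ttype, 'tclass': fields['tclass']}


def allow_rule(avc):
    """The allow rule audit2allow emits for this denial (braces only for several permissions)."""
    perms = avc['perms'][0] if len(avc['perms']) == 1 else '{ %s }' % ' '.join(avc['perms'])
    return 'allow %s %s:%s %s;' % (avc['stype'], avc['ttype'], avc['tclass'], perms)


def fingerprint(avc):
    """setroubleshoot-style hash key: comm, source type, target type, class, permissions."""
    return ','.join([avc['comm'], avc['stype'], avc['ttype'], avc['tclass']] + avc['perms'])


# Assumed table: domains that own a private /run type (glusterd_var_run_t is seen on the pid file).
PRIVATE_RUN_TYPES = {'glusterd_t': 'glusterd_var_run_t'}


def needs_label_check(avc):
    """True when the target has generic var_run_t but the domain has its own /run type:
    verify the file context (restorecon, matchpathcon) before accepting the allow rule."""
    return avc['ttype'] == 'var_run_t' and avc['stype'] in PRIVATE_RUN_TYPES
```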
Comment 5 Daniel Walsh 2013-08-30 14:55:12 UTC
Any idea what process or process label creates this socket?

ps -eZ | grep initrc_t

Comment 6 Michael Cronenworth 2013-08-30 15:24:24 UTC
I would imagine the glusterfs daemon creates the socket. It creates 3 socket files, but I am only seeing AVCs for the one socket described in this bug.

$ ps -ef | grep gluster
root      1369     1  0 Aug21 ?        00:00:56 /usr/sbin/glusterd -p /run/glusterd.pid
root      1535     1  0 Aug21 ?        00:00:18 /usr/sbin/glusterfsd -s 10.0.0.1 --volfile-id michael.10.0.0.1.home-michael -p /var/lib/glusterd/vols/michael/run/10.0.0.1-home-michael.pid -S /var/run/df5a960a6952fe0b486451daf1dfc08c.socket --brick-name /home/michael -l /var/log/glusterfs/bricks/home-michael.log --xlator-option *-posix.glusterd-uuid=2b4d1425-3ed9-427a-b9fa-5d1524b0c305 --brick-port 49154 --xlator-option michael-server.listen-port=49154
root      1540     1  0 Aug21 ?        00:02:49 /usr/sbin/glusterfsd -s 10.0.0.1 --volfile-id media.10.0.0.1.srv-media -p /var/lib/glusterd/vols/media/run/10.0.0.1-srv-media.pid -S /var/run/06a07b78154f984c50b209b37780c261.socket --brick-name /srv/media -l /var/log/glusterfs/bricks/srv-media.log --xlator-option *-posix.glusterd-uuid=2b4d1425-3ed9-427a-b9fa-5d1524b0c305 --brick-port 49153 --xlator-option media-server.listen-port=49153

$ ls -lZ /run/*.socket 
srwxr-xr-x. root root system_u:object_r:var_run_t:s0   /run/06a07b78154f984c50b209b37780c261.socket
srwxr-xr-x. root root system_u:object_r:var_run_t:s0   /run/24e3f05817a37ea8e9cb4099a4f90199.socket
srw-rw-rw-. root root system_u:object_r:apmd_var_run_t:s0 /run/acpid.socket
srwxr-xr-x. root root system_u:object_r:var_run_t:s0   /run/df5a960a6952fe0b486451daf1dfc08c.socket

$ ps -eZ | grep initrc_t
system_u:system_r:initrc_t:s0     671 ?        00:03:15 inadyn
system_u:system_r:initrc_t:s0    1294 ?        00:00:17 upnpd
system_u:system_r:initrc_t:s0    1308 ?        04:22:45 deluged
system_u:system_r:initrc_t:s0    1311 ?        00:05:08 deluge
system_u:system_r:initrc_t:s0    1405 ?        00:00:03 mediatomb
system_u:system_r:initrc_t:s0    1755 ?        00:03:23 dmapd

Comment 7 Daniel Walsh 2013-08-30 15:30:15 UTC
What is strange is if these are created by glusterd then they were mislabeled and SELinux would have been blocking that at creation.  Did you run in permissive mode for a while?

I have added allow rules to allow glusterd to create sock files in the /run directory.

cca5e33b15b73c0380f65dc86fe9fb377b7b9322 fixes this in git.

Comment 8 Michael Cronenworth 2013-08-31 03:03:20 UTC
I have not enabled permissive mode. The socket files were created under Enforcing. Once an updated policy package is available I'll test it.

Comment 9 Miroslav Grepl 2013-09-03 09:33:45 UTC
Backported.

Comment 10 Fedora Update System 2013-09-10 11:16:15 UTC
selinux-policy-3.11.1-103.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-103.fc18

Comment 11 Fedora Update System 2013-09-11 01:56:56 UTC
Package selinux-policy-3.11.1-103.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-103.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-16344/selinux-policy-3.11.1-103.fc18
then log in and leave karma (feedback).

Comment 12 Michael Cronenworth 2013-09-11 13:51:12 UTC
I believe this bug is fixed, but three new denials popped up after the update. Opened bug 1006919.

Comment 13 Michael Cronenworth 2013-09-11 14:00:55 UTC
This bug is not fully fixed. If I start the service and do not touch anything the original report about write access on sock_file never appears.

If I run restorecon on /run/ then the socket file context is changed and after a few minutes I get the same denial report that I reported here.

Comment 14 Fedora Update System 2013-09-23 00:42:55 UTC
selinux-policy-3.11.1-103.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

