Bug 1006919 - Multiple denials on GlusterFS service startup
Status: CLOSED NEXTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 18
Hardware: Unspecified
OS: Unspecified
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Reported: 2013-09-11 13:50 UTC by Michael Cronenworth
Modified: 2013-10-04 14:22 UTC (History)

Doc Type: Bug Fix
Last Closed: 2013-10-04 14:22:56 UTC
Type: Bug


Attachments
gluster sealert messages (1.85 KB, application/x-xz)
2013-09-11 13:50 UTC, Michael Cronenworth

Description Michael Cronenworth 2013-09-11 13:50:54 UTC
Created attachment 796385
gluster sealert messages

Description of problem:
# systemctl start glusterd
/var/log/messages:
Sep 11 08:35:27 balthasar setroubleshoot: SELinux is preventing /usr/sbin/glusterfsd from unlink access on the sock_file 24e3f05817a37ea8e9cb4099a4f90199.socket. For complete SELinux messages. run sealert -l 07f482f6-dd21-434e-a4a4-13cd8743b1d3
Sep 11 08:35:27 balthasar setroubleshoot: SELinux is preventing /usr/sbin/glusterfsd from search access on the directory net. For complete SELinux messages. run sealert -l 954dad5a-a478-4ebd-8f02-3d80cdc3ab69
Sep 11 08:35:31 balthasar setroubleshoot: SELinux is preventing /usr/sbin/glusterfsd from read access on the file unix. For complete SELinux messages. run sealert -l 47717e3b-166e-4645-b534-e84a3de5d120


Version-Release number of selected component (if applicable):
selinux-policy-3.11.1-103.fc18.noarch
glusterfs-3.4.0-8.fc18.x86_64


Additional info:
For the first denial about unlink access, I notice the socket file is created with one SELinux context, and restorecon wants to change it to a different context:
After service start:
$ ls -lZ /run/24e3f05817a37ea8e9cb4099a4f90199.socket 
srwxr-xr-x. root root system_u:object_r:glusterd_var_run_t:s0 /run/24e3f05817a37ea8e9cb4099a4f90199.socket
After restorecon:
$ ls -lZ /run/24e3f05817a37ea8e9cb4099a4f90199.socket 
srwxr-xr-x. root root system_u:object_r:var_run_t:s0   /run/24e3f05817a37ea8e9cb4099a4f90199.socket

Restarting the service does not resolve the issue. The socket file is recreated with the glusterd_var_run_t context.

Attaching sealert output of all denials.

Comment 1 Miroslav Grepl 2013-09-30 12:38:45 UTC
Could you please attach raw AVC msgs?

# ausearch -m avc

Comment 2 Michael Cronenworth 2013-09-30 16:39:44 UTC
I cannot now. Since creating the bug I have upgraded the system to Fedora 19. There are no SELinux alerts now.

$ ls -lZ /run/*socket
srwxr-xr-x. root root system_u:object_r:glusterd_var_run_t:s0 /run/06a07b78154f984c50b209b37780c261.socket
srwxr-xr-x. root root system_u:object_r:glusterd_var_run_t:s0 /run/24e3f05817a37ea8e9cb4099a4f90199.socket
srw-rw-rw-. root root system_u:object_r:apmd_var_run_t:s0 /run/acpid.socket
srwxr-xr-x. root root system_u:object_r:glusterd_var_run_t:s0 /run/df5a960a6952fe0b486451daf1dfc08c.socket

It appears the F18 policy doesn't have the same gluster context information as the F19 policy.
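
Added example, not part of the original report or of the selinux-policy project: a Python triage helper that turns the setroubleshoot summary lines from the description into structured denials, builds the raw-AVC query requested in Comment 1, and flags the label that restorecon changes. The log and `ls -lZ` lines are copied from the report; the function names are hypothetical, and taking the `ausearch -c` value from the executable's basename is an assumption.

```python
import re
import shlex

# Input copied from the report above: syslog summaries and the two `ls -lZ` captures.
SYSLOG = """\
Sep 11 08:35:27 balthasar setroubleshoot: SELinux is preventing /usr/sbin/glusterfsd from unlink access on the sock_file 24e3f05817a37ea8e9cb4099a4f90199.socket. For complete SELinux messages. run sealert -l 07f482f6-dd21-434e-a4a4-13cd8743b1d3
Sep 11 08:35:27 balthasar setroubleshoot: SELinux is preventing /usr/sbin/glusterfsd from search access on the directory net. For complete SELinux messages. run sealert -l 954dad5a-a478-4ebd-8f02-3d80cdc3ab69
Sep 11 08:35:31 balthasar setroubleshoot: SELinux is preventing /usr/sbin/glusterfsd from read access on the file unix. For complete SELinux messages. run sealert -l 47717e3b-166e-4645-b534-e84a3de5d120
"""
LS_AFTER_START = "srwxr-xr-x. root root system_u:object_r:glusterd_var_run_t:s0 /run/24e3f05817a37ea8e9cb4099a4f90199.socket"
LS_AFTER_RESTORECON = "srwxr-xr-x. root root system_u:object_r:var_run_t:s0   /run/24e3f05817a37ea8e9cb4099a4f90199.socket"

DENIAL = re.compile(
    r"setroubleshoot: SELinux is preventing (?P<exe>\S+) from (?P<perm>.+?) "
    r"access on the (?P<tclass>\S+) (?P<target>.+?)\. For complete SELinux "
    r"messages\. run sealert -l (?P<alert>[0-9a-f-]{36})"
)

def parse_denials(text):
    """Return one dict per setroubleshoot summary line found in syslog text."""
    return [m.groupdict() for m in DENIAL.finditer(text)]

def ausearch_commands(denials):
    """Build one raw-AVC query per denied executable, deduplicated."""
    # Assumption: the audit comm field equals the executable basename (kernel keeps 15 chars).
    comms = sorted({d["exe"].rsplit("/", 1)[-1][:15] for d in denials})
    return ["ausearch -m avc -c " + shlex.quote(c) for c in comms]

def parse_ls_z(text):
    """Map path -> SELinux type from `ls -lZ` lines (mode user group context path)."""
    types = {}
    for line in text.splitlines():
        fields = line.split(None, 4)
        if len(fields) == 5 and fields[3].count(":") >= 3:
            types[fields[4].strip()] = fields[3].split(":")[2]
    return types

def label_drift(after_start, after_restorecon):
    """Paths whose type at creation differs from the type restorecon assigns."""
    run, pol = parse_ls_z(after_start), parse_ls_z(after_restorecon)
    return [(p, run[p], pol[p]) for p in sorted(run) if p in pol and run[p] != pol[p]]

if __name__ == "__main__":
    for d in parse_denials(SYSLOG):
        print(d["exe"], d["perm"], d["tclass"], d["target"], d["alert"])
    print(ausearch_commands(parse_denials(SYSLOG)))
    print(label_drift(LS_AFTER_START, LS_AFTER_RESTORECON))
```

A non-empty `label_drift` result means the type the daemon's file is created with and the type in the file-context database disagree, which is the mismatch described for the first denial.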

