After the latest selinux-policy I cannot start glusterd. Attempting to start the service results in an infinite loop that fills the server logs with denials. I have to kill glusterd in order to prevent the hard disk from filling up.

GlusterFS is a Red Hat technology. SELinux is a Red Hat technology. It's obvious no one at Red Hat is running with SELinux enabled. Please get your GlusterFS team on the same page.

/var/log/messages:

Oct 5 15:29:23 balthasar setroubleshoot: SELinux is preventing /usr/sbin/glusterfsd from name_bind access on the tcp_socket . For complete SELinux messages. run sealert -l b25d7d98-c628-44d2-899d-c22b3bd3fe67

[michael@balthasar ~]$ sudo sealert -l b25d7d98-c628-44d2-899d-c22b3bd3fe67
SELinux is preventing /usr/sbin/glusterfsd from name_bind access on the tcp_socket .

***** Plugin bind_ports (92.2 confidence) suggests *************************

If you want to allow /usr/sbin/glusterfsd to bind to network port 1957
Then you need to modify the port type.
Do
# semanage port -a -t PORT_TYPE -p tcp 1957
where PORT_TYPE is one of the following: agentx_port_t, apertus_ldp_port_t, audit_port_t, auth_port_t, bgp_port_t, chronyd_port_t, comsat_port_t, dhcpc_port_t, dhcpd_port_t, dns_port_t, echo_port_t, efs_port_t, epmap_port_t, fingerd_port_t, flash_port_t, ftp_data_port_t, ftp_port_t, gluster_port_t, gopher_port_t, hi_reserved_port_t, http_port_t, inetd_child_port_t, innd_port_t, ipmi_port_t, ipp_port_t, isakmp_port_t, kerberos_admin_port_t, kerberos_password_port_t, kerberos_port_t, kprop_port_t, ktalkd_port_t, ldap_port_t, lmtp_port_t, mountd_port_t, nfs_port_t, nmbd_port_t, ntp_port_t, openshift_port_t, pop_port_t, portmap_port_t, printer_port_t, reserved_port_t, rlogin_port_t, rlogind_port_t, rndc_port_t, router_port_t, rsh_port_t, rsync_port_t, rtsp_port_t, rwho_port_t, smbd_port_t, smtp_port_t, snmp_port_t, spamd_port_t, ssh_port_t, svrloc_port_t, swat_port_t, syslogd_port_t, telnetd_port_t, tftp_port_t, time_port_t, uucpd_port_t, whois_port_t, xdmcp_port_t, zarafa_port_t.

***** Plugin catchall_boolean (7.83 confidence) suggests *******************

If you want to allow system to run with NIS
Then you must tell SELinux about this by enabling the 'nis_enabled' boolean.
You can read 'None' man page for more details.
Do
setsebool -P nis_enabled 1

***** Plugin catchall (1.41 confidence) suggests ***************************

If you believe that glusterfsd should be allowed name_bind access on the tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep glusterd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:glusterd_t:s0
Target Context                system_u:object_r:unreserved_port_t:s0
Target Objects                [ tcp_socket ]
Source                        glusterd
Source Path                   /usr/sbin/glusterfsd
Port                          1957
Host                          balthasar.cchtml.com
Source RPM Packages           glusterfs-3.4.0-8.fc19.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.12.1-74.8.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     balthasar.cchtml.com
Platform                      Linux balthasar.cchtml.com 3.11.2-201.fc19.x86_64 #1 SMP Fri Sep 27 19:20:55 UTC 2013 x86_64 x86_64
Alert Count                   340
First Seen                    2013-09-30 11:38:10 CDT
Last Seen                     2013-10-05 14:22:58 CDT
Local ID                      b25d7d98-c628-44d2-899d-c22b3bd3fe67

Raw Audit Messages
type=AVC msg=audit(1381000978.786:999): avc: denied { name_bind } for pid=1368 comm="glusterd" src=1957 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket

type=SYSCALL msg=audit(1381000978.786:999): arch=x86_64 syscall=bind success=no exit=EACCES a0=6 a1=7f69d6543960 a2=10 a3=1 items=0 ppid=1 pid=1368 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=glusterd exe=/usr/sbin/glusterfsd subj=system_u:system_r:glusterd_t:s0 key=(null)

Hash: glusterd,glusterd_t,unreserved_port_t,tcp_socket,name_bind
Is port 1957 a standard port for gluster?
Glusterd and glusterfsd use random ports for local and loopback communication. Port 1957 just happened to be the random port used on this startup attempt.
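Because the denied port is random, labelling port 1957 as sealert's first plugin suggests would not end the log flood. The following shell example is added here and is not code from the bug report or from the glusterfs or selinux-policy projects; it summarises name_bind AVC denials per source process and target port type, with the port range seen, so an administrator can tell a random-port binder from a fixed-port service before choosing between a port label and a policy change. The function names are invented, and the audit lines it runs on are constructed from the denial quoted above.

```shell
# Added example, not code from the bug report or from the glusterfs/selinux-policy
# projects. Function names are invented; the sample audit lines below are constructed
# from the denial quoted in the report (the extra pid/port values are invented).

# Print one "comm port tcontext_type" line per name_bind denial on stdin.
# The target port type (e.g. unreserved_port_t) is the third field of tcontext=.
avc_name_bind_summary() {
    awk '
        /^type=AVC/ && index($0, "{ name_bind }") {
            comm = ""; port = ""; ttype = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^comm=/)     { comm = substr($i, 6); gsub(/"/, "", comm) }
                if ($i ~ /^src=/)      { port = substr($i, 5) }
                if ($i ~ /^tcontext=/) { split(substr($i, 10), c, ":"); ttype = c[3] }
            }
            if (comm != "" && port != "") print comm, port, ttype
        }'
}

# Group denials by (comm, target port type) and show the count and port range.
# A wide range on unreserved_port_t means the daemon binds random ports, so a
# single "semanage port -a" label will not stop the denials; a policy fix is needed.
avc_name_bind_ranges() {
    avc_name_bind_summary | awk '
        {
            key = $1 " " $3; p = $2 + 0
            n[key]++
            if (!(key in lo) || p < lo[key]) lo[key] = p
            if (!(key in hi) || p > hi[key]) hi[key] = p
        }
        END { for (k in n) print k, n[k], lo[k] "-" hi[k] }' | sort
}

# Constructed sample: two random-port name_bind denials plus an unrelated
# name_connect denial that must be ignored.
SAMPLE_AVC='type=AVC msg=audit(1381000978.786:999): avc:  denied  { name_bind } for  pid=1368 comm="glusterd" src=1957 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1381000978.786:999): arch=x86_64 syscall=bind success=no exit=EACCES
type=AVC msg=audit(1381000979.101:1000): avc:  denied  { name_bind } for  pid=1368 comm="glusterd" src=2301 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1381000979.502:1001): avc:  denied  { name_connect } for  pid=1368 comm="glusterd" dest=24007 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:gluster_port_t:s0 tclass=tcp_socket'

# On a live host the input would come from: ausearch -m avc -ts recent
printf '%s\n' "$SAMPLE_AVC" | avc_name_bind_ranges   # glusterd unreserved_port_t 2 1957-2301
```

If the range collapses to one port, the service binds a fixed port and a port label is the right fix; a spread like the one above points at the policy itself, which is what the backported selinux-policy change addresses.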
0f57b3320fff2b8f37d79610178ec27ada2ae3ac fixes this in git.
Backported to f19.
This issue was resolved with selinux-policy-3.12.1-74.9.fc19. Thanks. With the component change I'm not sure if you want to close this bug now or not. I'll leave it up to you.