Bug 1015819 - SELinux is preventing /usr/sbin/glusterfsd from name_bind access on the tcp_socket
Status: CLOSED CURRENTRELEASE
Product: GlusterFS
Classification: Community
Component: core
Version: 3.4.0
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: high
Assigned To: Ric Wheeler
Reported: 2013-10-05 16:36 EDT by Michael Cronenworth
Modified: 2015-12-01 11:45 EST

Doc Type: Bug Fix
Last Closed: 2014-07-11 15:15:53 EDT
Type: Bug

Attachments: None

Description Michael Cronenworth 2013-10-05 16:36:42 EDT
After the latest selinux-policy I cannot start glusterd.

Attempting to start the service results in an infinite loop that fills the server logs with denials. I have to kill glusterd in order to prevent the hard disk from filling up.

GlusterFS is a Red Hat technology. SELinux is a Red Hat technology. It's obvious no one at Red Hat is running with SELinux enabled. Please get your GlusterFS team on the same page.

/var/log/messages:
Oct  5 15:29:23 balthasar setroubleshoot: SELinux is preventing /usr/sbin/glusterfsd from name_bind access on the tcp_socket . For complete SELinux messages. run sealert -l b25d7d98-c628-44d2-899d-c22b3bd3fe67

[michael@balthasar ~]$ sudo sealert -l b25d7d98-c628-44d2-899d-c22b3bd3fe67
SELinux is preventing /usr/sbin/glusterfsd from name_bind access on the tcp_socket .

*****  Plugin bind_ports (92.2 confidence) suggests  *************************

If you want to allow /usr/sbin/glusterfsd to bind to network port 1957
Then you need to modify the port type.
Do
# semanage port -a -t PORT_TYPE -p tcp 1957
    where PORT_TYPE is one of the following: agentx_port_t, apertus_ldp_port_t, audit_port_t, auth_port_t, bgp_port_t, chronyd_port_t, comsat_port_t, dhcpc_port_t, dhcpd_port_t, dns_port_t, echo_port_t, efs_port_t, epmap_port_t, fingerd_port_t, flash_port_t, ftp_data_port_t, ftp_port_t, gluster_port_t, gopher_port_t, hi_reserved_port_t, http_port_t, inetd_child_port_t, innd_port_t, ipmi_port_t, ipp_port_t, isakmp_port_t, kerberos_admin_port_t, kerberos_password_port_t, kerberos_port_t, kprop_port_t, ktalkd_port_t, ldap_port_t, lmtp_port_t, mountd_port_t, nfs_port_t, nmbd_port_t, ntp_port_t, openshift_port_t, pop_port_t, portmap_port_t, printer_port_t, reserved_port_t, rlogin_port_t, rlogind_port_t, rndc_port_t, router_port_t, rsh_port_t, rsync_port_t, rtsp_port_t, rwho_port_t, smbd_port_t, smtp_port_t, snmp_port_t, spamd_port_t, ssh_port_t, svrloc_port_t, swat_port_t, syslogd_port_t, telnetd_port_t, tftp_port_t, time_port_t, uucpd_port_t, whois_port_t, xdmcp_port_t, zarafa_port_t.

*****  Plugin catchall_boolean (7.83 confidence) suggests  *******************

If you want to allow system to run with NIS
Then you must tell SELinux about this by enabling the 'nis_enabled' boolean.
You can read 'None' man page for more details.
Do
setsebool -P nis_enabled 1

*****  Plugin catchall (1.41 confidence) suggests  ***************************

If you believe that glusterfsd should be allowed name_bind access on the  tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep glusterd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:glusterd_t:s0
Target Context                system_u:object_r:unreserved_port_t:s0
Target Objects                 [ tcp_socket ]
Source                        glusterd
Source Path                   /usr/sbin/glusterfsd
Port                          1957
Host                          balthasar.cchtml.com
Source RPM Packages           glusterfs-3.4.0-8.fc19.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-74.8.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     balthasar.cchtml.com
Platform                      Linux balthasar.cchtml.com 3.11.2-201.fc19.x86_64
                              #1 SMP Fri Sep 27 19:20:55 UTC 2013 x86_64 x86_64
Alert Count                   340
First Seen                    2013-09-30 11:38:10 CDT
Last Seen                     2013-10-05 14:22:58 CDT
Local ID                      b25d7d98-c628-44d2-899d-c22b3bd3fe67

Raw Audit Messages
type=AVC msg=audit(1381000978.786:999): avc:  denied  { name_bind } for  pid=1368 comm="glusterd" src=1957 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket


type=SYSCALL msg=audit(1381000978.786:999): arch=x86_64 syscall=bind success=no exit=EACCES a0=6 a1=7f69d6543960 a2=10 a3=1 items=0 ppid=1 pid=1368 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=glusterd exe=/usr/sbin/glusterfsd subj=system_u:system_r:glusterd_t:s0 key=(null)

Hash: glusterd,glusterd_t,unreserved_port_t,tcp_socket,name_bind
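The raw AVC record above is the only authoritative evidence in a report like this: it names the source domain (glusterd_t), the port label it collided with (unreserved_port_t), the object class and the permission. The following parser is an added example, not code from this report, from glusterfs or from selinux-policy. It parses type=AVC lines, aggregates denials per (source type, target type, class, permission) so that a log-filling loop like the one described here shows up as a single key with a large count, and prints the semanage invocation that sealert's bind_ports plugin proposes. The first sample line is the AVC record quoted above; the remaining lines are constructed (a second gluster denial on a neighbouring port and an unrelated hypothetical domain example_t). gluster_port_t is taken from the plugin's list of candidate port types; the example only builds the command string and never runs semanage.

```python
"""Parse raw SELinux AVC records and explain a name_bind denial.
Added example; not part of the bug report, glusterfs or selinux-policy."""
import re
from collections import Counter
from dataclasses import dataclass

# First record: the AVC line quoted in the report.  The SYSCALL line and the
# remaining AVC records are constructed samples (example_t is hypothetical).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1381000978.786:999): avc:  denied  { name_bind } for  pid=1368 comm="glusterd" src=1957 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1381000978.786:999): arch=x86_64 syscall=bind success=no exit=EACCES pid=1368 comm=glusterd exe=/usr/sbin/glusterfsd
type=AVC msg=audit(1381000979.001:1000): avc:  denied  { name_bind } for  pid=1368 comm="glusterd" src=1958 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1381000980.500:1001): avc:  denied  { name_bind } for  pid=2222 comm="exampled" src=999 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 tclass=udp_socket
"""

AVC_RE = re.compile(
    r"^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$"
)
# key=value pairs; values are either double-quoted (comm="glusterd") or bare.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


@dataclass
class AvcRecord:
    timestamp: float
    serial: int
    result: str          # "denied" or "granted"
    permissions: tuple   # e.g. ("name_bind",)
    fields: dict         # pid, comm, src, scontext, tcontext, tclass, ...

    @property
    def source_type(self) -> str:
        # contexts are user:role:type:level; the type is what policy rules key on
        return self.fields["scontext"].split(":")[2]

    @property
    def target_type(self) -> str:
        return self.fields["tcontext"].split(":")[2]

    @property
    def tclass(self) -> str:
        return self.fields["tclass"]


def parse_avc(line: str):
    """Return an AvcRecord for a type=AVC line, None for any other record type."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {}
    for key, raw, quoted in KV_RE.findall(m["rest"]):
        fields[key] = quoted if raw.startswith('"') else raw
    return AvcRecord(timestamp=float(m["ts"]), serial=int(m["serial"]),
                     result=m["result"], permissions=tuple(m["perms"].split()),
                     fields=fields)


def parse_audit_log(text: str):
    return [r for r in (parse_avc(line) for line in text.splitlines()) if r]


def explain(rec: AvcRecord) -> str:
    """Plain-language reading of a socket name_bind denial; other denials get a generic line."""
    if rec.result == "denied" and "name_bind" in rec.permissions and rec.tclass.endswith("_socket"):
        proto = rec.tclass.replace("_socket", "")
        return (f"{rec.fields.get('comm', '?')} running as {rec.source_type} tried to bind "
                f"{proto} port {rec.fields.get('src', '?')}, labelled {rec.target_type}; "
                f"policy has no 'allow {rec.source_type} {rec.target_type}:{rec.tclass} name_bind'.")
    return f"{rec.source_type} was {rec.result} {{ {' '.join(rec.permissions)} }} on {rec.target_type}:{rec.tclass}"


def summarize(records) -> Counter:
    """Count denials per (source type, target type, class, permission).
    A daemon retrying bind in a loop shows up as one key with a large count."""
    counts = Counter()
    for r in records:
        if r.result != "denied":
            continue
        for perm in r.permissions:
            counts[(r.source_type, r.target_type, r.tclass, perm)] += 1
    return counts


def port_label_command(rec: AvcRecord, port_type: str) -> str:
    """The semanage command sealert's bind_ports plugin proposes, filled in from the record.
    Appropriate for a fixed listening port; for a port chosen at random on every start
    (the situation in this report) it is not a lasting fix and a policy change is needed."""
    proto = rec.tclass.replace("_socket", "")
    return f"semanage port -a -t {port_type} -p {proto} {rec.fields['src']}"


if __name__ == "__main__":
    recs = parse_audit_log(SAMPLE_AUDIT_LOG)
    for r in recs:
        print(explain(r))
    for key, n in summarize(recs).most_common():
        print(n, *key)
    print(port_label_command(recs[0], "gluster_port_t"))
```

Run against a real /var/log/audit/audit.log the same summarize() output is a quick way to tell one noisy domain from many distinct problems before deciding between a port relabel, a boolean, and a policy bug report, which is the order of choices the sealert plugins above present.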
Comment 1 Daniel Walsh 2013-10-07 09:35:19 EDT
Is port 1957 a standard port for gluster?
Comment 2 Michael Cronenworth 2013-10-07 10:36:22 EDT
Glusterd and glusterfsd use random ports for local and loopback communication. Port 1957 just happened to be the random port used on this startup attempt.
Comment 3 Daniel Walsh 2013-10-07 12:07:26 EDT
0f57b3320fff2b8f37d79610178ec27ada2ae3ac fixes this in git.
Comment 4 Lukas Vrabec 2013-10-08 06:45:05 EDT
Backported to f19.
Comment 5 Michael Cronenworth 2013-10-15 22:40:52 EDT
This issue was resolved with selinux-policy-3.12.1-74.9.fc19. Thanks.

With the component change I'm not sure if you want to close this bug now or not. I'll leave it up to you.
