Description of problem:
GlusterFS correctly sets its own context for its /run sockets, but the default SELinux policy does not apply the correct context.

After `systemctl start glusterd`:

srwxr-xr-x. root root system_u:object_r:glusterd_var_run_t:s0 /run/06a07b78154f984c50b209b37780c261.socket
srwxr-xr-x. root root system_u:object_r:glusterd_var_run_t:s0 /run/24e3f05817a37ea8e9cb4099a4f90199.socket
srwxr-xr-x. root root system_u:object_r:glusterd_var_run_t:s0 /run/df5a960a6952fe0b486451daf1dfc08c.socket

After `restorecon -Rv /run`:

srwxr-xr-x. root root system_u:object_r:var_run_t:s0 /run/06a07b78154f984c50b209b37780c261.socket
srwxr-xr-x. root root system_u:object_r:var_run_t:s0 /run/24e3f05817a37ea8e9cb4099a4f90199.socket
srwxr-xr-x. root root system_u:object_r:var_run_t:s0 /run/df5a960a6952fe0b486451daf1dfc08c.socket

The resulting context change causes dozens of SELinux denial messages to flood the system log.

Oct 23 08:22:07 balthasar setroubleshoot: SELinux is preventing /usr/sbin/glusterfsd from write access on the sock_file 24e3f05817a37ea8e9cb4099a4f90199.socket. For complete SELinux messages. run sealert -l 33823016-e4ca-47a1-a78c-9d521ff12904

Version-Release number of selected component (if applicable):
selinux-policy-3.12.1-74.10.fc19.noarch

How reproducible:
Always

Steps to Reproduce:
1. Start glusterfs.
2. Run restorecon on /run
3. Watch /var/log/messages

Actual results:
Context set incorrectly. SELinux denials.

Expected results:
Context left alone. No SELinux denials.
Lukas, please backport the glusterd policy from F20/rawhide.
Backported.
selinux-policy-3.12.1-74.12.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-74.12.fc19
This is not fixed.

$ sudo restorecon -Rv /run/*socket
restorecon reset /run/06a07b78154f984c50b209b37780c261.socket context system_u:object_r:glusterd_var_run_t:s0->system_u:object_r:var_run_t:s0
restorecon reset /run/24e3f05817a37ea8e9cb4099a4f90199.socket context system_u:object_r:glusterd_var_run_t:s0->system_u:object_r:var_run_t:s0
restorecon reset /run/df5a960a6952fe0b486451daf1dfc08c.socket context system_u:object_r:glusterd_var_run_t:s0->system_u:object_r:var_run_t:s0

$ rpm -qa | grep selinux-policy
selinux-policy-targeted-3.12.1-74.12.fc19.noarch
selinux-policy-doc-3.12.1-74.12.fc19.noarch
selinux-policy-devel-3.12.1-74.12.fc19.noarch
selinux-policy-3.12.1-74.12.fc19.noarch
Package selinux-policy-3.12.1-74.12.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.

Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-74.12.fc19'
as soon as you are able to.

Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-20980/selinux-policy-3.12.1-74.12.fc19
then log in and leave karma (feedback).
We need gluster to move this socket into its own subdirectory to make the labeling work. Since the name of the socket is random, there is no way for us to tell the labeling system that this should be labeled gluster_var_run_t.

/run/06a07b78154f984c50b209b37780c261.socket

The only thing we could do is say everything that ends in .socket in /run will be owned by gluster, which seems a little extreme. If it used

/run/gluster/06a07b78154f984c50b209b37780c261.socket

then our job becomes easier.
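A simplified model of the labeling problem described in the comment above, added here as an example; it is not code from the bug report or from the Fedora policy. The file_contexts table, the "other-daemon" socket name and the last-match rule are constructed assumptions that approximate how restorecon picks a label from overlapping patterns.

```python
import re

# Constructed, simplified file_contexts table (not the shipped Fedora policy).
# Each entry is (regex matched against the whole path, SELinux type). Entries
# are ordered least-specific first so that the last match wins; this models
# how libselinux resolves overlapping patterns after the policy build has
# sorted them, and is an assumption made for this example.
FILE_CONTEXTS = [
    (r"/run/.*", "var_run_t"),
    (r"/run/gluster(/.*)?", "glusterd_var_run_t"),
]

# The "everything in /run that ends in .socket belongs to gluster" rule the
# comment above rejects as too broad (constructed for comparison).
OVERBROAD_RULE = (r"/run/[^/]*\.socket", "glusterd_var_run_t")


def expected_type(path, table=FILE_CONTEXTS):
    """Return the type restorecon would assign to path under table."""
    match_type = None
    for pattern, setype in table:
        if re.fullmatch(pattern, path):
            match_type = setype  # later (more specific) entries override
    return match_type


def restorecon_would_relabel(path, current_type, table=FILE_CONTEXTS):
    """True when restorecon would change the label, i.e. the bug's failure mode."""
    want = expected_type(path, table)
    return want is not None and want != current_type


if __name__ == "__main__":
    # Socket name taken from the report; the daemon labels it itself at creation.
    flat = "/run/06a07b78154f984c50b209b37780c261.socket"
    nested = "/run/gluster/06a07b78154f984c50b209b37780c261.socket"
    # Random name directly under /run: no pattern can single it out, so the
    # generic /run/.* entry wins and restorecon resets the label.
    print(flat, "->", expected_type(flat),
          "relabel:", restorecon_would_relabel(flat, "glusterd_var_run_t"))
    # Same name under /run/gluster: the subdirectory pattern matches and the
    # label the daemon set survives restorecon.
    print(nested, "->", expected_type(nested),
          "relabel:", restorecon_would_relabel(nested, "glusterd_var_run_t"))
    # The overbroad alternative would also capture an unrelated daemon's socket.
    other = "/run/other-daemon.socket"  # constructed, not a real service
    print(other, "->", expected_type(other, FILE_CONTEXTS + [OVERBROAD_RULE]))
```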
Reassigning so this feature request is looked at.
Gluster sockets are now in {,var}/run/gluster; restorecon sets the correct SELinux context.