Bug 1022535 - Default context for GlusterFS /run sockets is wrong
Status: CLOSED CURRENTRELEASE
Product: GlusterFS
Classification: Community
Component: core
Version: mainline
Severity: unspecified
Assigned To: bugs@gluster.org
Reported: 2013-10-23 09:26 EDT by Michael Cronenworth
Modified: 2015-12-08 07:18 EST
Doc Type: Bug Fix
Last Closed: 2015-12-08 07:18:19 EST
Type: Bug
Attachments: None
Description Michael Cronenworth 2013-10-23 09:26:09 EDT
Description of problem:
GlusterFS correctly sets its own context for its /run sockets, but the default SELinux policy does not apply the correct context.

After `systemctl start glusterd`:
srwxr-xr-x. root root system_u:object_r:glusterd_var_run_t:s0 /run/06a07b78154f984c50b209b37780c261.socket
srwxr-xr-x. root root system_u:object_r:glusterd_var_run_t:s0 /run/24e3f05817a37ea8e9cb4099a4f90199.socket
srwxr-xr-x. root root system_u:object_r:glusterd_var_run_t:s0 /run/df5a960a6952fe0b486451daf1dfc08c.socket

After `restorecon -Rv /run`:
srwxr-xr-x. root root system_u:object_r:var_run_t:s0   /run/06a07b78154f984c50b209b37780c261.socket
srwxr-xr-x. root root system_u:object_r:var_run_t:s0   /run/24e3f05817a37ea8e9cb4099a4f90199.socket
srwxr-xr-x. root root system_u:object_r:var_run_t:s0   /run/df5a960a6952fe0b486451daf1dfc08c.socket

The resulting context change causes dozens of SELinux denial messages to flood the system log.

Oct 23 08:22:07 balthasar setroubleshoot: SELinux is preventing /usr/sbin/glusterfsd from write access on the sock_file 24e3f05817a37ea8e9cb4099a4f90199.socket. For complete SELinux messages. run sealert -l 33823016-e4ca-47a1-a78c-9d521ff12904


Version-Release number of selected component (if applicable):
selinux-policy-3.12.1-74.10.fc19.noarch


How reproducible: Always


Steps to Reproduce:
1. Start glusterfs.
2. Run restorecon on /run
3. Watch /var/log/messages

Actual results: Context set incorrectly. SELinux denials.


Expected results: Context left alone. No SELinux denials.
Comment 1 Miroslav Grepl 2013-10-24 09:02:18 EDT
Lukas,
please backport glusterd policy from F20/rawhide.
Comment 2 Lukas Vrabec 2013-10-24 10:26:56 EDT
Backported.
Comment 3 Fedora Update System 2013-11-08 04:07:36 EST
selinux-policy-3.12.1-74.12.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-74.12.fc19
Comment 4 Michael Cronenworth 2013-11-08 11:15:47 EST
This is not fixed.

$ sudo restorecon -Rv /run/*socket
restorecon reset /run/06a07b78154f984c50b209b37780c261.socket context system_u:object_r:glusterd_var_run_t:s0->system_u:object_r:var_run_t:s0
restorecon reset /run/24e3f05817a37ea8e9cb4099a4f90199.socket context system_u:object_r:glusterd_var_run_t:s0->system_u:object_r:var_run_t:s0
restorecon reset /run/df5a960a6952fe0b486451daf1dfc08c.socket context system_u:object_r:glusterd_var_run_t:s0->system_u:object_r:var_run_t:s0

$ rpm -qa | grep selinux-policy
selinux-policy-targeted-3.12.1-74.12.fc19.noarch
selinux-policy-doc-3.12.1-74.12.fc19.noarch
selinux-policy-devel-3.12.1-74.12.fc19.noarch
selinux-policy-3.12.1-74.12.fc19.noarch
Comment 5 Fedora Update System 2013-11-08 22:36:16 EST
Package selinux-policy-3.12.1-74.12.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-74.12.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-20980/selinux-policy-3.12.1-74.12.fc19
then log in and leave karma (feedback).
Comment 6 Daniel Walsh 2013-11-11 12:21:47 EST
We need gluster to move this socket into its own subdirectory to make the labeling work. Since the name of the socket is random, there is no way for us to tell the labeling system that this should be labeled gluster_var_run_t.

/run/06a07b78154f984c50b209b37780c261.socket

The only thing we could do is say everything that ends in .socket in /run will be owned by gluster, which seems a little extreme.

If it used

/run/gluster/06a07b78154f984c50b209b37780c261.socket

Then our job becomes easier.
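Comment 6 explains why a policy rule cannot single out a randomly named socket directly under /run but can cover a dedicated subdirectory. The script below is an added illustration, not code from this bug or from the selinux-policy project: it mimics how file_contexts entries are matched (later, more specific entries take precedence; a `-s` type field restricts an entry to sockets) using constructed rules modelled on, not copied from, the policy, and reports what `restorecon -n` would say for the socket paths quoted in the report.

```python
import re
from typing import List, NamedTuple, Optional


class FcontextRule(NamedTuple):
    regex: str             # anchored regex, as in a file_contexts entry
    ftype: Optional[str]   # file-type filter, e.g. "-s" (socket); None = any type
    context: str


# Constructed entries in file_contexts syntax, modelled on the Fedora policy
# discussed in this bug. They are illustrative, not copied from the policy.
BASE_RULES: List[FcontextRule] = [
    FcontextRule(r"/run(/.*)?", None, "system_u:object_r:var_run_t:s0"),
    FcontextRule(r"/run/gluster(/.*)?", None, "system_u:object_r:glusterd_var_run_t:s0"),
]

# The "a little extreme" alternative from comment 6: claim every *.socket in /run.
EXTREME_RULES: List[FcontextRule] = BASE_RULES + [
    FcontextRule(r"/run/[^/]+\.socket", "-s", "system_u:object_r:glusterd_var_run_t:s0"),
]


def match_context(path: str, ftype: str, rules: List[FcontextRule]) -> Optional[str]:
    """Context the policy assigns to path; as in file_contexts, the last matching entry wins."""
    chosen = None
    for rule in rules:
        if re.fullmatch(rule.regex, path) and rule.ftype in (None, ftype):
            chosen = rule.context
    return chosen


def relabel_would_change(path: str, ftype: str, current_ctx: str, rules: List[FcontextRule]) -> bool:
    """Mimic `restorecon -n`: True if a relabel would reset the context the daemon set itself."""
    expected = match_context(path, ftype, rules)
    return expected is not None and expected != current_ctx


if __name__ == "__main__":
    runtime_ctx = "system_u:object_r:glusterd_var_run_t:s0"   # label glusterd applies at startup
    flat = "/run/06a07b78154f984c50b209b37780c261.socket"     # socket name quoted in the report
    nested = "/run/gluster/06a07b78154f984c50b209b37780c261.socket"
    print(flat, "->", match_context(flat, "-s", BASE_RULES))        # var_run_t: restorecon resets it
    print(nested, "->", match_context(nested, "-s", BASE_RULES))    # glusterd_var_run_t: left alone
    print("reset flat?", relabel_would_change(flat, "-s", runtime_ctx, BASE_RULES))
    # The broad rule also swallows sockets that have nothing to do with gluster:
    print("/run/other.socket ->", match_context("/run/other.socket", "-s", EXTREME_RULES))
```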
Comment 7 Michael Cronenworth 2013-12-17 16:14:29 EST
Reassigning so this feature request is looked at.
Comment 9 Kaleb KEITHLEY 2015-12-08 07:18:19 EST
Gluster sockets are now in {,var}/run/gluster, and restorecon sets the correct SELinux context.