Description of problem:
As root, I mounted a gluster partition (mount -t glusterfs localhost:/vol) and tried to create a FIFO (mkfifo fifo). I'm not expecting it to succeed, but gluster should be clamping down on the attempt earlier on without relying on an AVC from SELinux as the last resort.
SELinux is preventing /usr/sbin/glusterfsd from 'create' accesses on the fifo_file fifo.
***** Plugin file (47.5 confidence) suggests *******************************
If you think this is caused by a badly mislabeled machine.
Then you need to fully relabel.
Do
touch /.autorelabel; reboot
***** Plugin file (47.5 confidence) suggests *******************************
If you think this is caused by a badly mislabeled machine.
Then you need to fully relabel.
Do
touch /.autorelabel; reboot
***** Plugin catchall (6.38 confidence) suggests ***************************
If you believe that glusterfsd should be allowed create access on the fifo fifo_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep glusterfsd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:glusterd_t:s0
Target Context system_u:object_r:file_t:s0
Target Objects fifo [ fifo_file ]
Source glusterfsd
Source Path /usr/sbin/glusterfsd
Port <Unknown>
Host (removed)
Source RPM Packages glusterfs-3.4.1-1.fc19.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.12.1-74.13.fc19.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name (removed)
Platform Linux (removed) 3.10.7-200.fc19.x86_64 #1 SMP Thu
Aug 15 23:19:45 UTC 2013 x86_64 x86_64
Alert Count 2
First Seen 2013-11-25 13:36:35 MST
Last Seen 2013-11-25 13:37:32 MST
Local ID 304adb6b-7fbb-4405-9293-f5ac8737a632
Raw Audit Messages
type=AVC msg=audit(1385411852.9:5292): avc: denied { create } for pid=32419 comm="glusterfsd" name="fifo" scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=fifo_file
type=SYSCALL msg=audit(1385411852.9:5292): arch=x86_64 syscall=mknod success=no exit=EACCES a0=7f3d060a6b10 a1=11a4 a2=0 a3=2 items=0 ppid=1 pid=32419 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=glusterfsd exe=/usr/sbin/glusterfsd subj=system_u:system_r:glusterd_t:s0 key=(null)
Hash: glusterfsd,glusterd_t,file_t,fifo_file,create
Additional info:
reporter: libreport-2.1.9
hashmarkername: setroubleshoot
kernel: 3.10.7-200.fc19.x86_64
type: libreport
Assigning to gluster, as I think SELinux was right to prevent this, but gluster shouldn't be causing an AVC in the first place (how is a FIFO supposed to work in a distributed file system?).
GlusterFS 3.7.0 has been released (http://www.gluster.org/pipermail/gluster-users/2015-May/021901.html), and the Gluster project maintains N-2 supported releases. The last two releases before 3.7 are still maintained; at the moment these are 3.6 and 3.5.
This bug has been filed against the 3.4 release, and will not get fixed in a 3.4 version any more. Please verify if newer versions are affected with the reported problem. If that is the case, update the bug with a note, and update the version if you can. In case updating the version is not possible, leave a comment in this bug report with the version you tested, and set the "Need additional information the selected bugs from" below the comment box to "bugs".
If there is no response by the end of the month, this bug will get automatically closed.