1162125 – glusterd can't create /var/run/glusterd.socket when SELinux is in enforcing mode

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1162125 - glusterd can't create /var/run/glusterd.socket when SELinux is in enforcing mode

Summary: glusterd can't create /var/run/glusterd.socket when SELinux is in enforcing mode

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	7.0
Hardware:	x86_64
OS:	Linux
Priority:	unspecified
Severity:	unspecified
Target Milestone:	pre-dev-freeze
Target Release:	7.2
Assignee:	Miroslav Grepl
QA Contact:	Milos Malik
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2014-11-10 10:34 UTC by Nils Breunese
Modified:	2015-03-05 10:46 UTC (History)
CC List:	10 users (show)
Fixed In Version:	selinux-policy-3.13.1-14.el7
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2015-03-05 10:46:52 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2015:0458	0	normal	SHIPPED_LIVE	selinux-policy bug fix and enhancement update	2015-03-05 15:17:00 UTC

Description Nils Breunese 2014-11-10 10:34:36 UTC

Description of problem:

After installing the glusterfs-server RPM packages via yum on EL7 with SELinux in enforcing mode glusterd tries to start, but fails. Changing the SELinux for /var/run/glusterd.socket to glusterd_var_run_t fixes this.

Version-Release number of selected component (if applicable):

3.6.1-1.el7.x86_64

How reproducible:

Always.

Steps to Reproduce:
1. Enable SELinux in enforcing mode on EL7
2. Intall glusterfs-server

Actual results:

glusterd fails to start and setroubleshoot e-mails the following information (we have it set up to do so):

----
SELinux is preventing /usr/sbin/glusterfsd from write access on the sock_file .

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that glusterfsd should be allowed write access on the  sock_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep glusterd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:glusterd_t:s0
Target Context                unconfined_u:object_r:var_run_t:s0
Target Objects                 [ sock_file ]
Source                        glusterd
Source Path                   /usr/sbin/glusterfsd
Port                          <Unknown>
Host                          <hostname>
Source RPM Packages           glusterfs-3.5.2-1.el7.x86_64
                             glusterfs-3.6.1-1.el7.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-153.el7_0.11.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     <hostname>
Platform                      Linux <hostname>
                             3.10.0-123.9.2.el7.x86_64 #1 SMP Tue Oct 28
                             18:05:26 UTC 2014 x86_64 x86_64
Alert Count                   1
First Seen                    2014-11-10 11:01:52 CET
Last Seen                     2014-11-10 11:01:52 CET
Local ID                      648efa6e-4a07-4cea-9e57-bf35a19af460

Raw Audit Messages
type=AVC msg=audit(1415613712.270:36592): avc:  denied  { write } for  pid=14251 comm="glusterd" name="glusterd.socket" dev="tmpfs" ino=16965404 scontext=system_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file


type=SYSCALL msg=audit(1415613712.270:36592): arch=x86_64 syscall=connect success=no exit=EACCES a0=c a1=7fffcabfe970 a2=6e a3=7fffcabfe8ec items=0 ppid=14250 pid=14251 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=glusterd exe=/usr/sbin/glusterfsd subj=system_u:system_r:glusterd_t:s0 key=(null)

Hash: glusterd,glusterd_t,var_run_t,sock_file,write
----


Expected results:

glusterd should start without any problems.

Additional info:

We use the following workaround, setting the SELinux type of /var/run/glusterd.socket to glusterd_var_run_t, instead of the default var_run_t that is used for files in /var/run:

----
# semanage fcontext --add --type glusterd_var_run_t /var/run/glusterd.socket
# restorecon /var/run/glusterd.socket
# systemctl start glusterd
----

Comment 2 Milos Malik 2014-11-11 13:17:47 UTC

The rebased selinux-policy in RHEL-7.1 already contains the correct labels:

# rpm -qa selinux-policy\*
selinux-policy-targeted-3.13.1-8.el7.noarch
selinux-policy-sandbox-3.13.1-8.el7.noarch
selinux-policy-minimum-3.13.1-8.el7.noarch
selinux-policy-devel-3.13.1-8.el7.noarch
selinux-policy-doc-3.13.1-8.el7.noarch
selinux-policy-mls-3.13.1-8.el7.noarch
selinux-policy-3.13.1-8.el7.noarch
# matchpathcon /var/run/glusterd.socket
/var/run/glusterd.socket	system_u:object_r:glusterd_var_run_t:s0
# matchpathcon /var/run/glusterd
/var/run/glusterd	system_u:object_r:glusterd_var_run_t:s0
#

Comment 5 Nils Breunese 2014-11-26 17:49:56 UTC

Any chance the fix for glusterd.socket could be backported to 7.0? As far as I know RHEL-7.1 isn't even in beta yet.

Comment 6 Milos Malik 2014-12-02 16:21:55 UTC

Here is the output from "restorecon -Rv /var /run" when selinux-policy-3.13.1-12.el7 is installed:

restorecon reset /run/gluster context system_u:object_r:glusterd_var_run_t:s0->system_u:object_r:var_run_t:s0
restorecon reset /run/gluster/snaps context system_u:object_r:glusterd_var_run_t:s0->system_u:object_r:var_run_t:s0

I'm going to check the new policy.

Comment 7 Milos Malik 2014-12-02 17:03:02 UTC

# rpm -qa selinux-policy\*
selinux-policy-sandbox-3.13.1-13.el7.noarch
selinux-policy-3.13.1-13.el7.noarch
selinux-policy-mls-3.13.1-13.el7.noarch
selinux-policy-targeted-3.13.1-13.el7.noarch
selinux-policy-devel-3.13.1-13.el7.noarch
selinux-policy-doc-3.13.1-13.el7.noarch
selinux-policy-minimum-3.13.1-13.el7.noarch
# rpm -qa gluster\*
glusterfs-api-3.6.0.32-1.el7rhs.x86_64
glusterfs-cli-3.6.0.32-1.el7rhs.x86_64
glusterfs-3.6.0.32-1.el7rhs.x86_64
glusterfs-libs-3.6.0.32-1.el7rhs.x86_64
glusterfs-fuse-3.6.0.32-1.el7rhs.x86_64
glusterfs-server-3.6.0.32-1.el7rhs.x86_64
#

Each time I delete the /var/run/gluster directory, the gluster server creates the directory again. Unfortunately, manual run of restorecon changes the label on that directory:

# restorecon -Rv /var/run/gluster
restorecon reset /run/gluster context system_u:object_r:glusterd_var_run_t:s0->system_u:object_r:var_run_t:s0
restorecon reset /run/gluster/snaps context system_u:object_r:glusterd_var_run_t:s0->system_u:object_r:var_run_t:s0
#

Comment 8 Milos Malik 2014-12-02 17:23:15 UTC

The automated TC does not produce any AVCs. The gluster server also runs without apparent errors.

Comment 10 Miroslav Grepl 2014-12-02 17:44:04 UTC

We define

/var/run/glusterd(/.*)? gen_context(system_u:object_r:glusterd_var_run_t,s0)

So you see

/var/run/gluster

directory, right?

Comment 11 Milos Malik 2014-12-02 17:46:41 UTC

Yes. For the first time I thought about a typo error, but the 'd' letter is really missing:

# rpm -qf /var/run/gluster
glusterfs-3.6.0.32-1.el7rhs.x86_64
#

Comment 12 Nils Breunese 2014-12-02 21:48:35 UTC

Using the packages from http://download.gluster.org/pub/gluster/glusterfs/LATEST/EPEL.repo/epel-7/x86_64/ I also see the directory /var/run/gluster is used:

# rpm -qf /var/run/gluster
glusterfs-3.6.1-1.el7.x86_64

There is no /var/run/glusterd.

Comment 13 Miroslav Grepl 2014-12-12 15:00:25 UTC

commit c19bf130b7c9b1dce504771aa2f9954fa3486fb0
Author: Miroslav Grepl <mgrepl>
Date:   Thu Dec 4 14:17:46 2014 +0100

    Add support for /var/run/gluster.

Comment 14 Nils Breunese 2014-12-12 15:07:19 UTC

(In reply to Miroslav Grepl from comment #13)
> commit c19bf130b7c9b1dce504771aa2f9954fa3486fb0
> Author: Miroslav Grepl <mgrepl>
> Date:   Thu Dec 4 14:17:46 2014 +0100
> 
>     Add support for /var/run/gluster.

It's nice that 3.13.1 will support /var/run/gluster, but this bug report is about /var/run/glusterd.socket and selinux-policy* 3.12.1.

Comment 15 Milos Malik 2014-12-12 15:20:29 UTC

(In reply to Nils Breunese from comment #14)

> It's nice that 3.13.1 will support /var/run/gluster, but this bug report is
> about /var/run/glusterd.socket and selinux-policy* 3.12.1.

selinux-policy-3.12.1-153.el7_0.11 is shipped in z-stream for RHEL-7.0. If you want to fix this problem in RHEL-7.0 channels then you should propose this bug for RHEL-7.0.z. This bug report is part of RHEL-7.1 errata for selinux-policy.

Comment 18 errata-xmlrpc 2015-03-05 10:46:52 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0458.html

Note You need to log in before you can comment on or make changes to this bug.