Bug 1173547 - Missing rule to allow glusterd in enforcing mode
Summary: Missing rule to allow glusterd in enforcing mode
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 21
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2014-12-12 12:04 UTC by Fabian Deutsch
Modified: 2015-03-31 21:46 UTC (History)

Fixed In Version: selinux-policy-3.13.1-105.9.fc21
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-03-31 21:46:26 UTC
Type: Bug
Embargoed:



Description Fabian Deutsch 2014-12-12 12:04:35 UTC
Description of problem:
A missing rule prevents glusterd from working out of the box

Version-Release number of selected component (if applicable):

[root@host-01 gluster]# cat /etc/system-release
Fedora release 21 (Twenty One)

[root@host-01 gluster]# rpm -q selinux-policy
selinux-policy-3.13.1-90.fc21.noarch



How reproducible:


Steps to Reproduce:
1. pkcon install glusterfs-server
2. service glusterd start
3. Create volume

Actual results:
Denial by selinux

Expected results:
All goes well

Additional info:
[root@host-01 gluster]# audit2allow -a -r -e

require {
	type systemd_logind_t;
	type svirt_tmpfs_t;
	type glusterd_t;
	type var_run_t;
	class sock_file { write unlink };
	class file getattr;
}

#============= glusterd_t ==============
# audit(1418385135.939:538):
#  scontext="system_u:system_r:glusterd_t:s0" tcontext="system_u:object_r:var_run_t:s0"
#  class="sock_file" perms="write"
#  comm="glusterd" exe="" path=""
#  message="type=AVC msg=audit(1418385135.939:538): avc:  denied  { write } for
#   pid=1582 comm="glusterd" name="glusterd.socket" dev="tmpfs" ino=26677
#   scontext=system_u:system_r:glusterd_t:s0
#   tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0"
# audit(1418385352.445:566):
#  scontext="system_u:system_r:glusterd_t:s0" tcontext="system_u:object_r:var_run_t:s0"
#  class="sock_file" perms="write"
#  comm="glusterd" exe="" path=""
#  message="type=AVC msg=audit(1418385352.445:566): avc:  denied  { write } for
#   pid=1740 comm="glusterd" name="glusterd.socket" dev="tmpfs" ino=26677
#   scontext=system_u:system_r:glusterd_t:s0
#   tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=1"
# audit(1418385352.445:567):
#  scontext="system_u:system_r:glusterd_t:s0" tcontext="system_u:object_r:var_run_t:s0"
#  class="sock_file" perms="unlink"
#  comm="glusterd" exe="" path=""
#  message="type=AVC msg=audit(1418385352.445:567): avc:  denied  { unlink } for
#   pid=1740 comm="glusterd" name="glusterd.socket" dev="tmpfs" ino=26677
#   scontext=system_u:system_r:glusterd_t:s0
#   tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=1"
allow glusterd_t var_run_t:sock_file { write unlink };

Comment 1 Lukas Vrabec 2014-12-12 14:42:44 UTC
Hi, 

Firstly, please update your selinux-policy package. 
Then, attach output of this: 
$ matchpathcon /var/run/glusterd.socket


I believe this is just mislabeled sock file.

Comment 2 Fabian Deutsch 2014-12-12 14:48:01 UTC
Here you go:

[root@host-01 ~]# matchpathcon /var/run/glusterd.socket
/var/run/glusterd.socket	system_u:object_r:glusterd_var_run_t:s0

There are currently no staged updates for that release.

Comment 3 Lukas Vrabec 2014-12-12 15:06:11 UTC
Use:
#restorecon -v /var/run/glusterd.socket
to fix it. 

Please let me know if this happens again.

Thank you.

Comment 4 Fabian Deutsch 2014-12-12 16:07:16 UTC
It was a clean installation!

Why should I need to use restorecon on a clean installation!?

Comment 5 Fabian Deutsch 2014-12-12 16:08:06 UTC
Also: The context did not change:

[root@host-01 ~]# matchpathcon /var/run/glusterd.socket
/var/run/glusterd.socket	system_u:object_r:glusterd_var_run_t:s0
[root@host-01 ~]# restorecon -v /var/run/glusterd.socket
[root@host-01 ~]# matchpathcon /var/run/glusterd.socket
/var/run/glusterd.socket	system_u:object_r:glusterd_var_run_t:s0


It does not make sense to run restorecon!

Comment 6 Daniel Walsh 2014-12-12 17:23:31 UTC
ls -lZ /var/run/glusterd.socket
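
The three checks asked for above (the AVC tcontext in the denial, matchpathcon, ls -lZ) answer one question: does the socket carry the label the policy expects? An AVC denial records the label the object actually has (tcontext); matchpathcon prints the label the file-context rules say the path should have, not what is on disk, so running it before and after restorecon cannot show a change. When the two types differ the object is mislabeled (restorecon fixes the existing file; a file transition rule in the creating domain keeps it from recurring); when they agree, the allow rule audit2allow prints is the real gap. The script below is an added example, not code from this report or from the selinux-policy project; it embeds the denial and matchpathcon output quoted in comment 0 and comment 2 as sample input, and the function names (avc_field, classify_avc, check_path) are my own.

```shell
#!/bin/sh
# Added example (not from the bug report or selinux-policy): tell a
# mislabeled object apart from a genuinely missing allow rule by
# comparing the AVC tcontext with the label matchpathcon expects.

# Sample input copied from this report: the first denial in comment 0
# and the matchpathcon result from comment 2.
SAMPLE_AVC='type=AVC msg=audit(1418385135.939:538): avc:  denied  { write } for  pid=1582 comm="glusterd" name="glusterd.socket" dev="tmpfs" ino=26677 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0'
SAMPLE_EXPECTED='system_u:object_r:glusterd_var_run_t:s0'

# avc_field LINE NAME: value of NAME=... in an AVC line, quotes stripped
# (works on raw audit.log lines and on audit2allow's "#  ..." echo form).
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^[:space:]\"]*\).*/\1/p"
}

# avc_perms LINE: the permission list inside "denied { ... }".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{ *\(.*[^ ]\) *}.*/\1/p'
}

# ctx_type CONTEXT: the type field of user:role:type:level.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# classify_avc LINE EXPECTED_CONTEXT: prints "mislabel" when the denied
# object's type differs from the type policy expects for its path,
# otherwise "policy-gap" (the policy really lacks the allow rule).
classify_avc() {
    actual=$(avc_field "$1" tcontext)
    if [ "$(ctx_type "$actual")" != "$(ctx_type "$2")" ]; then
        echo mislabel
    else
        echo policy-gap
    fi
}

# check_path PATH: the same comparison against the live system, using
# stat -c %C for the on-disk label and matchpathcon -n for the expected
# one.  Needs the SELinux userspace tools; returns 2 if they or PATH are
# missing, 1 on a mislabel, 0 when the label matches policy.
check_path() {
    command -v matchpathcon >/dev/null 2>&1 || return 2
    [ -e "$1" ] || return 2
    expected=$(matchpathcon -n "$1")
    actual=$(stat -c %C "$1")
    if [ "$(ctx_type "$actual")" != "$(ctx_type "$expected")" ]; then
        echo "$1: mislabel (has $actual, policy expects $expected); fix with: restorecon -v $1"
        return 1
    fi
    echo "$1: label $actual matches policy"
    return 0
}

# Demonstration on the recorded denial: glusterd.socket carries
# var_run_t while policy expects glusterd_var_run_t, so this is a
# mislabel, not a missing allow rule.
echo "denied perms: $(avc_perms "$SAMPLE_AVC")"
echo "object type:  $(ctx_type "$(avc_field "$SAMPLE_AVC" tcontext)")"
echo "verdict:      $(classify_avc "$SAMPLE_AVC" "$SAMPLE_EXPECTED")"
```

On a host with the tools installed, `check_path /var/run/glusterd.socket` performs the live comparison. A mislabel verdict after a clean install, as reported here, means the process that created the socket (glusterd, or the package scriptlet) did so without a file transition rule in policy, which is what the later commits in this report add; restorecon only repairs the file already on disk.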

Comment 7 Miroslav Grepl 2015-02-03 11:34:30 UTC
Lukas, it should be fixed with the latest builds.

commit 05c8c9f7cfc2f035ea5ab679c81b380f459ca31b
Author: Miroslav Grepl <mgrepl>
Date:   Wed Jan 28 08:40:05 2015 +0100

    Allow gluster rpm scriptlet create glusterd socket with correct labeling. This is a workaround until we get fix in glusterd.

commit cac96f6937c30842dbb36c5de19a657172d120dd
Author: Miroslav Grepl <mgrepl>
Date:   Wed Jan 28 08:36:09 2015 +0100

    Add glusterd_filetrans_named_pid() interface.

Comment 8 Lukas Vrabec 2015-02-03 13:35:51 UTC
Thank you Miroslav.

Fabian could you try it with this build?
http://koji.fedoraproject.org/koji/buildinfo?buildID=608635
Thank you.

Comment 9 Fedora Update System 2015-03-23 16:47:49 UTC
selinux-policy-3.13.1-105.9.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-105.9.fc21

Comment 10 Fedora Update System 2015-03-26 21:28:01 UTC
Package selinux-policy-3.13.1-105.9.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.13.1-105.9.fc21'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-4492/selinux-policy-3.13.1-105.9.fc21
then log in and leave karma (feedback).

Comment 11 Fedora Update System 2015-03-31 21:46:26 UTC
selinux-policy-3.13.1-105.9.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

