Description of problem:
A missing rule prevents glusterd from working out of the box

Version-Release number of selected component (if applicable):
[root@host-01 gluster]# cat /etc/system-release
Fedora release 21 (Twenty One)
[root@host-01 gluster]# rpm -q selinux-policy
selinux-policy-3.13.1-90.fc21.noarch

How reproducible:

Steps to Reproduce:
1. pkcon install glusterfs-server
2. service glusterd start
3. Create volume

Actual results:
Denial by selinux

Expected results:
All goes well

Additional info:
[root@host-01 gluster]# audit2allow -a -r -e

require {
    type systemd_logind_t;
    type svirt_tmpfs_t;
    type glusterd_t;
    type var_run_t;
    class sock_file { write unlink };
    class file getattr;
}

#============= glusterd_t ==============
# audit(1418385135.939:538):
# scontext="system_u:system_r:glusterd_t:s0" tcontext="system_u:object_r:var_run_t:s0"
# class="sock_file" perms="write"
# comm="glusterd" exe="" path=""
# message="type=AVC msg=audit(1418385135.939:538): avc: denied { write } for
# pid=1582 comm="glusterd" name="glusterd.socket" dev="tmpfs" ino=26677
# scontext=system_u:system_r:glusterd_t:s0
# tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0"
# audit(1418385352.445:566):
# scontext="system_u:system_r:glusterd_t:s0" tcontext="system_u:object_r:var_run_t:s0"
# class="sock_file" perms="write"
# comm="glusterd" exe="" path=""
# message="type=AVC msg=audit(1418385352.445:566): avc: denied { write } for
# pid=1740 comm="glusterd" name="glusterd.socket" dev="tmpfs" ino=26677
# scontext=system_u:system_r:glusterd_t:s0
# tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=1"
# audit(1418385352.445:567):
# scontext="system_u:system_r:glusterd_t:s0" tcontext="system_u:object_r:var_run_t:s0"
# class="sock_file" perms="unlink"
# comm="glusterd" exe="" path=""
# message="type=AVC msg=audit(1418385352.445:567): avc: denied { unlink } for
# pid=1740 comm="glusterd" name="glusterd.socket" dev="tmpfs" ino=26677
# scontext=system_u:system_r:glusterd_t:s0
# tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=1"
allow glusterd_t var_run_t:sock_file { write unlink };
Hi,

Firstly, please update your selinux-policy package. Then, attach the output of this:

$ matchpathcon /var/run/glusterd.socket

I believe this is just a mislabeled sock file.
Here you go:

[root@host-01 ~]# matchpathcon /var/run/glusterd.socket
/var/run/glusterd.socket system_u:object_r:glusterd_var_run_t:s0

There are currently no staged updates for that release.
Use:

# restorecon -v /var/run/glusterd.socket

to fix it. Please let me know if this happens again. Thank you.
It was a clean installation! Why should I need to use restorecon on a clean installation!?
Also: The context did not change:

[root@host-01 ~]# matchpathcon /var/run/glusterd.socket
/var/run/glusterd.socket system_u:object_r:glusterd_var_run_t:s0
[root@host-01 ~]# restorecon -v /var/run/glusterd.socket
[root@host-01 ~]# matchpathcon /var/run/glusterd.socket
/var/run/glusterd.socket system_u:object_r:glusterd_var_run_t:s0

It does not make sense to run restorecon!
ls -lZ /var/run/glusterd.socket
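Added example (not part of the original report or of any commenter's reply): a short Python triage that takes the first AVC record and the matchpathcon line quoted in this thread and compares the type the kernel saw on the socket with the type the file-context rules assign. The function names and verdict strings are assumptions made for this illustration, and matching the record's name= field against the path's basename is a heuristic.

```python
import re

# First AVC record from the audit2allow output in this report ("#" markers removed).
AVC = ('type=AVC msg=audit(1418385135.939:538): avc: denied { write } for '
       'pid=1582 comm="glusterd" name="glusterd.socket" dev="tmpfs" ino=26677 '
       'scontext=system_u:system_r:glusterd_t:s0 '
       'tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0')
# matchpathcon output line as quoted in this report.
MATCHPATHCON = '/var/run/glusterd.socket system_u:object_r:glusterd_var_run_t:s0'

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None if it is not one."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {key: value.strip('"') for key, value in FIELD_RE.findall(m.group('rest'))}
    rec['perms'] = m.group('perms').split()
    return rec


def context_type(context):
    """Extract the type from a user:role:type[:level] security context."""
    parts = context.split(':')
    if len(parts) < 3:
        raise ValueError('not a security context: %r' % context)
    return parts[2]


def triage(avc_line, matchpathcon_line):
    """Compare the denied object's type with the type the policy expects."""
    rec = parse_avc(avc_line)
    if rec is None:
        raise ValueError('not an AVC denial')
    path, expected = matchpathcon_line.split(None, 1)
    if path.rsplit('/', 1)[-1] != rec.get('name'):  # heuristic: name= is a basename
        raise ValueError('denial is not about %s' % path)
    seen, wanted = context_type(rec['tcontext']), context_type(expected.strip())
    # Types differ: the object carried the wrong label, so fix the labeling.
    # Types equal: the label is right and the domain lacks the permission.
    verdict = 'mislabeled' if seen != wanted else 'missing-rule'
    return {'path': path, 'perms': rec['perms'], 'seen': seen,
            'expected': wanted, 'verdict': verdict}


if __name__ == '__main__':
    print(triage(AVC, MATCHPATHCON))
```

For the record in this report the verdict is mislabeled: the denial shows var_run_t on the socket while the policy assigns glusterd_var_run_t. The allow rule audit2allow proposed would therefore grant glusterd_t write and unlink on every var_run_t socket file instead of correcting the label.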
Lukas, it should be fixed with latest builds.

commit 05c8c9f7cfc2f035ea5ab679c81b380f459ca31b
Author: Miroslav Grepl <mgrepl>
Date: Wed Jan 28 08:40:05 2015 +0100

    Allow gluster rpm scriplet create glusterd socket with correct labeling. This is a workaround until we get fix in glusterd.

commit cac96f6937c30842dbb36c5de19a657172d120dd
Author: Miroslav Grepl <mgrepl>
Date: Wed Jan 28 08:36:09 2015 +0100

    Add glusterd_filetrans_named_pid() interface.
Thank you, Miroslav.

Fabian, could you try it with this build?

http://koji.fedoraproject.org/koji/buildinfo?buildID=608635

Thank you.
selinux-policy-3.13.1-105.9.fc21 has been submitted as an update for Fedora 21. https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-105.9.fc21
Package selinux-policy-3.13.1-105.9.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.

Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.13.1-105.9.fc21'
as soon as you are able to.

Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-4492/selinux-policy-3.13.1-105.9.fc21
then log in and leave karma (feedback).
selinux-policy-3.13.1-105.9.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.