Bug 1181111 - [RHEL7.0][Gluster] Selinux prevents a creation of glusterfs domains
Summary: [RHEL7.0][Gluster] Selinux prevents a creation of glusterfs domains
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.0
Hardware: Unspecified
OS: Linux
urgent
urgent
Target Milestone: rc
: ---
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard: gluster
Depends On:
Blocks: rhev35rcblocker rhev35gablocker 1177651 1185867
TreeView+ depends on / blocked
 
Reported: 2015-01-12 11:57 UTC by Ori Gofen
Modified: 2016-05-26 01:49 UTC (History)
30 users (show)

Fixed In Version: selinux-policy-3.13.1-16.el7
Doc Type: Bug Fix
Doc Text:
Clone Of: 1177651
: 1185867 (view as bug list)
Environment:
Last Closed: 2015-03-05 10:48:19 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2015:0458 normal SHIPPED_LIVE selinux-policy bug fix and enhancement update 2015-03-05 15:17:00 UTC

Comment 2 Miroslav Grepl 2015-01-12 12:11:08 UTC
What AVC are you getting in permissive mode?

Comment 4 Milos Malik 2015-01-12 12:43:39 UTC
# ausearch -m avc -m user_avc -m selinux_err -i -ts today

Comment 5 Ori Gofen 2015-01-12 15:34:15 UTC
(In reply to Miroslav Grepl from comment #2)
> What AVC are you getting in permissive mode?

from /var/log/messeges I've found avc: denied:

Jan 12 17:22:03 purple-vds2 kernel: type=1400 audit(1421076123.001:23): 
avc:  denied  { name_connect } for  pid=20026 comm="glusterfs" dest=49262 scontext=system_u:system_r:glusterd_t:s0-s0:c
0.c1023 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket

that's in permissive mode

ausearch -m avc -m user_avc -m selinux_err -i -ts today didn't prompt results

Comment 6 Miroslav Grepl 2015-01-12 15:40:49 UTC
#============= glusterd_t ==============

#!!!! This avc is allowed in the current policy
allow glusterd_t ephemeral_port_t:tcp_socket name_connect;


What is your version of policy

# rpm -q selinux-policy

Comment 7 Milos Malik 2015-01-12 15:46:27 UTC
It seems that audit daemon is not running on your machine.

# service auditd start

When audit daemon is not running the only sources of audit records are dmesg and /var/log/messages.

Comment 8 Ori Gofen 2015-01-12 16:22:13 UTC
(In reply to Miroslav Grepl from comment #6)
> #============= glusterd_t ==============
> 
> #!!!! This avc is allowed in the current policy
> allow glusterd_t ephemeral_port_t:tcp_socket name_connect;
> 
> 
> What is your version of policy
> 
> # rpm -q selinux-policy

selinux-policy-sandbox-3.12.1-153.el7_0.13.noarch
selinux-policy-targeted-3.12.1-153.el7_0.13.noarch
selinux-policy-3.12.1-153.el7_0.13.noarch
selinux-policy-doc-3.12.1-153.el7_0.13.noarch
selinux-policy-devel-3.12.1-153.el7_0.13.noarch
selinux-policy-minimum-3.12.1-153.el7_0.13.noarch
selinux-policy-mls-3.12.1-153.el7_0.13.noarch

Comment 9 Miroslav Grepl 2015-01-14 06:51:11 UTC
Could you test it with latest RHEL7.1 policy builds? I believe it will work with them.

Comment 10 Ori Gofen 2015-01-14 13:53:21 UTC
(In reply to Miroslav Grepl from comment #9)
> Could you test it with latest RHEL7.1 policy builds? I believe it will work
> with them.

Does not reproduce on 7.1 beta

Comment 11 Dan Kenigsberg 2015-01-15 13:52:55 UTC
Miroslav, fyi, we need this fixed for rhev-3.5.0 which is scheduled to be released on top of rhel-7.0.z.

Comment 12 Miroslav Grepl 2015-01-15 16:05:15 UTC
(In reply to Dan Kenigsberg from comment #11)
> Miroslav, fyi, we need this fixed for rhev-3.5.0 which is scheduled to be
> released on top of rhel-7.0.z.

In this case, we need to get this bugzilla to Modified state and ask for z-stream clone bug.

Comment 17 Allon Mureinik 2015-02-19 11:30:49 UTC
Any news on when this will be released?

Comment 19 errata-xmlrpc 2015-03-05 10:48:19 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0458.html


Note You need to log in before you can comment on or make changes to this bug.