Bug 1209101 - nfs-ganesha: present setup required selinux be disabled
Summary: nfs-ganesha: present setup required selinux be disabled
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: nfs-ganesha
Classification: Retired
Component: MainNFSD
Version: devel
Hardware: x86_64
OS: Linux
unspecified
high
Target Milestone: ---
Assignee: Frank Filz
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: qe_tracker_everglades
Reported: 2015-04-06 05:56 UTC by Saurabh
Modified: 2016-01-19 06:14 UTC

Fixed In Version: glusterfs-3.7dev-0.994
Clone Of:
Environment:
Last Closed: 2015-07-30 13:14:20 UTC
Embargoed:



Description Saurabh 2015-04-06 05:56:04 UTC
Description of problem:
Present setup of nfs-ganesha HA requires that selinux be disabled.
This should be the case, as in the future we are moving to have selinux running on storage servers. So it will be helpful if we can overcome this problem of disabling selinux for the component.

Comment 1 Kaleb KEITHLEY 2015-04-07 10:05:33 UTC
HA works fine with selinux=enforcing.

Please ignore the step 2 in the instructions that say disable selinux.

Comment 2 Saurabh 2015-04-22 03:07:23 UTC
When I try to bring up the nfs-ganesha HA setup while selinux is enforced, I get the below messages in /var/log/messages.

Also, the HA cluster does not come up:

Apr 21 04:18:07 nfs2 rpc.statd[29055]: Version 1.2.3 starting
Apr 21 04:18:07 nfs2 sm-notify[29057]: Version 1.2.3 starting
Apr 21 04:18:12 nfs2 setroubleshoot: SELinux is preventing /bin/bash from execute access on the file /var/lib/glusterd/hooks/1/start/post/S29CTDBsetup.sh. For complete SELinux messages. run sealert -l 084f4c51-b71e-424e-a9cc-71c10a568062
Apr 21 04:18:12 nfs2 setroubleshoot: SELinux is preventing /bin/bash from execute access on the file /var/lib/glusterd/hooks/1/start/post/S29CTDBsetup.sh. For complete SELinux messages. run sealert -l 084f4c51-b71e-424e-a9cc-71c10a568062
Apr 21 04:18:12 nfs2 setroubleshoot: SELinux is preventing /bin/bash from execute access on the file /bin/hostname. For complete SELinux messages. run sealert -l 56b24c20-2a21-457f-bf2e-9a1eb8fad36f
Apr 21 04:18:12 nfs2 setroubleshoot: SELinux is preventing /bin/hostname from execute_no_trans access on the file /bin/hostname. For complete SELinux messages. run sealert -l ed5a5ff7-db47-493a-ad36-23e0af7ac4ca
Apr 21 04:19:23 nfs2 rpc.statd[29194]: Version 1.2.3 starting
Apr 21 04:19:23 nfs2 sm-notify[29195]: Version 1.2.3 starting
Apr 21 04:43:26 nfs2 kernel: warning: `ganesha.nfsd' uses 32-bit capabilities (legacy support in use)
Apr 21 04:43:26 nfs2 rpc.statd[29194]: Received SM_UNMON_ALL request from nfs2 while not monitoring any hosts
Apr 21 04:43:30 nfs2 setroubleshoot: SELinux is preventing /sbin/consoletype from execute access on the file /sbin/consoletype. For complete SELinux messages. run sealert -l c711bc35-b4a0-48f2-a340-cf3cb6d46926
Apr 21 04:43:30 nfs2 setroubleshoot: SELinux is preventing /sbin/consoletype from execute access on the file /sbin/consoletype. For complete SELinux messages. run sealert -l c711bc35-b4a0-48f2-a340-cf3cb6d46926
Apr 21 04:43:30 nfs2 setroubleshoot: SELinux is preventing /bin/bash from execute access on the file /etc/rc.d/init.d/nfs-ganesha. For complete SELinux messages. run sealert -l da02410b-d964-4094-b7dc-4cbf7e06316f
Apr 21 04:43:31 nfs2 setroubleshoot: SELinux is preventing /bin/bash from execute access on the file /etc/rc.d/init.d/nfs-ganesha. For complete SELinux messages. run sealert -l da02410b-d964-4094-b7dc-4cbf7e06316f
Apr 21 04:43:31 nfs2 setroubleshoot: SELinux is preventing /usr/bin/ganesha.nfsd from write access on the sock_file /var/run/dbus/system_bus_socket. For complete SELinux messages. run sealert -l 8d65833a-c11b-43ac-a397-ecfe848b656b
Apr 21 04:43:31 nfs2 setroubleshoot: SELinux is preventing /usr/bin/ganesha.nfsd from write access on the sock_file /var/run/dbus/system_bus_socket. For complete SELinux messages. run sealert -l 8d65833a-c11b-43ac-a397-ecfe848b656b
Apr 21 04:43:31 nfs2 setroubleshoot: SELinux is preventing /usr/bin/ganesha.nfsd from write access on the sock_file /var/run/rpcbind.sock. For complete SELinux messages. run sealert -l a6d00967-d6c6-4624-bea4-82e98d39e290


Also, even if I put selinux in permissive mode, things still do not work.

Comment 3 Stanislav Graf 2015-04-22 06:48:14 UTC
(In reply to Saurabh from comment #2)
[...]
> Also, even if I put selinux in permissive mode, things still do not work.

Maybe this is not a Selinux issue then.

Comment 4 Kaleb KEITHLEY 2015-04-22 13:23:29 UTC
Maybe clone this and assign the clone to the Samba team. Some of these messages are CTDB. We don't use CTDB.

The rest are ganesha, e.g. /var/run/dbus/system_bus_socket and rpcbind.
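
An added triage example, not part of the original comments or of either project: it collapses the repeated setroubleshoot lines from comment 2 into one entry per denied access and buckets them roughly along the CTDB/ganesha split described in comment 4. The function names and the substring-based bucketing are assumptions made for this illustration.

```python
import re

# Summary line that setroubleshoot writes to /var/log/messages.
DENIAL = re.compile(
    r"setroubleshoot: SELinux is preventing (?P<source>\S+) from "
    r"(?P<access>\S+) access on the (?P<tclass>\S+) (?P<target>\S+?)\. "
    r"For complete SELinux messages\. run sealert -l (?P<alert>[0-9a-f-]{36})"
)

def summarize(lines):
    """Collapse repeats into one entry per (source, access, class, target)."""
    out = {}
    for line in lines:
        m = DENIAL.search(line)
        if not m:
            continue  # rpc.statd, kernel and other non-denial lines
        key = (m["source"], m["access"], m["tclass"], m["target"])
        entry = out.setdefault(key, {"count": 0, "alerts": set()})
        entry["count"] += 1
        entry["alerts"].add(m["alert"])
    return out

def by_component(summary):
    """Bucket denials by substring match (assumed heuristic, not policy-aware)."""
    buckets = {"ctdb": [], "ganesha": [], "other": []}
    for source, access, tclass, target in summary:
        if "CTDB" in target:
            name = "ctdb"
        elif "ganesha" in source or "ganesha" in target:
            name = "ganesha"
        else:
            name = "other"
        buckets[name].append((source, access, tclass, target))
    return buckets

# Lines copied from the log excerpt in comment 2.
SAMPLE = [
    "Apr 21 04:18:07 nfs2 rpc.statd[29055]: Version 1.2.3 starting",
    "Apr 21 04:18:12 nfs2 setroubleshoot: SELinux is preventing /bin/bash from execute access on the file /var/lib/glusterd/hooks/1/start/post/S29CTDBsetup.sh. For complete SELinux messages. run sealert -l 084f4c51-b71e-424e-a9cc-71c10a568062",
    "Apr 21 04:18:12 nfs2 setroubleshoot: SELinux is preventing /bin/bash from execute access on the file /var/lib/glusterd/hooks/1/start/post/S29CTDBsetup.sh. For complete SELinux messages. run sealert -l 084f4c51-b71e-424e-a9cc-71c10a568062",
    "Apr 21 04:18:12 nfs2 setroubleshoot: SELinux is preventing /bin/bash from execute access on the file /bin/hostname. For complete SELinux messages. run sealert -l 56b24c20-2a21-457f-bf2e-9a1eb8fad36f",
    "Apr 21 04:43:31 nfs2 setroubleshoot: SELinux is preventing /usr/bin/ganesha.nfsd from write access on the sock_file /var/run/dbus/system_bus_socket. For complete SELinux messages. run sealert -l 8d65833a-c11b-43ac-a397-ecfe848b656b",
    "Apr 21 04:43:31 nfs2 setroubleshoot: SELinux is preventing /usr/bin/ganesha.nfsd from write access on the sock_file /var/run/dbus/system_bus_socket. For complete SELinux messages. run sealert -l 8d65833a-c11b-43ac-a397-ecfe848b656b",
    "Apr 21 04:43:31 nfs2 setroubleshoot: SELinux is preventing /usr/bin/ganesha.nfsd from write access on the sock_file /var/run/rpcbind.sock. For complete SELinux messages. run sealert -l a6d00967-d6c6-4624-bea4-82e98d39e290",
]

if __name__ == "__main__":
    for key, info in summarize(SAMPLE).items():
        print(info["count"], *key, "sealert -l", *sorted(info["alerts"]))
```
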

Comment 5 Kaleb KEITHLEY 2015-04-22 19:27:40 UTC
FWIW, this is puzzling because I have selinux set to enforcing, ganesha.nfsd runs, and I don't have any of those messages in my /var/log/messages.

Comment 6 Stanislav Graf 2015-05-03 17:32:15 UTC
(In reply to Stanislav Graf from comment #3)
> (In reply to Saurabh from comment #2)
> [...]
> > Also, even if I put selinux in permissive mode, things still do not work.
> 
> Maybe this is not a Selinux issue then.

Any update on this?

Comment 7 Prasanth 2015-05-12 13:27:00 UTC
Saurabh,

Could you please re-test this and confirm that SELinux is not causing the issue here as mentioned by Kaleb?

Comment 8 Saurabh 2015-05-13 07:07:47 UTC
I was able to see nfs-ganesha getting spawned on all intended nodes once selinux is enforced.
Although we have an issue, i.e. volume export fails when selinux is enabled; for that I have filed BZ 1220999.

