Bug 1212923 - [SELinux]: [Snapshot]: SELinux policy updates required in RHEL-7.1 for gluster-snapshot
Summary: [SELinux]: [Snapshot]: SELinux policy updates required in RHEL-7.1 for gluste...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.0
Hardware: All
OS: Linux
unspecified
high
Target Milestone: pre-dev-freeze
: 7.1
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks: 1212796 1231930 1232134
Reported: 2015-04-17 16:54 UTC by RamaKasturi
Modified: 2015-11-19 10:32 UTC (History)

Fixed In Version: selinux-policy-3.13.1-29.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 1231930 1232134 (view as bug list)
Environment:
Last Closed: 2015-11-19 10:32:14 UTC
Target Upstream Version:


Attachments
audit.log (42.61 KB, text/plain) 2015-06-15 14:34 UTC, senaik
audit.log (42.61 KB, text/plain) 2015-06-15 14:35 UTC, senaik
audit logs for comment 29 (1.54 MB, text/plain) 2015-06-17 12:10 UTC, senaik


Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1222614 0 low CLOSED Misleading error message during snapshot creation 2021-02-22 00:41:40 UTC
Red Hat Product Errata RHBA-2015:2300 0 normal SHIPPED_LIVE selinux-policy bug fix update 2015-11-19 09:55:26 UTC

Internal Links: 1222614

Description RamaKasturi 2015-04-17 16:54:32 UTC
Description of problem:
Snapshot create fails in RHEL7 when selinux is in Enforcing mode. Run the command "gluster snapshot create <snapName>"

snapshot create: failed: Snapshot is supported only for thin provisioned LV. Ensure that all bricks of vol1 are thinly provisioned LV.
Snapshot command failed


Snapshot creation succeeds on RHEL7 when selinux is in permissive mode.

Version-Release number of selected component (if applicable):
glusterfs-3.7dev-0.994.gitf522001.el7.centos.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Install RHEL7 machine
2. Install glusterfs rpms.
3. Create a volume and start it.
4. Now create a snapshot by running the command "gluster snapshot create <snapName> "

Actual results:
Snapshot creation fails when selinux is in Enforcing mode on RHEL7.
Snapshot creation succeeds when selinux is in permissive mode on RHEL7.

Expected results:
Snapshot creation should succeed when selinux is in Enforcing mode in RHEL7.

Additional info:

Comment 3 Milos Malik 2015-04-20 09:40:02 UTC
glusterd_t is a permissive domain in RHEL-6.7, but glusterd_t is not a permissive domain in RHEL-7.1. That's why glusterd cannot execute lvm or xfs_growfs programs (see the attachment).

Comment 4 Niels de Vos 2015-04-21 12:28:06 UTC
Moving from the GlusterFS product to RHEL-7/selinux-policy.

Comment 8 Miroslav Grepl 2015-06-10 14:34:03 UTC
$ sesearch -A -s glusterd_t -t lvm_t -c process
Found 1 semantic av rules:
   allow glusterd_t lvm_t : process transition ; 

$ sesearch -A -s glusterd_t -t fsadm_t -c process
Found 1 semantic av rules:
   allow glusterd_t fsadm_t : process transition ;

$ matchpathcon /var/lib/glusterd/hooks/*/*.sh
/var/lib/glusterd/hooks/*/*.sh	system_u:object_r:bin_t:s0

Comment 12 RamaKasturi 2015-06-11 10:10:58 UTC
I see the following avc in the system. Can you check if this has to be fixed?

#============= glusterd_t ==============
allow glusterd_t fixed_disk_device_t:blk_file getattr;

#!!!! This avc is allowed in the current policy
allow glusterd_t random_device_t:chr_file getattr;

Comment 13 Milos Malik 2015-06-11 10:44:50 UTC
Could you attach the SELinux denials? We can work around both issues, but I would like to see if there is something new that I missed.

# ausearch -m avc -m user_avc -m selinux_err -i -ts today

Comment 14 RamaKasturi 2015-06-11 10:57:29 UTC
Hi Milos,

I have run the command mentioned in comment 13 and attached the output file in the link below.

http://rhsqe-repo.lab.eng.blr.redhat.com/sosreports/rhsc/1212923/

Thanks
kasturi

Comment 15 Milos Malik 2015-06-11 11:18:59 UTC
The /dev/log is mislabeled on your machine.

# ls -Z /dev/log

Please run following command to fix it:

# restorecon -v /dev/log

All denials in the attachment are caused by this issue.

Comment 16 senaik 2015-06-11 11:51:59 UTC
Snapshot creation is successful with SELinux in Enforcing mode on RHEL7.1 but I see the following AVC logged in audit.log
 
--------------------Part of audit.log---------------------

type=SYSCALL msg=audit(1434024359.865:469285): arch=c000003e syscall=42 success=no exit=-13 a0=a a1=7f0eef7ad740 a2=6e a3=3d items=0 ppid=1 pid=1215 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setroubleshootd" exe="/usr/bin/python2.7" subj=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1434024359.865:469286): avc:  denied  { write } for  pid=1215 comm="setroubleshootd" name="log" dev="devtmpfs" ino=8426 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1434024359.865:469286): arch=c000003e syscall=42 success=no exit=-13 a0=a a1=7f0eef7ad740 a2=6e a3=34 items=0 ppid=1 pid=1215 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setroubleshootd" exe="/usr/bin/python2.7" subj=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1434024359.865:469287): avc:  denied  { write } for  pid=1215 comm="setroubleshootd" name="log" dev="devtmpfs" ino=8426 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1434024359.865:469287): arch=c000003e syscall=42 success=no exit=-13 a0=a a1=7f0eef7ad740 a2=6e a3=40 items=0 ppid=1 pid=1215 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setroubleshootd" exe="/usr/bin/python2.7" subj=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 key=(null)

-----------------------------------------------------------------
 cat audit.log |audit2allow


#============= audisp_t ==============
allow audisp_t device_t:sock_file write;

#============= auditd_t ==============
allow auditd_t device_t:sock_file write;

#============= setroubleshootd_t ==============
allow setroubleshootd_t device_t:sock_file write;

-----------------------------------------------------------------
rpm -qa |grep selinux
selinux-policy-3.13.1-26.el7.noarch
selinux-policy-targeted-3.13.1-26.el7.noarch
libselinux-utils-2.2.2-6.el7.x86_64
libselinux-python-2.2.2-6.el7.x86_64
libselinux-2.2.2-6.el7.x86_64

Comment 17 Milos Malik 2015-06-11 12:01:31 UTC
You see the same problem as kasturi. Please follow comment #15.

Comment 18 senaik 2015-06-12 11:56:41 UTC
Hi Milos, 

Followed steps in comment 15, I see the below AVC after snapshot creation:

type=AVC msg=audit(1434111195.127:16089268): avc:  denied  { getattr } for  pid=27395 comm="xfs_db" path="/dev/dm-23" dev="devtmpfs" ino=21845028 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
type=SYSCALL msg=audit(1434111195.127:16089268): arch=c000003e syscall=4 success=no exit=-13 a0=7fff292f4f15 a1=7fff292f2fb0 a2=7fff292f2fb0 a3=7fff292f2d30 items=0 ppid=27392 pid=27395 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="xfs_db" exe="/usr/sbin/xfs_db" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1434111195.137:16089269): avc:  denied  { getattr } for  pid=27400 comm="xfs_db" path="/dev/dm-24" dev="devtmpfs" ino=21845031 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
type=SYSCALL msg=audit(1434111195.137:16089269): arch=c000003e syscall=4 success=no exit=-13 a0=7fff15d2ef15 a1=7fff15d2ce90 a2=7fff15d2ce90 a3=7fff15d2cc10 items=0 ppid=27396 pid=27400 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="xfs_db" exe="/usr/sbin/xfs_db" subj=system_u:system_r:glusterd_t:s0 key=(null)

cat audit.log |audit2allow


#============= glusterd_t ==============
allow glusterd_t fixed_disk_device_t:blk_file getattr;


rpm -qa |grep selinux
libselinux-utils-2.2.2-6.el7.x86_64
libselinux-python-2.2.2-6.el7.x86_64
selinux-policy-3.13.1-27.el7.noarch
libselinux-2.2.2-6.el7.x86_64
selinux-policy-targeted-3.13.1-27.el7.noarch

Comment 19 Milos Malik 2015-06-12 12:36:11 UTC
Following commands (executed before your tests) should help here:

# semanage fcontext -a -t fsadm_exec_t /usr/sbin/xfs_db
# restorecon -Rv /usr/sbin

Comment 20 senaik 2015-06-15 07:19:59 UTC
Hi Miroslav, 

I see the bug has been moved to Assigned state. Could you please let us know why this has been done?

Comment 21 senaik 2015-06-15 11:39:12 UTC
Scheduler fails to create snapshots on RHEL7.1 when SELinux is in Enforcing mode.

When SELinux is in Permissive mode, Scheduler creates snapshots but I see the below AVC 

grep "AVC" /var/log/audit/audit.log
type=USER_AVC msg=audit(1434380101.086:4771): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received setenforce notice (enforcing=0)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1434385206.279:4911): avc:  denied  { getattr } for  pid=12694 comm="xfs_db" path="/dev/dm-23" dev="devtmpfs" ino=271817 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
type=AVC msg=audit(1434385206.279:4912): avc:  denied  { read } for  pid=12694 comm="xfs_db" name="dm-23" dev="devtmpfs" ino=271817 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
type=AVC msg=audit(1434385206.279:4912): avc:  denied  { open } for  pid=12694 comm="xfs_db" path="/dev/dm-23" dev="devtmpfs" ino=271817 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
type=AVC msg=audit(1434385206.279:4913): avc:  denied  { write } for  pid=12694 comm="xfs_db" name="dm-23" dev="devtmpfs" ino=271817 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
type=AVC msg=audit(1434385206.279:4914): avc:  denied  { ioctl } for  pid=12694 comm="xfs_db" path="/dev/dm-23" dev="devtmpfs" ino=271817 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file

==============================================================

rpm -qa |grep selinux
selinux-policy-targeted-3.13.1-27.el7.noarch
libselinux-utils-2.2.2-6.el7.x86_64
libselinux-python-2.2.2-6.el7.x86_64
libselinux-2.2.2-6.el7.x86_64
selinux-policy-3.13.1-27.el7.noarch

================================================================
cat audit.log |audit2allow 


#============= glusterd_t ==============
allow glusterd_t fixed_disk_device_t:blk_file { read write getattr open ioctl };
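The audit2allow summaries in this thread (comments 16, 18 and 21) group the quoted AVC records by source type, target type and object class and merge the denied permissions. As an added example that is not part of the bug report, the Python script below does the same grouping over constructed sample lines modelled on the denials quoted above, and attaches the triage hint the thread itself arrives at: a denial against a generic label such as device_t (the mislabeled /dev/log from comment 15) is a relabeling problem to fix with restorecon, not a reason to write a new allow rule. The GENERIC_TARGET_TYPES set and the classify() wording are my assumptions, and permissions are emitted in sorted order, which may differ from the order audit2allow prints.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the AVC records quoted in this bug report
# (a mislabeled /dev/log socket, and xfs_db running in glusterd_t).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1434024359.865:469286): avc:  denied  { write } for  pid=1215 comm="setroubleshootd" name="log" dev="devtmpfs" ino=8426 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1434024359.865:469286): arch=c000003e syscall=42 success=no exit=-13 comm="setroubleshootd" exe="/usr/bin/python2.7"
type=AVC msg=audit(1434385206.279:4911): avc:  denied  { getattr } for  pid=12694 comm="xfs_db" path="/dev/dm-23" dev="devtmpfs" ino=271817 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
type=AVC msg=audit(1434385206.279:4912): avc:  denied  { read } for  pid=12694 comm="xfs_db" name="dm-23" dev="devtmpfs" ino=271817 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
type=AVC msg=audit(1434385206.279:4912): avc:  denied  { open } for  pid=12694 comm="xfs_db" path="/dev/dm-23" dev="devtmpfs" ino=271817 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
type=USER_AVC msg=audit(1434380101.086:4771): pid=1 uid=0 subj=system_u:system_r:init_t:s0 msg='avc:  received setenforce notice (enforcing=0)  exe="/usr/lib/systemd/systemd"'
"""

# Kernel AVC denial: '... avc:  denied  { perm perm } for  key=value key="value" ...'
AVC_RE = re.compile(
    r'^type=AVC\b.*?avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Generic labels that usually mean "this object was never relabeled" rather than
# "policy forbids this". Heuristic for triage (my assumption), not audit2allow logic.
GENERIC_TARGET_TYPES = {"device_t", "default_t", "unlabeled_t"}


def parse_avc(line):
    """Return a dict of fields for a kernel AVC denial line, or None for any other record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = frozenset(m.group("perms").split())
    return rec


def type_of(context):
    """Extract the type field from a user:role:type[:range] security context."""
    return context.split(":")[2]


def summarize(log_text):
    """Group denials by (source type, target type, class) -> set of denied permissions."""
    by_key = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
        by_key[key] |= rec["perms"]
    return dict(by_key)


def allow_rules(by_key):
    """Render the groups as audit2allow-style allow rules, permissions sorted."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(by_key.items()):
        perm_list = sorted(perms)
        perm_str = perm_list[0] if len(perm_list) == 1 else "{ " + " ".join(perm_list) + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {perm_str};")
    return rules


def classify(key):
    """Triage hint: generic target label -> relabel first; otherwise a policy or file-context gap."""
    _, ttype, _ = key
    if ttype in GENERIC_TARGET_TYPES:
        return "suspected mislabel: run restorecon on the object before adding policy"
    return "policy or file-context gap: check which domain the helper process runs in"


if __name__ == "__main__":
    groups = summarize(SAMPLE_AUDIT_LOG)
    for key, rule in zip(sorted(groups), allow_rules(groups)):
        print(rule, "#", classify(key))
```

The second hint matters for the xfs_db denials in this thread: they were logged with scontext glusterd_t only because /usr/sbin/xfs_db lacked the fsadm_exec_t label and so never transitioned into fsadm_t, and the fix that removed them was the semanage fcontext / restorecon pair in comment 19 rather than the allow rule audit2allow proposes. The script therefore only renders the rules; deciding whether a rule, a file context or a relabel is the right fix stays with the reader.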

Comment 22 senaik 2015-06-15 14:26:04 UTC
Executed the following commands and tried snapshot operations; no AVCs were reported in the log.

# semanage fcontext -a -t fsadm_exec_t /usr/sbin/xfs_db
# restorecon -Rv /usr/sbin

Using scheduler to create snapshots does not work in 'Enforcing' mode. 

Tried scheduling snapshots with SELinux in Permissive mode; snapshots were created successfully and no AVC denials were reported in the log.

Comment 23 senaik 2015-06-15 14:30:35 UTC
ausearch -m avc -m user_avc -m selinux_err -i -ts today
----
type=USER_AVC msg=audit(06/16/2015 00:55:01.251:6173) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc:  received setenforce notice (enforcing=1)  exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?' 
----
type=USER_AVC msg=audit(06/16/2015 00:55:01.251:6174) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=6)  exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?' 
----
type=USER_AVC msg=audit(06/16/2015 01:01:01.884:6186) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc:  received setenforce notice (enforcing=0)  exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'

Comment 24 senaik 2015-06-15 14:34:48 UTC
Created attachment 1039073 [details]
audit.log

Comment 25 senaik 2015-06-15 14:35:20 UTC
Created attachment 1039074 [details]
audit.log

Comment 27 senaik 2015-06-16 11:20:33 UTC
Executed the following commands and tried a few more snapshot operations; faced the below AVC denials:

semanage fcontext -a -t fsadm_exec_t /usr/sbin/xfs_db
restorecon -Rv /usr/sbin
restorecon -v /dev/log

grep "AVC" /var/log/audit/audit.log
type=USER_AVC msg=audit(1434468618.176:4239): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=10)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1434468674.231:4356): avc:  denied  { getattr } for  pid=15490 comm="glusterd" path="/dev/dm-23" dev="devtmpfs" ino=2083192 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
[root@rhsqe-vm07 audit]#  cat audit.log |audit2allow 


#============= glusterd_t ==============
allow glusterd_t fixed_disk_device_t:blk_file getattr;



rpm -qa |grep selinux
selinux-policy-3.13.1-27.el7.noarch
selinux-policy-targeted-3.13.1-27.el7.noarch
libselinux-2.2.2-6.el7.x86_64
libselinux-utils-2.2.2-6.el7.x86_64
libselinux-python-2.2.2-6.el7.x86_64

Comment 28 Miroslav Grepl 2015-06-16 14:19:49 UTC
Please test it with the latest policy builds.

-28.el7 builds

Comment 29 senaik 2015-06-17 12:07:28 UTC
Used Scheduler to create Snapshots in Permissive mode, I was able to see the below AVC in the log.

grep "AVC" /var/log/audit/audit.log
type=AVC msg=audit(1434560953.008:31062): avc:  denied  { sigkill } for  pid=21362 comm="glusterfs" scontext=system_u:system_r:glusterd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process


cat audit.log |audit2allow 


#============= glusterd_t ==============
allow glusterd_t unconfined_t:process sigkill;


rpm -qa |grep selinux
libselinux-utils-2.2.2-6.el7.x86_64
libselinux-python-2.2.2-6.el7.x86_64
selinux-policy-targeted-3.13.1-28.el7.noarch
libselinux-2.2.2-6.el7.x86_64
selinux-policy-3.13.1-28.el7.noarch

Comment 30 senaik 2015-06-17 12:10:39 UTC
Created attachment 1039903 [details]
audit logs for comment 29

Comment 34 errata-xmlrpc 2015-11-19 10:32:14 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2300.html