Description of problem:

SELinux: permissive mode

Stopping ctdb volume is not removing the share entry from smb.conf and also not removing ctdb config (clustering=yes, backend=tdb2). Looked into the logs and it seems the hook scripts are having issues in running:

[2015-04-20 08:35:38.551130] E [run.c:190:runner_log] (--> /usr/lib64/libglusterfs.so.0(_gf_log_callingfn+0x1e0)[0x3856e225e0] (--> /usr/lib64/libglusterfs.so.0(runner_log+0x105)[0x3856e72ed5] (--> /usr/lib64/glusterfs/3.7dev/xlator/mgmt/glusterd.so(glusterd_hooks_run_hooks+0x444)[0x7f89d97626f4] (--> /usr/lib64/glusterfs/3.7dev/xlator/mgmt/glusterd.so(+0x562f5)[0x7f89d96e82f5] (--> /usr/lib64/glusterfs/3.7dev/xlator/mgmt/glusterd.so(glusterd_op_commit_perform+0x5a)[0x7f89d96eb43a] ))))) 0-management: Failed to execute script: /var/lib/glusterd/hooks/1/stop/pre/S29CTDB-teardown.sh --volname=ctdb --last=no

Checked the audit logs:

type=AVC msg=audit(1429519511.119:2114): avc: denied { execute } for pid=24803 comm="S29CTDBsetup.sh" name="hostname" dev=dm-0 ino=794062 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1429519511.119:2114): arch=c000003e syscall=21 success=yes exit=0 a0=2027420 a1=1 a2=0 a3=e items=0 ppid=24796 pid=24803 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=282 comm="S29CTDBsetup.sh" exe="/bin/bash" subj=unconfined_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1429519511.119:2115): avc: denied { execute_no_trans } for pid=24803 comm="S29CTDBsetup.sh" path="/bin/hostname" dev=dm-0 ino=794062 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file

Looks like the hook scripts are not allowed to edit smb.conf.

Version-Release number of selected component (if applicable):
glusterfs-3.7dev-0.952.gita7f1d08.el6.x86_64
samba-4.1.17-4.el6rhs.x86_64

How reproducible: Always

Steps to Reproduce:
1. Setup ctdb environment.
2. Stop ctdb volume, check smb.conf entries
3. Check the glusterd logs, audit logs

Actual results: Stopping ctdb is not removing (clustering=yes backend=tdb2) entries from smb.conf and there are avc denial messages in audit.log.

Expected results: The entries should be removed and clustering should be disabled after stopping the ctdb volume.

Additional info:
Tried the test with the latest RPMs on one of the systems with SELinux disabled and still the clustering entries are not removed. Seems to be an issue with the hook script run. Taking out the BZ from the SELinux tracker.
With the latest SELinux policy build, with SELinux in enforcing mode, the AVCs are not seen after setting up CTDB and creating and starting a volume. The clustering entries are removed once the volume is stopped and come back once the volume is started. Moving the BZ to verified.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHSA-2015-1495.html
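
Added example, not part of the original bug report or of any project code: a small Python parser that groups AVC records such as the ones quoted in the description by source domain, target type and object class, so it is easy to see which access the policy denied. The sample input is the two AVC lines copied from the report; the function names are hypothetical.

```python
import re
from collections import defaultdict

# The two AVC records quoted in the bug description (SYSCALL record omitted).
SAMPLE = """\
type=AVC msg=audit(1429519511.119:2114): avc: denied { execute } for pid=24803 comm="S29CTDBsetup.sh" name="hostname" dev=dm-0 ino=794062 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file
type=AVC msg=audit(1429519511.119:2115): avc: denied { execute_no_trans } for pid=24803 comm="S29CTDBsetup.sh" path="/bin/hostname" dev=dm-0 ino=794062 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one type=AVC record, or None for any other record."""
    if not line.startswith("type=AVC "):
        return None
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group(3))}
    if "scontext" not in fields or "tcontext" not in fields:
        return None
    return {
        "result": m.group(1),
        "perms": m.group(2).split(),
        "comm": fields.get("comm"),
        "object": fields.get("path") or fields.get("name"),
        # An SELinux context is user:role:type:level; the type is field 3.
        "source_type": fields["scontext"].split(":")[2],
        "target_type": fields["tcontext"].split(":")[2],
        "tclass": fields.get("tclass"),
    }


def summarize(text):
    """Group denials by (source type, target type, class) -> set of perms."""
    summary = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line.strip())
        if rec and rec["result"] == "denied":
            key = (rec["source_type"], rec["target_type"], rec["tclass"])
            summary[key].update(rec["perms"])
    return dict(summary)


if __name__ == "__main__":
    for (src, tgt, cls), perms in summarize(SAMPLE).items():
        print(f"denied: {src} -> {tgt}:{cls} {{ {' '.join(sorted(perms))} }}")
```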