Description of problem:
SELinux is preventing /usr/sbin/glusterfsd from write access on the sock_file /var/run/glusterd.socket

See AVC messages from /var/log/audit/audit.log below:
######
type=AVC msg=audit(1429685833.450:38): avc: denied { unlink } for pid=2075 comm="glusterd" name="glusterd.socket" dev=dm-0 ino=657155 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1429685833.450:38): arch=c000003e syscall=87 success=yes exit=0 a0=7fffce1f34e2 a1=7fffce1f34e0 a2=6f a3=7faa065f3753 items=0 ppid=2074 pid=2075 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="glusterd" exe="/usr/sbin/glusterfsd" subj=unconfined_u:system_r:glusterd_t:s0 key=(null)
######

Version-Release number of selected component (if applicable):
#####
glusterfs-fuse-3.7dev-0.1009.git8b987be.el6.x86_64
glusterfs-cli-3.7dev-0.1009.git8b987be.el6.x86_64
glusterfs-3.7dev-0.1009.git8b987be.el6.x86_64
glusterfs-server-3.7dev-0.1009.git8b987be.el6.x86_64
glusterfs-libs-3.7dev-0.1009.git8b987be.el6.x86_64
glusterfs-api-3.7dev-0.1009.git8b987be.el6.x86_64
samba-vfs-glusterfs-4.1.17-4.el6rhs.x86_64
#####

How reproducible:
Always

Steps to Reproduce:
1. Install the RHEL6 glusterfs 3.7 nightly builds from http://download.gluster.org/pub/gluster/glusterfs/nightly/glusterfs-3.7/epel-6-x86_64/
2. Check for the AVCs in /var/log/audit/audit.log
3.

Actual results:
Above mentioned AVC is seen in the logs.

Expected results:
If you believe that glusterfsd should be allowed unlink access on the glusterd.socket sock_file by default, please consider fixing it.
The socket is mislabeled:
# restorecon -Rv /var/run/glusterd.socket
Correct label for the socket is:
# matchpathcon /var/run/glusterd.socket
/var/run/glusterd.socket system_u:object_r:glusterd_var_run_t:s0
#

and allow rule for the operation is present:
# sesearch -s glusterd_t -t glusterd_var_run_t -c sock_file -p unlink -A -C
Found 1 semantic av rules:
   allow glusterd_t glusterd_var_run_t : sock_file { ioctl read write create getattr setattr lock append unlink link rename open } ;
#
These AVCs are generated only after we manually try to start 'glusterd' after the rpm installation. Based on my testing, what I understand is that, if we do a proper clean-up after rpm installation, the '/var/run/glusterd.socket' file wouldn't exist on the system and throw these AVCs after we start glusterd manually.

The 'glusterd.socket' file is first created by an rpm scriptlet as part of a start and stop operation done in the post-upgrade script to re-generate the configuration files. During the process it gets the wrong label of "var_run_t", as we don't have filename transition rules in RHEL-6. So the write access [1] and unlink access [2] required on the sock_file '/var/run/glusterd.socket' while manually starting 'glusterd' is prevented by SELinux, which is what we see in the AVCs.

However, the thing to be noted is that, on starting 'glusterd' using '#service glusterd start' or '#/etc/init.d/glusterd start', it actually regains the right label of "glusterd_var_run_t". So the fix that you posted in [3] is actually trying to do a 'restorecon' on the leftover 'glusterd.socket' file to avoid these AVCs. But instead, if we actually do a proper clean-up post rpm installation, the file that leads to this situation wouldn't exist at all.

Please go through my comment and see if my understanding is correct and it makes sense. Meanwhile, I'll open a new BZ for cleaning up the left-over socket file!
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1214253
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1214258
[3] https://bugzilla.redhat.com/show_bug.cgi?id=1210404

Additional Info:
#####
[root@dhcp42-246 run]# rpm -qa |grep gluster
glusterfs-fuse-3.7.0-2.el6rhs.x86_64
glusterfs-libs-3.7.0-2.el6rhs.x86_64
glusterfs-client-xlators-3.7.0-2.el6rhs.x86_64
glusterfs-api-3.7.0-2.el6rhs.x86_64
glusterfs-3.7.0-2.el6rhs.x86_64
glusterfs-cli-3.7.0-2.el6rhs.x86_64
glusterfs-server-3.7.0-2.el6rhs.x86_64
[root@dhcp42-246 run]# /etc/init.d/glusterd status
glusterd is stopped
[root@dhcp42-246 run]# ls -lZ glusterd.socket
srwxr-xr-x. root root unconfined_u:object_r:var_run_t:s0 glusterd.socket
[root@dhcp42-246 run]# /etc/init.d/glusterd start
Starting glusterd: [ OK ]
[root@dhcp42-246 run]# ls -lZ glusterd.socket
srwxr-xr-x. root root unconfined_u:object_r:glusterd_var_run_t:s0 glusterd.socket
[root@dhcp42-246 run]# /etc/init.d/glusterd status
glusterd (pid 5278) is running...
#####

-Prasanth
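The triage the thread walks through (read the denial, compare the type the socket actually carries with the type matchpathcon says policy expects, and only if those agree go looking at the allow rules with sesearch) as an added example. This script is not from the bug report or the glusterfs project. The parsing part uses only POSIX sh, sed and cut and runs anywhere; the live check at the end is an assumption that GNU stat's %C format and matchpathcon -n are available, and it is skipped where they are not. The audit record it parses is a constructed copy of the denial quoted in the report.

```shell
#!/bin/sh
# Added example, not part of the bug report or the glusterfs project:
# decide whether an AVC denial on a leftover socket file is a labeling
# problem (fix: restorecon) or a policy gap (fix: an allow rule).

# Constructed audit record, shaped like the denial quoted in the report.
AVC_LINE='type=AVC msg=audit(1429685833.450:38): avc: denied { unlink } for pid=2075 comm="glusterd" name="glusterd.socket" dev=dm-0 ino=657155 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file'

# avc_field RECORD KEY: print the value of "KEY=value" from an audit record.
# The leading whitespace anchor keeps "pid=" from matching inside "ppid=".
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# avc_perm RECORD: print the denied permission(s) listed inside "{ ... }".
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied { \([^}]*\) }.*/\1/p'
}

# context_type CONTEXT: the type component (third field) of user:role:type:level.
# restorecon compares and resets only this component by default, which is why
# the relabeled socket in the report keeps unconfined_u as its user part.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# diagnose RECORD EXPECTED_CONTEXT: compare the type the object carried when the
# denial happened (tcontext) with the type policy expects for that path (the
# context matchpathcon prints). "mislabeled" means restorecon resolves it;
# "policy" means the label is right and the allow rule itself is missing.
diagnose() {
    actual=$(context_type "$(avc_field "$1" tcontext)")
    expected=$(context_type "$2")
    if [ "$actual" != "$expected" ]; then
        echo mislabeled
    else
        echo policy
    fi
}

# check_live_socket PATH: the same decision against a real file. Assumes the
# SELinux userspace tools and GNU coreutils (stat -c %C prints the context).
check_live_socket() {
    command -v matchpathcon >/dev/null 2>&1 || { echo "matchpathcon not installed"; return 2; }
    [ -S "$1" ] || { echo "no socket at $1 (nothing leftover to relabel)"; return 1; }
    actual=$(stat -c %C "$1")
    expected=$(matchpathcon -n "$1")
    if [ "$(context_type "$actual")" != "$(context_type "$expected")" ]; then
        echo "mislabeled: $actual, expected $expected; run: restorecon -v $1"
    else
        echo "label ok ($actual); a denial here is a policy gap, check with sesearch -A"
    fi
}

# Walk the denial from the report through the triage.
echo "denied: $(avc_perm "$AVC_LINE") on $(avc_field "$AVC_LINE" tclass) by $(avc_field "$AVC_LINE" comm)"
echo "object carried: $(avc_field "$AVC_LINE" tcontext)"
echo "verdict: $(diagnose "$AVC_LINE" system_u:object_r:glusterd_var_run_t:s0)"
```

On a box with the leftover file, `check_live_socket /var/run/glusterd.socket` gives the same answer from the live label instead of the audit record; for the denial in the report the verdict is "mislabeled", matching the relabel seen after the init script starts glusterd, and "policy" is the branch where sesearch, not restorecon, is the next step.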
Anand/Prasanth, Can we mark this bug as a duplicate of 1223185?
Anand, If you are sure that this BZ is also fixed by the patch provided in Bug 1224639, you may have to move this BZ to ON_QA with the FIV for further QE verification. Thanks, Prasanth
Yes ... This patch https://code.engineering.redhat.com/gerrit/#/c/49604/ fixes this bug. Fix is available in the next build.
Verified as fixed in glusterfs-3.7.1-3.el6rhs.x86_64
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHSA-2015-1495.html