Bug 1217198 - [SELinux] SELinux prevents execute access for S31ganesha-reset.sh to glusterd
Status: CLOSED DUPLICATE of bug 1215637
Alias: None
Product: Red Hat Gluster Storage
Classification: Red Hat Storage
Component: glusterd
Version: rhgs-3.1
Hardware: Unspecified
OS: Unspecified
unspecified
high
Assignee: Bug Updates Notification Mailing List
QA Contact: storage-qa-internal@redhat.com
Reported: 2015-04-29 18:34 UTC by Shruti Sampat
Modified: 2015-07-02 10:18 UTC

Doc Type: Bug Fix
Last Closed: 2015-06-19 06:54:58 UTC

Description Shruti Sampat 2015-04-29 18:34:02 UTC
Description of problem:
------------------------

I see the following AVC errors while running automated tests on RHEL 6.6 via Beaker.

<snip>

time->Tue Apr 28 11:35:30 2015
type=SYSCALL msg=audit(1430220930.760:245): arch=c000003e syscall=59 success=no exit=-8 a0=7f25d0008cb0 a1=7f25d0008a60 a2=c5ef10 a3=8 items=0 ppid=29524 pid=4082 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="glusterd" exe="/usr/sbin/glusterfsd" subj=unconfined_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1430220930.760:245): avc:  denied  { execute_no_trans } for  pid=4082 comm="glusterd" path="/var/lib/glusterd/hooks/1/reset/post/S31ganesha-reset.sh" dev=dm-0 ino=522737 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:glusterd_var_lib_t:s0 tclass=file
type=AVC msg=audit(1430220930.760:245): avc:  denied  { execute } for  pid=4082 comm="glusterd" name="S31ganesha-reset.sh" dev=dm-0 ino=522737 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:glusterd_var_lib_t:s0 tclass=file
----
time->Tue Apr 28 11:35:30 2015
type=SYSCALL msg=audit(1430220930.779:246): arch=c000003e syscall=0 success=yes exit=155 a0=5 a1=3db06118c0 a2=3ff a3=0 items=0 ppid=4082 pid=4084 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ps" exe="/bin/ps" subj=unconfined_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1430220930.779:246): avc:  denied  { sys_ptrace } for  pid=4084 comm="ps" capability=19  scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=unconfined_u:system_r:glusterd_t:s0 tclass=capability
Fail: AVC messages found.
Checking for errors...
Using stronger AVC checks.
	Define empty RHTS_OPTION_STRONGER_AVC parameter if this causes any problems.
Running 'cat /mnt/testarea/tmp.rhts-db-submit-result.ZrfFAZ | /sbin/ausearch -m AVC -m SELINUX_ERR'
Fail: AVC messages found.
Running 'cat %s | /sbin/ausearch -m USER_AVC >/mnt/testarea/tmp.rhts-db-submit-result.z5f4z9 2>&1'
Info: No AVC messages found.
/bin/grep 'avc: ' /mnt/testarea/dmesg.log | /bin/grep --invert-match TESTOUT.log
No AVC messages found in dmesg
Running '/usr/sbin/sestatus'
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted
Running 'rpm -q selinux-policy || true'
selinux-policy-3.7.19-260.el6.noarch

</snip>

Version-Release number of selected component (if applicable):
--------------------------------------------------------------

I am using upstream nightly builds of glusterfs from here -

http://download.gluster.org/pub/gluster/glusterfs/nightly/glusterfs-3.7/epel-6-x86_64/

How reproducible:
------------------

Saw it once in my automated test runs.

Steps to Reproduce:
--------------------

Running AFR self-heal automated tests on RHEL 6.6

I can provide detailed steps by looking at the tests, but this will take some time.

Actual results:
---------------

Found AVC errors as shown above.

Expected results:
------------------

AVC errors not expected.

Additional info:
-----------------

Unfortunately I have lost access to these machines as they were automatically returned to Beaker after the tests ran. 

The logs that I am referring to are here -

http://beaker-archive.app.eng.bos.redhat.com/beaker-logs/2015/04/9430/943074/1943011/30157567/148964209/test_log-SELF-HEAL-TEST-237783-avc.log

The Beaker job can be accessed here -

https://beaker.engineering.redhat.com/jobs/943074

Comment 1 Shruti Sampat 2015-04-30 10:38:21 UTC
Another error that I am seeing in the logs is -

----
time->Tue Apr 28 09:54:02 2015
type=SYSCALL msg=audit(1430214842.316:96): arch=c000003e syscall=2 success=yes exit=4 a0=250b710 a1=c2 a2=180 a3=7fff35aaa8c0 items=0 ppid=16998 pid=17020 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sed" exe="/bin/sed" subj=unconfined_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1430214842.316:96): avc:  denied  { create } for  pid=17020 comm="sed" name="sed6hERKA" scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:samba_etc_t:s0 tclass=file
----

Comment 3 Prasanth 2015-06-19 06:54:58 UTC
We are tracking all the AVC's related to hook scripts in the following RHGS BZ:

Bug 1215637 - [SELinux] [RHGS-3.1] AVC's of all the executable hooks under /var/lib/glusterd/hooks/ on RHEL-6.7

Hence marking this BZ as a duplicate.

*** This bug has been marked as a duplicate of bug 1215637 ***
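
For triage, the AVC denials quoted in this report can be reduced to one line per (source type, target type, class) with the hook-script paths called out. This is an added example, not part of the bug report or of any Red Hat tooling; the function names are hypothetical and the input is the AVC records quoted above.

```python
import re
from collections import defaultdict

# AVC records copied from the audit log excerpts quoted in this report.
AUDIT_LOG = """\
type=AVC msg=audit(1430220930.760:245): avc:  denied  { execute_no_trans } for  pid=4082 comm="glusterd" path="/var/lib/glusterd/hooks/1/reset/post/S31ganesha-reset.sh" dev=dm-0 ino=522737 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:glusterd_var_lib_t:s0 tclass=file
type=AVC msg=audit(1430220930.760:245): avc:  denied  { execute } for  pid=4082 comm="glusterd" name="S31ganesha-reset.sh" dev=dm-0 ino=522737 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:glusterd_var_lib_t:s0 tclass=file
type=AVC msg=audit(1430220930.779:246): avc:  denied  { sys_ptrace } for  pid=4084 comm="ps" capability=19  scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=unconfined_u:system_r:glusterd_t:s0 tclass=capability
type=AVC msg=audit(1430214842.316:96): avc:  denied  { create } for  pid=17020 comm="sed" name="sed6hERKA" scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:samba_etc_t:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial line, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    # Contexts are user:role:type:level; policy rules match on the type.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def summarize(log_text):
    """Group denials by (source type, target type, class), merging permissions."""
    groups = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            groups[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    return {k: sorted(v) for k, v in groups.items()}


def hook_script_denials(log_text, prefix="/var/lib/glusterd/hooks/"):
    """Denied object paths that live under the glusterd hooks directory."""
    recs = filter(None, map(parse_avc, log_text.splitlines()))
    return sorted({r["path"] for r in recs if r.get("path", "").startswith(prefix)})


if __name__ == "__main__":
    for (src, tgt, cls), perms in summarize(AUDIT_LOG).items():
        # Policy syntax writes the target as "self" when it equals the source type.
        print(f"{src} -> {'self' if src == tgt else tgt}:{cls} {{ {' '.join(perms)} }}")
    print(hook_script_denials(AUDIT_LOG))
```

Only records that carry a `path=` field can be matched against the hooks directory; the `execute` denial logs just `name=` and is tied to the same file by its inode number.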

