Description of problem:
Mount fails on smb client when selinux is running in enforcing mode.

Error:
****************************
mount -t cifs :/gluster-vol1 /mnt/cifs
WARNING: using NFS syntax for mounting CIFS shares is deprecated and will be removed in cifs-utils-6.0. Please migrate to UNC syntax.
Password:
mount error(5): Input/output error
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)

Logs:
****************************
Apr 29 04:27:12 dhcp159-232.sbu.lab.eng.bos.redhat.com smbd[30091]: STATUS=daemon 'smbd' finished starting up and ready to serve connections
vol1: Failed to initialize volume (Transport endpoint is not connected)
Apr 29 04:27:13 dhcp159-232.sbu.lab.eng.bos.redhat.com smbd[30091]: [2015/04/29 04:27:13.074392, 0] ../source3/smbd/service.c:670(make_connection_snum)
Apr 29 04:27:13 dhcp159-232.sbu.lab.eng.bos.redhat.com smbd[30091]: make_connection: VFS make connection failed!

AVC:
********************************
type=AVC msg=audit(1430296032.091:611): avc: denied { name_connect } for pid=30091 comm="smbd" dest=24007 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:gluster_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1430296032.091:612): avc: denied { block_suspend } for pid=30096 comm="smbd" capability=36 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:system_r:smbd_t:s0 tclass=capability2

sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28

Version-Release number of selected component (if applicable):
samba-4.1.17-5.el6.x86_64

How reproducible:
******************
Always

Steps to Reproduce:
*******************
1. Setup samba on RHEL7, create a volume
2. Mount it on smb client
3. Check logs

Actual results:
*****************
Mount fails with I/O error. Got AVC denials.
Expected results:
******************
Mount should not fail.

Additional info:
When tried in permissive mode, mount succeeds.
On a ctdb setup on RHEL7.1, I still see the following AVC's.

type=SYSCALL msg=audit(06/25/2015 06:19:22.207:22288) : arch=x86_64 syscall=kill success=no exit=-13(Permission denied) a0=0x3e08 a1=SIG0 a2=0x0 a3=0x0 items=0 ppid=1 pid=15386 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ctdbd exe=/usr/sbin/ctdbd subj=system_u:system_r:ctdbd_t:s0 key=(null)
type=AVC msg=audit(06/25/2015 06:19:22.207:22288) : avc: denied { signull } for pid=15386 comm=ctdbd scontext=system_u:system_r:ctdbd_t:s0 tcontext=system_u:system_r:smbd_t:s0 tclass=process
----
type=SYSCALL msg=audit(06/25/2015 06:19:32.566:22290) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x7fff1c104608 a1=0x7fff1c1049c8 a2=0x7fff1c104a18 a3=0x7fff1c104440 items=0 ppid=16753 pid=16754 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=iptables exe=/usr/sbin/xtables-multi subj=system_u:system_r:iptables_t:s0 key=(null)
type=AVC msg=audit(06/25/2015 06:19:32.566:22290) : avc: denied { read } for pid=16754 comm=iptables path=/var/lib/ctdb/iptables-ctdb.flock dev="dm-0" ino=67681652 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file
With the policy build
selinux-policy-3.13.1-23.el7_1.10.noarch
selinux-policy-targeted-3.13.1-23.el7_1.10.noarch
I still see AVC's in the logs.

type=AVC msg=audit(07/20/2015 03:29:05.507:1188) : avc: denied { block_suspend } for pid=16066 comm=smbd capability=block_suspend scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:system_r:smbd_t:s0 tclass=capability2
type=AVC msg=audit(07/20/2015 03:29:05.512:1189) : avc: denied { net_admin } for pid=16066 comm=smbd capability=net_admin scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:system_r:smbd_t:s0 tclass=capability

The fixes are in the build selinux-policy-3.13.1-33.el7 of RHEL7.2, which needs to be backported to RHEL7.1.z. Moving the bz to assigned until we get a new selinux policy build for RHEL7.1.z.
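The three comments above each quote AVC records in slightly different shapes (raw audit.log lines with epoch timestamps, and the interpreted `ausearch -i` form). Triage of a bug like this comes down to reducing those records to the distinct (source domain, target type, class, permission) tuples and then checking whether the installed policy grants each one. The following Python script is an added example for this thread, not code from the bug report, from samba or from the selinux-policy package; it parses both formats, counts denials per tuple, lists what a given domain (for example smbd_t) was denied, and builds the setools `sesearch` query an administrator would run to confirm the rule exists after a policy update. The sample input is copied from the records quoted in this bug (the SYSCALL line shortened); everything else is constructed here.

```python
"""Summarise SELinux AVC denials from audit log lines (added example for this
bug thread; not from the bug report, samba or selinux-policy)."""
import re
from collections import Counter

# Sample input: AVC/SYSCALL records quoted in the comments above, one per
# line, in both raw audit.log form and interpreted `ausearch -i` form.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1430296032.091:611): avc:  denied  { name_connect } for  pid=30091 comm="smbd" dest=24007 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:gluster_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1430296032.091:612): avc:  denied  { block_suspend } for  pid=30096 comm="smbd" capability=36 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:system_r:smbd_t:s0 tclass=capability2
type=SYSCALL msg=audit(06/25/2015 06:19:22.207:22288) : arch=x86_64 syscall=kill success=no exit=-13(Permission denied) comm=ctdbd exe=/usr/sbin/ctdbd subj=system_u:system_r:ctdbd_t:s0 key=(null)
type=AVC msg=audit(06/25/2015 06:19:22.207:22288) : avc:  denied  { signull } for  pid=15386 comm=ctdbd scontext=system_u:system_r:ctdbd_t:s0 tcontext=system_u:system_r:smbd_t:s0 tclass=process
type=AVC msg=audit(06/25/2015 06:19:32.566:22290) : avc:  denied  { read } for  pid=16754 comm=iptables path=/var/lib/ctdb/iptables-ctdb.flock dev="dm-0" ino=67681652 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file
type=AVC msg=audit(07/20/2015 03:29:05.507:1188) : avc:  denied  { block_suspend } for  pid=16066 comm=smbd capability=block_suspend scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:system_r:smbd_t:s0 tclass=capability2
type=AVC msg=audit(07/20/2015 03:29:05.512:1189) : avc:  denied  { net_admin } for  pid=16066 comm=smbd capability=net_admin scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:system_r:smbd_t:s0 tclass=capability
"""

# "avc: denied { perm perm } for key=value ..." in either log form.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$")
# key=value pairs; values may be double-quoted (comm="smbd", dev="dm-0").
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial line, or None for any other record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    return {
        "perms": m.group("perms").split(),
        "pid": fields.get("pid"),
        "comm": fields.get("comm"),
        "scontext": fields.get("scontext"),
        "tcontext": fields.get("tcontext"),
        "tclass": fields.get("tclass"),
        # Object-specific detail that speeds up triage: port, path or capability.
        "detail": fields.get("dest") or fields.get("path") or fields.get("capability"),
    }


def type_of(context):
    """Type field of a user:role:type:level SELinux context."""
    return context.split(":")[2]


def summarize(text):
    """Count denials by (source type, target type, class, permission)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or not rec["scontext"] or not rec["tcontext"]:
            continue
        for perm in rec["perms"]:
            counts[(type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"], perm)] += 1
    return counts


def denied_for(text, domain):
    """Distinct (class, permission, detail) tuples denied to one source domain."""
    seen = set()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec and rec["scontext"] and type_of(rec["scontext"]) == domain:
            for perm in rec["perms"]:
                seen.add((rec["tclass"], perm, rec["detail"]))
    return sorted(seen, key=lambda t: (t[0], t[1], t[2] or ""))


def sesearch_query(key):
    """setools command that shows whether the loaded policy allows this tuple."""
    src, tgt, tclass, perm = key
    return f"sesearch -A -s {src} -t {tgt} -c {tclass} -p {perm}"


if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_AUDIT).items()):
        print(f"{n:2d}  {key[0]:>12} -> {key[1]:<18} {key[2]}:{key[3]}")
        print("    verify with:", sesearch_query(key))
    print("smbd_t was denied:", denied_for(SAMPLE_AUDIT, "smbd_t"))
```

Each tuple printed by `summarize` maps directly onto one allow rule the updated selinux-policy build has to carry; running the generated `sesearch` line on the host after the update, with an empty result meaning the rule is still missing, is the quickest way to confirm the backport landed before repeating the ctdb and AD test cases described in the comments.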
After updating to selinux policy selinux-policy-3.13.1-23.el7_1.12, performing ctdb setup, ctdb failover cases and AD integration, all works fine and there are no AVC's seen on the RHEL7 based RHGS ISO. Moving the BZ to verified.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHSA-2015-1495.html