Description of problem: ======================= On a cleaned RHEL6.7 cluster for master and slave, ran geo-rep create/start and found the following AVC in audit.log: [root@georep1 audit]# grep "AVC" /var/log/audit/audit.log type=AVC msg=audit(1433949908.995:1460): avc: denied { execute } for pid=13164 comm="peer_gsec_creat" name="ssh-keygen" dev=dm-0 ino=1185093 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:ssh_keygen_exec_t:s0 tclass=file type=AVC msg=audit(1433949908.995:1461): avc: denied { execute_no_trans } for pid=13166 comm="peer_gsec_creat" path="/usr/bin/ssh-keygen" dev=dm-0 ino=1185093 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:ssh_keygen_exec_t:s0 tclass=file type=AVC msg=audit(1433949935.007:1462): avc: denied { create } for pid=13644 comm="python" scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=unconfined_u:system_r:glusterd_t:s0 tclass=rawip_socket type=AVC msg=audit(1433949935.007:1462): avc: denied { net_raw } for pid=13644 comm="python" capability=13 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=unconfined_u:system_r:glusterd_t:s0 tclass=capability type=AVC msg=audit(1433949935.007:1463): avc: denied { bind } for pid=13644 comm="python" lport=1 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=unconfined_u:system_r:glusterd_t:s0 tclass=rawip_socket type=AVC msg=audit(1433949935.007:1463): avc: denied { node_bind } for pid=13644 comm="python" saddr=10.70.46.96 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=rawip_socket [root@georep1 audit]# [root@georep1 audit]# [root@georep1 audit]# cat audit.log |audit2allow #============= glusterd_t ============== allow glusterd_t node_t:rawip_socket node_bind; allow glusterd_t self:capability net_raw; allow glusterd_t self:rawip_socket { bind create }; allow glusterd_t ssh_keygen_exec_t:file { execute execute_no_trans }; [root@georep1 audit]# [root@georep1 audit]# rpm -qa | grep selinux libselinux-2.0.94-5.8.el6.x86_64 libselinux-utils-2.0.94-5.8.el6.x86_64 selinux-policy-targeted-3.7.19-275.el6.noarch libselinux-python-2.0.94-5.8.el6.x86_64 selinux-policy-3.7.19-275.el6.noarch [root@georep1 audit]# gluster version: =============== glusterfs-3.7.1-1.el6rhs.x86_64
Verified with build: [root@georep1 scripts]# rpm -qa | grep selinux-policy selinux-policy-targeted-3.7.19-278.el6.noarch selinux-policy-3.7.19-278.el6.noarch [root@georep1 scripts]# [root@georep1 scripts]# getenforce Enforcing [root@georep1 scripts]# Ran the same case as mentioned in the description, AVC's mentioned in this bug are not logged. Some other AVC is logged for glusterd_t and logrotate_t and they are tracked by the bug id 1234298. Moving this bug to verified state
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHSA-2015-1495.html