Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.
First Last Prev Next    This bug is not in your last search results.
Bug 1230129 - [SELinux]: [geo-rep]: AVC logged in RHEL6.7 during geo-replication setup between master and slave volume
[SELinux]: [geo-rep]: AVC logged in RHEL6.7 during geo-replication setup betw...
Status: CLOSED ERRATA
Product: Red Hat Gluster Storage
Classification: Red Hat
Component: geo-replication (Show other bugs)
3.1
x86_64 Linux
urgent Severity urgent
: ---
: RHGS 3.1.0
Assigned To: Bug Updates Notification Mailing List
Rahul Hinduja
:
Depends On:
Blocks: 1202842 1212796 1223636 1230370
  Show dependency treegraph
 
Reported: 2015-06-10 06:07 EDT by Rahul Hinduja
Modified: 2015-07-29 01:00 EDT (History)
9 users (show)

See Also:
Fixed In Version: selinux-policy-3.7.19-278.el6
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 1230370 (view as bug list)
Environment:
Last Closed: 2015-07-29 01:00:47 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:1495 normal SHIPPED_LIVE Important: Red Hat Gluster Storage 3.1 update 2015-07-29 04:26:26 EDT

  None (edit)
Description Rahul Hinduja 2015-06-10 06:07:50 EDT 
Description of problem:
=======================

On a cleaned RHEL6.7 cluster for master and slave, ran geo-rep create/start and found the following AVC in audit.log:

[root@georep1 audit]# grep "AVC" /var/log/audit/audit.log
type=AVC msg=audit(1433949908.995:1460): avc:  denied  { execute } for  pid=13164 comm="peer_gsec_creat" name="ssh-keygen" dev=dm-0 ino=1185093 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:ssh_keygen_exec_t:s0 tclass=file
type=AVC msg=audit(1433949908.995:1461): avc:  denied  { execute_no_trans } for  pid=13166 comm="peer_gsec_creat" path="/usr/bin/ssh-keygen" dev=dm-0 ino=1185093 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:ssh_keygen_exec_t:s0 tclass=file
type=AVC msg=audit(1433949935.007:1462): avc:  denied  { create } for  pid=13644 comm="python" scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=unconfined_u:system_r:glusterd_t:s0 tclass=rawip_socket
type=AVC msg=audit(1433949935.007:1462): avc:  denied  { net_raw } for  pid=13644 comm="python" capability=13  scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=unconfined_u:system_r:glusterd_t:s0 tclass=capability
type=AVC msg=audit(1433949935.007:1463): avc:  denied  { bind } for  pid=13644 comm="python" lport=1 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=unconfined_u:system_r:glusterd_t:s0 tclass=rawip_socket
type=AVC msg=audit(1433949935.007:1463): avc:  denied  { node_bind } for  pid=13644 comm="python" saddr=10.70.46.96 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=rawip_socket
[root@georep1 audit]# 
[root@georep1 audit]# 
[root@georep1 audit]# cat audit.log |audit2allow


#============= glusterd_t ==============
allow glusterd_t node_t:rawip_socket node_bind;
allow glusterd_t self:capability net_raw;
allow glusterd_t self:rawip_socket { bind create };
allow glusterd_t ssh_keygen_exec_t:file { execute execute_no_trans };
[root@georep1 audit]# 


[root@georep1 audit]# rpm -qa | grep selinux
libselinux-2.0.94-5.8.el6.x86_64
libselinux-utils-2.0.94-5.8.el6.x86_64
selinux-policy-targeted-3.7.19-275.el6.noarch
libselinux-python-2.0.94-5.8.el6.x86_64
selinux-policy-3.7.19-275.el6.noarch
[root@georep1 audit]# 

gluster version:
===============

glusterfs-3.7.1-1.el6rhs.x86_64
Comment 6 Rahul Hinduja 2015-06-23 06:26:30 EDT 
Verified with build:

[root@georep1 scripts]# rpm -qa | grep selinux-policy
selinux-policy-targeted-3.7.19-278.el6.noarch
selinux-policy-3.7.19-278.el6.noarch
[root@georep1 scripts]# 


[root@georep1 scripts]# getenforce 
Enforcing
[root@georep1 scripts]# 


Ran the same case as mentioned in the description, AVC's mentioned in this bug are not logged. 

Some other AVC is logged for glusterd_t and logrotate_t  and they are tracked by the bug id 1234298.

Moving this bug to verified state
Comment 7 errata-xmlrpc 2015-07-29 01:00:47 EDT 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-1495.html
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.