Bug 1230129 - [SELinux]: [geo-rep]: AVC logged in RHEL6.7 during geo-replication setup between master and slave volume
Summary: [SELinux]: [geo-rep]: AVC logged in RHEL6.7 during geo-replication setup betw...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Gluster Storage
Classification: Red Hat Storage
Component: geo-replication
Version: rhgs-3.1
Hardware: x86_64
OS: Linux
urgent
urgent
Target Milestone: ---
: RHGS 3.1.0
Assignee: Bug Updates Notification Mailing List
QA Contact: Rahul Hinduja
URL:
Whiteboard:
Depends On:
Blocks: 1202842 1212796 1223636 1230370
TreeView+ depends on / blocked
 
Reported: 2015-06-10 10:07 UTC by Rahul Hinduja
Modified: 2015-07-29 05:00 UTC (History)
9 users (show)

Fixed In Version: selinux-policy-3.7.19-278.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 1230370 (view as bug list)
Environment:
Last Closed: 2015-07-29 05:00:47 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:1495 0 normal SHIPPED_LIVE Important: Red Hat Gluster Storage 3.1 update 2015-07-29 08:26:26 UTC

Description Rahul Hinduja 2015-06-10 10:07:50 UTC 
Description of problem:
=======================

On a cleaned RHEL6.7 cluster for master and slave, ran geo-rep create/start and found the following AVC in audit.log:

[root@georep1 audit]# grep "AVC" /var/log/audit/audit.log
type=AVC msg=audit(1433949908.995:1460): avc:  denied  { execute } for  pid=13164 comm="peer_gsec_creat" name="ssh-keygen" dev=dm-0 ino=1185093 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:ssh_keygen_exec_t:s0 tclass=file
type=AVC msg=audit(1433949908.995:1461): avc:  denied  { execute_no_trans } for  pid=13166 comm="peer_gsec_creat" path="/usr/bin/ssh-keygen" dev=dm-0 ino=1185093 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:ssh_keygen_exec_t:s0 tclass=file
type=AVC msg=audit(1433949935.007:1462): avc:  denied  { create } for  pid=13644 comm="python" scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=unconfined_u:system_r:glusterd_t:s0 tclass=rawip_socket
type=AVC msg=audit(1433949935.007:1462): avc:  denied  { net_raw } for  pid=13644 comm="python" capability=13  scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=unconfined_u:system_r:glusterd_t:s0 tclass=capability
type=AVC msg=audit(1433949935.007:1463): avc:  denied  { bind } for  pid=13644 comm="python" lport=1 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=unconfined_u:system_r:glusterd_t:s0 tclass=rawip_socket
type=AVC msg=audit(1433949935.007:1463): avc:  denied  { node_bind } for  pid=13644 comm="python" saddr=10.70.46.96 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=rawip_socket
[root@georep1 audit]# 
[root@georep1 audit]# 
[root@georep1 audit]# cat audit.log |audit2allow


#============= glusterd_t ==============
allow glusterd_t node_t:rawip_socket node_bind;
allow glusterd_t self:capability net_raw;
allow glusterd_t self:rawip_socket { bind create };
allow glusterd_t ssh_keygen_exec_t:file { execute execute_no_trans };
[root@georep1 audit]# 


[root@georep1 audit]# rpm -qa | grep selinux
libselinux-2.0.94-5.8.el6.x86_64
libselinux-utils-2.0.94-5.8.el6.x86_64
selinux-policy-targeted-3.7.19-275.el6.noarch
libselinux-python-2.0.94-5.8.el6.x86_64
selinux-policy-3.7.19-275.el6.noarch
[root@georep1 audit]# 

gluster version:
===============

glusterfs-3.7.1-1.el6rhs.x86_64
Comment 6 Rahul Hinduja 2015-06-23 10:26:30 UTC 
Verified with build:

[root@georep1 scripts]# rpm -qa | grep selinux-policy
selinux-policy-targeted-3.7.19-278.el6.noarch
selinux-policy-3.7.19-278.el6.noarch
[root@georep1 scripts]# 


[root@georep1 scripts]# getenforce 
Enforcing
[root@georep1 scripts]# 


Ran the same case as mentioned in the description, AVC's mentioned in this bug are not logged. 

Some other AVC is logged for glusterd_t and logrotate_t  and they are tracked by the bug id 1234298.

Moving this bug to verified state
Comment 7 errata-xmlrpc 2015-07-29 05:00:47 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-1495.html
Note You need to log in before you can comment on or make changes to this bug.