Description of problem:
=======================
During snapshot creation in RHEL 6.7 set up, found the below AVC messages in audit.log

[root@inception audit]# grep "AVC" /var/log/audit/audit.log
type=AVC msg=audit(1433936948.287:2749): avc: denied { getattr } for pid=22981 comm="xfs_db" path="/dev/dm-65" dev=devtmpfs ino=5511669 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
type=AVC msg=audit(1433936948.288:2750): avc: denied { read } for pid=22981 comm="xfs_db" name="dm-65" dev=devtmpfs ino=5511669 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
type=AVC msg=audit(1433936948.288:2750): avc: denied { open } for pid=22981 comm="xfs_db" name="dm-65" dev=devtmpfs ino=5511669 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
type=AVC msg=audit(1433936948.288:2751): avc: denied { write } for pid=22981 comm="xfs_db" name="dm-65" dev=devtmpfs ino=5511669 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
type=AVC msg=audit(1433936948.288:2752): avc: denied { ioctl } for pid=22981 comm="xfs_db" path="/dev/dm-65" dev=devtmpfs ino=5511669 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
rpm -qa |grep selinux
selinux-policy-3.7.19-275.el6.noarch
libselinux-2.0.94-5.8.el6.x86_64
libselinux-utils-2.0.94-5.8.el6.x86_64
selinux-policy-targeted-3.7.19-275.el6.noarch
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[root@inception audit]# cat audit.log |audit2allow

#============= glusterd_t ==============

#!!!! The source type 'glusterd_t' can write to a 'blk_file' of the following type:
# glusterd_brick_t

allow glusterd_t fixed_disk_device_t:blk_file { read write getattr open ioctl };
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
gluster --version : glusterfs-3.7.1-1.el6rhs.x86_64

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:

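
Added example, not part of the original report or of any Red Hat or Gluster tooling: a small triage script that groups AVC denials like the ones above by source type, target type and class, and marks candidate rules that touch a raw disk type for manual review instead of loading them as audit2allow prints them. The names REVIEW_TYPES, parse_avc, summarize and candidate_rules are assumptions made for this example; the sample records are taken from the report (abridged) plus one constructed non-AVC line.

```python
import re
from collections import defaultdict

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)')

# Assumption for this example: target types to review by hand before writing
# any allow rule (fixed_disk_device_t labels raw disk block devices).
REVIEW_TYPES = {"fixed_disk_device_t"}

CTX = ("scontext=unconfined_u:system_r:glusterd_t:s0 "
       "tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file")
# Three records from the report (abridged to the fields parsed), then one constructed non-AVC line.
SAMPLE = [
    'type=AVC msg=audit(1433936948.287:2749): avc: denied { getattr } for pid=22981 comm="xfs_db" path="/dev/dm-65" ' + CTX,
    'type=AVC msg=audit(1433936948.288:2750): avc: denied { read } for pid=22981 comm="xfs_db" name="dm-65" ' + CTX,
    'type=AVC msg=audit(1433936948.288:2751): avc: denied { write } for pid=22981 comm="xfs_db" name="dm-65" ' + CTX,
    'type=SYSCALL msg=audit(1433936948.288:2751): success=no comm="xfs_db"',  # constructed
]

def parse_avc(line):
    """Return the denial as a dict, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # A context is user:role:type:level; the type is the third field.
    return {"perms": m["perms"].split(), "comm": m["comm"], "tclass": m["cls"],
            "source": m["s"].split(":")[2], "target": m["t"].split(":")[2]}

def summarize(lines):
    """Group denials by (source type, target type, class), similar to audit2allow output."""
    groups = defaultdict(lambda: {"perms": set(), "comms": set()})
    for rec in filter(None, map(parse_avc, lines)):
        g = groups[(rec["source"], rec["target"], rec["tclass"])]
        g["perms"].update(rec["perms"])
        g["comms"].add(rec["comm"])
    return dict(groups)

def candidate_rules(groups):
    """Return (rule_text, needs_review) pairs; nothing is loaded into the policy."""
    out = []
    for (src, tgt, cls), g in sorted(groups.items()):
        perms = " ".join(sorted(g["perms"]))
        out.append(("allow %s %s:%s { %s };" % (src, tgt, cls, perms), tgt in REVIEW_TYPES))
    return out

if __name__ == "__main__":
    for rule, review in candidate_rules(summarize(SAMPLE)):
        print(("REVIEW  " if review else "        ") + rule)
```
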
gluster version : glusterfs-3.7.1-7.el6rhs.x86_64

rpm -qa |grep selinux
libselinux-utils-2.0.94-5.8.el6.x86_64
selinux-policy-targeted-3.7.19-279.el6.noarch
libselinux-2.0.94-5.8.el6.x86_64
selinux-policy-3.7.19-279.el6.noarch
libselinux-python-2.0.94-5.8.el6.x86_64

With the above builds, and following the steps below to correct the labels for the brick paths created, tried a few snapshot operations like create, delete, restore, list and config with USS enabled on the volumes. There were no AVC denials reported on RHEL 6.7 nodes.

# semanage fcontext -a -t glusterd_brick_t '/rhs/brick1(/.*)?'
# restorecon -Rv /rhs/brick1

Marking the bug 'Verified'

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHSA-2015-1495.html