Description of problem:
[selinux] [nfs-ganesha]: seeing avc error message denied for showmount, while doing a volume start - Rhel6.7

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-279.el6.noarch
glusterfs-3.7.1-7.el6rhs.x86_64
nfs-ganesha-2.2.0-3.el6rhs.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Set up ganesha cluster
2. Create a volume
3. Start the volume, you will see avc errors in audit.log

Actual results:
avc errors for showmount, even without showmount command being called

Expected results:
No avc errors

Additional info:
audit.log :
type=AVC msg=audit(1435940872.438:47126): avc: denied { execute } for pid=19711 comm="S31ganesha-star" name="showmount" dev=dm-0 ino=923917 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:showmount_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1435940872.438:47126): arch=c000003e syscall=21 success=yes exit=0 a0=26f97a0 a1=1 a2=0 a3=14 items=0 ppid=19709 pid=19711 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3660 comm="S31ganesha-star" exe="/bin/bash" subj=unconfined_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1435940872.438:47127): avc: denied { execute_no_trans } for pid=19711 comm="S31ganesha-star" path="/usr/sbin/showmount" dev=dm-0 ino=923917 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:showmount_exec_t:s0 tclass=file
Apeksha, please attach the complete audit.log file to this BZ.
I see the following AVCs while testing Scheduler of Snapshots where we do a volume set operation to create shared storage.

cat audit.log | audit2allow

#============= glusterd_t ==============
allow glusterd_t showmount_exec_t:file execute;

type=AVC msg=audit(1435907647.630:108317): avc: denied { execute } for pid=14817 comm="S31ganesha-star" name="showmount" dev="dm-1" ino=67811256 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:showmount_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1435907647.630:108317): arch=c000003e syscall=21 success=no exit=-13 a0=1ad6340 a1=1 a2=7fff5456a4d0 a3=7fff5456a2f0 items=0 ppid=14815 pid=14817 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="S31ganesha-star" exe="/usr/bin/bash" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1435907647.631:108318): avc: denied { execute } for pid=14817 comm="S31ganesha-star" name="showmount" dev="dm-1" ino=67811256 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:showmount_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1435907647.631:108318): arch=c000003e syscall=59 success=no exit=-13 a0=1ad6340 a1=1ad6f80 a2=1ad8bb0 a3=7fff5456a410 items=0 ppid=14815 pid=14817 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="S31ganesha-star" exe="/usr/bin/bash" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1435907647.631:108319): avc: denied { execute } for pid=14817 comm="S31ganesha-star" name="showmount" dev="dm-1" ino=67811256 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:showmount_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1435907647.631:108319): arch=c000003e syscall=21 success=no exit=-13 a0=1ad6340 a1=1 a2=7fff5456a4f0 a3=7fff5456a410 items=0 ppid=14815 pid=14817 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="S31ganesha-star" exe="/usr/bin/bash" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1435907679.087:108320): avc: denied { execute } for pid=14957 comm="S31ganesha-star" name="showmount" dev="dm-1" ino=67811256 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:showmount_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1435907679.087:108320): arch=c000003e syscall=21 success=no exit=-13 a0=175e9b0 a1=1 a2=7fff891a5c60 a3=7fff891a5ab0 items=0 ppid=14954 pid=14957 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="S31ganesha-star" exe="/usr/bin/bash" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1435907679.087:108321): avc: denied { execute } for pid=14957 comm="S31ganesha-star" name="showmount" dev="dm-1" ino=67811256 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:showmount_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1435907679.087:108321): arch=c000003e syscall=21 success=no exit=-13 a0=175a640 a1=1 a2=7fff891a
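Added example, not code from this bug or from the glusterfs/nfs-ganesha projects: a small Python parser that turns AVC records like the ones quoted above into the same kind of allow rule that audit2allow prints, and separately flags an execute_no_trans denial, which means the caller tried to run the binary inside its own domain (glusterd_t) rather than transition to showmount_t. The sample log text is constructed from the records quoted in this bug; the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: three audit records in the shape quoted in this bug.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1435940872.438:47126): avc: denied { execute } for pid=19711 comm="S31ganesha-star" name="showmount" dev=dm-0 ino=923917 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:showmount_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1435940872.438:47126): arch=c000003e syscall=21 success=yes exit=0 comm="S31ganesha-star" exe="/bin/bash" subj=unconfined_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1435940872.438:47127): avc: denied { execute_no_trans } for pid=19711 comm="S31ganesha-star" path="/usr/sbin/showmount" dev=dm-0 ino=923917 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:showmount_exec_t:s0 tclass=file
"""

# Only type=AVC records carry a denial; SYSCALL records are skipped.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?\bscontext=(?P<scontext>\S+)'
    r'.*?\btcontext=(?P<tcontext>\S+)'
    r'.*?\btclass=(?P<tclass>\S+)'
)

def _type_of(context):
    # "unconfined_u:system_r:glusterd_t:s0" is user:role:type:level; keep the type.
    return context.split(":")[2]

def parse_avc_denials(log_text):
    """Return (source_type, target_type, tclass, perms) for every AVC denial."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            perms = tuple(sorted(m.group("perms").split()))
            denials.append((_type_of(m.group("scontext")),
                            _type_of(m.group("tcontext")), m.group("tclass"), perms))
    return denials

def summarize_rules(denials):
    """Collapse denials into audit2allow-style rules, one per (source, target, class)."""
    perms_by_key = defaultdict(set)
    for src, tgt, cls, perms in denials:
        perms_by_key[(src, tgt, cls)].update(perms)
    rules = []
    for (src, tgt, cls), perms in sorted(perms_by_key.items()):
        perm_str = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_str = "{ " + perm_str + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return rules

def needs_domain_transition(denials):
    """True if some denial was for running an executable in the caller's own domain."""
    return any("execute_no_trans" in perms for _, _, _, perms in denials)

if __name__ == "__main__":
    found = parse_avc_denials(SAMPLE_AUDIT_LOG)
    print("\n".join(summarize_rules(found)))
    if needs_domain_transition(found):
        print("# execute_no_trans seen: a *_domtrans_* interface is the tighter fix")
```

The raw allow rule is what audit2allow suggests; when execute_no_trans shows up, a domain-transition interface keeps showmount confined in its own type instead of widening glusterd_t.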
# cat mypolicy.te
policy_module(mypolicy, 1.0)

require{
	type glusterd_t;
}

mount_domtrans_showmount(glusterd_t)

# make -f /usr/share/selinux/devel/Makefile
Compiling targeted mypolicy module
/usr/bin/checkmodule: loading policy configuration from tmp/mypolicy.tmp
/usr/bin/checkmodule: policy configuration loaded
/usr/bin/checkmodule: writing binary representation (version 17) to tmp/mypolicy.mod
Creating targeted mypolicy.pp policy package
rm tmp/mypolicy.mod.fc tmp/mypolicy.mod
# semodule -i mypolicy.pp
#
Followed Comment 4 and no AVC denials were reported in audit.log messages while testing Scheduler of Snapshots where we do a volume set operation to create shared storage.
Seen AVC failures while running quota beaker automation test cases.

Info: Searching AVC errors produced since 1435986242.98 (Sat Jul 4 10:34:02 2015)
Searching logs...
Running '/usr/bin/env LC_ALL=en_US.UTF-8 /sbin/ausearch -m AVC -m USER_AVC -m SELINUX_ERR -ts 07/04/2015 10:34:02 < /dev/null >/mnt/testarea/tmp.rhts-db-submit-result.6e7wZM 2>&1'
----
time->Sat Jul 4 10:34:12 2015
type=SYSCALL msg=audit(1435986252.290:1607): arch=c000003e syscall=21 success=no exit=-13 a0=aa68b0 a1=1 a2=0 a3=14 items=0 ppid=21225 pid=21228 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="S31ganesha-star" exe="/bin/bash" subj=unconfined_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1435986252.290:1607): avc: denied { execute } for pid=21228 comm="S31ganesha-star" name="showmount" dev=dm-0 ino=1444628 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:showmount_exec_t:s0 tclass=file
----
time->Sat Jul 4 10:34:12 2015
type=SYSCALL msg=audit(1435986252.290:1608): arch=c000003e syscall=21 success=no exit=-13 a0=aa6160 a1=1 a2=0 a3=13 items=0 ppid=21225 pid=21228 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="S31ganesha-star" exe="/bin/bash" subj=unconfined_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1435986252.290:1608): avc: denied { execute } for pid=21228 comm="S31ganesha-star" name="showmount" dev=dm-0 ino=1444628 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:showmount_exec_t:s0 tclass=file
----
time->Sat Jul 4 10:34:12 2015
type=SYSCALL msg=audit(1435986252.291:1609): arch=c000003e syscall=59 success=no exit=-13 a0=aa6160 a1=aa6d40 a2=aa8a00 a3=20 items=0 ppid=21225 pid=21228 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="S31ganesha-star" exe="/bin/bash" subj=unconfined_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1435986252.291:1609): avc: denied { execute } for pid=21228 comm="S31ganesha-star" name="showmount" dev=dm-0 ino=1444628 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:showmount_exec_t:s0 tclass=file
----
time->Sat Jul 4 10:34:12 2015
type=SYSCALL msg=audit(1435986252.291:1610): arch=c000003e syscall=21 success=no exit=-13 a0=aa6160 a1=1 a2=0 a3=20 items=0 ppid=21225 pid=21228 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="S31ganesha-star" exe="/bin/bash" subj=unconfined_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1435986252.291:1610): avc: denied { execute } for pid=21228 comm="S31ganesha-star" name="showmount" dev=dm-0 ino=1444628 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:showmount_exec_t:s0 tclass=file
Fail: AVC messages found.
Checking for errors...
Using stronger AVC checks. Define empty RHTS_OPTION_STRONGER_AVC parameter if this causes any problems.
Running 'cat /mnt/testarea/tmp.rhts-db-submit-result.6e7wZM | /sbin/ausearch -m AVC -m SELINUX_ERR'
Fail: AVC messages found.
Running 'cat %s | /sbin/ausearch -m USER_AVC >/mnt/testarea/tmp.rhts-db-submit-result.RKvgji 2>&1'
Info: No AVC messages found.
/bin/grep 'avc: ' /mnt/testarea/dmesg.log | /bin/grep --invert-match TESTOUT.log
No AVC messages found in dmesg
Running '/usr/sbin/sestatus'
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 24
Policy from config file: targeted
Running 'rpm -q selinux-policy || true'
selinux-policy-3.7.19-279.el6.noarch

Since these are beaker automation test cases, the workaround will not work. We need to have a fix for this.
*** Bug 1241155 has been marked as a duplicate of this bug. ***
I am not seeing avc denied messages for showmount after using this workaround.
Filling DOC text as required.
I do not see any showmount AVC on latest rhs3.1 iso for rhel6.7 with selinux-policy-3.7.19-279.el6_7.1 while starting the ganesha volume