Bug 1241386 - [SELinux] [nfs-ganesha]: seeing avc denied error message for showmount, while doing a volume start - Rhel6.7
Summary: [SELinux] [nfs-ganesha]: seeing avc denied error message for showmount, while...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.7
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Miroslav Grepl
QA Contact: Milos Malik
Docs Contact: Petr Bokoc
URL:
Whiteboard:
Depends On:
Blocks: 1202842 1212796 1239017 1248520
 
Reported: 2015-07-09 07:04 UTC by Prasanth
Modified: 2016-05-10 19:59 UTC (History)
CC List: 18 users

Fixed In Version: selinux-policy-3.7.19-279.el6
Doc Type: Bug Fix
Doc Text:
Fixed an AVC denial error when setting up *Gluster* storage on NFS Ganesha clusters

Attempting to set up Gluster storage on an NFS-Ganesha cluster previously failed due to an Access Vector Cache (AVC) denial error. The responsible SELinux policy has been adjusted to allow handling of volumes mounted by NFS-Ganesha, and the described failure no longer occurs.
Clone Of: 1239017
Clones: 1248520
Environment:
Last Closed: 2016-05-10 19:59:07 UTC
Target Upstream Version:
Embargoed:


Attachments


Links
  System: Red Hat Product Errata
  ID: RHBA-2016:0763
  Private: 0
  Priority: normal
  Status: SHIPPED_LIVE
  Summary: selinux-policy bug fix update
  Last Updated: 2016-05-10 22:33:46 UTC

Description Prasanth 2015-07-09 07:04:57 UTC
+++ This bug was initially created as a clone of Bug #1239017 +++

Description of problem:
[selinux] [nfs-ganesha]: seeing avc denied error message for showmount, while doing a volume start - Rhel6.7

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-279.el6.noarch
glusterfs-3.7.1-7.el6rhs.x86_64
nfs-ganesha-2.2.0-3.el6rhs.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Set up ganesha cluster
2. Create a volume
3. Start the volume, you will see avc errors in audit.log

Actual results: avc errors for showmount, even without the showmount command being called

Expected results: No avc errors


Additional info:

audit.log :

type=AVC msg=audit(1435940872.438:47126): avc:  denied  { execute } for  pid=19711 comm="S31ganesha-star" name="showmount" dev=dm-0 ino=923917 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:showmount_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1435940872.438:47126): arch=c000003e syscall=21 success=yes exit=0 a0=26f97a0 a1=1 a2=0 a3=14 items=0 ppid=19709 pid=19711 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3660 comm="S31ganesha-star" exe="/bin/bash" subj=unconfined_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1435940872.438:47127): avc:  denied  { execute_no_trans } for  pid=19711 comm="S31ganesha-star" path="/usr/sbin/showmount" dev=dm-0 ino=923917 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:showmount_exec_t:s0 tclass=file

--- Additional comment from Red Hat Bugzilla Rules Engine on 2015-07-03 05:18:48 EDT ---

This bug is automatically being proposed for Red Hat Gluster Storage 3.1.0 by setting the release flag 'rhgs-3.1.0' to '?'.

If this bug should be proposed for a different release, please manually change the proposed release flag.

--- Additional comment from Prasanth on 2015-07-03 05:21:51 EDT ---

Apeksha, please attach the complete audit.log file to this BZ.

--- Additional comment from  on 2015-07-03 08:49:08 EDT ---

I see the following AVC s while testing Scheduler of Snapshots where we do a volume set operation to create shared storage. 

cat audit.log | audit2allow


#============= glusterd_t ==============
allow glusterd_t showmount_exec_t:file execute;



type=AVC msg=audit(1435907647.630:108317): avc:  denied  { execute } for  pid=14817 comm="S31ganesha-star" name="showmount" dev="dm-1" ino=67811256 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:showmount_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1435907647.630:108317): arch=c000003e syscall=21 success=no exit=-13 a0=1ad6340 a1=1 a2=7fff5456a4d0 a3=7fff5456a2f0 items=0 ppid=14815 pid=14817 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="S31ganesha-star" exe="/usr/bin/bash" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1435907647.631:108318): avc:  denied  { execute } for  pid=14817 comm="S31ganesha-star" name="showmount" dev="dm-1" ino=67811256 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:showmount_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1435907647.631:108318): arch=c000003e syscall=59 success=no exit=-13 a0=1ad6340 a1=1ad6f80 a2=1ad8bb0 a3=7fff5456a410 items=0 ppid=14815 pid=14817 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="S31ganesha-star" exe="/usr/bin/bash" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1435907647.631:108319): avc:  denied  { execute } for  pid=14817 comm="S31ganesha-star" name="showmount" dev="dm-1" ino=67811256 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:showmount_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1435907647.631:108319): arch=c000003e syscall=21 success=no exit=-13 a0=1ad6340 a1=1 a2=7fff5456a4f0 a3=7fff5456a410 items=0 ppid=14815 pid=14817 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="S31ganesha-star" exe="/usr/bin/bash" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1435907679.087:108320): avc:  denied  { execute } for  pid=14957 comm="S31ganesha-star" name="showmount" dev="dm-1" ino=67811256 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:showmount_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1435907679.087:108320): arch=c000003e syscall=21 success=no exit=-13 a0=175e9b0 a1=1 a2=7fff891a5c60 a3=7fff891a5ab0 items=0 ppid=14954 pid=14957 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="S31ganesha-star" exe="/usr/bin/bash" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1435907679.087:108321): avc:  denied  { execute } for  pid=14957 comm="S31ganesha-star" name="showmount" dev="dm-1" ino=67811256 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:showmount_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1435907679.087:108321): arch=c000003e syscall=21 success=no exit=-13 a0=175a640 a1=1 a2=7fff891a
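
The records above are exactly what audit2allow collapses into the blanket `allow glusterd_t showmount_exec_t:file execute;` rule. The script below is an added example, not code from this bug, from selinux-policy or from the Gluster or NFS-Ganesha projects: it pairs each AVC with its SYSCALL record by audit serial (so you can see that the access(2) denials come from bash checking the binary before anything is executed, which is why they show up even though showmount is never invoked), aggregates the denials the way audit2allow does, and then points at a domain transition instead of the raw allow. The sample input is the audit lines quoted in this bug; the syscall table covers only x86_64 and the interface table only the showmount_exec_t / mount_domtrans_showmount pair that this bug names, everything else is an assumption.

```python
"""Triage of SELinux AVC denials. Added example for this bug page; not part of
selinux-policy, glusterfs or nfs-ganesha. Pairs AVC and SYSCALL records by
audit serial, aggregates them audit2allow-style, and flags execute denials on
*_exec_t files where a domain transition is the tighter fix.
"""
import re
from collections import defaultdict

# Every record of one audit event shares the msg=audit(<time>:<serial>) key.
_KEY_RE = re.compile(r"^type=(?P<rtype>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<rest>.*)$")
_AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+.*?comm="(?P<comm>[^"]*)"'
    r".*?scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)"
)
_SYSCALL_RE = re.compile(r"arch=(?P<arch>[0-9a-f]+) syscall=(?P<nr>\d+) success=(?P<success>yes|no)")
# x86_64 (arch=c000003e) numbers for the two syscalls in this bug's records:
# access(2) is bash's executability check, execve(2) is the real exec.
_X86_64_SYSCALLS = {21: "access", 59: "execve"}

# Sample input: records quoted in the description and comment 3 of this bug.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1435940872.438:47126): avc:  denied  { execute } for  pid=19711 comm="S31ganesha-star" name="showmount" dev=dm-0 ino=923917 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:showmount_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1435940872.438:47126): arch=c000003e syscall=21 success=yes exit=0 a0=26f97a0 a1=1 a2=0 a3=14 items=0 ppid=19709 pid=19711 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3660 comm="S31ganesha-star" exe="/bin/bash" subj=unconfined_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1435940872.438:47127): avc:  denied  { execute_no_trans } for  pid=19711 comm="S31ganesha-star" path="/usr/sbin/showmount" dev=dm-0 ino=923917 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:showmount_exec_t:s0 tclass=file
type=AVC msg=audit(1435907647.631:108318): avc:  denied  { execute } for  pid=14817 comm="S31ganesha-star" name="showmount" dev="dm-1" ino=67811256 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:showmount_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1435907647.631:108318): arch=c000003e syscall=59 success=no exit=-13 a0=1ad6340 a1=1ad6f80 a2=1ad8bb0 a3=7fff5456a410 items=0 ppid=14815 pid=14817 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="S31ganesha-star" exe="/usr/bin/bash" subj=system_u:system_r:glusterd_t:s0 key=(null)
"""


def syscall_name(arch, nr):
    """Decode a syscall number; only x86_64 is known here."""
    if arch == "c000003e" and nr is not None:
        return _X86_64_SYSCALLS.get(int(nr), "syscall_%s" % nr)
    return None


def parse_records(text):
    """Return one dict per AVC denial, with its paired SYSCALL record merged in."""
    avcs, syscalls = {}, {}
    for line in text.splitlines():
        m = _KEY_RE.match(line.strip())
        if not m:
            continue
        key = (m.group("ts"), m.group("serial"))
        if m.group("rtype") == "AVC":
            a = _AVC_RE.search(m.group("rest"))
            if a:
                d = a.groupdict()
                d["perms"] = d["perms"].split()
                d["stype"] = d["scontext"].split(":")[2]  # user:role:TYPE:level
                d["ttype"] = d["tcontext"].split(":")[2]
                avcs.setdefault(key, []).append(d)
        elif m.group("rtype") == "SYSCALL":
            s = _SYSCALL_RE.search(m.group("rest"))
            if s:
                syscalls[key] = s.groupdict()
    denials = []
    for key, group in avcs.items():
        sc = syscalls.get(key, {})
        for d in group:
            d["syscall"] = syscall_name(sc.get("arch"), sc.get("nr"))
            d["success"] = sc.get("success")
            denials.append(d)
    return denials


def aggregate(denials):
    """Collapse denials into (source type, target type, class) -> permissions, as audit2allow does."""
    agg = defaultdict(set)
    for d in denials:
        agg[(d["stype"], d["ttype"], d["tclass"])].update(d["perms"])
    return dict(agg)


def allow_rules(agg):
    """Render the broad fix: audit2allow-style allow rules."""
    rules = []
    for (s, t, c), perms in sorted(agg.items()):
        p = " ".join(sorted(perms))
        rules.append("allow %s %s:%s %s;" % (s, t, c, "{ %s }" % p if len(perms) > 1 else p))
    return rules


# Exec type -> refpolicy transition interface. Only the pair this bug names is
# listed; anything else would be an assumption about policy not on this page.
_DOMTRANS_INTERFACES = {"showmount_exec_t": "mount_domtrans_showmount"}


def suggest(agg):
    """Prefer a domain transition over letting a daemon run a helper inside its own domain."""
    notes = []
    for (s, t, c), perms in sorted(agg.items()):
        if c != "file" or not t.endswith("_exec_t") or not perms & {"execute", "execute_no_trans"}:
            continue
        iface = _DOMTRANS_INTERFACES.get(t)
        if iface:
            notes.append("%s(%s)  # transition into the helper's domain instead of allowing execute_no_trans" % (iface, s))
        else:
            notes.append("# find the *_domtrans_* interface for %s before granting %s execute_no_trans on it" % (t, s))
    return notes


if __name__ == "__main__":
    dens = parse_records(SAMPLE_AUDIT)
    for d in dens:
        print(d["comm"], d["syscall"], "success=%s" % d["success"], d["stype"], "->", d["ttype"], d["perms"])
    agg = aggregate(dens)
    print("\n".join(allow_rules(agg) + suggest(agg)))
```

Run it against a real audit.log by replacing SAMPLE_AUDIT with the file contents. The point of suggest() is the one the later comments settle on: `execute_no_trans` keeps showmount running as glusterd_t, so everything showmount touches then has to be opened up to the daemon's domain, whereas mount_domtrans_showmount() lets the exec land in showmount's own confined domain.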

--- Additional comment from Milos Malik on 2015-07-03 10:28:54 EDT ---

# cat mypolicy.te
policy_module(mypolicy, 1.0)

require{
 type glusterd_t;
}

mount_domtrans_showmount(glusterd_t)
# make -f /usr/share/selinux/devel/Makefile 
Compiling targeted mypolicy module
/usr/bin/checkmodule:  loading policy configuration from tmp/mypolicy.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 17) to tmp/mypolicy.mod
Creating targeted mypolicy.pp policy package
rm tmp/mypolicy.mod.fc tmp/mypolicy.mod
# semodule -i mypolicy.pp
#

--- Additional comment from  on 2015-07-04 04:39:47 EDT ---

Followed Comment 4 and no AVC denials were reported in audit.log messages while testing Scheduler of Snapshots where we do a volume set operation to create shared storage

--- Additional comment from Anil Shah on 2015-07-06 05:07:36 EDT ---

Seen AVC failures while running quota beaker automation test cases.

Info: Searching AVC errors produced since 1435986242.98 (Sat Jul  4 10:34:02 2015)
Searching logs...
Running '/usr/bin/env LC_ALL=en_US.UTF-8 /sbin/ausearch -m AVC -m USER_AVC -m SELINUX_ERR -ts 07/04/2015 10:34:02 < /dev/null >/mnt/testarea/tmp.rhts-db-submit-result.6e7wZM 2>&1'
----
time->Sat Jul  4 10:34:12 2015
type=SYSCALL msg=audit(1435986252.290:1607): arch=c000003e syscall=21 success=no exit=-13 a0=aa68b0 a1=1 a2=0 a3=14 items=0 ppid=21225 pid=21228 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="S31ganesha-star" exe="/bin/bash" subj=unconfined_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1435986252.290:1607): avc:  denied  { execute } for  pid=21228 comm="S31ganesha-star" name="showmount" dev=dm-0 ino=1444628 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:showmount_exec_t:s0 tclass=file
----
time->Sat Jul  4 10:34:12 2015
type=SYSCALL msg=audit(1435986252.290:1608): arch=c000003e syscall=21 success=no exit=-13 a0=aa6160 a1=1 a2=0 a3=13 items=0 ppid=21225 pid=21228 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="S31ganesha-star" exe="/bin/bash" subj=unconfined_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1435986252.290:1608): avc:  denied  { execute } for  pid=21228 comm="S31ganesha-star" name="showmount" dev=dm-0 ino=1444628 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:showmount_exec_t:s0 tclass=file
----
time->Sat Jul  4 10:34:12 2015
type=SYSCALL msg=audit(1435986252.291:1609): arch=c000003e syscall=59 success=no exit=-13 a0=aa6160 a1=aa6d40 a2=aa8a00 a3=20 items=0 ppid=21225 pid=21228 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="S31ganesha-star" exe="/bin/bash" subj=unconfined_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1435986252.291:1609): avc:  denied  { execute } for  pid=21228 comm="S31ganesha-star" name="showmount" dev=dm-0 ino=1444628 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:showmount_exec_t:s0 tclass=file
----
time->Sat Jul  4 10:34:12 2015
type=SYSCALL msg=audit(1435986252.291:1610): arch=c000003e syscall=21 success=no exit=-13 a0=aa6160 a1=1 a2=0 a3=20 items=0 ppid=21225 pid=21228 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="S31ganesha-star" exe="/bin/bash" subj=unconfined_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1435986252.291:1610): avc:  denied  { execute } for  pid=21228 comm="S31ganesha-star" name="showmount" dev=dm-0 ino=1444628 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:showmount_exec_t:s0 tclass=file
Fail: AVC messages found.
Checking for errors...
Using stronger AVC checks.
	Define empty RHTS_OPTION_STRONGER_AVC parameter if this causes any problems.
Running 'cat /mnt/testarea/tmp.rhts-db-submit-result.6e7wZM | /sbin/ausearch -m AVC -m SELINUX_ERR'
Fail: AVC messages found.
Running 'cat %s | /sbin/ausearch -m USER_AVC >/mnt/testarea/tmp.rhts-db-submit-result.RKvgji 2>&1'
Info: No AVC messages found.
/bin/grep 'avc: ' /mnt/testarea/dmesg.log | /bin/grep --invert-match TESTOUT.log
No AVC messages found in dmesg
Running '/usr/sbin/sestatus'
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted
Running 'rpm -q selinux-policy || true'
selinux-policy-3.7.19-279.el6.noarch 

Since these are beaker automation test cases, the workaround will not work.
We need to have a fix for this.

--- Additional comment from RHEL Product and Program Management on 2015-07-06 07:51:10 EDT ---

This bug report previously had all acks and release flag approved.
However since at least one of its acks has been changed, the
release flag has been reset to ? by the bugbot (pm-rhel).  The
ack needs to become approved before the release flag can become
approved again.

--- Additional comment from Rejy M Cyriac on 2015-07-06 10:16:58 EDT ---

Accepted as Blocker for RHGS 3.1 at RHGS 3.1 Blocker BZ Status Check meeting on 06 July 2015

--- Additional comment from Red Hat Bugzilla Rules Engine on 2015-07-06 10:20:22 EDT ---

Since this bug has been approved for the Red Hat Gluster Storage 3.1.0 release, through release flag 'rhgs-3.1.0+', the Target Release is being automatically set to 'RHGS 3.1.0'

--- Additional comment from Milos Malik on 2015-07-07 03:41:14 EDT ---

Here is a beaker task, which provides the same local policy as comment#4 does. You can prepend it to the list of your beaker tasks:

--task "! yum -y install policycoreutils-devel selinux-policy-devel ; echo -en 'policy_module(mypolicy, 1.0)\n\nrequire {\ntype glusterd_t;\n}\n\nmount_domtrans_showmount(glusterd_t)\n' > mypolicy.te ; make -f /usr/share/selinux/devel/Makefile ; semodule -i mypolicy.pp ; semodule -l | grep mypolicy"

--- Additional comment from Milos Malik on 2015-07-07 05:58:52 EDT ---

Non-beaker task form of local policy follows:

# cat bz1239017.te 
policy_module(mypolicy, 1.0)

require {
  type glusterd_t;
}

mount_domtrans_showmount(glusterd_t)

# make -f /usr/share/selinux/devel/Makefile 
Compiling targeted bz1239017 module
/usr/bin/checkmodule:  loading policy configuration from tmp/bz1239017.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 10) to tmp/bz1239017.mod
Creating targeted bz1239017.pp policy package
rm tmp/bz1239017.mod.fc tmp/bz1239017.mod
# semodule -i bz1239017.pp
#

--- Additional comment from Prasanth on 2015-07-08 02:23:26 EDT ---

Apeksha, please apply the fix mentioned by Milos in Comment 11 , re-run your tests and confirm if that works.

--- Additional comment from Prasanth on 2015-07-09 02:14:44 EDT ---



--- Additional comment from Apeksha on 2015-07-09 03:01:03 EDT ---

I am not seeing avc denied messages for showmount after using this workaround.

Comment 2 Miroslav Grepl 2015-07-13 07:49:24 UTC
The local policy for testing

# cat gluster_showmount.te
policy_module(gluster_showmount, 1.0)

optional_policy(`
 mount_domtrans_showmount(glusterd_t)
')


# make -f /usr/share/selinux/devel/Makefile gluster_showmount.pp
# semodule -i gluster_showmount.pp
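
Building and loading the module is shown above; what the comments never show is checking what the loaded policy actually grants. The script below is an added example, not Red Hat's or the Gluster project's tooling: it writes the comment 2 module source, builds and installs it with the same devel Makefile and semodule commands, and then uses sesearch (from setools-console, assumed installed) to confirm that glusterd_t now gets a type_transition on showmount_exec_t and, just as important, that it did not get the `execute_no_trans` permission an audit2allow rule would have handed out. The sesearch flags are the ones I know from setools; if your setools version differs, adjust them.

```shell
#!/bin/sh
# Added example for this bug page, not Red Hat's or the Gluster project's
# own tooling. Builds the local policy module from comment 2 and then checks
# what the loaded policy grants. Assumes selinux-policy-devel (the devel
# Makefile) and setools-console (sesearch) are installed; the module and
# type names are the ones from this bug.
set -eu

MOD=gluster_showmount
SRC_DOMAIN=glusterd_t
EXEC_TYPE=showmount_exec_t

# Module source, as in comment 2. optional_policy() keeps it loadable on a
# policy where the mount module (which owns showmount_exec_t) is absent.
gen_te() {
    cat <<'EOF'
policy_module(gluster_showmount, 1.0)

optional_policy(`
    mount_domtrans_showmount(glusterd_t)
')
EOF
}

build_and_install() {
    gen_te > "$MOD.te"
    make -f /usr/share/selinux/devel/Makefile "$MOD.pp"
    semodule -i "$MOD.pp"
    semodule -l | grep -q "^$MOD" || { echo "$MOD did not load" >&2; return 1; }
}

# The check worth running after semodule -i: the fix must be a transition,
# not the audit2allow rule that lets glusterd_t run showmount in its own domain.
verify() {
    sesearch -T -s "$SRC_DOMAIN" -t "$EXEC_TYPE" -c process | grep -q type_transition \
        || { echo "no type_transition from $SRC_DOMAIN on $EXEC_TYPE" >&2; return 1; }
    if sesearch -A -s "$SRC_DOMAIN" -t "$EXEC_TYPE" -c file -p execute_no_trans | grep -q allow; then
        echo "execute_no_trans granted: showmount would stay in $SRC_DOMAIN" >&2
        return 1
    fi
    echo "ok: $SRC_DOMAIN transitions on $EXEC_TYPE and cannot execute_no_trans it"
}

case "${1:-}" in
    install) build_and_install ;;
    verify)  verify ;;
    *)       gen_te ;;          # default: just print the .te source
esac
```

Usage: `sh gluster_showmount.sh install` on the affected node, then `sh gluster_showmount.sh verify`; the verify step failing on the second check means a broader local module (for instance one generated straight from audit2allow) is also loaded and should be removed with `semodule -r`.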

Comment 8 errata-xmlrpc 2016-05-10 19:59:07 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-0763.html

