Bug 1241386 - [SELinux] [nfs-ganesha]: seeing avc denied error message for showmount, while doing a volume start - Rhel6.7
Summary: [SELinux] [nfs-ganesha]: seeing avc denied error message for showmount, while...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.7
Hardware: All
OS: Linux
high
high
Target Milestone: rc
: ---
Assignee: Miroslav Grepl
QA Contact: Milos Malik
Petr Bokoc
URL:
Whiteboard:
Depends On:
Blocks: 1202842 1212796 1239017 1248520
TreeView+ depends on / blocked
 
Reported: 2015-07-09 07:04 UTC by Prasanth
Modified: 2016-05-10 19:59 UTC (History)
18 users (show)

Fixed In Version: selinux-policy-3.7.19-279.el6
Doc Type: Bug Fix
Doc Text:
Fixed an AVC denial error when setting up *Gluster* storage on NFS Ganesha clusters Attempting to set up Gluster storage on an NFS-Ganesha cluster previously failed due to an Access Vector Cache (AVC) denial error. The responsible SELinux policy has been adjusted to allow handling of volumes mounted by NFS-Ganesha, and the described failure no longer occurs.
Clone Of: 1239017
: 1248520 (view as bug list)
Environment:
Last Closed: 2016-05-10 19:59:07 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2016:0763 normal SHIPPED_LIVE selinux-policy bug fix update 2016-05-10 22:33:46 UTC

Description Prasanth 2015-07-09 07:04:57 UTC
+++ This bug was initially created as a clone of Bug #1239017 +++

Description of problem:
[selinux] [nfs-ganesha]: seeing avc error message denied for showmount, while doing a volume start - Rhel6.7

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-279.el6.noarch
glusterfs-3.7.1-7.el6rhs.x86_64
nfs-ganesha-2.2.0-3.el6rhs.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Set up ganesha cluster
2. Create a volume
3. Start the volume, you will see avc errors in audit.log

Actual results: avc errors for showmount, even without showmount command being called

Expected results:No avc errors


Additional info:

audit.log :

type=AVC msg=audit(1435940872.438:47126): avc:  denied  { execute } for  pid=19711 comm="S31ganesha-star" name="showmount" dev=dm-0 ino=923917 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:showmount_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1435940872.438:47126): arch=c000003e syscall=21 success=yes exit=0 a0=26f97a0 a1=1 a2=0 a3=14 items=0 ppid=19709 pid=19711 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3660 comm="S31ganesha-star" exe="/bin/bash" subj=unconfined_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1435940872.438:47127): avc:  denied  { execute_no_trans } for  pid=19711 comm="S31ganesha-star" path="/usr/sbin/showmount" dev=dm-0 ino=923917 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:showmount_exec_t:s0 tclass=file

--- Additional comment from Red Hat Bugzilla Rules Engine on 2015-07-03 05:18:48 EDT ---

This bug is automatically being proposed for Red Hat Gluster Storage 3.1.0 by setting the release flag 'rhgs‑3.1.0' to '?'. 

If this bug should be proposed for a different release, please manually change the proposed release flag.

--- Additional comment from Prasanth on 2015-07-03 05:21:51 EDT ---

Apeksha, please attach the complete audit.log file to this BZ.

--- Additional comment from  on 2015-07-03 08:49:08 EDT ---

I see the following AVC s while testing Scheduler of Snapshots where we do a volume set operation to create shared storage. 

cat audit.log |audit2allow


#============= glusterd_t ==============
allow glusterd_t showmount_exec_t:file execute;



type=AVC msg=audit(1435907647.630:108317): avc:  denied  { execute } for  pid=14817 comm="S31ganesha-star" name="showmount" dev="dm-1" ino=67811256 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:showmount_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1435907647.630:108317): arch=c000003e syscall=21 success=no exit=-13 a0=1ad6340 a1=1 a2=7fff5456a4d0 a3=7fff5456a2f0 items=0 ppid=14815 pid=14817 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="S31ganesha-star" exe="/usr/bin/bash" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1435907647.631:108318): avc:  denied  { execute } for  pid=14817 comm="S31ganesha-star" name="showmount" dev="dm-1" ino=67811256 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:showmount_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1435907647.631:108318): arch=c000003e syscall=59 success=no exit=-13 a0=1ad6340 a1=1ad6f80 a2=1ad8bb0 a3=7fff5456a410 items=0 ppid=14815 pid=14817 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="S31ganesha-star" exe="/usr/bin/bash" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1435907647.631:108319): avc:  denied  { execute } for  pid=14817 comm="S31ganesha-star" name="showmount" dev="dm-1" ino=67811256 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:showmount_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1435907647.631:108319): arch=c000003e syscall=21 success=no exit=-13 a0=1ad6340 a1=1 a2=7fff5456a4f0 a3=7fff5456a410 items=0 ppid=14815 pid=14817 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="S31ganesha-star" exe="/usr/bin/bash" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1435907679.087:108320): avc:  denied  { execute } for  pid=14957 comm="S31ganesha-star" name="showmount" dev="dm-1" ino=67811256 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:showmount_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1435907679.087:108320): arch=c000003e syscall=21 success=no exit=-13 a0=175e9b0 a1=1 a2=7fff891a5c60 a3=7fff891a5ab0 items=0 ppid=14954 pid=14957 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="S31ganesha-star" exe="/usr/bin/bash" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1435907679.087:108321): avc:  denied  { execute } for  pid=14957 comm="S31ganesha-star" name="showmount" dev="dm-1" ino=67811256 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:showmount_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1435907679.087:108321): arch=c000003e syscall=21 success=no exit=-13 a0=175a640 a1=1 a2=7fff891a

--- Additional comment from Milos Malik on 2015-07-03 10:28:54 EDT ---

# cat mypolicy.te
policy_module(mypolicy, 1.0)

require{
 type glusterd_t;
}

mount_domtrans_showmount(glusterd_t)
# make -f /usr/share/selinux/devel/Makefile 
Compiling targeted mypolicy module
/usr/bin/checkmodule:  loading policy configuration from tmp/mypolicy.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 17) to tmp/mypolicy.mod
Creating targeted mypolicy.pp policy package
rm tmp/mypolicy.mod.fc tmp/mypolicy.mod
# semodule -i mypolicy.pp
#

--- Additional comment from  on 2015-07-04 04:39:47 EDT ---

Followed Comment 4 and no AVC denials were reported in audit.log messages while testing Scheduler of Snapshots where we do a volume set operation to create shared storage

--- Additional comment from Anil Shah on 2015-07-06 05:07:36 EDT ---

Seen AVC failures while running quota beaker automation test cases.

Info: Searching AVC errors produced since 1435986242.98 (Sat Jul  4 10:34:02 2015)
Searching logs...
Running '/usr/bin/env LC_ALL=en_US.UTF-8 /sbin/ausearch -m AVC -m USER_AVC -m SELINUX_ERR -ts 07/04/2015 10:34:02 < /dev/null >/mnt/testarea/tmp.rhts-db-submit-result.6e7wZM 2>&1'
----
time->Sat Jul  4 10:34:12 2015
type=SYSCALL msg=audit(1435986252.290:1607): arch=c000003e syscall=21 success=no exit=-13 a0=aa68b0 a1=1 a2=0 a3=14 items=0 ppid=21225 pid=21228 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="S31ganesha-star" exe="/bin/bash" subj=unconfined_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1435986252.290:1607): avc:  denied  { execute } for  pid=21228 comm="S31ganesha-star" name="showmount" dev=dm-0 ino=1444628 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:showmount_exec_t:s0 tclass=file
----
time->Sat Jul  4 10:34:12 2015
type=SYSCALL msg=audit(1435986252.290:1608): arch=c000003e syscall=21 success=no exit=-13 a0=aa6160 a1=1 a2=0 a3=13 items=0 ppid=21225 pid=21228 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="S31ganesha-star" exe="/bin/bash" subj=unconfined_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1435986252.290:1608): avc:  denied  { execute } for  pid=21228 comm="S31ganesha-star" name="showmount" dev=dm-0 ino=1444628 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:showmount_exec_t:s0 tclass=file
----
time->Sat Jul  4 10:34:12 2015
type=SYSCALL msg=audit(1435986252.291:1609): arch=c000003e syscall=59 success=no exit=-13 a0=aa6160 a1=aa6d40 a2=aa8a00 a3=20 items=0 ppid=21225 pid=21228 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="S31ganesha-star" exe="/bin/bash" subj=unconfined_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1435986252.291:1609): avc:  denied  { execute } for  pid=21228 comm="S31ganesha-star" name="showmount" dev=dm-0 ino=1444628 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:showmount_exec_t:s0 tclass=file
----
time->Sat Jul  4 10:34:12 2015
type=SYSCALL msg=audit(1435986252.291:1610): arch=c000003e syscall=21 success=no exit=-13 a0=aa6160 a1=1 a2=0 a3=20 items=0 ppid=21225 pid=21228 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="S31ganesha-star" exe="/bin/bash" subj=unconfined_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1435986252.291:1610): avc:  denied  { execute } for  pid=21228 comm="S31ganesha-star" name="showmount" dev=dm-0 ino=1444628 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:showmount_exec_t:s0 tclass=file
Fail: AVC messages found.
Checking for errors...
Using stronger AVC checks.
	Define empty RHTS_OPTION_STRONGER_AVC parameter if this causes any problems.
Running 'cat /mnt/testarea/tmp.rhts-db-submit-result.6e7wZM | /sbin/ausearch -m AVC -m SELINUX_ERR'
Fail: AVC messages found.
Running 'cat %s | /sbin/ausearch -m USER_AVC >/mnt/testarea/tmp.rhts-db-submit-result.RKvgji 2>&1'
Info: No AVC messages found.
/bin/grep 'avc: ' /mnt/testarea/dmesg.log | /bin/grep --invert-match TESTOUT.log
No AVC messages found in dmesg
Running '/usr/sbin/sestatus'
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted
Running 'rpm -q selinux-policy || true'
selinux-policy-3.7.19-279.el6.noarch 

Since these are beaker automation test cases, work around will not work.
We need to have fix for this.

--- Additional comment from RHEL Product and Program Management on 2015-07-06 07:51:10 EDT ---

This bug report previously had all acks and release flag approved.
However since at least one of its acks has been changed, the
release flag has been reset to ? by the bugbot (pm-rhel).  The
ack needs to become approved before the release flag can become
approved again.

--- Additional comment from Rejy M Cyriac on 2015-07-06 10:16:58 EDT ---

Accepted as Blocker for RHGS 3.1 at RHGS 3.1 Blocker BZ Status Check meeting on 06 July 2015

--- Additional comment from Red Hat Bugzilla Rules Engine on 2015-07-06 10:20:22 EDT ---

Since this bug has been approved for the Red Hat Gluster Storage 3.1.0 release, through release flag 'rhgs-3.1.0+', the Target Release is being automatically set to 'RHGS 3.1.0'

--- Additional comment from Milos Malik on 2015-07-07 03:41:14 EDT ---

Here is a beaker task, which provides the same local policy as comment#4 does. You can prepend it to list of your beaker tasks:

--task "! yum -y install policycoreutils-devel selinux-policy-devel ; echo -en 'policy_module(mypolicy, 1.0)\n\nrequire {\ntype glusterd_t;\n}\n\nmount_domtrans_showmount(glusterd_t)\n' > mypolicy.te ; make -f /usr/share/selinux/devel/Makefile ; semodule -i mypolicy.pp ; semodule -l | grep mypolicy"

--- Additional comment from Milos Malik on 2015-07-07 05:58:52 EDT ---

Non-beaker task form of local policy follows:

# cat bz1239017.te 
policy_module(mypolicy, 1.0)

require {
  type glusterd_t;
}

mount_domtrans_showmount(glusterd_t)

# make -f /usr/share/selinux/devel/Makefile 
Compiling targeted bz1239017 module
/usr/bin/checkmodule:  loading policy configuration from tmp/bz1239017.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 10) to tmp/bz1239017.mod
Creating targeted bz1239017.pp policy package
rm tmp/bz1239017.mod.fc tmp/bz1239017.mod
# semodule -i bz1239017.pp
#

--- Additional comment from Prasanth on 2015-07-08 02:23:26 EDT ---

Apeksha, please apply the fix mentioned by Milos in Comment 11 , re-run your tests and confirm if that works.

--- Additional comment from Prasanth on 2015-07-09 02:14:44 EDT ---



--- Additional comment from Apeksha on 2015-07-09 03:01:03 EDT ---

I am not seeing avc denied messages for showmount after using this workaround.

Comment 2 Miroslav Grepl 2015-07-13 07:49:24 UTC
The local policy for testing

# cat gluster_showmount.te
policy_module(gluster_showmount, 1.0)

optional_policy(`
 mount_domtrans_showmount(glusterd_t)
')


# make -f /usr/share/selinux/devel/Makefile gluster_showmount.pp
# semodule -i gluster_showmount.pp

Comment 8 errata-xmlrpc 2016-05-10 19:59:07 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-0763.html


Note You need to log in before you can comment on or make changes to this bug.