Bug 1242412 - [SELinux] posix: mknod with file type S_IFSOCK fails
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Gluster Storage
Classification: Red Hat Storage
Component: posix
Version: rhgs-3.1
Hardware: x86_64
OS: Linux
unspecified
high
Target Milestone: ---
Assignee: Pranith Kumar K
QA Contact: Rahul Hinduja
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2015-07-13 09:48 UTC by Saurabh
Modified: 2023-09-14 03:01 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-04-16 18:00:52 UTC
Embargoed:


Attachments
nfs11 ganesha.log (8.26 KB, text/plain)
2015-07-13 09:53 UTC, Saurabh
nfs11 ganesha-gfapi.log (1.80 MB, application/x-xz)
2015-07-13 09:59 UTC, Saurabh
nfs11 brick log (275.28 KB, text/plain)
2015-07-13 10:00 UTC, Saurabh
audit.log (5.56 MB, text/plain)
2015-07-14 05:58 UTC, Soumya Koduri

Description Saurabh 2015-07-13 09:48:15 UTC
Description of problem:
Created a volume of 6x2 type and kept the configuration of the volume at default, meaning that ACLs are disabled and root_squash is disabled.

Executed pynfs MKSOCK test and it failed

Version-Release number of selected component (if applicable):
glusterfs-3.7.1-9.el6rhs.x86_64
nfs-ganesha-2.2.0-5.el6rhs.x86_64

How reproducible:
always

Steps to Reproduce:
1. Create a volume of type 6x2, start it
2. Configure nfs-ganesha, mount the volume with vers=4
3. Execute pynfs with MKSOCK as parameter:
time ./testserver.py  -v --outfile ~/pynfs.run.2 --maketree 10.70.44.92:/vol3  --showomit --rundeps  MKSOCK  > /export/pynfs-results-mksock-4.log

Actual results:
Result of step 3:
[root@rhsauto009 mnt1]# cat /export/pynfs-results-mksock-4.log 
WARNING - could not create /vol3/tree/socket
MKSOCK   st_create.testSocket                                     : RUNNING
MKSOCK   st_create.testSocket                                     : FAILURE
           CREATE in empty dir should return NFS4_OK, instead got
           NFS4ERR_ACCESS
**************************************************
MKSOCK   st_create.testSocket                                     : FAILURE
           CREATE in empty dir should return NFS4_OK, instead got
           NFS4ERR_ACCESS
**************************************************
Command line asked for 1 of 655 tests
Of those: 0 Skipped, 1 Failed, 0 Warned, 0 Passed


Expected results:
MKSOCK should pass

Additional info:

Comment 2 Saurabh 2015-07-13 09:53:55 UTC
Created attachment 1051352
nfs11 ganesha.log

Comment 3 Saurabh 2015-07-13 09:59:38 UTC
Created attachment 1051354
nfs11 ganesha-gfapi.log

Comment 4 Saurabh 2015-07-13 10:00:18 UTC
Created attachment 1051355
nfs11 brick log

Comment 5 Soumya Koduri 2015-07-13 10:23:24 UTC
From the brick log:

[2015-07-13 14:51:26.192714] E [MSGID: 113022] [posix.c:1165:posix_mknod] 0-vol3-posix: mknod on /rhs/brick1/d1r13/tree/socket failed [Permission denied]

The brick process denies creation of the socket files.

The same test passes on our setup (which has SELinux disabled):

[root@192 nfs4.0]# ./testserver.py  -v --outfile ~/pynfs.run.1 --maketree 192.168.122.205:/vol1 --showomit --rundeps  MKSOCK
MKSOCK   st_create.testSocket                                     : RUNNING
MKSOCK   st_create.testSocket                                     : PASS
**************************************************
MKSOCK   st_create.testSocket                                     : PASS
**************************************************
Command line asked for 1 of 645 tests
Of those: 0 Skipped, 0 Failed, 0 Warned, 1 Passed
[root@192 nfs4.0]# 

Will check after enabling selinux.

Comment 8 Soumya Koduri 2015-07-13 11:45:02 UTC
I see the following AVCs:

type=SYSCALL msg=audit(07/13/2015 22:33:25.715:103557) : arch=x86_64 syscall=mknod success=no exit=-13(Permission denied) a0=0x7f3801d3b720 a1=socket,750 a2=0x0 a3=0x7f382703f048 items=0 ppid=1 pid=9046 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=12060 comm=glusterfsd exe=/usr/sbin/glusterfsd subj=unconfined_u:system_r:glusterd_t:s0 key=(null) 
type=AVC msg=audit(07/13/2015 22:33:25.715:103557) : avc:  denied  { create } for  pid=9046 comm=glusterfsd name=sock scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=sock_file 
----
type=SYSCALL msg=audit(07/13/2015 22:33:57.661:103558) : arch=x86_64 syscall=mknod success=no exit=-13(Permission denied) a0=0x7f3801d3b720 a1=socket,750 a2=0x0 a3=0x7f382703f048 items=0 ppid=1 pid=9046 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=12060 comm=glusterfsd exe=/usr/sbin/glusterfsd subj=unconfined_u:system_r:glusterd_t:s0 key=(null) 
type=AVC msg=audit(07/13/2015 22:33:57.661:103558) : avc:  denied  { create } for  pid=9046 comm=glusterfsd name=sock scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:glusterd_brick_t:s0 tclass=sock_file 
[root@nfs11 fuse_mnt]# 
[root@nfs11 fuse_mnt]# 


[root@nfs11 fuse_mnt]# ls -RZ /rhs/brick1 | grep tmp_brick
drwxr-xr-x. root root unconfined_u:object_r:glusterd_brick_t:s0 tmp_brick
/rhs/brick1/tmp_brick:
[root@nfs11 fuse_mnt]#

Request Milos to look at the logs and update. Thanks!
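
Added example, not part of the original comment or of any Gluster or Red Hat tooling: a small parser that pairs each AVC denial with the SYSCALL record carrying the same audit serial and reduces it to source type, target type, class and permission. It assumes interpreted audit records in the layout quoted in comment 8; `SAMPLE` is constructed from those two events, abridged to the fields used.

```python
import re
from collections import Counter

# Constructed sample: the two events from comment 8, abridged to the fields used here.
SAMPLE = """\
type=SYSCALL msg=audit(07/13/2015 22:33:25.715:103557) : arch=x86_64 syscall=mknod success=no exit=-13(Permission denied) a1=socket,750 pid=9046 comm=glusterfsd exe=/usr/sbin/glusterfsd subj=unconfined_u:system_r:glusterd_t:s0
type=AVC msg=audit(07/13/2015 22:33:25.715:103557) : avc:  denied  { create } for  pid=9046 comm=glusterfsd name=sock scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=sock_file
----
type=SYSCALL msg=audit(07/13/2015 22:33:57.661:103558) : arch=x86_64 syscall=mknod success=no exit=-13(Permission denied) a1=socket,750 pid=9046 comm=glusterfsd exe=/usr/sbin/glusterfsd subj=unconfined_u:system_r:glusterd_t:s0
type=AVC msg=audit(07/13/2015 22:33:57.661:103558) : avc:  denied  { create } for  pid=9046 comm=glusterfsd name=sock scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:glusterd_brick_t:s0 tclass=sock_file
"""

RECORD = re.compile(r"^type=(\w+) msg=audit\((.+?):(\d+)\)\s*:\s*(.*)$")
DENIAL = re.compile(r"avc:\s+denied\s+\{([^}]*)\}.*?\bscontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)")


def se_type(context):
    """Return the type field of a user:role:type:level SELinux context."""
    return context.split(":")[2]


def parse_denials(text):
    """Pair each AVC denial with the SYSCALL record sharing its audit serial."""
    syscalls, denials = {}, []
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if not m:
            continue  # "----" separators, shell prompts, blank lines
        rtype, _stamp, serial, body = m.groups()
        if rtype == "SYSCALL":
            syscalls[serial] = dict(t.split("=", 1) for t in body.split() if "=" in t)
        elif rtype == "AVC" and (d := DENIAL.search(body)):
            denials.append({"serial": serial, "perms": d.group(1).split(),
                            "source": se_type(d.group(2)), "target": se_type(d.group(3)),
                            "tclass": d.group(4)})
    for den in denials:  # join after the loop so record order does not matter
        call = syscalls.get(den["serial"], {})
        den["syscall"], den["exe"] = call.get("syscall"), call.get("exe")
    return denials


def summarize(denials):
    """Count denials per (source type, target type, class, permission, syscall)."""
    return Counter((d["source"], d["target"], d["tclass"], p, d["syscall"])
                   for d in denials for p in d["perms"])


if __name__ == "__main__":
    for (src, tgt, cls, perm, call), n in sorted(summarize(parse_denials(SAMPLE)).items()):
        print(f"{n}x {src} -> {tgt}:{cls} {{ {perm} }} via {call}")
```

The summary shows the same `create` denial on class `sock_file` from `glusterd_t` against two target types, `default_t` and `glusterd_brick_t`.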

Comment 9 Soumya Koduri 2015-07-14 05:58:17 UTC
Created attachment 1051624
audit.log

Comment 10 Soumya Koduri 2015-07-14 05:58:36 UTC
[root@nfs11 ~]# gluster vol info tmp_vol
 
Volume Name: tmp_vol
Type: Distribute
Volume ID: 6c9c840d-b576-4443-adea-9d9f58eceb41
Status: Started
Number of Bricks: 1
Transport-type: tcp
Bricks:
Brick1: 10.70.46.8:/rhs/brick1/tmp_brick
Options Reconfigured:
nfs.disable: on
performance.readdir-ahead: on
cluster.enable-shared-storage: enable
nfs-ganesha: enable
[root@nfs11 ~]# 
[root@nfs11 ~]# ls -RZ /rhs/brick1/tmp_brick/
/rhs/brick1/tmp_brick/:
-rwxr-xr-x. root root unconfined_u:object_r:glusterd_brick_t:s0 fops-sanity
-rw-r--r--. root root unconfined_u:object_r:glusterd_brick_t:s0 fops-sanity.c
[root@nfs11 ~]#

Comment 23 Red Hat Bugzilla 2023-09-14 03:01:53 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days

