Bug 1242476 - [SELinux] [nfs-ganesha]: Volume export fails when SELinux is in Enforcing mode - RHEL-7
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.1
Hardware: x86_64
OS: Linux
Priority: urgent
Severity: urgent
Target Milestone: rc
Assignee: Lukas Vrabec
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On: 1220999 1222845
Blocks: 1212796 1242487 1244274 1248658
Reported: 2015-07-13 12:13 UTC by Prasanth
Modified: 2015-11-19 10:39 UTC

Fixed In Version: selinux-policy-3.13.1-31.el7
Doc Type: Bug Fix
Doc Text:
Previously, migrating a Gluster volume on an NFS-Ganesha cluster failed when SELinux was in enforcing mode. The responsible SELinux policy has been corrected, and the described migration now proceeds successfully.
Clone Of: 1222845
Clones: 1248658
Environment:
Last Closed: 2015-11-19 10:39:58 UTC
Target Upstream Version:
Embargoed:
Links:
  System: Red Hat Product Errata
  ID: RHBA-2015:2300
  Priority: normal
  Status: SHIPPED_LIVE
  Summary: selinux-policy bug fix update
  Last Updated: 2015-11-19 09:55:26 UTC

Description Prasanth 2015-07-13 12:13:15 UTC
+++ This bug was initially created as a clone of Bug #1222845 +++

+++ This bug was initially created as a clone of Bug #1220999 +++

Description of problem:
The volume set option 'gluster vol set volname ganesha.enable on' sends a DBus signal to export/unexport the volume.
When SELinux is enabled, the connection is not established.

12/05/2015 16:05:21 : epoch 5551d769 : nfs1 : ganesha.nfsd-8462[main] gsh_dbus_pkginit BUS :CRIT bus_bus_get failed (An SELinux policy prevents this sender from sending this message to this recipient (rejected message had sender "(unset)" interface "org.freedesktop.DBus" member "Hello" error name "(unset)" destination "org.freedesktop.DBus"))
12/05/2015 16:05:21 : epoch 5551d769 : nfs1 : ganesha.nfsd-8462[main] gsh_dbus_register_path BUS :CRIT bus_connection_register_object_path called with no DBUS connection

Version-Release number of selected component (if applicable):
glusterfs-3.7.0beta1-0.69.git1a32479.el6.x86_64
nfs-ganesha-2.2.0-0.el6.x86_64
How reproducible:

Steps to Reproduce:
1. Create a volume of 6x2 type.
2. Do the nfs-ganesha setup.
3. Use 'gluster volume set <volname> ganesha.enable on' to export the volume.
4. Run 'showmount -e localhost'.

Actual results:
Step 4 fails, as the volume is not mounted by step 3.

Issue as mentioned in the description section.

Expected results:
SELinux should not be a deterrent to exporting a volume.

Additional info:

--- Additional comment from Milos Malik on 2015-05-19 05:56:26 EDT ---

Please provide the output of following command:

# ausearch -m user_avc -i -ts today

--- Additional comment from Meghana on 2015-05-19 06:00:14 EDT ---

These are the specific errors reported in /var/log/audit.log:

type=AVC msg=audit(1431429023.964:11105): avc:  denied  { write } for  pid=24252 comm="dbus-send" name="system_bus_socket" dev=dm-0 ino=1177367 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1431429023.964:11105): avc:  denied  { connectto } for  pid=24252 comm="dbus-send" path="/var/run/dbus/system_bus_socket" scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=USER_AVC msg=audit(1431429023.978:11106): user pid=1553 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=24252 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus  exe="/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'


I'll attach the entire log files as an attachment.
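
The three records above are exactly the input a policy maintainer reads before writing a fix. As an added example (not code from the bug report or from the selinux-policy package), the Python below parses AVC and USER_AVC records into (source type, target type, class, permission) tuples, collapses them into the allow rules the fix has to grant, and checks those denials against sesearch-style output of the kind shown later in this bug. The audit lines are the ones quoted above; the two policy snippets and the boolean name example_bool are constructed for illustration.

```python
import re

# Constructed sample input: the three audit records quoted in the comment above.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1431429023.964:11105): avc:  denied  { write } for  pid=24252 comm="dbus-send" name="system_bus_socket" dev=dm-0 ino=1177367 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1431429023.964:11105): avc:  denied  { connectto } for  pid=24252 comm="dbus-send" path="/var/run/dbus/system_bus_socket" scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=USER_AVC msg=audit(1431429023.978:11106): user pid=1553 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=24252 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus  exe="/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
"""

# Constructed sesearch-style output for a policy WITHOUT the fix: one unrelated rule,
# plus the dbus rule present but disabled ("D" flag) by a hypothetical boolean.
POLICY_BEFORE = """\
   allow glusterd_t glusterd_var_run_t : sock_file { ioctl read write create getattr setattr lock append unlink link rename open } ; 
DT allow glusterd_t system_dbusd_t : dbus send_msg ; [ example_bool ]
"""

# Constructed sesearch-style output for a policy WITH unconditional rules for all three denials.
POLICY_AFTER = """\
   allow glusterd_t glusterd_var_run_t : sock_file { ioctl read write create getattr setattr lock append unlink link rename open } ; 
   allow glusterd_t system_dbusd_var_run_t : sock_file { write } ; 
   allow glusterd_t system_dbusd_t : unix_stream_socket connectto ; 
   allow glusterd_t system_dbusd_t : dbus send_msg ; 
"""

# The avc text sits at top level in AVC records and inside msg='...' in USER_AVC
# records (denials reported by dbus-daemon itself), so we search rather than match.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# One sesearch rule line: optional conditional flag (ET/EF/DT/DF), then
# "allow SRC TGT : CLASS { p1 p2 } ;" or "allow SRC TGT : CLASS perm ;".
RULE_RE = re.compile(
    r"^\s*(?:(?P<flag>[DE][TF])\s+)?allow\s+(?P<stype>\S+)\s+(?P<ttype>\S+)\s*:\s*"
    r"(?P<tclass>\S+)\s+(?:\{\s*(?P<perms>[^}]*?)\s*\}|(?P<perm>\S+))\s*;"
)


def type_of(context):
    """Return the type field of a context: system_u:system_r:glusterd_t:s0-s0:c0.c1023 -> glusterd_t."""
    return context.split(":")[2]


def parse_avc_denials(text):
    """Extract (source type, target type, class, permission) tuples from audit records."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        for perm in m.group("perms").split():  # one denial per permission in the braces
            denials.append((type_of(m.group("scontext")), type_of(m.group("tcontext")),
                            m.group("tclass"), perm))
    return denials


def required_rules(denials):
    """Collapse denials into one TE allow rule per (source, target, class), audit2allow style."""
    merged = {}
    for stype, ttype, tclass, perm in denials:
        merged.setdefault((stype, ttype, tclass), set()).add(perm)
    return sorted("allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(perms)))
                  for (s, t, c), perms in merged.items())


def parse_policy_rules(text):
    """Parse sesearch -A output into {(stype, ttype, tclass): set(perms)}.
    Conditional rules flagged 'D' are disabled by their boolean right now and grant nothing."""
    granted = {}
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m or (m.group("flag") or "").startswith("D"):
            continue
        perms = m.group("perms").split() if m.group("perms") else [m.group("perm")]
        key = (m.group("stype"), m.group("ttype"), m.group("tclass"))
        granted.setdefault(key, set()).update(perms)
    return granted


def uncovered_denials(denials, policy_text):
    """Return the denials that the given sesearch output does not allow.
    Caveat: types are compared literally; a permission granted through an attribute
    (e.g. non_security_file_type in the test log below) is only recognised if the
    sesearch output was produced with that attribute expanded."""
    granted = parse_policy_rules(policy_text)
    return [d for d in denials if d[3] not in granted.get(d[:3], set())]


if __name__ == "__main__":
    found = parse_avc_denials(SAMPLE_AUDIT_LOG)
    print("\n".join(required_rules(found)))
    print("uncovered before fix:", len(uncovered_denials(found, POLICY_BEFORE)))
    print("uncovered after fix: ", len(uncovered_denials(found, POLICY_AFTER)))
```

On a live system the same check runs over `ausearch -m avc,user_avc -i` output for the denials and `sesearch -A -s glusterd_t -t system_dbusd_t` output for the policy side.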

--- Additional comment from RHEL Product and Program Management on 2015-05-19 06:00:28 EDT ---

Since this bug report was entered in bugzilla, the release flag has been
set to ? to ensure that it is properly evaluated for this release.

--- Additional comment from Meghana on 2015-05-19 06:09:53 EDT ---



--- Additional comment from Meghana on 2015-05-19 06:12:07 EDT ---

Oh sorry, that flag also got overwritten. Milos Malik, is there anything else
you would need? The machine has SELinux as permissive right now.

ausearch -m user_avc -i -ts today
<no matches>

--- Additional comment from Milos Malik on 2015-05-19 06:26:32 EDT ---

Thanks, the attached audit.log file seems to be sufficient.

--- Additional comment from Miroslav Grepl on 2015-05-19 06:57:04 EDT ---

commit f90cd4ee1e7719b4230fe01b110c514f056b3489
Author: Miroslav Grepl <mgrepl>
Date:   Tue May 19 12:56:34 2015 +0200

    Allow glusterd to connect to /var/run/dbus/system_bus_socket.

--- Additional comment from Prasanth on 2015-05-19 08:48:55 EDT ---

(In reply to Miroslav Grepl from comment #7)
> commit f90cd4ee1e7719b4230fe01b110c514f056b3489
> Author: Miroslav Grepl <mgrepl>
> Date:   Tue May 19 12:56:34 2015 +0200
> 
>     Allow glusterd to connect to /var/run/dbus/system_bus_socket.

Miroslav, is it possible to back-port the fixes to RHEL 6.6, as RHGS 3.1 would be based out of 6.6, or has it already been taken care of?

--- Additional comment from Miroslav Grepl on 2015-05-25 07:06:36 EDT ---

(In reply to Prasanth from comment #8)
> (In reply to Miroslav Grepl from comment #7)
> > commit f90cd4ee1e7719b4230fe01b110c514f056b3489
> > Author: Miroslav Grepl <mgrepl>
> > Date:   Tue May 19 12:56:34 2015 +0200
> > 
> >     Allow glusterd to connect to /var/run/dbus/system_bus_socket.
> 
> Miroslav, Is it possible to back-port the fixes to RHEL6.6 as RHGS3.1 would
> be based out of 6.6 or is it already been taken care of?

We need to get all acks and then you need to request a z-stream bug.

--- Additional comment from Meghana on 2015-05-26 02:46:31 EDT ---

Hi, is a fix available for this? How and when can I test this for my use case
with NFS-Ganesha?

--- Additional comment from errata-xmlrpc on 2015-05-26 10:05:27 EDT ---

Bug report changed to ON_QA status by Errata System.
A QE request has been submitted for advisory RHBA-2015:20009-01
https://errata.devel.redhat.com/advisory/20009

--- Additional comment from Milos Malik on 2015-05-26 12:51:49 EDT ---

Based on the results of the automated TC, the bug is fixed.

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: Setup
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [  BEGIN   ] :: Running 'rlImport 'selinux-policy/common''
:: [ 18:46:48 ] :: [ INFO    ] :: rlImport: Found 'selinux-policy/common', version '6' during upwards traversal
:: [ 18:46:48 ] :: [ INFO    ] :: rlImport: Will try to import selinux-policy/common from /root/selinux-policy/Library/common/lib.sh
setools-console-3.3.7-4.el6.x86_64
expect-5.44.1.15-5.el6_4.x86_64
policycoreutils-python-2.0.83-23.el6.x86_64
:: [   PASS   ] :: Command 'rlImport 'selinux-policy/common'' (Expected 0, got 0)
:: [   PASS   ] :: all required packages are really installed 
selinux-policy-3.7.19-269.el6.noarch
:: [   PASS   ] :: Checking for the presence of selinux-policy rpm 
:: [ 18:46:49 ] :: Package versions:
:: [ 18:46:49 ] ::   selinux-policy-3.7.19-269.el6.noarch
selinux-policy-targeted-3.7.19-269.el6.noarch
:: [   PASS   ] :: Checking for the presence of selinux-policy-targeted rpm 
:: [ 18:46:50 ] :: Package versions:
:: [ 18:46:50 ] ::   selinux-policy-targeted-3.7.19-269.el6.noarch
glusterfs-server-3.6.0.54-1.el6rhs.x86_64
:: [   PASS   ] :: Checking for the presence of glusterfs-server rpm 
:: [ 18:46:50 ] :: Package versions:
:: [ 18:46:50 ] ::   glusterfs-server-3.6.0.54-1.el6rhs.x86_64
glusterd is stopped
:: [ 18:46:51 ] :: [ INFO    ] :: using '/var/tmp/beakerlib-Dq0B8Cq/backup' as backup destination
:: [  BEGIN   ] :: Running 'setenforce 1'
:: [   PASS   ] :: Command 'setenforce 1' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'sestatus'
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted
:: [   PASS   ] :: Command 'sestatus' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'semodule -l | grep -i disabled'
rhts	2.0.1	Disabled
:: [   PASS   ] :: Command 'semodule -l | grep -i disabled' (Expected 0,1, got 0)
:: [ 18:46:52 ] :: Setting timestamp 'TIMESTAMP' [05/26/2015 18:46:52]

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: bz#1052817
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

/var/lib/libvirt/images/netfs	system_u:object_r:virt_image_t:s0
:: [   PASS   ] :: Result of matchpathcon /var/lib/libvirt/images/netfs should contain virt_image_t (Assert: expected 0, got 0)
:: [ 18:46:56 ] :: [ INFO    ] :: checking rule 'allow glusterd_t virt_image_t : dir { write setattr mounton }'
FILTERED RULES
Found 3 semantic av rules:
   allow glusterd_t non_security_file_type : dir mounton ; 
DT allow glusterd_t non_security_file_type : dir { ioctl read getattr lock search open } ; [ gluster_export_all_ro ]
ET allow glusterd_t non_security_file_type : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open } ; [ gluster_export_all_rw ]
:: [   PASS   ] ::   check permission 'write' is present (Assert: '0' should equal '0')
:: [   PASS   ] ::   check permission 'setattr' is present (Assert: '0' should equal '0')
:: [   PASS   ] ::   check permission 'mounton' is present (Assert: '0' should equal '0')
:: [ 18:46:58 ] :: [ INFO    ] :: checking rule 'allow glusterd_t virt_image_t : file { mounton }'
FILTERED RULES
Found 3 semantic av rules:
   allow glusterd_t non_security_file_type : file mounton ; 
DT allow glusterd_t non_security_file_type : file { ioctl read getattr lock open } ; [ gluster_export_all_ro ]
ET allow glusterd_t non_security_file_type : file { ioctl read write create getattr setattr lock append unlink link rename open } ; [ gluster_export_all_rw ]
:: [   PASS   ] ::   check permission 'mounton' is present (Assert: '0' should equal '0')

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: bz#1011963
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [ 18:46:59 ] :: [ INFO    ] :: checking rule 'allow xm_t tmp_t : dir { getattr search open read lock ioctl }'
FILTERED RULES
Found 3 semantic av rules:
   allow domain tmp_t : dir { getattr search open } ; 
   allow xm_t tmp_t : dir { ioctl read getattr lock search open } ; 
   allow domain base_file_type : dir { getattr search open } ; 
:: [   PASS   ] ::   check permission 'getattr' is present (Assert: '0' should equal '0')
:: [   PASS   ] ::   check permission 'search' is present (Assert: '0' should equal '0')
:: [   PASS   ] ::   check permission 'open' is present (Assert: '0' should equal '0')
:: [   PASS   ] ::   check permission 'read' is present (Assert: '0' should equal '0')
:: [   PASS   ] ::   check permission 'lock' is present (Assert: '0' should equal '0')
:: [   PASS   ] ::   check permission 'ioctl' is present (Assert: '0' should equal '0')

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: bz#811304
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

/usr/sbin/glusterfsd	system_u:object_r:glusterd_exec_t:s0
:: [   PASS   ] :: Result of matchpathcon /usr/sbin/glusterfsd should contain glusterd_exec_t (Assert: expected 0, got 0)
/var/log/glusterfs	system_u:object_r:glusterd_log_t:s0
:: [   PASS   ] :: Result of matchpathcon /var/log/glusterfs should contain glusterd_log_t (Assert: expected 0, got 0)
/var/run/glusterd.pid	system_u:object_r:glusterd_var_run_t:s0
:: [   PASS   ] :: Result of matchpathcon /var/run/glusterd.pid should contain glusterd_var_run_t (Assert: expected 0, got 0)
:: [ 18:47:06 ] :: [ INFO    ] :: checking rule 'allow initrc_t glusterd_t : process { transition }'
FILTERED RULES
Found 3 semantic av rules:
   allow initrc_t glusterd_t : process { transition sigchld siginh } ; 
   allow unconfined_domain_type domain : process { fork sigchld sigkill sigstop signull signal ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setexec setfscreate noatsecure siginh setrlimit rlimitinh setcurrent setkeycreate setsockcreate } ; 
   allow initrc_t domain : process { sigchld sigkill sigstop signull signal getsession getattr } ; 
:: [   PASS   ] ::   check permission 'transition' is present (Assert: '0' should equal '0')
:: [ 18:47:08 ] :: [ INFO    ] :: checking rule 'allow glusterd_t glusterd_var_run_t : file { getattr open read write create unlink }'
FILTERED RULES
Found 4 semantic av rules:
   allow glusterd_t glusterd_var_run_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ; 
   allow glusterd_t non_security_file_type : file mounton ; 
DT allow glusterd_t non_security_file_type : file { ioctl read getattr lock open } ; [ gluster_export_all_ro ]
ET allow glusterd_t non_security_file_type : file { ioctl read write create getattr setattr lock append unlink link rename open } ; [ gluster_export_all_rw ]
:: [   PASS   ] ::   check permission 'getattr' is present (Assert: '0' should equal '0')
:: [   PASS   ] ::   check permission 'open' is present (Assert: '0' should equal '0')
:: [   PASS   ] ::   check permission 'read' is present (Assert: '0' should equal '0')
:: [   PASS   ] ::   check permission 'write' is present (Assert: '0' should equal '0')
:: [   PASS   ] ::   check permission 'create' is present (Assert: '0' should equal '0')
:: [   PASS   ] ::   check permission 'unlink' is present (Assert: '0' should equal '0')
:: [ 18:47:10 ] :: [ INFO    ] :: checking rule 'allow glusterd_t glusterd_log_t : file { getattr open read write create unlink append }'
FILTERED RULES
Found 5 semantic av rules:
   allow daemon logfile : file { ioctl getattr lock append open } ; 
   allow glusterd_t glusterd_log_t : file { ioctl create getattr setattr lock append open } ; 
   allow glusterd_t non_security_file_type : file mounton ; 
DT allow glusterd_t non_security_file_type : file { ioctl read getattr lock open } ; [ gluster_export_all_ro ]
ET allow glusterd_t non_security_file_type : file { ioctl read write create getattr setattr lock append unlink link rename open } ; [ gluster_export_all_rw ]
:: [   PASS   ] ::   check permission 'getattr' is present (Assert: '0' should equal '0')
:: [   PASS   ] ::   check permission 'open' is present (Assert: '0' should equal '0')
:: [   PASS   ] ::   check permission 'read' is present (Assert: '0' should equal '0')
:: [   PASS   ] ::   check permission 'write' is present (Assert: '0' should equal '0')
:: [   PASS   ] ::   check permission 'create' is present (Assert: '0' should equal '0')
:: [   PASS   ] ::   check permission 'unlink' is present (Assert: '0' should equal '0')
:: [   PASS   ] ::   check permission 'append' is present (Assert: '0' should equal '0')

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: bz#1052206
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

/usr/sbin/glusterfsd	system_u:object_r:glusterd_exec_t:s0
:: [   PASS   ] :: Result of matchpathcon /usr/sbin/glusterfsd should contain glusterd_exec_t (Assert: expected 0, got 0)
/var/lib	system_u:object_r:var_lib_t:s0
:: [   PASS   ] :: Result of matchpathcon /var/lib should contain var_lib_t (Assert: expected 0, got 0)
/var/lib/glusterd	system_u:object_r:glusterd_var_lib_t:s0
:: [   PASS   ] :: Result of matchpathcon /var/lib/glusterd should contain glusterd_var_lib_t (Assert: expected 0, got 0)
/var/run	system_u:object_r:var_run_t:s0
:: [   PASS   ] :: Result of matchpathcon /var/run should contain var_run_t (Assert: expected 0, got 0)
/var/run/glusterd.socket	system_u:object_r:glusterd_var_run_t:s0
:: [   PASS   ] :: Result of matchpathcon /var/run/glusterd.socket should contain glusterd_var_run_t (Assert: expected 0, got 0)
/var/run/glusterd.pid	system_u:object_r:glusterd_var_run_t:s0
:: [   PASS   ] :: Result of matchpathcon /var/run/glusterd.pid should contain glusterd_var_run_t (Assert: expected 0, got 0)
:: [ 18:47:22 ] :: [ INFO    ] :: checking rule 'type_transition glusterd_t var_lib_t : dir glusterd_var_lib_t'
FILTERED RULES
Found 1 semantic te rules:
   type_transition glusterd_t var_lib_t : dir glusterd_var_lib_t; 
:: [   PASS   ] ::   check permission 'glusterd_var_lib_t' is present (Assert: '0' should equal '0')
:: [ 18:47:23 ] :: [ INFO    ] :: checking rule 'type_transition glusterd_t var_run_t : file glusterd_var_run_t'
FILTERED RULES
Found 1 semantic te rules:
   type_transition glusterd_t var_run_t : file glusterd_var_run_t; 
:: [   PASS   ] ::   check permission 'glusterd_var_run_t' is present (Assert: '0' should equal '0')
:: [ 18:47:24 ] :: [ INFO    ] :: checking rule 'type_transition glusterd_t var_run_t : dir glusterd_var_run_t'
FILTERED RULES
Found 1 semantic te rules:
   type_transition glusterd_t var_run_t : dir glusterd_var_run_t; 
:: [   PASS   ] ::   check permission 'glusterd_var_run_t' is present (Assert: '0' should equal '0')
:: [ 18:47:25 ] :: [ INFO    ] :: checking rule 'type_transition glusterd_t var_run_t : sock_file glusterd_var_run_t'
FILTERED RULES
Found 1 semantic te rules:
   type_transition glusterd_t var_run_t : sock_file glusterd_var_run_t; 
:: [   PASS   ] ::   check permission 'glusterd_var_run_t' is present (Assert: '0' should equal '0')
:: [ 18:47:26 ] :: [ INFO    ] :: checking rule 'allow glusterd_t glusterd_var_lib_t : sock_file { getattr open read write create unlink }'
FILTERED RULES
Found 1 semantic av rules:
   allow glusterd_t glusterd_var_lib_t : sock_file { ioctl read write create getattr setattr lock append unlink link rename open } ; 
:: [   PASS   ] ::   check permission 'getattr' is present (Assert: '0' should equal '0')
:: [   PASS   ] ::   check permission 'open' is present (Assert: '0' should equal '0')
:: [   PASS   ] ::   check permission 'read' is present (Assert: '0' should equal '0')
:: [   PASS   ] ::   check permission 'write' is present (Assert: '0' should equal '0')
:: [   PASS   ] ::   check permission 'create' is present (Assert: '0' should equal '0')
:: [   PASS   ] ::   check permission 'unlink' is present (Assert: '0' should equal '0')
:: [ 18:47:28 ] :: [ INFO    ] :: checking rule 'allow glusterd_t glusterd_var_run_t : sock_file { getattr open read write create unlink }'
FILTERED RULES
Found 1 semantic av rules:
   allow glusterd_t glusterd_var_run_t : sock_file { ioctl read write create getattr setattr lock append unlink link rename open } ; 
:: [   PASS   ] ::   check permission 'getattr' is present (Assert: '0' should equal '0')
:: [   PASS   ] ::   check permission 'open' is present (Assert: '0' should equal '0')
:: [   PASS   ] ::   check permission 'read' is present (Assert: '0' should equal '0')
:: [   PASS   ] ::   check permission 'write' is present (Assert: '0' should equal '0')
:: [   PASS   ] ::   check permission 'create' is present (Assert: '0' should equal '0')
:: [   PASS   ] ::   check permission 'unlink' is present (Assert: '0' should equal '0')
:: [ 18:47:29 ] :: [ INFO    ] :: checking rule 'allow glusterd_t var_lib_t : dir { read write add_name remove_name getattr open search }'
FILTERED RULES
Found 8 semantic av rules:
   allow glusterd_t var_lib_t : dir { ioctl read write getattr lock add_name remove_name search open } ; 
   allow domain base_file_type : dir { getattr search open } ; 
   allow glusterd_t non_security_file_type : dir mounton ; 
   allow daemon var_lib_t : dir { getattr search open } ; 
DT allow glusterd_t non_security_file_type : dir { ioctl read getattr lock search open } ; [ gluster_export_all_ro ]
ET allow glusterd_t non_security_file_type : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open } ; [ gluster_export_all_rw ]
EF allow daemon var_lib_t : dir { getattr search open } ; [ daemons_enable_cluster_mode ]
DT allow daemon var_lib_t : dir { getattr search open } ; [ daemons_enable_cluster_mode ]
:: [   PASS   ] ::   check permission 'read' is present (Assert: '0' should equal '0')
:: [   PASS   ] ::   check permission 'write' is present (Assert: '0' should equal '0')
:: [   PASS   ] ::   check permission 'add_name' is present (Assert: '0' should equal '0')
:: [   PASS   ] ::   check permission 'remove_name' is present (Assert: '0' should equal '0')
:: [   PASS   ] ::   check permission 'getattr' is present (Assert: '0' should equal '0')
:: [   PASS   ] ::   check permission 'open' is present (Assert: '0' should equal '0')
:: [   PASS   ] ::   check permission 'search' is present (Assert: '0' should equal '0')
:: [ 18:47:31 ] :: [ INFO    ] :: checking rule 'allow glusterd_t var_run_t : dir { read write add_name remove_name getattr open search }'
FILTERED RULES
Found 12 semantic av rules:
   allow glusterd_t var_run_t : dir { ioctl read write getattr lock add_name remove_name search open } ; 
   allow domain base_file_type : dir { getattr search open } ; 
   allow domain var_run_t : dir { ioctl read getattr lock search open } ; 
   allow glusterd_t non_security_file_type : dir mounton ; 
   allow daemon var_run_t : dir { getattr search open } ; 
ET allow glusterd_t var_run_t : dir { getattr search open } ; [ allow_kerberos ]
DF allow glusterd_t var_run_t : dir { getattr search open } ; [ nscd_use_shm ]
ET allow glusterd_t var_run_t : dir { getattr search open } ; [ nscd_use_shm ]
DT allow glusterd_t non_security_file_type : dir { ioctl read getattr lock search open } ; [ gluster_export_all_ro ]
ET allow glusterd_t non_security_file_type : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open } ; [ gluster_export_all_rw ]
EF allow daemon var_run_t : dir { getattr search open } ; [ daemons_enable_cluster_mode ]
DT allow daemon var_run_t : dir { getattr search open } ; [ daemons_enable_cluster_mode ]
:: [   PASS   ] ::   check permission 'read' is present (Assert: '0' should equal '0')
:: [   PASS   ] ::   check permission 'write' is present (Assert: '0' should equal '0')
:: [   PASS   ] ::   check permission 'add_name' is present (Assert: '0' should equal '0')
:: [   PASS   ] ::   check permission 'remove_name' is present (Assert: '0' should equal '0')
:: [   PASS   ] ::   check permission 'getattr' is present (Assert: '0' should equal '0')
:: [   PASS   ] ::   check permission 'open' is present (Assert: '0' should equal '0')
:: [   PASS   ] ::   check permission 'search' is present (Assert: '0' should equal '0')
:: [ 18:47:33 ] :: [ INFO    ] :: checking rule 'allow glusterd_t glusterd_t : capability { fsetid kill }'
FILTERED RULES
Found 2 semantic av rules:
   allow glusterd_t glusterd_t : capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid net_bind_service net_admin sys_ptrace sys_admin sys_resource } ; 
DT allow glusterd_t glusterd_t : capability net_bind_service ; [ allow_ypbind ]
:: [   PASS   ] ::   check permission 'fsetid' is present (Assert: '0' should equal '0')
:: [   PASS   ] ::   check permission 'kill' is present (Assert: '0' should equal '0')
:: [ 18:47:35 ] :: [ INFO    ] :: checking rule 'allow glusterd_t rpcd_t : process { sigkill }'
FILTERED RULES
Found 1 semantic av rules:
   allow glusterd_t rpcd_t : process { transition sigkill } ; 
:: [   PASS   ] ::   check permission 'sigkill' is present (Assert: '0' should equal '0')
:: [ 18:47:36 ] :: [ INFO    ] :: checking rule 'allow glusterd_t ssh_exec_t : file { getattr open read execute_no_trans }'
FILTERED RULES
Found 4 semantic av rules:
   allow glusterd_t non_security_file_type : file mounton ; 
   allow glusterd_t ssh_exec_t : file { ioctl read getattr lock execute execute_no_trans open } ; 
DT allow glusterd_t non_security_file_type : file { ioctl read getattr lock open } ; [ gluster_export_all_ro ]
ET allow glusterd_t non_security_file_type : file { ioctl read write create getattr setattr lock append unlink link rename open } ; [ gluster_export_all_rw ]
:: [   PASS   ] ::   check permission 'getattr' is present (Assert: '0' should equal '0')
:: [   PASS   ] ::   check permission 'open' is present (Assert: '0' should equal '0')
:: [   PASS   ] ::   check permission 'read' is present (Assert: '0' should equal '0')
:: [   PASS   ] ::   check permission 'execute_no_trans' is present (Assert: '0' should equal '0')
:: [ 18:47:37 ] :: [ INFO    ] :: checking rule 'allow glusterd_t rsync_exec_t : file { getattr open read execute_no_trans }'
FILTERED RULES
Found 4 semantic av rules:
   allow glusterd_t rsync_exec_t : file { ioctl read getattr lock execute execute_no_trans open } ; 
   allow glusterd_t non_security_file_type : file mounton ; 
DT allow glusterd_t non_security_file_type : file { ioctl read getattr lock open } ; [ gluster_export_all_ro ]
ET allow glusterd_t non_security_file_type : file { ioctl read write create getattr setattr lock append unlink link rename open } ; [ gluster_export_all_rw ]
:: [   PASS   ] ::   check permission 'getattr' is present (Assert: '0' should equal '0')
:: [   PASS   ] ::   check permission 'open' is present (Assert: '0' should equal '0')
:: [   PASS   ] ::   check permission 'read' is present (Assert: '0' should equal '0')
:: [   PASS   ] ::   check permission 'execute_no_trans' is present (Assert: '0' should equal '0')
:: [ 18:47:39 ] :: [ INFO    ] :: checking rule 'allow glusterd_t ldconfig_exec_t : file { getattr open read execute_no_trans }'
FILTERED RULES
Found 4 semantic av rules:
   allow glusterd_t ldconfig_exec_t : file { ioctl read getattr lock execute execute_no_trans open } ; 
   allow glusterd_t non_security_file_type : file mounton ; 
DT allow glusterd_t non_security_file_type : file { ioctl read getattr lock open } ; [ gluster_export_all_ro ]
ET allow glusterd_t non_security_file_type : file { ioctl read write create getattr setattr lock append unlink link rename open } ; [ gluster_export_all_rw ]
:: [   PASS   ] ::   check permission 'getattr' is present (Assert: '0' should equal '0')
:: [   PASS   ] ::   check permission 'open' is present (Assert: '0' should equal '0')
:: [   PASS   ] ::   check permission 'read' is present (Assert: '0' should equal '0')
:: [   PASS   ] ::   check permission 'execute_no_trans' is present (Assert: '0' should equal '0')
:: [ 18:47:41 ] :: [ INFO    ] :: checking rule 'allow glusterd_t mount_exec_t : file { getattr open read execute }'
FILTERED RULES
Found 4 semantic av rules:
   allow glusterd_t non_security_file_type : file mounton ; 
   allow glusterd_t mount_exec_t : file { read getattr execute open } ; 
DT allow glusterd_t non_security_file_type : file { ioctl read getattr lock open } ; [ gluster_export_all_ro ]
ET allow glusterd_t non_security_file_type : file { ioctl read write create getattr setattr lock append unlink link rename open } ; [ gluster_export_all_rw ]
:: [   PASS   ] ::   check permission 'getattr' is present (Assert: '0' should equal '0')
:: [   PASS   ] ::   check permission 'open' is present (Assert: '0' should equal '0')
:: [   PASS   ] ::   check permission 'read' is present (Assert: '0' should equal '0')
:: [   PASS   ] ::   check permission 'execute' is present (Assert: '0' should equal '0')
:: [ 18:47:42 ] :: [ INFO    ] :: checking rule 'type_transition glusterd_t mount_exec_t : process mount_t'
FILTERED RULES
Found 1 semantic te rules:
   type_transition glusterd_t mount_exec_t : process mount_t; 
:: [   PASS   ] ::   check permission 'mount_t' is present (Assert: '0' should equal '0')
:: [ 18:47:43 ] :: [ INFO    ] :: checking rule 'allow glusterd_t mount_t : process { transition }'
FILTERED RULES
Found 1 semantic av rules:
   allow glusterd_t mount_t : process { transition sigchld } ; 
:: [   PASS   ] ::   check permission 'transition' is present (Assert: '0' should equal '0')
:: [ 18:47:44 ] :: [ INFO    ] :: checking rule 'allow glusterd_t glusterd_tmp_t : dir { mounton }'
FILTERED RULES
Found 4 semantic av rules:
   allow glusterd_t non_security_file_type : dir mounton ; 
   allow glusterd_t glusterd_tmp_t : dir { ioctl read write create getattr setattr lock unlink link rename mounton add_name remove_name reparent search rmdir open } ; 
DT allow glusterd_t non_security_file_type : dir { ioctl read getattr lock search open } ; [ gluster_export_all_ro ]
ET allow glusterd_t non_security_file_type : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open } ; [ gluster_export_all_rw ]
:: [   PASS   ] ::   check permission 'mounton' is present (Assert: '0' should equal '0')
:: [ 18:47:46 ] :: [ INFO    ] :: checking rule 'type_transition glusterd_t tmp_t : file glusterd_tmp_t'
FILTERED RULES
Found 1 semantic te rules:
   type_transition glusterd_t tmp_t : file glusterd_tmp_t; 
:: [   PASS   ] ::   check permission 'glusterd_tmp_t' is present (Assert: '0' should equal '0')
:: [ 18:47:47 ] :: [ INFO    ] :: checking rule 'type_transition glusterd_t tmp_t : dir glusterd_tmp_t'
FILTERED RULES
Found 1 semantic te rules:
   type_transition glusterd_t tmp_t : dir glusterd_tmp_t; 
:: [   PASS   ] ::   check permission 'glusterd_tmp_t' is present (Assert: '0' should equal '0')
:: [ 18:47:48 ] :: [ INFO    ] :: checking rule 'type_transition glusterd_t tmp_t : sock_file glusterd_tmp_t'
FILTERED RULES
Found 1 semantic te rules:
   type_transition glusterd_t tmp_t : sock_file glusterd_tmp_t; 
:: [   PASS   ] ::   check permission 'glusterd_tmp_t' is present (Assert: '0' should equal '0')
:: [ 18:47:49 ] :: [ INFO    ] :: checking rule 'allow glusterd_t tmp_t : dir { read write add_name remove_name getattr open search }'
FILTERED RULES
Found 7 semantic av rules:
   allow domain tmp_t : dir { getattr search open } ; 
   allow daemon tmp_t : dir { getattr search open } ; 
   allow domain base_file_type : dir { getattr search open } ; 
   allow glusterd_t tmp_t : dir { ioctl read write getattr lock add_name remove_name search open } ; 
   allow glusterd_t non_security_file_type : dir mounton ; 
DT allow glusterd_t non_security_file_type : dir { ioctl read getattr lock search open } ; [ gluster_export_all_ro ]
ET allow glusterd_t non_security_file_type : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open } ; [ gluster_export_all_rw ]
:: [   PASS   ] ::   check permission 'read' is present (Assert: '0' should equal '0')
:: [   PASS   ] ::   check permission 'write' is present (Assert: '0' should equal '0')
:: [   PASS   ] ::   check permission 'add_name' is present (Assert: '0' should equal '0')
:: [   PASS   ] ::   check permission 'remove_name' is present (Assert: '0' should equal '0')
:: [   PASS   ] ::   check permission 'getattr' is present (Assert: '0' should equal '0')
:: [   PASS   ] ::   check permission 'open' is present (Assert: '0' should equal '0')
:: [   PASS   ] ::   check permission 'search' is present (Assert: '0' should equal '0')

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: bz#1162125
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

/var/run	system_u:object_r:var_run_t:s0
:: [   PASS   ] :: Result of matchpathcon /var/run should contain var_run_t (Assert: expected 0, got 0)
/var/run/gluster	system_u:object_r:glusterd_var_run_t:s0
:: [   PASS   ] :: Result of matchpathcon /var/run/gluster should contain glusterd_var_run_t (Assert: expected 0, got 0)
/var/run/gluster/snaps	system_u:object_r:glusterd_var_run_t:s0
:: [   PASS   ] :: Result of matchpathcon /var/run/gluster/snaps should contain glusterd_var_run_t (Assert: expected 0, got 0)
/var/run/glusterd.socket	system_u:object_r:glusterd_var_run_t:s0
:: [   PASS   ] :: Result of matchpathcon /var/run/glusterd.socket should contain glusterd_var_run_t (Assert: expected 0, got 0)
:: [ 18:47:57 ] :: [ INFO    ] :: checking rule 'type_transition glusterd_t var_run_t : sock_file glusterd_var_run_t'
FILTERED RULES
Found 1 semantic te rules:
   type_transition glusterd_t var_run_t : sock_file glusterd_var_run_t; 
:: [   PASS   ] ::   check permission 'glusterd_var_run_t' is present (Assert: '0' should equal '0')
:: [ 18:47:58 ] :: [ INFO    ] :: checking rule 'allow glusterd_t glusterd_var_run_t : sock_file { create write }'
FILTERED RULES
Found 1 semantic av rules:
   allow glusterd_t glusterd_var_run_t : sock_file { ioctl read write create getattr setattr lock append unlink link rename open } ; 
:: [   PASS   ] ::   check permission 'create' is present (Assert: '0' should equal '0')
:: [   PASS   ] ::   check permission 'write' is present (Assert: '0' should equal '0')

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: bz#1222845
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

/var/run/dbus/system_bus_socket	system_u:object_r:system_dbusd_var_run_t:s0
:: [   PASS   ] :: Result of matchpathcon /var/run/dbus/system_bus_socket should contain system_dbusd_var_run_t (Assert: expected 0, got 0)
:: [ 18:48:02 ] :: [ INFO    ] :: checking rule 'allow glusterd_t system_dbusd_t : dbus { send_msg }'
FILTERED RULES
Found 1 semantic av rules:
   allow glusterd_t system_dbusd_t : dbus send_msg ; 
:: [   PASS   ] ::   check permission 'send_msg' is present (Assert: '0' should equal '0')
:: [ 18:48:03 ] :: [ INFO    ] :: checking rule 'allow glusterd_t system_dbusd_t : unix_stream_socket { connectto }'
FILTERED RULES
Found 1 semantic av rules:
   allow glusterd_t system_dbusd_t : unix_stream_socket connectto ; 
:: [   PASS   ] ::   check permission 'connectto' is present (Assert: '0' should equal '0')
:: [ 18:48:04 ] :: [ INFO    ] :: checking rule 'allow glusterd_t system_dbusd_var_run_t : sock_file { write }'
FILTERED RULES
Found 1 semantic av rules:
   allow glusterd_t system_dbusd_var_run_t : sock_file { write getattr append open } ; 
:: [   PASS   ] ::   check permission 'write' is present (Assert: '0' should equal '0')

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: real scenario -- standalone service
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [  BEGIN   ] :: Running 'echo redhat | passwd --stdin root'
Changing password for user root.
passwd: all authentication tokens updated successfully.
:: [   PASS   ] :: Command 'echo redhat | passwd --stdin root' (Expected 0, got 0)
glusterd_t is defined
:: [  BEGIN   ] :: Running 'service glusterd start'
Starting glusterd:                                         [  OK  ]
:: [   PASS   ] :: Command 'service glusterd start' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'ps -efZ | grep -v " grep " | grep -E "glusterd"'
unconfined_u:system_r:glusterd_t:s0 root 24665     1  0 18:48 ?        00:00:00 /usr/sbin/glusterd --pid-file=/var/run/glusterd.pid
:: [   PASS   ] :: Command 'ps -efZ | grep -v " grep " | grep -E "glusterd"' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'ps -efZ | grep -v " grep " | grep -E "glusterd_t.*glusterd"'
unconfined_u:system_r:glusterd_t:s0 root 24665     1  0 18:48 ?        00:00:00 /usr/sbin/glusterd --pid-file=/var/run/glusterd.pid
:: [   PASS   ] :: Command 'ps -efZ | grep -v " grep " | grep -E "glusterd_t.*glusterd"' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'service glusterd status'
glusterd (pid  24665) is running...
:: [   PASS   ] :: Command 'service glusterd status' (Expected 0,1,3, got 0)
:: [  BEGIN   ] :: Running 'service glusterd restart'
Starting glusterd:                                         [  OK  ]
:: [   PASS   ] :: Command 'service glusterd restart' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'ps -efZ | grep -v " grep " | grep -E "glusterd"'
unconfined_u:system_r:glusterd_t:s0 root 25440     1  0 18:48 ?        00:00:00 /usr/sbin/glusterd --pid-file=/var/run/glusterd.pid
:: [   PASS   ] :: Command 'ps -efZ | grep -v " grep " | grep -E "glusterd"' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'ps -efZ | grep -v " grep " | grep -E "glusterd_t.*glusterd"'
unconfined_u:system_r:glusterd_t:s0 root 25440     1  0 18:48 ?        00:00:00 /usr/sbin/glusterd --pid-file=/var/run/glusterd.pid
:: [   PASS   ] :: Command 'ps -efZ | grep -v " grep " | grep -E "glusterd_t.*glusterd"' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'service glusterd status'
glusterd (pid  25440) is running...
:: [   PASS   ] :: Command 'service glusterd status' (Expected 0,1,3, got 0)
:: [  BEGIN   ] :: Running 'service glusterd stop'
:: [   PASS   ] :: Command 'service glusterd stop' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'service glusterd status'
glusterd is stopped
:: [   PASS   ] :: Command 'service glusterd status' (Expected 0,1,3, got 3)

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: Cleanup
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [ 18:48:43 ] :: Search for AVCs and SELINUX_ERRs since timestamp 'TIMESTAMP' [05/26/2015 18:46:52]
:: [  BEGIN   ] :: Running 'LC_TIME='en_US.UTF-8' ausearch -m AVC -m SELINUX_ERR -ts 05/26/2015 18:46:52 2>&1 | grep -v '<no matches>''
:: [   PASS   ] :: Command 'LC_TIME='en_US.UTF-8' ausearch -m AVC -m SELINUX_ERR -ts 05/26/2015 18:46:52 2>&1 | grep -v '<no matches>'' (Expected 1, got 1)
glusterd is stopped

--- Additional comment from Soumya Koduri on 2015-06-02 01:12:00 EDT ---

I have tested it on RHEL6.7 system (which has this fix).

[root@cutlass system.d]# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 6.7 Beta (Santiago)
[root@cutlass system.d]# 
[root@cutlass system.d]# uname -a
Linux cutlass.lab.eng.blr.redhat.com 2.6.32-562.el6.x86_64 #1 SMP Mon May 18 19:34:59 EDT 2015 x86_64 x86_64 x86_64 GNU/Linux
[root@cutlass system.d]# 


[root@cutlass system.d]# service messagebus restart
Stopping system message bus:                               [  OK  ]
Starting system message bus:                               [  OK  ]
[root@cutlass system.d]# 
[root@cutlass system.d]# 
[root@cutlass system.d]# service nfs-ganesha start
Starting ganesha.nfsd:                                     [  OK  ]
[root@cutlass system.d]# showmount -e localhost
Export list for localhost:
/ (everyone)
[root@cutlass system.d]# 
[root@cutlass system.d]# 
[root@cutlass system.d]# dbus-send --print-reply --system --dest=org.ganesha.nfsd /org/ganesha/nfsd/ExportMgr org.ganesha.nfsd.exportmgr.AddExport string:/etc/ganesha/export_vol1.conf string:"EXPORT(Path=/vol1)"
method return sender=:1.1 -> dest=:1.2 reply_serial=2
   string "1 exports added"
[root@cutlass system.d]# 
[root@cutlass system.d]# 
[root@cutlass system.d]# 
[root@cutlass system.d]# showmount -e localhost
Export list for localhost:
/     (everyone)
/vol1 (everyone)
[root@cutlass system.d]# 
[root@cutlass system.d]# 
[root@cutlass system.d]# 
[root@cutlass system.d]# dbus-send --print-reply --system --dest=org.ganesha.nfsd /org/ganesha/nfsd/ExportMgr org.ganesha.nfsd.exportmgr.RemoveExport uint16:1
method return sender=:1.1 -> dest=:1.4 reply_serial=2
[root@cutlass system.d]# showmount -e localhost
Export list for localhost:
/ (everyone)
[root@cutlass system.d]# 
[root@cutlass system.d]# 

Dynamic volume export/unexport which uses 'dbus' worked now. 
We need this fix to be merged to RHEL6.6 and RHEL7 versions.

--- Additional comment from Soumya Koduri on 2015-06-02 01:28:49 EDT ---

[root@cutlass ~]# getenforce
Enforcing
[root@cutlass ~]# 
[root@cutlass ~]# 
[root@cutlass ~]# ausearch -m avc -m user_avc -m selinux_err -i -ts recent
<no matches>
[root@cutlass ~]#

--- Additional comment from Milos Malik on 2015-06-02 05:28:21 EDT ---

Thanks for re-testing. Switching to VERIFIED.

--- Additional comment from Soumya Koduri on 2015-06-02 05:30:15 EDT ---

Do we need to wait till this fix gets backported to RHEL6.6 / RHEL7 before marking it as Verified?

--- Additional comment from Milos Malik on 2015-06-02 05:45:33 EDT ---

There's no need to wait. For backporting purposes this bug needs to be proposed for RHEL-6.6.z and RHEL-7.1.z.

Comment 8 errata-xmlrpc 2015-11-19 10:39:58 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2300.html
