Bug 1243931 - [SELinux]: geo-rep: Mount-Broker: umount of aux mount at slave is denied
Summary: [SELinux]: geo-rep: Mount-Broker: umount of aux mount at slave is denied
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Gluster Storage
Classification: Red Hat Storage
Component: geo-replication
Version: rhgs-3.1
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: ---
Target Release: RHGS 3.1.1
Assignee: Bug Updates Notification Mailing List
QA Contact: Rahul Hinduja
URL:
Whiteboard:
Depends On:
Blocks: 1245068 1251815 1257883
Reported: 2015-07-16 15:37 UTC by Rahul Hinduja
Modified: 2015-08-31 12:56 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Clones: 1257883
Environment:
Last Closed: 2015-08-28 10:18:44 UTC
Embargoed:



Description Rahul Hinduja 2015-07-16 15:37:46 UTC
Description of problem:
=======================

After creating the geo-rep session with a non-root user, I tried setting some config options, which triggered the umount of the aux mount at the slave, which is denied.


[root@georep5 scripts]# grep -i "AVC" /var/log/audit/audit.log | grep -v "S31ganesha-star" 
type=AVC msg=audit(1437057872.077:6982): avc:  denied  { read } for  pid=13159 comm="umount" name="mntKsg0rx" dev=dm-0 ino=133903 scontext=unconfined_u:system_r:mount_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=lnk_file
[root@georep5 scripts]# 


[root@georep5 scripts]# ausearch -m avc -i -c umount

----
type=PATH msg=audit(07/16/2015 20:14:32.077:6982) : item=0 name=/var/mountbroker-root/mb_hive/mntKsg0rx inode=133903 dev=fd:00 mode=link,777 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:var_t:s0 nametype=NORMAL 
type=CWD msg=audit(07/16/2015 20:14:32.077:6982) :  cwd=/ 
type=SYSCALL msg=audit(07/16/2015 20:14:32.077:6982) : arch=x86_64 syscall=readlink success=no exit=-13(Permission denied) a0=0x7ffe8b0ec410 a1=0x7ffe8b0eb3c0 a2=0x1000 a3=0x7ffe8b0eb110 items=1 ppid=12754 pid=13159 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=572 comm=umount exe=/bin/umount subj=unconfined_u:system_r:mount_t:s0 key=(null) 
type=AVC msg=audit(07/16/2015 20:14:32.077:6982) : avc:  denied  { read } for  pid=13159 comm=umount name=mntKsg0rx dev=dm-0 ino=133903 scontext=unconfined_u:system_r:mount_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=lnk_file 
[root@georep5 scripts]# 


[root@georep5 scripts]# cat /var/log/audit/audit.log |audit2allow


#============= glusterd_t ==============
allow glusterd_t showmount_exec_t:file execute;

#============= mount_t ==============
allow mount_t var_t:lnk_file read;
[root@georep5 scripts]# 

[root@georep1 scripts]# rpm -qa | grep selinux-policy
selinux-policy-targeted-3.7.19-279.el6.noarch
selinux-policy-3.7.19-279.el6.noarch
[root@georep1 scripts]#
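As an added illustration (this is not part of the bug report and not glusterd or SELinux tooling), the following Python script does over the AVC records above what audit2allow does in the session: it parses denials in both the raw audit.log form and the `ausearch -i` interpreted form, groups them by source type, target type and object class, unions the permissions, and prints allow rules in the same shape as the audit2allow output. It also flags rules whose target type is a generic default label such as var_t, which is the situation this bug turned out to be (the mountbroker root had defaulted to var_t and the fix was a file-context rule plus restorecon, not an allow rule). The sample input is constructed: the two AVC lines from the report, plus one constructed record for the glusterd_t/showmount_exec_t denial that audit2allow reported alongside them. GENERIC_TARGET_TYPES is an assumed heuristic list, not something the page or the SELinux tools define.

```python
import re
from collections import defaultdict

# Constructed sample input (not the reporter's full audit.log): the raw audit.log AVC
# record and the `ausearch -i` interpreted form of the same event from the report, plus
# one constructed record for the glusterd_t -> showmount_exec_t denial that audit2allow
# printed next to it.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1437057872.077:6982): avc:  denied  { read } for  pid=13159 comm="umount" name="mntKsg0rx" dev=dm-0 ino=133903 scontext=unconfined_u:system_r:mount_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=lnk_file
type=AVC msg=audit(07/16/2015 20:14:32.077:6982) : avc:  denied  { read } for  pid=13159 comm=umount name=mntKsg0rx dev=dm-0 ino=133903 scontext=unconfined_u:system_r:mount_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=lnk_file
type=AVC msg=audit(1437057900.000:7001): avc:  denied  { execute } for  pid=13200 comm="glusterd" name="showmount" dev=dm-0 ino=2001 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:showmount_exec_t:s0 tclass=file
"""

# The denial header; the key=value fields after "for" are parsed separately so that both
# quoted (raw) and unquoted (ausearch -i) values are accepted.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumed heuristic: a target carrying one of these generic default labels usually means
# the file is mislabeled (as /var/mountbroker-root was, inheriting var_t), so the right
# fix is a file-context rule and restorecon rather than a new allow rule.
GENERIC_TARGET_TYPES = {"var_t", "default_t", "unlabeled_t", "usr_t", "etc_t"}


def selinux_type(context):
    """Return the type (third component) of a user:role:type:level context string."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def parse_avc(line):
    """Parse one AVC denial (raw audit.log or `ausearch -i` form); None if not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
    if not all(k in fields for k in ("scontext", "tcontext", "tclass")):
        return None
    return {
        "perms": set(m.group("perms").split()),
        "comm": fields.get("comm", "?"),
        "name": fields.get("name", "?"),
        "stype": selinux_type(fields["scontext"]),
        "ttype": selinux_type(fields["tcontext"]),
        "tclass": fields["tclass"],
    }


def collect_rules(lines):
    """Group denials by (source type, target type, class) and union their permissions,
    which is the grouping audit2allow applies before printing allow rules. The raw and
    interpreted records of the same event collapse into a single rule."""
    rules = defaultdict(set)
    for line in lines:
        avc = parse_avc(line)
        if avc:
            rules[(avc["stype"], avc["ttype"], avc["tclass"])] |= avc["perms"]
    return rules


def render_rules(rules):
    """Render rules in audit2allow's output form, e.g. 'allow mount_t var_t:lnk_file read;'."""
    out = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        p = sorted(perms)
        perm_text = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        out.append(f"allow {stype} {ttype}:{tclass} {perm_text};")
    return out


def relabel_candidates(rules):
    """Rules whose target type is a generic default label: check the file's label
    (restorecon -nv, matchpathcon) before writing a policy module for them."""
    return [key for key in sorted(rules) if key[1] in GENERIC_TARGET_TYPES]


if __name__ == "__main__":
    rules = collect_rules(SAMPLE_AUDIT_LOG.splitlines())
    for rule in render_rules(rules):
        print(rule)
    for stype, ttype, tclass in relabel_candidates(rules):
        print(f"# {stype} -> {ttype}:{tclass}: target label is a generic default; "
              "review the file context before allowing")
```

Run against the sample it prints the same two rules the session above shows and marks the mount_t -> var_t one as a relabeling candidate; pointing it at a real audit.log is a matter of reading the file instead of SAMPLE_AUDIT_LOG.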

Comment 5 Miroslav Grepl 2015-08-19 08:00:13 UTC
Ok we don't have

#============= mount_t ==============

#!!!! This avc is allowed in the current policy
allow mount_t mnt_t:lnk_file read;


in RHEL6. So try with

$cat mypol.te
policy_module(mypol,1.0)
require{
 type mount_t;
 type mnt_t;
}

allow mount_t mnt_t:lnk_file read;

Comment 6 Milos Malik 2015-08-19 09:09:16 UTC
Could you try the following workaround without loading the policy module mentioned in comment#5?

# chcon -R -t home_root_t /var/mountbroker-root
# sesearch -s mount_t -t home_root_t -c lnk_file -p read -A -C
Found 1 semantic av rules:
   allow mount_t home_root_t : lnk_file { read getattr } ; 

#

Comment 8 Rahul Hinduja 2015-08-28 07:16:56 UTC
(In reply to Milos Malik from comment #6)
> Could you try the following workaround without loading the policy module
> mentioned in comment#5?
> 
> # chcon -R -t home_root_t /var/mountbroker-root
> # sesearch -s mount_t -t home_root_t -c lnk_file -p read -A -C
> Found 1 semantic av rules:
>    allow mount_t home_root_t : lnk_file { read getattr } ; 
> 
> #

[root@georep7 ~]# rpm -qa | grep selinux-policy 
selinux-policy-targeted-3.7.19-279.el6.noarch
selinux-policy-3.7.19-279.el6.noarch
[root@georep7 ~]# sesearch -s mount_t -t home_root_t -c lnk_file -p read -A -C
Found 1 semantic av rules:
   allow mount_t home_root_t : lnk_file { read getattr } ; 

[root@georep7 ~]# 
[root@georep7 ~]# ls -dZ /var/mountbroker-root
drwx--x--x. root root unconfined_u:object_r:home_root_t:s0 /var/mountbroker-root
[root@georep7 ~]# 
[root@georep7 ~]# ls -Z /var/mountbroker-root
drwx--x--x. root       root unconfined_u:object_r:home_root_t:s0 mb_hive
drwx------. geoaccount root unconfined_u:object_r:home_root_t:s0 user500
[root@georep7 ~]# 

I do not see avc denial after changing the context to home_root as:

[root@georep7 ~]# cat /var/log/audit/audit.log|audit2allow

#============= glusterd_t ==============
allow glusterd_t showmount_exec_t:file execute;
[root@georep7 ~]# grep -i "avc" /var/log/audit/audit.log | grep -v "showmount"
[root@georep7 ~]# 

Since in the admin guide we ask the user to create the directory ("/var/mountbroker-root" is just an example) with permission 0711, we can have an additional step to change the context to home_root.

This bug would be more of a doc bug.

Comment 9 Rahul Hinduja 2015-08-28 09:05:58 UTC
Thanks to Milos for providing the solution. chcon is a temporary solution, since restorecon can revert the context. The following 2 steps would be needed in the document after asking the user to create the directory with 0711 permission:
1. semanage fcontext -a -e /home /var/mountbroker-root
2. restorecon -Rv /var/mountbroker-root

