Bug 1262225 - [SELinux]: [BACKUP]: Observed avc's during glusterfind cli
Status: NEW
Product: Red Hat Gluster Storage
Classification: Red Hat
Component: glusterfind
Version: 3.1
Hardware: x86_64 Linux
Priority: unspecified
Severity: medium
Assigned To: Aravinda VK
Sweta Anandpara
ZStream
Reported: 2015-09-11 04:23 EDT by Rahul Hinduja
Modified: 2017-12-29 13:26 EST
Doc Type: Bug Fix
Type: Bug

Attachments: None
Description Rahul Hinduja 2015-09-11 04:23:13 EDT
Description of problem:
=======================

glusterfind pre command returns success but audit.log shows following avc.

[root@georep1 ~]# grep -i "avc" /var/log/audit/audit.log  | grep -v "systemd"
[root@georep1 ~]# 

[root@georep1 ~]# glusterfind pre session1 master temp.txt
Generated output file /root/temp.txt
[root@georep1 ~]# grep -i "avc" /var/log/audit/audit.log  | grep -v "systemd"
type=AVC msg=audit(1441957154.844:141923): avc:  denied  { write } for  pid=26986 comm="glusterfsd" name=".a5f63c1a7a1b82af86f6cf072a3f7bc21315.sock" dev="tmpfs" ino=10960666 scontext=system_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1441957154.861:141924): avc:  denied  { write } for  pid=26950 comm="glusterfsd" name=".4b7a065288ce3187adad4d6439fb4f751352.sock" dev="tmpfs" ino=10961478 scontext=system_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1441957154.867:141925): avc:  denied  { write } for  pid=26968 comm="glusterfsd" name=".293a9e42d026c10ea18f67fc0a437cd81361.sock" dev="tmpfs" ino=10963157 scontext=system_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file
[root@georep1 ~]#

[root@georep1 ~]# cat /var/log/audit/audit.log | audit2allow


#============= glusterd_t ==============
allow glusterd_t var_run_t:sock_file write;
[root@georep1 ~]# 

[root@georep1 ~]# glusterfind pre session1 master temp1.txt --regenerate-outfile
Generated output file /root/temp1.txt
[root@georep1 ~]# grep -i "avc" /var/log/audit/audit.log  | grep -v "systemd"
type=AVC msg=audit(1441957154.844:141923): avc:  denied  { write } for  pid=26986 comm="glusterfsd" name=".a5f63c1a7a1b82af86f6cf072a3f7bc21315.sock" dev="tmpfs" ino=10960666 scontext=system_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1441957154.861:141924): avc:  denied  { write } for  pid=26950 comm="glusterfsd" name=".4b7a065288ce3187adad4d6439fb4f751352.sock" dev="tmpfs" ino=10961478 scontext=system_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1441957154.867:141925): avc:  denied  { write } for  pid=26968 comm="glusterfsd" name=".293a9e42d026c10ea18f67fc0a437cd81361.sock" dev="tmpfs" ino=10963157 scontext=system_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1441957287.695:142038): avc:  denied  { write } for  pid=26950 comm="glusterfsd" name=".4b7a065288ce3187adad4d6439fb4f751895.sock" dev="tmpfs" ino=10964236 scontext=system_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1441957287.704:142039): avc:  denied  { write } for  pid=26968 comm="glusterfsd" name=".293a9e42d026c10ea18f67fc0a437cd81901.sock" dev="tmpfs" ino=10963663 scontext=system_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1441957287.706:142040): avc:  denied  { write } for  pid=26986 comm="glusterfsd" name=".a5f63c1a7a1b82af86f6cf072a3f7bc21908.sock" dev="tmpfs" ino=10965197 scontext=system_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file
[root@georep1 ~]# cat temp1.txt 
NEW file.1 
NEW file.9 
NEW file.2 
NEW file.3 
NEW file.4 
NEW file.5 
NEW file.10 
NEW file.6 
NEW file.7 
NEW file.8 
[root@georep1 ~]# 


[root@georep1 ~]# rpm -qa | grep selinux-policy 
selinux-policy-3.13.1-23.el7_1.17.noarch
selinux-policy-targeted-3.13.1-23.el7_1.17.noarch
[root@georep1 ~]# 


Version-Release number of selected component (if applicable):
=============================================================

glusterfs-cli-3.7.1-14.el7rhgs.x86_64

How reproducible:
=================

Always
Comment 2 Milos Malik 2015-09-11 04:35:43 EDT
Where are these .sock files located? I believe they should be labeled glusterd_var_run_t instead of var_run_t.
Comment 3 Rahul Hinduja 2015-09-23 03:39:48 EDT
(In reply to Milos Malik from comment #2)
> Where are these .sock files located? I believe they should be labeled
> glusterd_var_run_t instead of var_run_t.

I updated the selinux-policy to selinux-policy-3.13.1-23.el7_1.18.noarch and ran the same test of glusterfind pre. The AVCs are now a bit different and are as follows:

[root@georep1 scripts]# grep -i "avc" /var/log/audit/audit.log | grep -v systemd
type=AVC msg=audit(1442993617.430:61895): avc:  denied  { connectto } for  pid=24301 comm="glusterfsd" path="/run/gluster/.c19b89ac45352ab8c894d210d136dd5624889.sock" scontext=system_u:system_r:glusterd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=AVC msg=audit(1442993617.453:61896): avc:  denied  { connectto } for  pid=24319 comm="glusterfsd" path="/run/gluster/.1c53557c54e8d43b89fcc316baed04a924896.sock" scontext=system_u:system_r:glusterd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=AVC msg=audit(1442993617.458:61897): avc:  denied  { connectto } for  pid=24337 comm="glusterfsd" path="/run/gluster/.7276cecc9d436837c6dcbfda8f8e2d3b24909.sock" scontext=system_u:system_r:glusterd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket

[root@georep1 scripts]# cat /var/log/audit/audit.log|audit2allow 


#============= glusterd_t ==============
allow glusterd_t unconfined_t:unix_stream_socket connectto;
[root@georep1 scripts]# 

Checked the labels of the socket file in question and they are correctly labeled as glusterd_var_run_t:

[root@georep1 scripts]# ls -lZ /run/gluster/.7276cecc9d436837c6dcbfda8f8e2d3b24909.sock
srwxr-xr-x. root root unconfined_u:object_r:glusterd_var_run_t:s0 /run/gluster/.7276cecc9d436837c6dcbfda8f8e2d3b24909.sock
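The two rounds of denials above differ in kind: the first (description) is a write on a sock_file whose tcontext is the generic var_run_t, which comment #2 attributes to mislabeling; the second (this comment) is a connectto against an unconfined_t process socket on a file that is already labeled correctly, so no relabel will clear it. The following script is an added illustration, not code from the bug report or from the GlusterFS project. It parses type=AVC records of both shapes, rebuilds the allow rule that audit2allow printed for each, and separates the relabel case from the policy case. The sample input copies two records from the report; the USER_AVC noise line, the FILE_CLASSES set and the "var_run_t is a generic label" rule are assumptions made for the example.

```python
"""Parse SELinux AVC records and explain the glusterd_t denials seen in this bug.

Added example, not part of the bug report or of the GlusterFS project.
"""
import re
from dataclasses import dataclass

# Constructed input: two records copied from the report plus one USER_AVC
# line (made up here) of the kind the reporter filtered out with grep -v.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1441957154.844:141923): avc:  denied  { write } for  pid=26986 comm="glusterfsd" name=".a5f63c1a7a1b82af86f6cf072a3f7bc21315.sock" dev="tmpfs" ino=10960666 scontext=system_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file
type=USER_AVC msg=audit(1441957160.000:141930): pid=1 uid=0 subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=2)  exe="/usr/lib/systemd/systemd"'
type=AVC msg=audit(1442993617.430:61895): avc:  denied  { connectto } for  pid=24301 comm="glusterfsd" path="/run/gluster/.c19b89ac45352ab8c894d210d136dd5624889.sock" scontext=system_u:system_r:glusterd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
"""

AVC_RE = re.compile(
    r"^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumption: object classes whose label lives on a filesystem object, so a
# wrong tcontext can be fixed by relabeling rather than by new policy.
FILE_CLASSES = {"file", "dir", "sock_file", "lnk_file", "fifo_file", "chr_file", "blk_file"}
# Assumption: a generic runtime label a glusterd socket should not carry
# (comment #2 expects glusterd_var_run_t under /run/gluster).
GENERIC_RUNTIME_TYPES = {"var_run_t"}


@dataclass
class AvcRecord:
    timestamp: float
    serial: int
    result: str      # "denied" or "granted"
    perms: tuple     # permissions listed inside the { } braces
    attrs: dict      # pid, comm, name/path, scontext, tcontext, tclass, ...


def parse_avc(line):
    """Return an AvcRecord for a type=AVC line, or None for any other record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    attrs = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return AvcRecord(float(m.group("ts")), int(m.group("serial")),
                     m.group("result"), tuple(m.group("perms").split()), attrs)


def context_type(ctx):
    """Type component (third field) of a context such as user:role:type:level."""
    return ctx.split(":")[2]


def allow_rule(rec):
    """The allow rule audit2allow prints for this record."""
    perms = rec.perms[0] if len(rec.perms) == 1 else "{ " + " ".join(rec.perms) + " }"
    return (f"allow {context_type(rec.attrs['scontext'])} "
            f"{context_type(rec.attrs['tcontext'])}:{rec.attrs['tclass']} {perms};")


def classify(rec):
    """'relabel' when the target is a generically labeled file object,
    'policy' when the target is something a relabel cannot change."""
    if (rec.attrs["tclass"] in FILE_CLASSES
            and context_type(rec.attrs["tcontext"]) in GENERIC_RUNTIME_TYPES):
        return "relabel"
    return "policy"


def summarize(log_text):
    """Parse a log; return (records, sorted unique allow rules for the denials)."""
    records = [r for r in map(parse_avc, log_text.splitlines()) if r is not None]
    rules = sorted({allow_rule(r) for r in records if r.result == "denied"})
    return records, rules


if __name__ == "__main__":
    recs, rules = summarize(SAMPLE_AUDIT_LOG)
    for r in recs:
        target = r.attrs.get("path") or r.attrs.get("name")
        print(f"{r.serial}: {r.attrs['comm']} {' '.join(r.perms)} "
              f"{r.attrs['tclass']} {target} -> {classify(r)}")
    print("\n".join(rules))
```

Run against the constructed log, the script reproduces the two rules audit2allow printed in the report and tags the sock_file denial as a relabel candidate and the connectto denial as one that needs a policy change; the USER_AVC line is skipped by the parser rather than by a grep filter.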
