Description of problem: ======================= The glusterfind pre command returns success, but audit.log shows the following AVC denials. [root@georep1 ~]# grep -i "avc" /var/log/audit/audit.log | grep -v "systemd" [root@georep1 ~]# [root@georep1 ~]# glusterfind pre session1 master temp.txt Generated output file /root/temp.txt [root@georep1 ~]# grep -i "avc" /var/log/audit/audit.log | grep -v "systemd" type=AVC msg=audit(1441957154.844:141923): avc: denied { write } for pid=26986 comm="glusterfsd" name=".a5f63c1a7a1b82af86f6cf072a3f7bc21315.sock" dev="tmpfs" ino=10960666 scontext=system_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file type=AVC msg=audit(1441957154.861:141924): avc: denied { write } for pid=26950 comm="glusterfsd" name=".4b7a065288ce3187adad4d6439fb4f751352.sock" dev="tmpfs" ino=10961478 scontext=system_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file type=AVC msg=audit(1441957154.867:141925): avc: denied { write } for pid=26968 comm="glusterfsd" name=".293a9e42d026c10ea18f67fc0a437cd81361.sock" dev="tmpfs" ino=10963157 scontext=system_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file [root@georep1 ~]# [root@georep1 ~]# cat /var/log/audit/audit.log | audit2allow #============= glusterd_t ============== allow glusterd_t var_run_t:sock_file write; [root@georep1 ~]# [root@georep1 ~]# glusterfind pre session1 master temp1.txt --regenerate-outfile Generated output file /root/temp1.txt [root@georep1 ~]# grep -i "avc" /var/log/audit/audit.log | grep -v "systemd" type=AVC msg=audit(1441957154.844:141923): avc: denied { write } for pid=26986 comm="glusterfsd" name=".a5f63c1a7a1b82af86f6cf072a3f7bc21315.sock" dev="tmpfs" ino=10960666 scontext=system_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file type=AVC msg=audit(1441957154.861:141924): avc: denied { write } for pid=26950 comm="glusterfsd" 
name=".4b7a065288ce3187adad4d6439fb4f751352.sock" dev="tmpfs" ino=10961478 scontext=system_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file type=AVC msg=audit(1441957154.867:141925): avc: denied { write } for pid=26968 comm="glusterfsd" name=".293a9e42d026c10ea18f67fc0a437cd81361.sock" dev="tmpfs" ino=10963157 scontext=system_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file type=AVC msg=audit(1441957287.695:142038): avc: denied { write } for pid=26950 comm="glusterfsd" name=".4b7a065288ce3187adad4d6439fb4f751895.sock" dev="tmpfs" ino=10964236 scontext=system_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file type=AVC msg=audit(1441957287.704:142039): avc: denied { write } for pid=26968 comm="glusterfsd" name=".293a9e42d026c10ea18f67fc0a437cd81901.sock" dev="tmpfs" ino=10963663 scontext=system_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file type=AVC msg=audit(1441957287.706:142040): avc: denied { write } for pid=26986 comm="glusterfsd" name=".a5f63c1a7a1b82af86f6cf072a3f7bc21908.sock" dev="tmpfs" ino=10965197 scontext=system_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file [root@georep1 ~]# cat temp1.txt NEW file.1 NEW file.9 NEW file.2 NEW file.3 NEW file.4 NEW file.5 NEW file.10 NEW file.6 NEW file.7 NEW file.8 [root@georep1 ~]# [root@georep1 ~]# rpm -qa | grep selinux-policy selinux-policy-3.13.1-23.el7_1.17.noarch selinux-policy-targeted-3.13.1-23.el7_1.17.noarch [root@georep1 ~]# Version-Release number of selected component (if applicable): ============================================================= glusterfs-cli-3.7.1-14.el7rhgs.x86_64 How reproducible: ================= Always
Where are these .sock files located? I believe they should be labeled glusterd_var_run_t instead of var_run_t.
(In reply to Milos Malik from comment #2) > Where are these .sock files located? I believe they should be labeled > glusterd_var_run_t instead of var_run_t. I updated the selinux-policy to: selinux-policy-3.13.1-23.el7_1.18.noarch and ran the same test of glusterfind pre. The AVCs are now a bit different and are as follows: [root@georep1 scripts]# grep -i "avc" /var/log/audit/audit.log | grep -v systemd type=AVC msg=audit(1442993617.430:61895): avc: denied { connectto } for pid=24301 comm="glusterfsd" path="/run/gluster/.c19b89ac45352ab8c894d210d136dd5624889.sock" scontext=system_u:system_r:glusterd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1442993617.453:61896): avc: denied { connectto } for pid=24319 comm="glusterfsd" path="/run/gluster/.1c53557c54e8d43b89fcc316baed04a924896.sock" scontext=system_u:system_r:glusterd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1442993617.458:61897): avc: denied { connectto } for pid=24337 comm="glusterfsd" path="/run/gluster/.7276cecc9d436837c6dcbfda8f8e2d3b24909.sock" scontext=system_u:system_r:glusterd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket [root@georep1 scripts]# cat /var/log/audit/audit.log|audit2allow #============= glusterd_t ============== allow glusterd_t unconfined_t:unix_stream_socket connectto; [root@georep1 scripts]# I checked the labels of the socket file in question, and it is correctly labeled as glusterd_var_run_t: [root@georep1 scripts]# ls -lZ /run/gluster/.7276cecc9d436837c6dcbfda8f8e2d3b24909.sock srwxr-xr-x. root root unconfined_u:object_r:glusterd_var_run_t:s0 /run/gluster/.7276cecc9d436837c6dcbfda8f8e2d3b24909.sock
Feel free to reopen this bug if the issue still persists and you require a fix. Closing this as WONTFIX, since we are not working on this bug and are treating it as a 'TIMEOUT'.