+++ This bug was initially created as a clone of Bug #1311911 +++

Description of problem:
volume not getting exported after setting the option ganesha.enable

Version-Release number of selected component (if applicable):
glusterfs-ganesha-3.7.8-1.el7.x86_64
nfs-ganesha-2.2.0-12.el6rhs.x86_64
glusterfs-3.7.8-1.el7.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Setup nfs-ganesha on 4 nodes
2. Create a 2X2 volume.
3. Start the volume
4. set the volume option- ganesha.enable on. it says success, but the volume is actually not exported

Export file is present
[root@dhcp46-59 ~]# cat /etc/ganesha/exports/export.testvol.conf
# WARNING : Using Gluster CLI will overwrite manual
# changes made to this file. To avoid it, edit the
# file and run ganesha-ha.sh --refresh-config.
EXPORT{
      Export_Id= 2 ;
      Path = "/testvol";
      FSAL {
           name = GLUSTER;
           hostname="localhost";
           volume="testvol";
      }
      Access_type = RW;
      Disable_ACL = true;
      Squash="No_root_squash";
      Pseudo="/testvol";
      Protocols = "3", "4" ;
      Transports = "UDP","TCP";
      SecType = "sys";
}

Also ganesha.conf file has entry of this config file:
[root@dhcp46-59 ~]# cat /etc/ganesha/ganesha.conf
###################################################
#
# EXPORT
#
# To function, all that is required is an EXPORT
#
# Define the absolute minimal export
#
#EXPORT
#{
# Export Id (mandatory, each EXPORT must have a unique Export_Id)
# Export_Id = 77;
# Exported path (mandatory)
# Path = "/testvol";
# Pseudo Path (required for NFS v4)
# Pseudo = "/testvol";
# Required for access (default is None)
# Could use CLIENT blocks instead
# Access_Type = RW;
# Allow root access
# Squash = No_Root_Squash;
# Security flavor supported
# SecType = "sys";
# Exporting FSAL
# FSAL {
# Name = "GLUSTER";
# Hostname = localhost;
# Volume = "testvol";
# }
#}
#######################################################
#Create this export block in a file which has the following parameters
#in the global part. Or create a separate file with the export block
#and include in the following block.
NFS_Core_Param {
        #Use supplied name other tha IP In NSM operations
        NSM_Use_Caller_Name = true;
        #Copy lock states into "/var/lib/nfs/ganesha" dir
        Clustered = false;
        #Use a non-privileged port for RQuota
        Rquota_Port = 4501;
        MNT_Port = 20048;
        NLM_Port = 32000;
}
%include "/etc/ganesha/exports/export.vol.conf

But showmount does not show that volume is exported

Actual results: showmount does not show that volume is exported

Expected results: on setting ganesha.enable option volume should get exported

Additional info:

--- Additional comment from Apeksha on 2016-02-25 05:23:18 EST ---

After Restarting the nfs-ganesha service on all the nodes, the volume is getting exported

--- Additional comment from Jiffin on 2016-02-26 14:10:14 EST ---

IMO the issue may be related to selinux policies, in the audit log the following logs can be found while enabling and disabling the ganesha.enable option

type=USER_AVC msg=audit(1456522097.022:4933): pid=902 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.ganesha.nfsd.exportmgr member=AddExport dest=org.ganesha.nfsd spid=10631 tpid=26644 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

type=USER_AVC msg=audit(1456521684.235:4932): pid=902 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.ganesha.nfsd.exportmgr member=RemoveExport dest=org.ganesha.nfsd spid=5403 tpid=26644 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?

I ran the wrapper script (/usr/libexec/dbus-send.sh) used by cli from the terminal with necessary parameters, the volume got exported.
for example
/usr/libexec/ganesha/dbus-send.sh /etc/ganesha/ <on/off> <volume name>

--- Additional comment from Apeksha on 2016-02-29 04:45:27 EST ---

**Steps when selinux was in enforcing mode

[root@dhcp46-59 ~]# getenforce
Enforcing
[root@dhcp46-59 ~]#
[root@dhcp46-59 ~]# gluster v create rs 10.70.46.59:/root/brick2 force
volume create: rs: success: please start the volume to access data
[root@dhcp46-59 ~]# gluster v start rs
volume start: rs: success
[root@dhcp46-59 ~]#
[root@dhcp46-59 ~]#
[root@dhcp46-59 ~]#
[root@dhcp46-59 ~]# #gluster v set rs ganesha.enable on
[root@dhcp46-59 ~]#
[root@dhcp46-59 ~]# grep -i "avc" /var/log/audit/audit.log
[root@dhcp46-59 ~]#
[root@dhcp46-59 ~]# gluster v set rs ganesha.enable on
volume set: success
[root@dhcp46-59 ~]# grep -i "avc" /var/log/audit/audit.log
type=USER_AVC msg=audit(1456767046.846:5613): pid=902 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=signal interface=org.ganesha.nfsd.exportmgr member=AddExport dest=org.ganesha.nfsd spid=1613 tpid=26644 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
[root@dhcp46-59 ~]# cat /var/log/audit/audit.log | audit2allow

#============= glusterd_t ==============
allow glusterd_t initrc_t:dbus send_msg;
[root@dhcp46-59 ~]#
[root@dhcp46-59 ~]#
[root@dhcp46-59 ~]# showmount -e localhost
Export list for localhost:
/sample (everyone)
[root@dhcp46-59 ~]#

**Steps when selinux is in permissive mode

[root@dhcp46-59 ~]# setenforce 0
[root@dhcp46-59 ~]# gluster v create rs1 10.70.46.59:/root/brick3 force
volume create: rs1: success: please start the volume to access data
[root@dhcp46-59 ~]# gluster v start rs1
volume start: rs1: success
[root@dhcp46-59 ~]# gluster v set rs1 ganesha.enable on
volume set: success
[root@dhcp46-59 ~]# showmount -e localhost
Export list for localhost:
/sample (everyone)
/rs1 (everyone)
[root@dhcp46-59 ~]# grep -i "avc" /var/log/audit/audit.log
type=USER_AVC msg=audit(1456767046.846:5613): pid=902 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=signal interface=org.ganesha.nfsd.exportmgr member=AddExport dest=org.ganesha.nfsd spid=1613 tpid=26644 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1456767084.524:5622): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received setenforce notice (enforcing=0) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1456767110.891:5623): pid=902 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=signal interface=org.ganesha.nfsd.exportmgr member=AddExport dest=org.ganesha.nfsd spid=2540 tpid=26644 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
[root@dhcp46-59 ~]# cat /var/log/audit/audit.log | audit2allow

#============= glusterd_t ==============
allow glusterd_t initrc_t:dbus send_msg;
[root@dhcp46-59 ~]#
[root@dhcp46-59 ~]#
[root@dhcp46-59 ~]# rpm -qa | grep selinux-policy
selinux-policy-3.13.1-60.el7_2.3.noarch
selinux-policy-targeted-3.13.1-60.el7_2.3.noarch
[root@dhcp46-59 ~]#
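
Added example (not part of the original report and not code from the gluster or nfs-ganesha projects): a small triage script for the USER_AVC records quoted above. It extracts each D-Bus denial, follows the setenforce notice to tell a denial that was enforced from one that was only logged, and derives the same rule audit2allow printed. The function names and the "blocked" field are this example's own; the initial enforcing state is an assumption passed in by the caller.

```python
import re

# Records taken from the audit.log excerpt in this report, in log order
# (auid, ses, hostname, addr and terminal fields trimmed for width).
SAMPLE_LOG = """\
type=USER_AVC msg=audit(1456767046.846:5613): pid=902 uid=81 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=signal interface=org.ganesha.nfsd.exportmgr member=AddExport dest=org.ganesha.nfsd spid=1613 tpid=26644 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81'
type=USER_AVC msg=audit(1456767084.524:5622): pid=1 uid=0 subj=system_u:system_r:init_t:s0 msg='avc: received setenforce notice (enforcing=0) exe="/usr/lib/systemd/systemd" sauid=0'
type=USER_AVC msg=audit(1456767110.891:5623): pid=902 uid=81 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=signal interface=org.ganesha.nfsd.exportmgr member=AddExport dest=org.ganesha.nfsd spid=2540 tpid=26644 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81'
"""

STAMP = re.compile(r"msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\)")
NOTICE = re.compile(r"received setenforce notice \(enforcing=(?P<mode>[01])\)")
DENIED = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"interface=(?P<iface>\S+) member=(?P<member>\S+).*?"
    r"scontext=(?P<s>\S+) tcontext=(?P<t>\S+) tclass=(?P<cls>\S+)")

def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]

def analyse(log, enforcing=True):
    """List D-Bus denials; 'blocked' is inferred from setenforce notices seen so far."""
    findings = []
    for line in log.splitlines():
        stamp = STAMP.search(line)
        if not line.startswith("type=USER_AVC") or stamp is None:
            continue
        notice = NOTICE.search(line)
        if notice:  # mode change, not a denial
            enforcing = notice["mode"] == "1"
            continue
        d = DENIED.search(line)
        if d:
            findings.append({
                "serial": stamp["serial"], "call": f"{d['iface']}.{d['member']}",
                "source": selinux_type(d["s"]), "target": selinux_type(d["t"]),
                "tclass": d["cls"], "perms": d["perms"].split(), "blocked": enforcing})
    return findings

def allow_rules(findings):
    """Merge denials into one allow rule per (source, target, class)."""
    merged = {}
    for f in findings:
        merged.setdefault((f["source"], f["target"], f["tclass"]), set()).update(f["perms"])
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(merged.items())]

if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f["serial"], f["call"], "blocked" if f["blocked"] else "logged only")
    print(*allow_rules(analyse(SAMPLE_LOG)), sep="\n")
```

The derived rule is expressed in SELinux types only, so it covers every send_msg from glusterd_t to any process running as initrc_t, not just the AddExport and RemoveExport calls seen in the log.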

Here is a workaround, which works in enforcing mode:

# setenforce 1
# cat bz1312809.te
policy_module(bz1312809,1.0)

require {
  type glusterd_t;
  type initrc_t;
  class dbus { send_msg };
}

allow glusterd_t initrc_t:dbus send_msg;

# make -f /usr/share/selinux/devel/Makefile
Compiling targeted bz1312809 module
/usr/bin/checkmodule: loading policy configuration from tmp/bz1312809.tmp
/usr/bin/checkmodule: policy configuration loaded
/usr/bin/checkmodule: writing binary representation (version 10) to tmp/bz1312809.mod
Creating targeted bz1312809.pp policy package
# semodule -i bz1312809.pp
#

The /usr/share/selinux/devel/Makefile file comes from selinux-policy-devel package.

Comment#2 captures output from RHEL-6.8. Here is the output from RHEL-7.2:

# cat bz1312809.te
policy_module(bz1312809,1.0)

require {
  type glusterd_t;
  type initrc_t;
  class dbus { send_msg };
}

allow glusterd_t initrc_t:dbus { send_msg };

# make -f /usr/share/selinux/devel/Makefile
Compiling targeted bz1312809 module
/usr/bin/checkmodule: loading policy configuration from tmp/bz1312809.tmp
/usr/bin/checkmodule: policy configuration loaded
/usr/bin/checkmodule: writing binary representation (version 17) to tmp/bz1312809.mod
Creating targeted bz1312809.pp policy package
rm tmp/bz1312809.mod tmp/bz1312809.mod.fc
# semodule -i bz1312809.pp
#

Thanks for the workaround. I verified the same on RHEL 7.2 configured RHGS nodes and it solves the problem. After applying the above policy, I am able to export the volumes.
Hi, Can I get some testing machine?
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-2283.html