Bug 1312809 - [SELinux]: Found avc of type=USER_AVC for class dbus during glusterfs-ganesha validation -RHEL7
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
7.2
x86_64 Linux
high Severity urgent
: rc
: ---
Assigned To: Lukas Vrabec
Milos Malik
Marie Dolezelova
: ZStream
Depends On:
Blocks: 1321786 1333903
Reported: 2016-02-29 04:48 EST by Apeksha
Modified: 2016-11-03 22:43 EDT (History)
17 users

See Also:
Fixed In Version: selinux-policy-3.13.1-70.el7
Doc Type: Bug Fix
Doc Text:
When the nfs-ganesha server was set up on four nodes with 2X2 volume, the volume was not exported after the nfs-ganesha service was enabled. With this update, a workaround has been provided which ensures that the volume is exported as expected in the described scenario.
Story Points: ---
Clone Of: 1311911
: 1333903
Environment:
Last Closed: 2016-11-03 22:43:42 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments: None
Description Apeksha 2016-02-29 04:48:44 EST
+++ This bug was initially created as a clone of Bug #1311911 +++

Description of problem:
volume not getting exported after setting the option ganesha.enable 

Version-Release number of selected component (if applicable):
glusterfs-ganesha-3.7.8-1.el7.x86_64
nfs-ganesha-2.2.0-12.el6rhs.x86_64
glusterfs-3.7.8-1.el7.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Setup nfs-ganesha on 4 nodes
2. Create a 2X2 volume.
3. Start the volume
4. Set the volume option ganesha.enable on. It says success, but the volume is actually not exported.

Export file is present
[root@dhcp46-59 ~]# cat /etc/ganesha/exports/export.testvol.conf 
# WARNING : Using Gluster CLI will overwrite manual
# changes made to this file. To avoid it, edit the
# file and run ganesha-ha.sh --refresh-config.
EXPORT{
      Export_Id= 2 ;
      Path = "/testvol";
      FSAL {
           name = GLUSTER;
           hostname="localhost";
          volume="testvol";
           }
      Access_type = RW;
      Disable_ACL = true;
      Squash="No_root_squash";
      Pseudo="/testvol";
      Protocols = "3", "4" ;
      Transports = "UDP","TCP";
      SecType = "sys";
     }


Also ganesha.conf file has entry of this config file:
[root@dhcp46-59 ~]# cat /etc/ganesha/ganesha.conf 
###################################################
#
# EXPORT
#
# To function, all that is required is an EXPORT
#
# Define the absolute minimal export
#

#EXPORT
#{
	# Export Id (mandatory, each EXPORT must have a unique Export_Id)
#	Export_Id = 77;

	# Exported path (mandatory)
#	Path = "/testvol";

	# Pseudo Path (required for NFS v4)
#	Pseudo = "/testvol";

	# Required for access (default is None)
	# Could use CLIENT blocks instead
#	Access_Type = RW;

	# Allow root access
#	Squash = No_Root_Squash;

	# Security flavor supported
#	SecType = "sys";

	# Exporting FSAL
#	FSAL {
#		Name = "GLUSTER";
#		Hostname = localhost;
#		Volume = "testvol";
#	}
#}
#######################################################
#Create this export block in a file which has the following parameters
#in the global part. Or create a separate file with the export block
#and include in the following block.

NFS_Core_Param {
        #Use supplied name other than IP in NSM operations
        NSM_Use_Caller_Name = true;
        #Copy lock states into "/var/lib/nfs/ganesha" dir
        Clustered = false;
        #Use a non-privileged port for RQuota
        Rquota_Port = 4501;
        MNT_Port = 20048;
        NLM_Port = 32000;
}

%include "/etc/ganesha/exports/export.vol.conf"


But showmount does not show that volume is exported

Actual results: showmount does not show that the volume is exported


Expected results: on setting the ganesha.enable option, the volume should get exported


Additional info:

--- Additional comment from Apeksha on 2016-02-25 05:23:18 EST ---

After Restarting the nfs-ganesha service on all the nodes, the volume is getting exported

--- Additional comment from Jiffin on 2016-02-26 14:10:14 EST ---

IMO the issue may be related to SELinux policies; in the audit log the following entries can be found while enabling and disabling the ganesha.enable option:

type=USER_AVC msg=audit(1456522097.022:4933): pid=902 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.ganesha.nfsd.exportmgr member=AddExport dest=org.ganesha.nfsd spid=10631 tpid=26644 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

type=USER_AVC msg=audit(1456521684.235:4932): pid=902 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.ganesha.nfsd.exportmgr member=RemoveExport dest=org.ganesha.nfsd spid=5403 tpid=26644 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?

I ran the wrapper script (/usr/libexec/dbus-send.sh) used by the CLI from the terminal with the necessary parameters, and the volume got exported.
For example:
/usr/libexec/ganesha/dbus-send.sh /etc/ganesha/ <on/off> <volume name>

--- Additional comment from Apeksha on 2016-02-29 04:45:27 EST ---

** Steps when SELinux was in enforcing mode

    [root@dhcp46-59 ~]# getenforce
    Enforcing
    [root@dhcp46-59 ~]#
    [root@dhcp46-59 ~]# gluster v create rs 10.70.46.59:/root/brick2 force
    volume create: rs: success: please start the volume to access data
    [root@dhcp46-59 ~]# gluster v start rs
    volume start: rs: success
    [root@dhcp46-59 ~]#
    [root@dhcp46-59 ~]#
    [root@dhcp46-59 ~]#
    [root@dhcp46-59 ~]# #gluster v set rs ganesha.enable on
    [root@dhcp46-59 ~]#
    [root@dhcp46-59 ~]# grep -i "avc" /var/log/audit/audit.log
    [root@dhcp46-59 ~]#
    [root@dhcp46-59 ~]# gluster v set rs ganesha.enable on
    volume set: success
    [root@dhcp46-59 ~]# grep -i "avc" /var/log/audit/audit.log
    type=USER_AVC msg=audit(1456767046.846:5613): pid=902 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=signal interface=org.ganesha.nfsd.exportmgr member=AddExport dest=org.ganesha.nfsd spid=1613 tpid=26644 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
    [root@dhcp46-59 ~]# cat /var/log/audit/audit.log | audit2allow
     
     
    #============= glusterd_t ==============
    allow glusterd_t initrc_t:dbus send_msg;
    [root@dhcp46-59 ~]#
    [root@dhcp46-59 ~]#
    [root@dhcp46-59 ~]# showmount -e localhost
    Export list for localhost:
    /sample (everyone)
    [root@dhcp46-59 ~]#



** Steps when SELinux is in permissive mode

    [root@dhcp46-59 ~]# setenforce 0
    [root@dhcp46-59 ~]# gluster v create rs1 10.70.46.59:/root/brick3 force
    volume create: rs1: success: please start the volume to access data
    [root@dhcp46-59 ~]# gluster v start rs1
    volume start: rs1: success
    [root@dhcp46-59 ~]# gluster v set rs1 ganesha.enable on
    volume set: success
    [root@dhcp46-59 ~]# showmount -e localhost
    Export list for localhost:
    /sample (everyone)
    /rs1    (everyone)
    [root@dhcp46-59 ~]# grep -i "avc" /var/log/audit/audit.log
    type=USER_AVC msg=audit(1456767046.846:5613): pid=902 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=signal interface=org.ganesha.nfsd.exportmgr member=AddExport dest=org.ganesha.nfsd spid=1613 tpid=26644 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
    type=USER_AVC msg=audit(1456767084.524:5622): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received setenforce notice (enforcing=0)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
    type=USER_AVC msg=audit(1456767110.891:5623): pid=902 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=signal interface=org.ganesha.nfsd.exportmgr member=AddExport dest=org.ganesha.nfsd spid=2540 tpid=26644 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
    [root@dhcp46-59 ~]# cat /var/log/audit/audit.log | audit2allow
     
     
    #============= glusterd_t ==============
    allow glusterd_t initrc_t:dbus send_msg;
    [root@dhcp46-59 ~]#
    [root@dhcp46-59 ~]#
    [root@dhcp46-59 ~]# rpm -qa | grep selinux-policy
    selinux-policy-3.13.1-60.el7_2.3.noarch
    selinux-policy-targeted-3.13.1-60.el7_2.3.noarch
    [root@dhcp46-59 ~]#
Comment 2 Milos Malik 2016-03-30 07:40:37 EDT
Here is a workaround, which works in enforcing mode:

# setenforce 1
# cat bz1312809.te 
policy_module(bz1312809,1.0)

require {
  type glusterd_t;
  type initrc_t;
  class dbus { send_msg };
}

allow glusterd_t initrc_t:dbus send_msg;

# make -f /usr/share/selinux/devel/Makefile
Compiling targeted bz1312809 module
/usr/bin/checkmodule:  loading policy configuration from tmp/bz1312809.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 10) to tmp/bz1312809.mod
Creating targeted bz1312809.pp policy package
# semodule -i bz1312809.pp 
# 

The /usr/share/selinux/devel/Makefile file comes from selinux-policy-devel package.
Comment 3 Milos Malik 2016-03-30 08:41:05 EDT
Comment #2 captures output from RHEL-6.8. Here is the output from RHEL-7.2:

# cat bz1312809.te 
policy_module(bz1312809,1.0)

require {
  type glusterd_t;
  type initrc_t;
  class dbus { send_msg };
}

allow glusterd_t initrc_t:dbus { send_msg };

# make -f /usr/share/selinux/devel/Makefile 
Compiling targeted bz1312809 module
/usr/bin/checkmodule:  loading policy configuration from tmp/bz1312809.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 17) to tmp/bz1312809.mod
Creating targeted bz1312809.pp policy package
rm tmp/bz1312809.mod tmp/bz1312809.mod.fc
# semodule -i bz1312809.pp 
#
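The denials quoted in the description and the module shown in comments 2 and 3 are related mechanically: the USER_AVC record names a source type, a target type, an object class and the denied permission, and the .te module grants exactly that tuple. As an added example (not code from this bug report, nor from the selinux-policy or glusterfs projects), the Python below parses such records from a constructed sample log whose three lines are copied in shape from the description, including the "received setenforce notice" record that is a USER_AVC but not a denial and so must be skipped, merges the denied permissions per (source type, target type, class), and emits a policy module equivalent to the one in comment 3. The function and class names (`parse_denials`, `allow_rules`, `policy_module`, `Denial`) and the module name passed in are this example's own choices.

```python
"""Parse SELinux USER_AVC audit records and derive the matching allow rules / .te module.
Added example; the record format follows the audit lines quoted in this bug."""
import re
from dataclasses import dataclass

# Constructed sample log: three USER_AVC records in the shape of those in the bug
# report. The middle one (setenforce notice) is not a denial and must be ignored.
SAMPLE_AUDIT_LOG = """\
type=USER_AVC msg=audit(1456767046.846:5613): pid=902 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=signal interface=org.ganesha.nfsd.exportmgr member=AddExport dest=org.ganesha.nfsd spid=1613 tpid=26644 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1456767084.524:5622): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received setenforce notice (enforcing=0)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1456767110.891:5623): pid=902 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=signal interface=org.ganesha.nfsd.exportmgr member=AddExport dest=org.ganesha.nfsd spid=2540 tpid=26644 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
"""

# Matches the denial portion of an AVC / USER_AVC record:
#   avc:  denied  { perm ... } for <details> scontext=... tcontext=... tclass=...
DENIAL_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*?)"
    r"\s+scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


@dataclass(frozen=True)
class Denial:
    source_type: str      # type component of scontext, e.g. glusterd_t
    target_type: str      # type component of tcontext, e.g. initrc_t
    tclass: str           # object class, e.g. dbus
    perms: frozenset      # denied permissions, e.g. {"send_msg"}
    detail: str           # the "for ..." part: D-Bus interface, member, pids


def _type_of(context: str) -> str:
    # SELinux context is user:role:type[:range]; the type is the third field.
    return context.split(":")[2]


def parse_denials(log_text: str):
    """Return one Denial per AVC/USER_AVC record that is an actual denial."""
    denials = []
    for line in log_text.splitlines():
        if "type=USER_AVC" not in line and "type=AVC" not in line:
            continue
        m = DENIAL_RE.search(line)
        if m is None:
            continue  # e.g. the "received setenforce notice" record
        denials.append(Denial(
            source_type=_type_of(m.group("scontext")),
            target_type=_type_of(m.group("tcontext")),
            tclass=m.group("tclass"),
            perms=frozenset(m.group("perms").split()),
            detail=m.group("fields"),
        ))
    return denials


def allow_rules(denials):
    """Merge denials sharing (source, target, class) into one allow rule each."""
    merged = {}
    for d in denials:
        key = (d.source_type, d.target_type, d.tclass)
        merged[key] = merged.get(key, frozenset()) | d.perms
    return sorted(
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in merged.items()
    )


def policy_module(name: str, denials, version: str = "1.0") -> str:
    """Render a .te module in the same layout as the workaround in comment 3."""
    types = sorted({t for d in denials for t in (d.source_type, d.target_type)})
    classes = {}
    for d in denials:
        classes[d.tclass] = classes.get(d.tclass, frozenset()) | d.perms
    lines = [f"policy_module({name}, {version})", "", "require {"]
    lines += [f"  type {t};" for t in types]
    lines += [f"  class {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    lines += ["}", ""] + allow_rules(denials)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = parse_denials(SAMPLE_AUDIT_LOG)
    for d in found:
        print(f"{d.source_type} -> {d.target_type} ({d.tclass}) {sorted(d.perms)}: {d.detail}")
    print(policy_module("bz1312809", found))
```

Two things worth keeping in mind when using output like this. First, SELinux rules are keyed by type, not by D-Bus name: `allow glusterd_t initrc_t:dbus { send_msg };` permits glusterd_t to message any D-Bus service running in the initrc_t domain, not only org.ganesha.nfsd, which is why a generic domain such as initrc_t as the target deserves a second look before the module is installed. Second, the permissive-mode transcript in the description shows the same denial still being logged while the export succeeds, so the regex above is also a usable detection for the problem recurring after an upgrade: a `denied { send_msg }` record with `tclass=dbus` between these two types in enforcing mode means exports will silently fail again.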
Comment 4 Shashank Raj 2016-03-31 03:08:19 EDT
Thanks for the workaround.

I verified the same on RHEL 7.2-configured RHGS nodes and it solves the problem. After applying the above policy, I am able to export the volumes.
Comment 7 Lukas Vrabec 2016-04-27 07:15:51 EDT
Hi, 
Can I get some testing machine?
Comment 16 errata-xmlrpc 2016-11-03 22:43:42 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2283.html
