Description of problem:
Cases in pynfs test suite fail because of SELinux errors.

Version-Release number of selected component (if applicable):
nfs-ganesha-2.3.1-4
selinux-policy-3.13.1-60.el7_2.3.noarch
selinux-policy-targeted-3.13.1-60.el7_2.3.noarch
selinux-policy-devel-3.13.1-60.el7_2.3.noarch

How reproducible:
Always

Steps to Reproduce:
1. Configure nfs-ganesha on a 4 node cluster.
2. Create a dist-rep volume and enable ganesha on it.
3. From the client start executing pynfs test suite on the volume.

Observe that some of the cases fail and some of them are skipped:

LOOKSOCK st_lookup.testSocket : FAILURE
         LOOKUP of /testvolume/tree/socket should return NFS4_OK, instead got NFS4ERR_NOENT
MKSOCK st_create.testSocket : FAILURE
       CREATE in empty dir should return NFS4_OK, instead got NFS4ERR_ACCESS
ACC1s st_access.testReadSocket : OMIT
      Dependency LOOKSOCK st_lookup.testSocket had status FAILURE.
RM1s st_remove.testSocket : OMIT
     Dependency MKSOCK st_create.testSocket had status FAILURE.

4. Observe in /var/log/audit/audit.log that the AVCs below are seen, which are the cause of the failure of cases in the pynfs test suite:

type=AVC msg=audit(1461832513.298:1309): avc: denied { create } for pid=4043 comm="glusterfsd" name="socket" scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:glusterd_brick_t:s0 tclass=sock_file
type=AVC msg=audit(1461832513.199:1325): avc: denied { setattr } for pid=699 comm="glusterfsd" name="socket" dev="dm-44" ino=125829442 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:glusterd_brick_t:s0 tclass=sock_file
type=AVC msg=audit(1461832513.199:1326): avc: denied { link } for pid=699 comm="glusterfsd" name="socket" dev="dm-44" ino=125829442 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:glusterd_brick_t:s0 tclass=sock_file
type=AVC msg=audit(1461833178.616:1327): avc: denied { unlink } for pid=3214 comm="glusterfsd" name="18903b90-4434-4eb6-984a-38622c33dda0" dev="dm-38" ino=125838859 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:glusterd_brick_t:s0 tclass=sock_file
type=AVC msg=audit(1461833054.196:1018): avc: denied { create } for pid=1669 comm="glusterfsd" name="MKSOCK" scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:glusterd_brick_t:s0 tclass=sock_file
type=AVC msg=audit(1461833054.197:1019): avc: denied { setattr } for pid=1669 comm="glusterfsd" name="MKSOCK" dev="dm-45" ino=25175586 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:glusterd_brick_t:s0 tclass=sock_file
type=AVC msg=audit(1461833054.197:1020): avc: denied { link } for pid=1669 comm="glusterfsd" name="MKSOCK" dev="dm-45" ino=25175586 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:glusterd_brick_t:s0 tclass=sock_file
type=AVC msg=audit(1461833503.077:1021): avc: denied { unlink } for pid=4997 comm="glusterfsd" name="b3b58755-75c0-4839-863d-8cac4d9999d3" dev="dm-42" ino=33554710 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:glusterd_brick_t:s0 tclass=sock_file

Actual results:
Cases in pynfs test suite fail because of SELinux errors.

Expected results:
No denial AVCs should be seen and it should not affect any functionality.

Additional info:
Since this bug has still not been approved for 7.2.z update and we don't have selinux builds for 3.1.3, verification of this bug is still pending and will be taken care of once we get the required builds.
Given BZ 1372191 has been already fixed, moving this BZ to ON_QA
I am still seeing the AVCs mentioned in the BZ description with the latest build. If I see the RHEL cloned BZ https://bugzilla.redhat.com/show_bug.cgi?id=1372191 it shows as fixed, what could be the reason that we are still hitting it in rhgs?

The additional AVCs are:

type=SYSCALL msg=audit(11/17/2016 13:27:08.051:18981) : arch=x86_64 syscall=mknod success=no exit=EACCES(Permission denied) a0=0x7f48ac5db510 a1=block,755 a2=0x102 a3=0x7f48dbcecb70 items=0 ppid=1 pid=25498 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=glusterfsd exe=/usr/sbin/glusterfsd subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(11/17/2016 13:27:08.051:18981) : avc: denied { create } for pid=25498 comm=glusterfsd name=MKBLK scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=blk_file
----
type=SYSCALL msg=audit(11/17/2016 13:27:08.071:18982) : arch=x86_64 syscall=mknod success=no exit=EACCES(Permission denied) a0=0x7f48ac6dc510 a1=fifo,755 a2=0x0 a3=0x7f48dbcecb70 items=0 ppid=1 pid=20642 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=glusterfsd exe=/usr/sbin/glusterfsd subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(11/17/2016 13:27:08.071:18982) : avc: denied { create } for pid=20642 comm=glusterfsd name=MKFIFO scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=fifo_file
type=SYSCALL msg=audit(11/17/2016 13:18:09.203:18908) : arch=x86_64 syscall=mknod success=no exit=EACCES(Permission denied) a0=0x7fb4ad3d5510 a1=character,755 a2=0x102 a3=0x7fb4d88f0b70 items=0 ppid=1 pid=14853 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=glusterfsd exe=/usr/sbin/glusterfsd subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(11/17/2016 13:18:09.203:18908) : avc: denied { create } for pid=14853 comm=glusterfsd name=char scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=chr_file

Marking the BZ to assigned.
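Added example (not part of any comment in this report, and not code from the nfs-ganesha or selinux-policy projects): a small parser that groups the AVC denials quoted in the description and in the comment above by source type, target type and object class. It accepts both the raw audit.log form and the interpreted form with human-readable timestamps; the function names are illustrative.

```python
import re
from collections import defaultdict

# Records copied from the two comments above: four in raw audit.log form and
# three in the interpreted form (readable timestamps, unquoted values).
SAMPLE = """\
type=AVC msg=audit(1461832513.298:1309): avc: denied { create } for pid=4043 comm="glusterfsd" name="socket" scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:glusterd_brick_t:s0 tclass=sock_file
type=AVC msg=audit(1461832513.199:1325): avc: denied { setattr } for pid=699 comm="glusterfsd" name="socket" dev="dm-44" ino=125829442 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:glusterd_brick_t:s0 tclass=sock_file
type=AVC msg=audit(1461832513.199:1326): avc: denied { link } for pid=699 comm="glusterfsd" name="socket" dev="dm-44" ino=125829442 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:glusterd_brick_t:s0 tclass=sock_file
type=AVC msg=audit(1461833178.616:1327): avc: denied { unlink } for pid=3214 comm="glusterfsd" name="18903b90-4434-4eb6-984a-38622c33dda0" dev="dm-38" ino=125838859 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:glusterd_brick_t:s0 tclass=sock_file
type=AVC msg=audit(11/17/2016 13:27:08.051:18981) : avc: denied { create } for pid=25498 comm=glusterfsd name=MKBLK scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=blk_file
type=AVC msg=audit(11/17/2016 13:27:08.071:18982) : avc: denied { create } for pid=20642 comm=glusterfsd name=MKFIFO scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=fifo_file
type=AVC msg=audit(11/17/2016 13:18:09.203:18908) : avc: denied { create } for pid=14853 comm=glusterfsd name=char scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=chr_file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None  # truncated record: not enough to attribute the denial
    fields["perms"] = m.group("perms").split()
    return fields

def selinux_type(context):
    """user:role:type:level -> type (the part a type-enforcement rule uses)."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context

def summarize(text):
    """Group denied permissions by (source type, target type, object class)."""
    grouped = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is not None:
            key = (selinux_type(rec["scontext"]),
                   selinux_type(rec["tcontext"]), rec["tclass"])
            grouped[key].update(rec["perms"])
    return {k: sorted(v) for k, v in grouped.items()}

if __name__ == "__main__":
    for (src, tgt, cls), perms in sorted(summarize(SAMPLE).items()):
        print(f"{src} -> {tgt}:{cls} {{ {' '.join(perms)} }}")
```

The summary keeps the sock_file denials on glusterd_brick_t apart from the blk_file, fifo_file and chr_file denials, whose target type is default_t.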
Verified it on a fresh setup with all selinux context set and no avc's are seen with pynfs test suite. Will move BZ to verified once it is moved to on_QA
Verified it with latest build. NO SELinux AVC's are seen and pynfs test suite is passing on latest setup. Marking the BZ verified.
Edited the doc text for the errata.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHEA-2017-0493.html
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days