Bug 1331559 - [SELinux]: Cases in pynfs test suite fail because of SELinux errors on RHEL 7 based RHGS.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Gluster Storage
Classification: Red Hat Storage
Component: nfs-ganesha
Version: rhgs-3.1
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: urgent
Target Milestone: ---
Target Release: RHGS 3.2.0
Assignee: Soumya Koduri
QA Contact: surabhi
URL:
Whiteboard:
Depends On: 1331561 1372191
Blocks: 1311843 1351522
Reported: 2016-04-28 19:37 UTC by Shashank Raj
Modified: 2023-09-14 03:21 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Previously, SELinux prevented the gluster brick processes from creating non-regular socket files. Due to this, users were unable to create socket type files on a gluster volume. With this fix, SELinux rules have been added to grant the relevant permissions to the gluster brick process, and files of type socket can be created on an NFS mount of a gluster volume.
Clone Of:
Clones: 1331561 1331585 1380695
Environment:
Last Closed: 2017-03-23 06:22:08 UTC
Embargoed:
Links:
Red Hat Product Errata RHEA-2017:0493 (normal, SHIPPED_LIVE): Red Hat Gluster Storage 3.2.0 nfs-ganesha bug fix and enhancement update, last updated 2017-03-23 09:19:13 UTC

Description Shashank Raj 2016-04-28 19:37:52 UTC
Description of problem:

Cases in the pynfs test suite fail because of SELinux errors.

Version-Release number of selected component (if applicable):

nfs-ganesha-2.3.1-4

selinux-policy-3.13.1-60.el7_2.3.noarch
selinux-policy-targeted-3.13.1-60.el7_2.3.noarch
selinux-policy-devel-3.13.1-60.el7_2.3.noarch

How reproducible:

Always

Steps to Reproduce:

1. Configure nfs-ganesha on a 4 node cluster.
2. Create a dist-rep volume and enable ganesha on it
3. From the client start executing pynfs test suite on the volume

Observe that some of the cases fail and some of them are skipped:

LOOKSOCK st_lookup.testSocket                                     : FAILURE
           LOOKUP of /testvolume/tree/socket should return
           NFS4_OK, instead got NFS4ERR_NOENT

MKSOCK   st_create.testSocket                                     : FAILURE
           CREATE in empty dir should return NFS4_OK, instead got
           NFS4ERR_ACCESS


ACC1s    st_access.testReadSocket                                 : OMIT
           Dependency LOOKSOCK st_lookup.testSocket had status
           FAILURE.


RM1s     st_remove.testSocket                                     : OMIT
           Dependency MKSOCK st_create.testSocket had status
           FAILURE.

4. Observe in /var/log/audit/audit.log that the AVCs below are seen; these are the cause of the failures in the pynfs test suite:

type=AVC msg=audit(1461832513.298:1309): avc:  denied  { create } for  pid=4043 comm="glusterfsd" name="socket" scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:glusterd_brick_t:s0 tclass=sock_file

type=AVC msg=audit(1461832513.199:1325): avc:  denied  { setattr } for  pid=699 comm="glusterfsd" name="socket" dev="dm-44" ino=125829442 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:glusterd_brick_t:s0 tclass=sock_file

type=AVC msg=audit(1461832513.199:1326): avc:  denied  { link } for  pid=699 comm="glusterfsd" name="socket" dev="dm-44" ino=125829442 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:glusterd_brick_t:s0 tclass=sock_file

type=AVC msg=audit(1461833178.616:1327): avc:  denied  { unlink } for  pid=3214 comm="glusterfsd" name="18903b90-4434-4eb6-984a-38622c33dda0" dev="dm-38" ino=125838859 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:glusterd_brick_t:s0 tclass=sock_file

type=AVC msg=audit(1461833054.196:1018): avc:  denied  { create } for  pid=1669 comm="glusterfsd" name="MKSOCK" scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:glusterd_brick_t:s0 tclass=sock_file

type=AVC msg=audit(1461833054.197:1019): avc:  denied  { setattr } for  pid=1669 comm="glusterfsd" name="MKSOCK" dev="dm-45" ino=25175586 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:glusterd_brick_t:s0 tclass=sock_file

type=AVC msg=audit(1461833054.197:1020): avc:  denied  { link } for  pid=1669 comm="glusterfsd" name="MKSOCK" dev="dm-45" ino=25175586 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:glusterd_brick_t:s0 tclass=sock_file

type=AVC msg=audit(1461833503.077:1021): avc:  denied  { unlink } for  pid=4997 comm="glusterfsd" name="b3b58755-75c0-4839-863d-8cac4d9999d3" dev="dm-42" ino=33554710 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:glusterd_brick_t:s0 tclass=sock_file

Actual results:

Cases in the pynfs test suite fail because of SELinux errors.

Expected results:

No AVC denials should be seen, and it should not affect any functionality.

Additional info:

Comment 6 Shashank Raj 2016-05-30 13:12:05 UTC
Since this bug has still not been approved for 7.2.z update and we don't have selinux builds for 3.1.3, verification of this bug is still pending and will be taken care once we get the required builds.

Comment 14 Atin Mukherjee 2016-11-07 13:38:19 UTC
Given BZ 1372191 has been already fixed, moving this BZ to ON_QA

Comment 17 surabhi 2016-11-17 09:49:52 UTC
I am still seeing the AVCs mentioned in the BZ description with the latest build.

If I look at the RHEL cloned BZ https://bugzilla.redhat.com/show_bug.cgi?id=1372191 it shows as fixed; what could be the reason that we are still hitting it in RHGS?

The additional AVCs are:

type=SYSCALL msg=audit(11/17/2016 13:27:08.051:18981) : arch=x86_64 syscall=mknod success=no exit=EACCES(Permission denied) a0=0x7f48ac5db510 a1=block,755 a2=0x102 a3=0x7f48dbcecb70 items=0 ppid=1 pid=25498 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=glusterfsd exe=/usr/sbin/glusterfsd subj=system_u:system_r:glusterd_t:s0 key=(null) 
type=AVC msg=audit(11/17/2016 13:27:08.051:18981) : avc:  denied  { create } for  pid=25498 comm=glusterfsd name=MKBLK scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=blk_file 
----
type=SYSCALL msg=audit(11/17/2016 13:27:08.071:18982) : arch=x86_64 syscall=mknod success=no exit=EACCES(Permission denied) a0=0x7f48ac6dc510 a1=fifo,755 a2=0x0 a3=0x7f48dbcecb70 items=0 ppid=1 pid=20642 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=glusterfsd exe=/usr/sbin/glusterfsd subj=system_u:system_r:glusterd_t:s0 key=(null) 
type=AVC msg=audit(11/17/2016 13:27:08.071:18982) : avc:  denied  { create } for  pid=20642 comm=glusterfsd name=MKFIFO scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=fifo_file 


type=SYSCALL msg=audit(11/17/2016 13:18:09.203:18908) : arch=x86_64 syscall=mknod success=no exit=EACCES(Permission denied) a0=0x7fb4ad3d5510 a1=character,755 a2=0x102 a3=0x7fb4d88f0b70 items=0 ppid=1 pid=14853 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=glusterfsd exe=/usr/sbin/glusterfsd subj=system_u:system_r:glusterd_t:s0 key=(null) 
type=AVC msg=audit(11/17/2016 13:18:09.203:18908) : avc:  denied  { create } for  pid=14853 comm=glusterfsd name=char scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=chr_file 

Marking the BZ to assigned.

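The two sets of denials quoted in this bug are worth telling apart before anyone writes policy: the first set (tcontext `glusterd_brick_t`, class `sock_file`) is a genuine gap in the glusterd policy and was closed by the rule described in the Doc Text, while the second set (tcontext `default_t`) means the brick files carried no proper label at all, which is a relabelling problem and not something an allow rule should paper over. The following script, an added example and not code from this bug, from Gluster or from the SELinux tooling, parses both the raw audit.log form and the `ausearch -i` interpreted form seen above, groups the denials the way audit2allow would, and flags groups whose target type is `default_t` or `unlabeled_t` as "relabel" rather than "policy". The sample records are constructed from the lines in this report; the function names are the example's own.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the records quoted in this bug:
# the first two are raw audit.log lines (epoch timestamps, quoted values),
# the rest are in the interpreted form produced by `ausearch -i`.
SAMPLE_AVCS = """\
type=AVC msg=audit(1461832513.298:1309): avc:  denied  { create } for  pid=4043 comm="glusterfsd" name="socket" scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:glusterd_brick_t:s0 tclass=sock_file
type=AVC msg=audit(1461832513.199:1325): avc:  denied  { setattr } for  pid=699 comm="glusterfsd" name="socket" dev="dm-44" ino=125829442 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:glusterd_brick_t:s0 tclass=sock_file
type=AVC msg=audit(11/17/2016 13:27:08.051:18981) : avc:  denied  { create } for  pid=25498 comm=glusterfsd name=MKBLK scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=blk_file
type=SYSCALL msg=audit(11/17/2016 13:27:08.071:18982) : arch=x86_64 syscall=mknod success=no exit=EACCES(Permission denied)
type=AVC msg=audit(11/17/2016 13:27:08.071:18982) : avc:  denied  { create } for  pid=20642 comm=glusterfsd name=MKFIFO scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=fifo_file
"""

# Matches an AVC denial whether or not the values are double-quoted.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\}'
    r'.*?comm="?(?P<comm>[^"\s]+)"?'
    r'.*?scontext=(?P<scontext>\S+)'
    r'.*?tcontext=(?P<tcontext>\S+)'
    r'.*?tclass=(?P<tclass>\S+)'
)

# Target types that mean "the file was never labelled", not "policy forbids it".
UNLABELLED_TYPES = ('default_t', 'unlabeled_t')


def type_of(context):
    """An SELinux context is user:role:type:level; return the type field."""
    return context.split(':')[2]


def parse_avcs(text):
    """Return one dict per AVC denial; SYSCALL and other record types are skipped."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        d['perms'] = d['perms'].split()
        denials.append(d)
    return denials


def summarize(denials):
    """Group denials by (source type, target type, class) and merge the permissions,
    which is the same reduction audit2allow performs before emitting rules."""
    groups = defaultdict(set)
    for d in denials:
        key = (type_of(d['scontext']), type_of(d['tcontext']), d['tclass'])
        groups[key].update(d['perms'])
    return {k: sorted(v) for k, v in groups.items()}


def triage(summary):
    """For each group, decide whether it is a labelling problem ('relabel', fix with
    restorecon on the brick path) or a real policy gap ('policy'), and show the
    allow rule the denial would translate to in the latter case."""
    result = {}
    for (stype, ttype, tclass), perms in summary.items():
        rule = f"allow {stype} {ttype}:{tclass} {{ {' '.join(perms)} }};"
        verdict = 'relabel' if ttype in UNLABELLED_TYPES else 'policy'
        result[(stype, ttype, tclass)] = (verdict, rule)
    return result


if __name__ == '__main__':
    for key, (verdict, rule) in triage(summarize(parse_avcs(SAMPLE_AVCS))).items():
        print(f"{verdict:8} {rule}")
```

Run against the records above it reports `policy` for the `glusterd_t -> glusterd_brick_t:sock_file` group (the rule the errata added, in substance) and `relabel` for the `default_t` groups; on a real node the `relabel` verdict corresponds to what comment 18 describes, a fresh setup with the contexts set, rather than to any additional policy.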
Comment 18 surabhi 2016-11-18 11:27:24 UTC
Verified it on a fresh setup with all SELinux contexts set, and no AVCs are seen with the pynfs test suite.

Will move the BZ to VERIFIED once it is moved to ON_QA.

Comment 19 surabhi 2016-11-18 11:31:05 UTC
Verified it with the latest build. No SELinux AVCs are seen and the pynfs test suite is passing on the latest setup.

Marking the BZ verified.

Comment 20 Bhavana 2017-03-08 07:22:07 UTC
Edited the doc text for the errata.

Comment 22 errata-xmlrpc 2017-03-23 06:22:08 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2017-0493.html

Comment 23 Red Hat Bugzilla 2023-09-14 03:21:48 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days
