Bug 1343925 - [SELinux]: kerberos mount fails with selinux denials in audit logs (el7)
Summary: [SELinux]: kerberos mount fails with selinux denials in audit logs (el7)
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Gluster Storage
Classification: Red Hat
Component: nfs-ganesha
Version: rhgs-3.1
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: urgent
Target Milestone: ---
Target Release: RHGS 3.1.3
Assignee: Bug Updates Notification Mailing List
QA Contact: Shashank Raj
Docs Contact: Marie Hornickova
URL:
Whiteboard:
Depends On: 1344630
Blocks: 1311817
Reported: 2016-06-08 10:42 UTC by Shashank Raj
Modified: 2016-11-08 03:52 UTC
CC: 10 users

Fixed In Version: selinux-policy-3.13.1-60.el7_2.7
Doc Type: If docs needed, set a value
Doc Text:
When the nfs-ganesha server was set up with a volume, and an attempt to mount this volume on a client within the Kerberos network was made, SELinux denied this Kerberos mount. This update ensures that the Gluster SELinux domain can read the Kerberos keytab files. As a result, the Kerberos mount is successful in the described scenario.
Clone Of:
Clones: 1343929
Environment:
Last Closed: 2016-06-23 05:34:02 UTC
Target Upstream Version:


Links
System: Red Hat Product Errata
ID: RHEA-2016:1247
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: nfs-ganesha update for Red Hat Gluster Storage 3.1 update 3
Last Updated: 2016-06-23 09:12:43 UTC

Description Shashank Raj 2016-06-08 10:42:17 UTC
Description of problem:

Kerberos mount fails with SELinux denials in audit logs.

Version-Release number of selected component (if applicable):

nfs-ganesha-2.3.1-7

How reproducible:

Always

Steps to Reproduce:
1. Create a ganesha and kerberos setup.
2. Create a volume, export it via ganesha.
3. Edit the Sectype parameter as krb5 and try mounting the volume on the client.
4. Observe that the Kerberos mount fails with the message below:

[root@dhcp42-130 ~]# mount -t nfs -o sec=krb5 dhcp42-142.lab.eng.blr.redhat.com:/testvolume /mnt
mount.nfs: access denied by server while mounting dhcp42-142.lab.eng.blr.redhat.com:/testvolume

and the following AVCs are seen in audit.log (in enforcing mode):

type=AVC msg=audit(1465381707.050:4787): avc:  denied  { read } for  pid=12550 comm="ganesha.nfsd" name="krb5.keytab" dev="dm-0" ino=34326612 scontext=system_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:krb5_keytab_t:s0 tclass=file
type=SYSCALL msg=audit(1465381707.050:4787): arch=c000003e syscall=2 success=no exit=-13 a0=7fbe0c183a80 a1=0 a2=1b6 a3=24 items=0 ppid=1 pid=12550 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ganesha.nfsd" exe="/usr/bin/ganesha.nfsd" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1465381707.053:4788): avc:  denied  { read } for  pid=4911 comm="ganesha.nfsd" name="krb5.keytab" dev="dm-0" ino=34326612 scontext=system_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:krb5_keytab_t:s0 tclass=file
type=SYSCALL msg=audit(1465381707.053:4788): arch=c000003e syscall=2 success=no exit=-13 a0=7fbe0c183a80 a1=0 a2=1b6 a3=24 items=0 ppid=1 pid=4911 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ganesha.nfsd" exe="/usr/bin/ganesha.nfsd" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1465381707.055:4789): avc:  denied  { read } for  pid=12550 comm="ganesha.nfsd" name="krb5.keytab" dev="dm-0" ino=34326612 scontext=system_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:krb5_keytab_t:s0 tclass=file
type=SYSCALL msg=audit(1465381707.055:4789): arch=c000003e syscall=2 success=no exit=-13 a0=7fbe0c183a80 a1=0 a2=1b6 a3=24 items=0 ppid=1 pid=12550 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ganesha.nfsd" exe="/usr/bin/ganesha.nfsd" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1465381707.058:4790): avc:  denied  { read } for  pid=4911 comm="ganesha.nfsd" name="krb5.keytab" dev="dm-0" ino=34326612 scontext=system_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:krb5_keytab_t:s0 tclass=file
type=SYSCALL msg=audit(1465381707.058:4790): arch=c000003e syscall=2 success=no exit=-13 a0=7fbe0c183a80 a1=0 a2=1b6 a3=24 items=0 ppid=1 pid=4911 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ganesha.nfsd" exe="/usr/bin/ganesha.nfsd" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1465381707.070:4791): avc:  denied  { read } for  pid=12550 comm="ganesha.nfsd" name="krb5.keytab" dev="dm-0" ino=34326612 scontext=system_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:krb5_keytab_t:s0 tclass=file
type=SYSCALL msg=audit(1465381707.070:4791): arch=c000003e syscall=2 success=no exit=-13 a0=7fbe0c183a80 a1=0 a2=1b6 a3=24 items=0 ppid=1 pid=12550 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ganesha.nfsd" exe="/usr/bin/ganesha.nfsd" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1465381707.073:4792): avc:  denied  { read } for  pid=4911 comm="ganesha.nfsd" name="krb5.keytab" dev="dm-0" ino=34326612 scontext=system_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:krb5_keytab_t:s0 tclass=file
type=SYSCALL msg=audit(1465381707.073:4792): arch=c000003e syscall=2 success=no exit=-13 a0=7fbe0c183a80 a1=0 a2=1b6 a3=24 items=0 ppid=1 pid=4911 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ganesha.nfsd" exe="/usr/bin/ganesha.nfsd" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1465381708.252:4793): avc:  denied  { read } for  pid=4911 comm="ganesha.nfsd" name="krb5.keytab" dev="dm-0" ino=34326612 scontext=system_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:krb5_keytab_t:s0 tclass=file


In permissive mode the volume gets mounted without any issues, but the AVCs below are seen in audit.log:

type=AVC msg=audit(1465382280.091:4826): avc:  denied  { read } for  pid=4911 comm="ganesha.nfsd" name="krb5.keytab" dev="dm-0" ino=34326612 scontext=system_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:krb5_keytab_t:s0 tclass=file
type=AVC msg=audit(1465382280.091:4826): avc:  denied  { open } for  pid=4911 comm="ganesha.nfsd" path="/etc/krb5.keytab" dev="dm-0" ino=34326612 scontext=system_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:krb5_keytab_t:s0 tclass=file
type=SYSCALL msg=audit(1465382280.091:4826): arch=c000003e syscall=2 success=yes exit=69 a0=7fbe0c183a80 a1=0 a2=1b6 a3=24 items=0 ppid=1 pid=4911 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ganesha.nfsd" exe="/usr/bin/ganesha.nfsd" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1465382280.091:4827): avc:  denied  { lock } for  pid=4911 comm="ganesha.nfsd" path="/etc/krb5.keytab" dev="dm-0" ino=34326612 scontext=system_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:krb5_keytab_t:s0 tclass=file
type=SYSCALL msg=audit(1465382280.091:4827): arch=c000003e syscall=72 success=yes exit=0 a0=45 a1=7 a2=7fbe1d0f08c0 a3=1 items=0 ppid=1 pid=4911 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ganesha.nfsd" exe="/usr/bin/ganesha.nfsd" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1465382280.095:4828): avc:  denied  { setfscreate } for  pid=4911 comm="ganesha.nfsd" scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:glusterd_t:s0 tclass=process
type=SYSCALL msg=audit(1465382280.095:4828): arch=c000003e syscall=1 success=yes exit=40 a0=46 a1=7fbe0c2c7e40 a2=28 a3=636163725f74736f items=0 ppid=1 pid=4911 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ganesha.nfsd" exe="/usr/bin/ganesha.nfsd" subj=system_u:system_r:glusterd_t:s0 key=(null)

type=AVC msg=audit(1465382439.611:4837): avc:  denied  { read } for  pid=4911 comm="ganesha.nfsd" name="krb5.keytab" dev="dm-0" ino=34326612 scontext=system_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:krb5_keytab_t:s0 tclass=file
type=AVC msg=audit(1465382439.611:4837): avc:  denied  { open } for  pid=4911 comm="ganesha.nfsd" path="/etc/krb5.keytab" dev="dm-0" ino=34326612 scontext=system_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:krb5_keytab_t:s0 tclass=file
type=SYSCALL msg=audit(1465382439.611:4837): arch=c000003e syscall=2 success=yes exit=75 a0=7fbe0c183a80 a1=0 a2=1b6 a3=24 items=0 ppid=1 pid=4911 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ganesha.nfsd" exe="/usr/bin/ganesha.nfsd" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1465382439.611:4838): avc:  denied  { lock } for  pid=4911 comm="ganesha.nfsd" path="/etc/krb5.keytab" dev="dm-0" ino=34326612 scontext=system_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:krb5_keytab_t:s0 tclass=file
type=SYSCALL msg=audit(1465382439.611:4838): arch=c000003e syscall=72 success=yes exit=0 a0=4b a1=7 a2=7fbe1d0f08c0 a3=1 items=0 ppid=1 pid=4911 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ganesha.nfsd" exe="/usr/bin/ganesha.nfsd" subj=system_u:system_r:glusterd_t:s0 key=(null)

Actual results:

Kerberos mount fails with SELinux denials in audit logs.

Expected results:

There should not be any AVC denial messages, and the Kerberos mount should be successful.

Additional info:

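A triage script for AVC records like the ones above (an added example, not code from the bug report or from the nfs-ganesha or selinux-policy projects). It groups denials by source type, target type and object class, uses the paired SYSCALL record's success= field to separate enforced denials (exit=-13) from permissive-mode ones, and renders the audit2allow-style rule each group implies so a reviewer can compare it with the vendor policy fix; the sample lines are constructed in the shape of this report's audit.log excerpts.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of this report's audit.log excerpts: an enforcing-mode
# denial (paired SYSCALL has success=no) followed by permissive-mode ones (success=yes).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1465381707.050:4787): avc:  denied  { read } for  pid=12550 comm="ganesha.nfsd" name="krb5.keytab" scontext=system_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:krb5_keytab_t:s0 tclass=file
type=SYSCALL msg=audit(1465381707.050:4787): arch=c000003e syscall=2 success=no exit=-13 comm="ganesha.nfsd" exe="/usr/bin/ganesha.nfsd" subj=system_u:system_r:glusterd_t:s0
type=AVC msg=audit(1465382280.091:4826): avc:  denied  { read } for  pid=4911 comm="ganesha.nfsd" name="krb5.keytab" scontext=system_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:krb5_keytab_t:s0 tclass=file
type=AVC msg=audit(1465382280.091:4826): avc:  denied  { open } for  pid=4911 comm="ganesha.nfsd" path="/etc/krb5.keytab" scontext=system_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:krb5_keytab_t:s0 tclass=file
type=SYSCALL msg=audit(1465382280.091:4826): arch=c000003e syscall=2 success=yes exit=69 comm="ganesha.nfsd" exe="/usr/bin/ganesha.nfsd" subj=system_u:system_r:glusterd_t:s0
type=AVC msg=audit(1465382280.095:4828): avc:  denied  { setfscreate } for  pid=4911 comm="ganesha.nfsd" scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:glusterd_t:s0 tclass=process
type=SYSCALL msg=audit(1465382280.095:4828): arch=c000003e syscall=1 success=yes exit=40 comm="ganesha.nfsd" exe="/usr/bin/ganesha.nfsd" subj=system_u:system_r:glusterd_t:s0
"""
AVC_RE = re.compile(
    r'type=AVC msg=audit\([\d.]+:(?P<serial>\d+)\): avc:\s+denied\s+\{ (?P<perms>[^}]+)\} '
    r'.*?comm="(?P<comm>[^"]+)".*?scontext=\w+:\w+:(?P<stype>\w+):\S+ '
    r'tcontext=\w+:\w+:(?P<ttype>\w+):\S+ tclass=(?P<tclass>\w+)')
SYSCALL_RE = re.compile(
    r'type=SYSCALL msg=audit\([\d.]+:(?P<serial>\d+)\):.*?success=(?P<success>yes|no)')

def parse_audit(text):
    """Group AVC records by audit serial; a serial is enforced when its SYSCALL shows success=no."""
    events = {}
    for line in text.splitlines():
        avc, sc = AVC_RE.match(line), SYSCALL_RE.match(line)
        if avc:
            ev = events.setdefault(avc["serial"], {"perms": set(), "enforced": False,
                                                   "stype": avc["stype"], "ttype": avc["ttype"],
                                                   "tclass": avc["tclass"]})
            ev["perms"].update(avc["perms"].split())
        elif sc and sc["serial"] in events:
            # permissive mode logs the denial but lets the syscall succeed; success=no is a real block
            events[sc["serial"]]["enforced"] = sc["success"] == "no"
    return events

def suggest_rules(events):
    """Group by (source type, target type, class) and render the audit2allow-style rule each implies."""
    groups = defaultdict(lambda: {"perms": set(), "enforced": False})
    for ev in events.values():
        grp = groups[(ev["stype"], ev["ttype"], ev["tclass"])]
        grp["perms"] |= ev["perms"]
        grp["enforced"] |= ev["enforced"]
    rules = []
    for (stype, ttype, tclass), grp in sorted(groups.items()):
        target = "self" if stype == ttype else ttype  # a same-domain denial is written as self
        perms = " ".join(sorted(grp["perms"]))
        mode = "enforced" if grp["enforced"] else "permissive only"
        rules.append(f"allow {stype} {target}:{tclass} {{ {perms} }};  # {mode}")
    return rules
```

On the report's own data this yields one file rule for glusterd_t on krb5_keytab_t (the access the fixed selinux-policy grants) plus a self:process setfscreate rule that only showed up in permissive mode.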
Comment 2 Shashank Raj 2016-06-08 10:43:28 UTC
Since this will not allow volumes to be mounted using Kerberos, raising a blocker flag.

Comment 11 Shashank Raj 2016-06-10 14:01:14 UTC
Verified the bug with latest builds as below:

[root@dhcp42-142 ~]# rpm -qa|grep glusterfs
glusterfs-3.7.9-10.el7rhgs.x86_64
glusterfs-rdma-3.7.9-10.el7rhgs.x86_64
glusterfs-libs-3.7.9-10.el7rhgs.x86_64
glusterfs-client-xlators-3.7.9-10.el7rhgs.x86_64
glusterfs-fuse-3.7.9-10.el7rhgs.x86_64
glusterfs-server-3.7.9-10.el7rhgs.x86_64
glusterfs-geo-replication-3.7.9-10.el7rhgs.x86_64
glusterfs-debuginfo-3.7.9-10.el7rhgs.x86_64
glusterfs-api-3.7.9-10.el7rhgs.x86_64
glusterfs-cli-3.7.9-10.el7rhgs.x86_64
glusterfs-ganesha-3.7.9-10.el7rhgs.x86_64

[root@dhcp42-142 ~]# rpm -qa|grep ganesha
nfs-ganesha-2.3.1-8.el7rhgs.x86_64
nfs-ganesha-gluster-2.3.1-8.el7rhgs.x86_64
glusterfs-ganesha-3.7.9-10.el7rhgs.x86_64

[root@dhcp42-142 ~]# rpm -qa|grep selinux
selinux-policy-3.13.1-60.el7_2.7.noarch
selinux-policy-devel-3.13.1-60.el7_2.7.noarch
selinux-policy-targeted-3.13.1-60.el7_2.7.noarch

No issues are seen while mounting the volume with Kerberos; mounts with all the Kerberos flavors are successful:

dhcp42-142.lab.eng.blr.redhat.com:/testvolume on /mnt type nfs4 (rw,relatime,vers=4.0,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=krb5,clientaddr=10.70.42.130,local_lock=none,addr=10.70.42.142)

dhcp42-142.lab.eng.blr.redhat.com:/testvolume on /mnt type nfs4 (rw,relatime,vers=4.0,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=krb5i,clientaddr=10.70.42.130,local_lock=none,addr=10.70.42.142)

dhcp42-142.lab.eng.blr.redhat.com:/testvolume on /mnt type nfs4 (rw,relatime,vers=4.0,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=krb5p,clientaddr=10.70.42.130,local_lock=none,addr=10.70.42.142)

No denial AVCs are seen in any case.

Based on the above observation, marking this bug as Verified.

Comment 13 errata-xmlrpc 2016-06-23 05:34:02 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2016:1247