Bug 1369006 - Gluster Volume is not getting exported after enabling ganesha on the volume
Status: CLOSED WORKSFORME
Alias: None
Product: GlusterFS
Classification: Community
Component: ganesha-nfs
Version: 3.8.2
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: urgent
Target Milestone: ---
Assignee: bugs@gluster.org
Reported: 2016-08-22 10:25 UTC by Shashank Raj
Modified: 2016-11-08 03:53 UTC

Last Closed: 2016-09-06 06:53:38 UTC

Description Shashank Raj 2016-08-22 10:25:03 UTC
Description of problem:

[SELinux]: Volume is not getting exported after enabling ganesha on the volume.

Version-Release number of selected component (if applicable):

[root@dhcp43-116 exports]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.2 (Maipo)

[root@dhcp43-116 exports]# rpm -qa|grep glusterfs
glusterfs-fuse-3.8.2-0.1.gitd33aa0b.el7rhgs.x86_64
glusterfs-libs-3.8.2-0.1.gitd33aa0b.el7rhgs.x86_64
glusterfs-3.8.2-0.1.gitd33aa0b.el7rhgs.x86_64
glusterfs-client-xlators-3.8.2-0.1.gitd33aa0b.el7rhgs.x86_64
glusterfs-api-3.8.2-0.1.gitd33aa0b.el7rhgs.x86_64
glusterfs-cli-3.8.2-0.1.gitd33aa0b.el7rhgs.x86_64
glusterfs-server-3.8.2-0.1.gitd33aa0b.el7rhgs.x86_64
glusterfs-geo-replication-3.8.2-0.1.gitd33aa0b.el7rhgs.x86_64
glusterfs-ganesha-3.8.2-0.1.gitd33aa0b.el7rhgs.x86_64

[root@dhcp43-116 exports]# rpm -qa|grep ganesha
nfs-ganesha-gluster-next.20160813.2f47e8a-1.el7.centos.x86_64
nfs-ganesha-next.20160813.2f47e8a-1.el7.centos.x86_64
nfs-ganesha-debuginfo-next.20160813.2f47e8a-1.el7.centos.x86_64
glusterfs-ganesha-3.8.2-0.1.gitd33aa0b.el7rhgs.x86_64

[root@dhcp43-116 exports]# rpm -qa|grep selinux
libselinux-utils-2.2.2-6.el7.x86_64
selinux-policy-targeted-3.13.1-60.el7_2.7.noarch
libselinux-2.2.2-6.el7.x86_64
libselinux-python-2.2.2-6.el7.x86_64
selinux-policy-3.13.1-60.el7_2.7.noarch


How reproducible:

Always

Steps to Reproduce:

1. Create a volume and start it

[root@dhcp43-116 ~]# gluster volume create myvolume replica 2 10.70.43.116:/bricks/brick0/b0 10.70.43.88:/bricks/brick0/b0 10.70.42.47:/bricks/brick0/b0 10.70.42.237:/bricks/brick0/b0 
volume create: myvolume: success: please start the volume to access data

[root@dhcp43-116 ~]# gluster vol start myvolume
volume start: myvolume: success

2. Enable ganesha on the volume

[root@dhcp43-116 ~]# gluster vol set myvolume ganesha.enable on
volume set: success

3. Observe that export file gets created under /etc/ganesha/exports

[root@dhcp43-116 ~]# cd /etc/ganesha/exports/
[root@dhcp43-116 exports]# ls
export.myvolume.conf

4. But showmount -e localhost doesn't show the exported volume.

[root@dhcp43-116 exports]# showmount -e localhost
Export list for localhost:

5. Following denial AVCs are seen in audit.log

type=USER_AVC msg=audit(1471880435.035:5194): pid=649 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=signal interface=org.ganesha.nfsd.exportmgr member=AddExport dest=org.ganesha.nfsd spid=17041 tpid=9169 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

type=USER_AVC msg=audit(1471880506.444:5196): pid=649 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.ganesha.nfsd.exportmgr member=RemoveExport dest=org.ganesha.nfsd spid=17605 tpid=9169 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'


Actual results:

Volume is not getting exported after enabling ganesha on the volume.

Expected results:

There should not be any denial AVCs and volume should get exported without any issues.

Additional info:

Comment 1 Niels de Vos 2016-08-22 11:04:26 UTC
Moving to RHEL-7 + selinux-policy. Gluster or Ganesha can not fix this by itself.

Comment 4 Shashank Raj 2016-08-23 09:00:34 UTC
Hi Lukas,

This bug is filed wrt 7.2, and even for 7.2 I think it's fixed with selinux-policy-3.13.1-60.el7_2.7.

Can you just confirm that?

We suspect this has something to do with how nfs-ganesha is being brought up in the system.

SELinux context on the machine where we see this issue:

[root@dhcp43-116 ~]# ps -eafZ | grep ganesha
system_u:system_r:initrc_t:s0   root      9169     1 13 19:37 ?        00:18:20 /usr/bin/ganesha.nfsd -L /var/log/ganesha.log -f /etc/ganesha/ganesha.conf -N NIV_EVENT

SELinux context on the machine where this is fixed:

[root@dhcp43-208 ~]# ps -eafZ | grep ganesha

system_u:system_r:glusterd_t:s0 root     10202     1 25 Jul25 ?        7-02:53:34 /usr/bin/ganesha.nfsd -L /var/log/ganesha.log -f /etc/ganesha/ganesha.conf -N NIV_EVENT -E 6311201610069442560

Once you confirm that it is fixed with 7.2 as well, I will move it back to the appropriate component.
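
The denials in the description identify the D-Bus target by PID (tpid=9169), and the `ps -eafZ` output in comment 4 shows that PID is ganesha.nfsd running as initrc_t. The following is an added example, not part of the original report or of any Gluster or NFS-Ganesha tooling, that joins the two inputs; the function and field names are hypothetical.

```python
import re

# Input copied from this report: the two USER_AVC records in the description
# and the `ps -eafZ` line for ganesha.nfsd on the affected host (comment 4).
AUDIT_LOG = """\
type=USER_AVC msg=audit(1471880435.035:5194): pid=649 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=signal interface=org.ganesha.nfsd.exportmgr member=AddExport dest=org.ganesha.nfsd spid=17041 tpid=9169 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1471880506.444:5196): pid=649 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.ganesha.nfsd.exportmgr member=RemoveExport dest=org.ganesha.nfsd spid=17605 tpid=9169 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
"""
PS_OUTPUT = """\
system_u:system_r:initrc_t:s0   root      9169     1 13 19:37 ?        00:18:20 /usr/bin/ganesha.nfsd -L /var/log/ganesha.log -f /etc/ganesha/ganesha.conf -N NIV_EVENT
"""
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]

def parse_ps(ps_text):
    """Map PID -> (SELinux type, command line) from `ps -eafZ` lines."""
    procs = {}
    for line in ps_text.splitlines():
        parts = line.split(None, 8)  # LABEL UID PID PPID C STIME TTY TIME CMD
        if len(parts) == 9 and parts[2].isdigit():
            procs[parts[2]] = (selinux_type(parts[0]), parts[8])
    return procs

def dbus_denials(audit_text, ps_text):
    """List denied D-Bus messages, joined to the target process by tpid."""
    procs = parse_ps(ps_text)
    out = []
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if "type=USER_AVC" not in line or not m:
            continue
        f = {k: v.strip("\"'") for k, v in KV_RE.findall(m.group(2))}
        if f.get("tclass") != "dbus":
            continue
        target = selinux_type(f["tcontext"])
        out.append({
            "perm": m.group(1),
            "member": f.get("member"),
            "source": selinux_type(f["scontext"]),
            "target": target,
            "target_cmd": procs.get(f.get("tpid"), (None, None))[1],
            # initrc_t is the init-script domain: the daemon did not
            # transition into a domain of its own when it was started.
            "target_in_initrc": target == "initrc_t",
        })
    return out
```

On a live host the same two inputs come from audit.log and from `ps -eafZ`, as shown in the report.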

Comment 6 Shashank Raj 2016-08-23 11:15:53 UTC
Thanks Lukas.

Based on comments 3, 4 and 5, moving the fields back to original.

Comment 7 Shashank Raj 2016-08-24 08:14:31 UTC
Tried the same with nfs-ganesha 2.3 packages and no selinux issue related to exporting volume is seen.

[root@dhcp43-116 exports]# rpm -qa|grep ganesha
nfs-ganesha-2.3.3-1.el7.x86_64
glusterfs-ganesha-3.8.2-0.1.gitd33aa0b.el7rhgs.x86_64
nfs-ganesha-gluster-2.3.3-1.el7.x86_64

Comment 8 Shashank Raj 2016-09-01 09:25:41 UTC
This issue is not seen in testing with the latest gluster and ganesha builds.

Below packages have been used and tested:

glusterfs-geo-replication-3.8.3-0.6.git7956718.el7.centos.x86_64
glusterfs-api-3.8.3-0.6.git7956718.el7.centos.x86_64
glusterfs-fuse-3.8.3-0.6.git7956718.el7.centos.x86_64
glusterfs-server-3.8.3-0.6.git7956718.el7.centos.x86_64
glusterfs-libs-3.8.3-0.6.git7956718.el7.centos.x86_64
glusterfs-client-xlators-3.8.3-0.6.git7956718.el7.centos.x86_64
glusterfs-ganesha-3.8.3-0.6.git7956718.el7.centos.x86_64
glusterfs-cli-3.8.3-0.6.git7956718.el7.centos.x86_64
glusterfs-debuginfo-3.8.3-0.6.git7956718.el7.centos.x86_64
glusterfs-3.8.3-0.6.git7956718.el7.centos.x86_64

[root@dhcp43-116 ~]# rpm -qa|grep ganesha
nfs-ganesha-gluster-next.20160827.7641daf-1.el7.centos.x86_64
glusterfs-ganesha-3.8.3-0.6.git7956718.el7.centos.x86_64
nfs-ganesha-debuginfo-next.20160827.7641daf-1.el7.centos.x86_64
nfs-ganesha-next.20160827.7641daf-1.el7.centos.x86_64

Comment 9 Jiffin 2016-09-06 06:51:14 UTC
Can you please close this bug?

Comment 10 Shashank Raj 2016-09-06 06:53:38 UTC
Based on comment 8, since this issue is not seen with the latest gluster and ganesha builds, closing this bug.