Bug 1382319 - [RHEL6] SELinux prevents FUSE mounting of RDMA transport type volumes
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Gluster Storage
Classification: Red Hat Storage
Component: rdma
Version: rhgs-3.1
Hardware: x86_64
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Target Release: RHGS 3.2.0
Assignee: Anoop C S
QA Contact: Byreddy
URL:
Whiteboard:
Depends On: 1388582
Blocks: 1351528
Reported: 2016-10-06 11:02 UTC by Anoop C S
Modified: 2017-03-23 05:10 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1384487 (view as bug list)
Environment:
Last Closed: 2017-03-23 05:10:31 UTC
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1384487 0 high CLOSED [RHEL6] SELinux prevents FUSE mounting of RDMA transport type volumes 2021-02-22 00:41:40 UTC
Red Hat Product Errata RHSA-2017:0484 0 normal SHIPPED_LIVE Moderate: Red Hat Gluster Storage 3.2.0 security, bug fix, and enhancement update 2017-03-23 09:06:37 UTC

Internal Links: 1384487

Description Anoop C S 2016-10-06 11:02:44 UTC
Description of problem:
GlusterFS volumes of RDMA transport fail to FUSE mount, with the following AVCs seen in the audit logs:

type=AVC msg=audit(1475736079.350:10478): avc:  denied  { ipc_lock } for  pid=2686 comm="glusterfs" capability=14  scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=unconfined_u:system_r:glusterd_t:s0 tclass=capability
type=AVC msg=audit(1475736154.614:10485): avc:  denied  { ipc_lock } for  pid=2309 comm="glusterd" capability=14  scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=unconfined_u:system_r:glusterd_t:s0 tclass=capability

Version-Release number of selected component (if applicable):
Red Hat Gluster Storage Server 3.1 Update 3
Red Hat Enterprise Linux Server release 6.8 (Santiago)

How reproducible:
Always

Steps to Reproduce:
1. Set up RDMA stack based on IPoIB.
2. Make sure that SELinux mode is set to 'Enforcing'.
3. Create a simple 1 brick volume with transport type RDMA
4. Start the volume
5. Try fuse mounting the volume

Actual results:
Mount failed. Please check the log file for more details.

Expected results:
Mount should be successful.

Additional info:
mount log snippet
-----------------
[2016-10-06 07:20:48.678876] W [MSGID: 103071] [rdma.c:1294:gf_rdma_cm_event_handler] 0-vol-client-0: cma event RDMA_CM_EVENT_REJECTED, error 28 (me:192.168.1.6:1023 peer:192.168.1.6:24008)

Note:- Changing SELinux mode to permissive solves the issue.
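
A triage sketch for the denials quoted above, added here as an example and not part of the original report or of any Red Hat tooling: it parses the AVC records, collapses repeated events, and renders the allow rule the enforcing policy lacked, in the rule form `audit2allow` reports. `capability=14` is CAP_IPC_LOCK (memory locking); the function names are hypothetical.

```python
import re
from collections import defaultdict

# Records copied from the audit log lines quoted in the report above.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1475736079.350:10478): avc:  denied  { ipc_lock } for  pid=2686 comm="glusterfs" capability=14  scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=unconfined_u:system_r:glusterd_t:s0 tclass=capability
type=AVC msg=audit(1475736154.614:10485): avc:  denied  { ipc_lock } for  pid=2309 comm="glusterd" capability=14  scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=unconfined_u:system_r:glusterd_t:s0 tclass=capability
"""

AVC_RE = re.compile(r"type=AVC msg=audit\(([\d.]+:\d+)\): avc:\s+denied\s+\{ ([^}]+) \} for\s+(.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC denial record, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(3))}
    rec["event"], rec["perms"] = m.group(1), m.group(2).split()
    # Contexts are user:role:type:level; policy rules are written on the type.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def summarize(log_text):
    """Group denials by (source type, target type, class)."""
    groups = defaultdict(lambda: {"perms": set(), "comms": set(), "events": set()})
    for rec in filter(None, map(parse_avc, log_text.splitlines())):
        g = groups[(rec["stype"], rec["ttype"], rec["tclass"])]
        g["perms"].update(rec["perms"])
        g["comms"].add(rec["comm"])
        g["events"].add(rec["event"])  # a repeated timestamp:serial counts once
    return dict(groups)

def missing_rules(groups):
    """Render each group as the allow rule absent from the loaded policy."""
    rules = []
    for (stype, ttype, tclass), g in sorted(groups.items()):
        target = "self" if stype == ttype else ttype
        perms = sorted(g["perms"])
        body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {stype} {target}:{tclass} {body};")
    return rules

if __name__ == "__main__":
    print("\n".join(missing_rules(summarize(SAMPLE_AUDIT_LOG))))
```

The rendered rule identifies what the policy was missing for `glusterd_t`; it is a diagnostic summary, and the comments below record the issue no longer appearing with a newer SELinux policy build.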

Comment 4 Byreddy 2016-11-11 09:56:55 UTC
Verified this bug using:
RHGS: glusterfs-3.8.4-3.
RHEL: RHEL6.8 
SELinux version: 3.7.19-303.el6

Reported issue not seen with the above package versions.


"Verification details":

Result with selinux build: 3.7.19-292.el6 // Issue reproduced.
=========================================

AVC messages:
-------------
type=AVC msg=audit(1478855876.567:386280): avc:  denied  { ipc_lock } for  pid=16127 comm="glusterd" capability=14  scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=unconfined_u:system_r:glusterd_t:s0 tclass=capability
type=AVC msg=audit(1478855876.567:386280): avc:  denied  { ipc_lock } for  pid=16127 comm="glusterd" capability=14  scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=unconfined_u:system_r:glusterd_t:s0 tclass=capability
[root@rhs-cli-10 ~]# 


Mount failure and messages in mount log:
----------------------------------------
~]# mount -t glusterfs 192.168.1.6:/Dis /mnt
Mount failed. Please check the log file for more details.


[2016-11-11 09:17:56.572425] W [MSGID: 103071] [rdma.c:1294:gf_rdma_cm_event_handler] 0-Dis-client-0: cma event RDMA_CM_EVENT_REJECTED, error 28 (me:192.168.1.6:1021 peer:192.168.1.6:24008)

[2016-11-11 09:18:00.750010] W [MSGID: 103071] [rdma.c:1294:gf_rdma_cm_event_handler] 0-Dis-client-1: cma event RDMA_CM_EVENT_REJECTED, error 28 (me:192.168.1.6:1020 peer:192.168.1.6:24008)



Result with selinux build: 3.7.19-303.el6 // Issue not seen
=========================================
[root@rhs-cli-10 ~]# 
[root@rhs-cli-10 ~]# mount -t glusterfs 192.168.1.6:/Dis /mnt
[root@rhs-cli-10 ~]# 


Mount happened and no unexpected messages in mount log and audit log.

Moving to verified state.

Comment 8 errata-xmlrpc 2017-03-23 05:10:31 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2017-0484.html

