Bug 1382345 - [RHEL7] SELinux prevents starting of RDMA transport type volumes
Summary: [RHEL7] SELinux prevents starting of RDMA transport type volumes
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Gluster Storage
Classification: Red Hat Storage
Component: rdma
Version: rhgs-3.1
Hardware: x86_64
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Target Release: RHGS 3.2.0
Assignee: Anoop C S
QA Contact: Anil Shah
URL:
Whiteboard:
Depends On: 1386620
Blocks: 1351528
Reported: 2016-10-06 12:21 UTC by Anoop C S
Modified: 2017-03-23 06:08 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 1384488
Environment:
Last Closed: 2017-03-23 06:08:46 UTC
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1384488 0 high CLOSED [RHEL7] SELinux prevents starting of RDMA transport type volumes 2021-02-22 00:41:40 UTC
Red Hat Product Errata RHSA-2017:0486 0 normal SHIPPED_LIVE Moderate: Red Hat Gluster Storage 3.2.0 security, bug fix, and enhancement update 2017-03-23 09:18:45 UTC

Internal Links: 1384488

Description Anoop C S 2016-10-06 12:21:15 UTC
Description of problem:
GlusterFS volumes with RDMA transport type fail to start on issuing `gluster volume start <VOLNAME>` when SELinux is set to 'Enforcing' mode. Even though `gluster volume start <VOLNAME> force` succeeds, brick processes are never brought up.

Following that, the SELinux mode was changed to permissive, and the volume start followed by FUSE mounting worked as expected, with the following AVCs:

type=AVC msg=audit(1475755220.412:356): avc:  denied  { read write } for  pid=8325 comm="glusterfsd" name="rdma_cm" dev="devtmpfs" ino=16130 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:infiniband_device_t:s0 tclass=chr_file
type=AVC msg=audit(1475755220.412:356): avc:  denied  { open } for  pid=8325 comm="glusterfsd" path="/dev/infiniband/rdma_cm" dev="devtmpfs" ino=16130 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:infiniband_device_t:s0 tclass=chr_file
type=AVC msg=audit(1475755220.929:357): avc:  denied  { ipc_lock } for  pid=8367 comm="glusterfs" capability=14  scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:glusterd_t:s0 tclass=capability

Version-Release number of selected component (if applicable):
Red Hat Gluster Storage Server 3.1 Update 3
Red Hat Enterprise Linux Server release 7.2 (Maipo)

How reproducible:
Always

Steps to Reproduce:
1. Set up RDMA stack based on IPoIB.
2. Make sure that SELinux mode is set to 'Enforcing'.
3. Create a simple 1 brick volume with transport type RDMA.
4. Try to start the volume.
5. Alternatively force start the volume.
6. Check volume status and search for AVCs in audit log.
7. Set SELinux to permissive mode.
8. Stop and start the volume.
9. Try FUSE mounting the volume.
10. Search for AVCs in audit log.

Actual results:
SELinux in Enforcing mode
-------------------------
volume start: <VOLNAME>: failed: Commit failed on localhost. Please check log file for details.
Mount failed. Please check the log file for more details.

SELinux in Permissive mode
-------------------------
volume start: <VOLNAME>: success
Mount was successful
AVCs listed in description were seen

Expected results:
Whether SELinux is in Enforcing or Permissive mode
volume start: <VOLNAME>: success
Mount should be successful
and no AVCs must be present in audit logs

Additional info:
Brick log snippet
-----------------
[2016-10-05 10:58:06.877872] W [MSGID: 103071] [rdma.c:4594:__gf_rdma_ctx_create] 0-rpc-transport/rdma: rdma_cm event channel creation failed [Permission denied]
[2016-10-05 10:58:06.877899] W [MSGID: 103055] [rdma.c:4901:init] 0-rdma.vol-server: Failed to initialize IB Device
[2016-10-05 10:58:06.877912] W [rpc-transport.c:359:rpc_transport_load] 0-rpc-transport: 'rdma' initialization failed
[2016-10-05 10:58:06.877973] W [rpcsvc.c:1627:rpcsvc_create_listener] 0-rpc-service: cannot create listener, initing the transport failed
[2016-10-05 10:58:06.877994] W [MSGID: 115045] [server.c:1074:init] 0-vol-server: creation of listener failed
[2016-10-05 10:58:06.878013] E [MSGID: 101019] [xlator.c:433:xlator_init] 0-vol-server: Initialization of volume 'vol-server' failed, review your volfile again
[2016-10-05 10:58:06.878025] E [graph.c:322:glusterfs_graph_init] 0-vol-server: initializing translator failed
[2016-10-05 10:58:06.878034] E [graph.c:661:glusterfs_graph_activate] 0-graph: init failed
[2016-10-05 10:58:06.878741] W [glusterfsd.c:1251:cleanup_and_exit] (-->/usr/sbin/glusterfsd(mgmt_getspec_cbk+0x331) [0x7f84dd72e891] -->/usr/sbin/glusterfsd(glusterfs_process_volfp+0x172) [0x7f84dd729212] -->/usr/sbin/glusterfsd(cleanup_and_exit+0x6b) [0x7f84dd72878b] ) 0-: received signum (1), shutting down

Mount log snippet
-----------------
[2016-10-06 12:12:52.743521] W [MSGID: 103071] [rdma.c:1294:gf_rdma_cm_event_handler] 0-vol-client-0: cma event RDMA_CM_EVENT_REJECTED, error 28 (me:192.168.1.1:1022 peer:192.168.1.1:24008)
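Added example, not part of the bug report or of the Gluster or selinux-policy code: a small Python parser that takes the three AVC records quoted in the description, merges them into the allow rules a policy module would need (the shape audit2allow prints) and reports which of those permissions a given policy still does not grant, which is the check behind Comment 4 after the selinux-policy update. The `granted` mapping is assumed to be transcribed by the operator from `sesearch` output; the AVC lines are embedded as constructed sample input.

```python
import re

# AVC records copied from the bug description (constructed sample input for this example).
AVC_LOG = """\
type=AVC msg=audit(1475755220.412:356): avc:  denied  { read write } for  pid=8325 comm="glusterfsd" name="rdma_cm" dev="devtmpfs" ino=16130 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:infiniband_device_t:s0 tclass=chr_file
type=AVC msg=audit(1475755220.412:356): avc:  denied  { open } for  pid=8325 comm="glusterfsd" path="/dev/infiniband/rdma_cm" dev="devtmpfs" ino=16130 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:infiniband_device_t:s0 tclass=chr_file
type=AVC msg=audit(1475755220.929:357): avc:  denied  { ipc_lock } for  pid=8367 comm="glusterfs" capability=14  scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:glusterd_t:s0 tclass=capability
"""

# Pull the denied permission set and the source/target contexts out of one AVC line.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)


def parse_avcs(text):
    """Yield (source_type, target_type, tclass, {perms}) for each AVC denial line."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        src = m.group('scontext').split(':')[2]   # user:role:type:level -> type
        tgt = m.group('tcontext').split(':')[2]
        yield src, tgt, m.group('tclass'), set(m.group('perms').split())


def summarize_denials(text):
    """Merge denials by (source, target, class) into a sorted permission list."""
    merged = {}
    for src, tgt, cls, perms in parse_avcs(text):
        merged.setdefault((src, tgt, cls), set()).update(perms)
    return {k: sorted(v) for k, v in merged.items()}


def allow_rules(text):
    """Render the merged denials as TE allow rules, the way audit2allow would."""
    rules = []
    for (src, tgt, cls), perms in sorted(summarize_denials(text).items()):
        tgt = 'self' if tgt == src else tgt   # capability denials are against the domain itself
        rules.append(f"allow {src} {tgt}:{cls} {{ {' '.join(perms)} }};")
    return rules


def uncovered(text, granted):
    """Denials still not covered by `granted` ({(src, tgt, cls): {perms}} from the live policy).

    An empty result is the condition Comment 4 reports: no AVCs left after the policy update.
    """
    gaps = {}
    for key, perms in summarize_denials(text).items():
        missing = sorted(set(perms) - granted.get(key, set()))
        if missing:
            gaps[key] = missing
    return gaps
```

Running `allow_rules(AVC_LOG)` yields the two rules for glusterd_t (self:capability ipc_lock, and infiniband_device_t:chr_file open/read/write); feeding `uncovered` the permissions the installed policy actually grants shows which of them a policy version still lacks.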

Comment 2 Mohammed Rafi KC 2016-10-18 06:22:39 UTC
The fix depends on bug 1384488, since the bug is acked for rhel-7.3, setting devel ack for rhgs bug.

Comment 4 Anil Shah 2016-10-24 13:50:24 UTC
Not seeing AVC denied messages after upgrading selinux policy to selinux-policy-3.13.1-102.el7_3.4

Hence marking this bug verified.

Comment 6 errata-xmlrpc 2017-03-23 06:08:46 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2017-0486.html

