Description of problem:
GlusterFS volumes with RDMA transport type fail to start on issuing `gluster volume start <VOLNAME>` when SELinux is set to 'Enforcing' mode. Even though `gluster volume start <VOLNAME> force` succeeds, brick processes are never brought up. Following that, changed SELinux mode to permissive, and volume start followed by FUSE mounting worked as expected with the following AVCs:

type=AVC msg=audit(1475755220.412:356): avc: denied { read write } for pid=8325 comm="glusterfsd" name="rdma_cm" dev="devtmpfs" ino=16130 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:infiniband_device_t:s0 tclass=chr_file
type=AVC msg=audit(1475755220.412:356): avc: denied { open } for pid=8325 comm="glusterfsd" path="/dev/infiniband/rdma_cm" dev="devtmpfs" ino=16130 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:infiniband_device_t:s0 tclass=chr_file
type=AVC msg=audit(1475755220.929:357): avc: denied { ipc_lock } for pid=8367 comm="glusterfs" capability=14 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:glusterd_t:s0 tclass=capability

Version-Release number of selected component (if applicable):
Red Hat Gluster Storage Server 3.1 Update 3
Red Hat Enterprise Linux Server release 7.2 (Maipo)

How reproducible:
Always

Steps to Reproduce:
1. Set up RDMA stack based on IPoIB.
2. Make sure that SELinux mode is set to 'Enforcing'.
3. Create a simple 1 brick volume with transport type RDMA.
4. Try to start the volume.
5. Alternatively force start the volume.
6. Check volume status and search for AVCs in audit log.
7. Set SELinux to permissive mode.
8. Stop and start the volume.
9. Try FUSE mounting the volume.
10. Search for AVCs in audit log.

Actual results:

SELinux in Enforcing mode
-------------------------
volume start: <VOLNAME>: failed: Commit failed on localhost. Please check log file for details.
Mount failed. Please check the log file for more details.

SELinux in Permissive mode
-------------------------
volume start: <VOLNAME>: success
Mount was successful
AVCs listed in description were seen

Expected results:

Whether SELinux is in Enforcing or Permissive mode
volume start: <VOLNAME>: success
Mount should be successful and no AVCs must be present in audit logs

Additional info:

Brick log snippet
-----------------
[2016-10-05 10:58:06.877872] W [MSGID: 103071] [rdma.c:4594:__gf_rdma_ctx_create] 0-rpc-transport/rdma: rdma_cm event channel creation failed [Permission denied]
[2016-10-05 10:58:06.877899] W [MSGID: 103055] [rdma.c:4901:init] 0-rdma.vol-server: Failed to initialize IB Device
[2016-10-05 10:58:06.877912] W [rpc-transport.c:359:rpc_transport_load] 0-rpc-transport: 'rdma' initialization failed
[2016-10-05 10:58:06.877973] W [rpcsvc.c:1627:rpcsvc_create_listener] 0-rpc-service: cannot create listener, initing the transport failed
[2016-10-05 10:58:06.877994] W [MSGID: 115045] [server.c:1074:init] 0-vol-server: creation of listener failed
[2016-10-05 10:58:06.878013] E [MSGID: 101019] [xlator.c:433:xlator_init] 0-vol-server: Initialization of volume 'vol-server' failed, review your volfile again
[2016-10-05 10:58:06.878025] E [graph.c:322:glusterfs_graph_init] 0-vol-server: initializing translator failed
[2016-10-05 10:58:06.878034] E [graph.c:661:glusterfs_graph_activate] 0-graph: init failed
[2016-10-05 10:58:06.878741] W [glusterfsd.c:1251:cleanup_and_exit] (-->/usr/sbin/glusterfsd(mgmt_getspec_cbk+0x331) [0x7f84dd72e891] -->/usr/sbin/glusterfsd(glusterfs_process_volfp+0x172) [0x7f84dd729212] -->/usr/sbin/glusterfsd(cleanup_and_exit+0x6b) [0x7f84dd72878b] ) 0-: received signum (1), shutting down

Mount log snippet
-----------------
[2016-10-06 12:12:52.743521] W [MSGID: 103071] [rdma.c:1294:gf_rdma_cm_event_handler] 0-vol-client-0: cma event RDMA_CM_EVENT_REJECTED, error 28 (me:192.168.1.1:1022 peer:192.168.1.1:24008)
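An added example, not part of the bug report or of any Red Hat tooling: a short Python parser that groups the three AVC records quoted in the description by source type, target type and object class, and renders each group in the allow-rule syntax that audit2allow prints. The function names are hypothetical, and the rules only show which access the loaded policy lacked; the report does not state what the selinux-policy update changed.

```python
import re
from collections import defaultdict

# The three AVC records quoted in the bug description, copied verbatim.
AVC_LOG = """\
type=AVC msg=audit(1475755220.412:356): avc: denied { read write } for pid=8325 comm="glusterfsd" name="rdma_cm" dev="devtmpfs" ino=16130 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:infiniband_device_t:s0 tclass=chr_file
type=AVC msg=audit(1475755220.412:356): avc: denied { open } for pid=8325 comm="glusterfsd" path="/dev/infiniband/rdma_cm" dev="devtmpfs" ino=16130 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:infiniband_device_t:s0 tclass=chr_file
type=AVC msg=audit(1475755220.929:357): avc: denied { ipc_lock } for pid=8367 comm="glusterfs" capability=14 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:glusterd_t:s0 tclass=capability
"""

# Permission set in braces, then the source/target contexts and object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def selinux_type(context):
    """Return the type field of a user:role:type:level context string."""
    return context.split(":")[2]


def summarize_denials(log_text):
    """Map (source type, target type, class) to the set of denied permissions."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        match = AVC_RE.search(line)
        if match is None:
            continue  # not an AVC denial record
        key = (selinux_type(match["scontext"]),
               selinux_type(match["tcontext"]),
               match["tclass"])
        denials[key].update(match["perms"].split())
    return denials


def as_allow_rules(denials):
    """Render grouped denials as allow rules, one per (source, target, class)."""
    rules = []
    for (source, target, tclass), perms in sorted(denials.items()):
        target = "self" if target == source else target
        perm_text = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_text = "{ " + perm_text + " }"
        rules.append(f"allow {source} {target}:{tclass} {perm_text};")
    return rules


if __name__ == "__main__":
    print("\n".join(as_allow_rules(summarize_denials(AVC_LOG))))
```

The two chr_file records collapse into one rule on /dev/infiniband/rdma_cm's type, which lines up with the "rdma_cm event channel creation failed [Permission denied]" line in the brick log.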
The fix depends on bug 1384488. Since the bug is acked for rhel-7.3, setting devel ack for the rhgs bug.
Not seeing AVC denied messages after upgrading selinux policy to selinux-policy-3.13.1-102.el7_3.4. Hence marking this bug verified.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHSA-2017-0486.html