Bug 1382345 - [RHEL7] SELinux prevents starting of RDMA transport type volumes
Summary: [RHEL7] SELinux prevents starting of RDMA transport type volumes
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Gluster Storage
Classification: Red Hat
Component: rdma
Version: rhgs-3.1
Hardware: x86_64
OS: Linux
high
high
Target Milestone: ---
: RHGS 3.2.0
Assignee: Anoop C S
QA Contact: Anil Shah
URL:
Whiteboard:
Depends On: 1386620
Blocks: 1351528
TreeView+ depends on / blocked
 
Reported: 2016-10-06 12:21 UTC by Anoop C S
Modified: 2017-03-23 06:08 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1384488 (view as bug list)
Environment:
Last Closed: 2017-03-23 06:08:46 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:0486 normal SHIPPED_LIVE Moderate: Red Hat Gluster Storage 3.2.0 security, bug fix, and enhancement update 2017-03-23 09:18:45 UTC
Red Hat Bugzilla 1384488 None CLOSED [RHEL7] SELinux prevents starting of RDMA transport type volumes 2019-03-01 04:44:26 UTC

Internal Links: 1384488

Description Anoop C S 2016-10-06 12:21:15 UTC
Description of problem:
GlusterFS volumes with RDMA transport type fails to start on issuing `gluster volume start <VOLNAME>` when SELinux set to 'Enforcing' mode. Even though `gluster volume start <VOLNAME> force` succeeds, brick processes are never brought up.

Following that changed SELinux mode to permissive and volume start followed by FUSE mounting worked as expected with the following AVCs:

type=AVC msg=audit(1475755220.412:356): avc:  denied  { read write } for  pid=8325 comm="glusterfsd" name="rdma_cm" dev="devtmpfs" ino=16130 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:infiniband_device_t:s0 tclass=chr_file
type=AVC msg=audit(1475755220.412:356): avc:  denied  { open } for  pid=8325 comm="glusterfsd" path="/dev/infiniband/rdma_cm" dev="devtmpfs" ino=16130 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:infiniband_device_t:s0 tclass=chr_file
type=AVC msg=audit(1475755220.929:357): avc:  denied  { ipc_lock } for  pid=8367 comm="glusterfs" capability=14  scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:glusterd_t:s0 tclass=capability

Version-Release number of selected component (if applicable):
Red Hat Gluster Storage Server 3.1 Update 3
Red Hat Enterprise Linux Server release 7.2 (Maipo)

How reproducible:
Always

Steps to Reproduce:
1. Set up RDMA stack based on IPoIB.
2. Make sure that SELinux mode is set to 'Enforcing'.
3. Create a simple 1 brick volume with transport type RDMA.
4. Try to start the volume.
5. Alternatively force start the volume.
6. Check volume status and search for AVCs in audit log.
7. Set SELinux to permissive mode.
8. Stop and start the volume.
9. Try FUSE mounting the volume.
10. Search for AVCs in audit log.

Actual results:
SELinux in Enforcing mode
-------------------------
volume start: <VOLNAME>: failed: Commit failed on localhost. Please check log file for details.
Mount failed. Please check the log file for more details.

SELinux in Permissive mode
-------------------------
volume start: <VOLNAME>: success
Mount was successful
AVCs listed in description were seen

Expected results:
Whether SELinux is in Enforcing or Permissive mode
volume start: <VOLNAME>: success
Mount should be successful
and no AVCs must be present in audit logs

Additional info:
Brick log snippet
-----------------
[2016-10-05 10:58:06.877872] W [MSGID: 103071] [rdma.c:4594:__gf_rdma_ctx_create] 0-rpc-transport/rdma: rdma_cm event channel creation failed [Permission denied]
[2016-10-05 10:58:06.877899] W [MSGID: 103055] [rdma.c:4901:init] 0-rdma.vol-server: Failed to initialize IB Device
[2016-10-05 10:58:06.877912] W [rpc-transport.c:359:rpc_transport_load] 0-rpc-transport: 'rdma' initialization failed
[2016-10-05 10:58:06.877973] W [rpcsvc.c:1627:rpcsvc_create_listener] 0-rpc-service: cannot create listener, initing the transport failed
[2016-10-05 10:58:06.877994] W [MSGID: 115045] [server.c:1074:init] 0-vol-server: creation of listener failed
[2016-10-05 10:58:06.878013] E [MSGID: 101019] [xlator.c:433:xlator_init] 0-vol-server: Initialization of volume 'vol-server' failed, review your volfile again
[2016-10-05 10:58:06.878025] E [graph.c:322:glusterfs_graph_init] 0-vol-server: initializing translator failed
[2016-10-05 10:58:06.878034] E [graph.c:661:glusterfs_graph_activate] 0-graph: init failed
[2016-10-05 10:58:06.878741] W [glusterfsd.c:1251:cleanup_and_exit] (-->/usr/sbin/glusterfsd(mgmt_getspec_cbk+0x331) [0x7f84dd72e891] -->/usr/sbin/glusterfsd(glusterfs_process_volfp+0x172) [0
x7f84dd729212] -->/usr/sbin/glusterfsd(cleanup_and_exit+0x6b) [0x7f84dd72878b] ) 0-: received signum (1), shutting down

Mount log snippet
-----------------
[2016-10-06 12:12:52.743521] W [MSGID: 103071] [rdma.c:1294:gf_rdma_cm_event_handler] 0-vol-client-0: cma event RDMA_CM_EVENT_REJECTED, error 28 (me:192.168.1.1:1022 peer:192.168.1.1:24008)

Comment 2 Mohammed Rafi KC 2016-10-18 06:22:39 UTC
The fix depends on bug 1384488, since the bug is acked for rhel-7.3, setting devel ack for rhgs bug.

Comment 4 Anil Shah 2016-10-24 13:50:24 UTC
Not seeing AVC denied messages after upgrading selinux policy to selinux-policy-3.13.1-102.el7_3.4

Hence marking this bug verified.

Comment 6 errata-xmlrpc 2017-03-23 06:08:46 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2017-0486.html


Note You need to log in before you can comment on or make changes to this bug.