1383784 – selinux: ganesha permissions when running NFS-Ganesha without using glusterfs

Bug 1383784 - selinux: ganesha permissions when running NFS-Ganesha without using glusterfs

Summary: selinux: ganesha permissions when running NFS-Ganesha without using glusterfs

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	7.4
Hardware:	All
OS:	Linux
Priority:	high
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Lukas Vrabec
QA Contact:	Milos Malik
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1377248
TreeView+	depends on / blocked

Reported:	2016-10-11 18:10 UTC by Kaleb KEITHLEY
Modified:	2020-09-10 09:50 UTC (History)
CC List:	14 users (show)
Fixed In Version:	selinux-policy-3.13.1-125.el7
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2017-08-01 15:15:11 UTC
Target Upstream Version:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2017:1861	0	normal	SHIPPED_LIVE	selinux-policy bug fix update	2017-08-01 17:50:24 UTC

Description Kaleb KEITHLEY 2016-10-11 18:10:15 UTC

Description of problem:

Some people are running NFS-Ganesha using their own builds or packages from the CentOS Storage SIG, and they aren't necessarily running them with GlusterFS or RHGS (Gluster)


On 10/11/2016 12:13 PM, Swen Schillig wrote:
>
> We're experiencing an issue with ganesha permissions recently.
> Seemingly this got introduced by selinux-policy-targeted-3.13.1-
> 60.
> which is changing the ganesha executable
> from being an bin_t object to a glusterd_exec_t object.
>
> This change is making it a bit awkward for FSALs other than
> glusterfs.
> Do you have any suggestion on how to proceed here ?
>
> Thanks for your support in advance.
>
> Cheers Swen

This will soon be an issue too for Ceph when RHCS starts shipping ganesha.

Version-Release number of selected component (if applicable):

selinux-policy-targeted-3.13.1-60

How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Comment 2 Miroslav Grepl 2016-10-13 07:57:33 UTC

What are SELinux AVCs causing by this issue?

1. reproduce it
2. run 

ausearch -m avc -ts recent

Thank you.

Comment 3 Dominique Martinet 2016-10-18 20:19:17 UTC

Ganesha with FSAL VFS gets this. Basically tries to stat everything in /dev, this is in all honesty more of a ganesha bug than selinux premission problem (allowing that blindly is probably just wrong)


With 9P_RDMA enabled it needs infiniband_device_t { open read write } access

GPFS have their own /dev device, this is going to need Swen to help with that as I have no idea what it is (they need ioctl there) -- I guess it's just going to be device_t unless they ship GPFS policies, but no idea what accesses are needed. Not clearing needinfo because of that.


My own problem besides that is: ganesha shouldn't be running as glusterd_t
I'm running a nfs-ganesha server on a gluster client and both glusterfs (the client process) and ganesha.nfsd run with the same context; they really need different accesses.



time->Tue Oct 18 21:58:47 2016
type=SYSCALL msg=audit(1476820727.245:33531): arch=c000003e syscall=262 success=yes exit=0 a0=5 a1=7f7bb0f041db a2=7fff9bfe4030 a3=0 items=0 ppid=1 pid=31251 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ganesha.nfsd" exe="/usr/bin/ganesha.nfsd" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1476820727.245:33531): avc:  denied  { getattr } for  pid=31251 comm="ganesha.nfsd" path="/dev/sr0" dev="devtmpfs" ino=1784 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:removable_device_t:s0 tclass=blk_file
----
time->Tue Oct 18 21:58:47 2016
type=SYSCALL msg=audit(1476820727.245:33532): arch=c000003e syscall=262 success=yes exit=0 a0=5 a1=7f7bb0f044fb a2=7fff9bfe4030 a3=0 items=0 ppid=1 pid=31251 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ganesha.nfsd" exe="/usr/bin/ganesha.nfsd" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1476820727.245:33532): avc:  denied  { getattr } for  pid=31251 comm="ganesha.nfsd" path="/dev/rtc0" dev="devtmpfs" ino=1154 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:clock_device_t:s0 tclass=chr_file
----
time->Tue Oct 18 21:58:47 2016
type=SYSCALL msg=audit(1476820727.245:33533): arch=c000003e syscall=262 success=yes exit=0 a0=5 a1=7f7bb0f045db a2=7fff9bfe4030 a3=0 items=0 ppid=1 pid=31251 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ganesha.nfsd" exe="/usr/bin/ganesha.nfsd" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1476820727.245:33533): avc:  denied  { getattr } for  pid=31251 comm="ganesha.nfsd" path="/proc/kcore" dev="proc" ino=4026532032 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:proc_kcore_t:s0 tclass=file
----
time->Tue Oct 18 21:58:47 2016
type=SYSCALL msg=audit(1476820727.246:33534): arch=c000003e syscall=262 success=yes exit=0 a0=5 a1=7f7bb0f040d3 a2=7fff9bfe4030 a3=0 items=0 ppid=1 pid=31251 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ganesha.nfsd" exe="/usr/bin/ganesha.nfsd" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1476820727.246:33534): avc:  denied  { getattr } for  pid=31251 comm="ganesha.nfsd" path="/dev/infiniband/rdma_cm" dev="devtmpfs" ino=14613 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:infiniband_device_t:s0 tclass=chr_file
----
time->Tue Oct 18 21:58:47 2016
type=SYSCALL msg=audit(1476820727.246:33535): arch=c000003e syscall=262 success=yes exit=0 a0=5 a1=7f7bb0f0428b a2=7fff9bfe4030 a3=0 items=0 ppid=1 pid=31251 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ganesha.nfsd" exe="/usr/bin/ganesha.nfsd" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1476820727.246:33535): avc:  denied  { getattr } for  pid=31251 comm="ganesha.nfsd" path="/dev/parport0" dev="devtmpfs" ino=14574 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:printer_device_t:s0 tclass=chr_file
----
time->Tue Oct 18 21:58:47 2016
type=SYSCALL msg=audit(1476820727.246:33536): arch=c000003e syscall=262 success=yes exit=0 a0=5 a1=7f7bb0f042a3 a2=7fff9bfe4030 a3=0 items=0 ppid=1 pid=31251 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ganesha.nfsd" exe="/usr/bin/ganesha.nfsd" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1476820727.246:33536): avc:  denied  { getattr } for  pid=31251 comm="ganesha.nfsd" path="/dev/input/event4" dev="devtmpfs" ino=14553 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:event_device_t:s0 tclass=chr_file
----
time->Tue Oct 18 21:58:47 2016
type=SYSCALL msg=audit(1476820727.246:33537): arch=c000003e syscall=262 success=yes exit=0 a0=5 a1=7f7bb0f042c3 a2=7fff9bfe4030 a3=0 items=0 ppid=1 pid=31251 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ganesha.nfsd" exe="/usr/bin/ganesha.nfsd" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1476820727.246:33537): avc:  denied  { getattr } for  pid=31251 comm="ganesha.nfsd" path="/dev/sg0" dev="devtmpfs" ino=14554 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:scsi_generic_device_t:s0 tclass=chr_file
----
time->Tue Oct 18 21:58:47 2016
type=SYSCALL msg=audit(1476820727.246:33538): arch=c000003e syscall=262 success=yes exit=0 a0=5 a1=7f7bb0f0431b a2=7fff9bfe4030 a3=0 items=0 ppid=1 pid=31251 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ganesha.nfsd" exe="/usr/bin/ganesha.nfsd" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1476820727.246:33538): avc:  denied  { getattr } for  pid=31251 comm="ganesha.nfsd" path="/dev/input/mouse1" dev="devtmpfs" ino=1693 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:mouse_device_t:s0 tclass=chr_file
----
time->Tue Oct 18 21:58:47 2016
type=SYSCALL msg=audit(1476820727.246:33539): arch=c000003e syscall=262 success=yes exit=0 a0=5 a1=7f7bb0f0435b a2=7fff9bfe4030 a3=0 items=0 ppid=1 pid=31251 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ganesha.nfsd" exe="/usr/bin/ganesha.nfsd" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1476820727.246:33539): avc:  denied  { getattr } for  pid=31251 comm="ganesha.nfsd" path="/dev/dri/card0" dev="devtmpfs" ino=1683 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file
----
time->Tue Oct 18 21:58:47 2016
type=SYSCALL msg=audit(1476820727.246:33540): arch=c000003e syscall=262 success=yes exit=0 a0=5 a1=7f7bb0f0439b a2=7fff9bfe4030 a3=0 items=0 ppid=1 pid=31251 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ganesha.nfsd" exe="/usr/bin/ganesha.nfsd" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1476820727.246:33540): avc:  denied  { getattr } for  pid=31251 comm="ganesha.nfsd" path="/dev/fb0" dev="devtmpfs" ino=1684 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:framebuf_device_t:s0 tclass=chr_file
----
time->Tue Oct 18 21:58:47 2016
type=SYSCALL msg=audit(1476820727.246:33541): arch=c000003e syscall=262 success=yes exit=0 a0=5 a1=7f7bb0f043d3 a2=7fff9bfe4030 a3=0 items=0 ppid=1 pid=31251 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ganesha.nfsd" exe="/usr/bin/ganesha.nfsd" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1476820727.246:33541): avc:  denied  { getattr } for  pid=31251 comm="ganesha.nfsd" path="/dev/hidraw0" dev="devtmpfs" ino=1688 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file
----
time->Tue Oct 18 21:58:47 2016
type=SYSCALL msg=audit(1476820727.246:33542): arch=c000003e syscall=262 success=yes exit=0 a0=5 a1=7f7bb0f044e3 a2=7fff9bfe4030 a3=0 items=0 ppid=1 pid=31251 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ganesha.nfsd" exe="/usr/bin/ganesha.nfsd" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1476820727.246:33542): avc:  denied  { getattr } for  pid=31251 comm="ganesha.nfsd" path="/dev/usbmon0" dev="devtmpfs" ino=1144 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:usbmon_device_t:s0 tclass=chr_file
----
time->Tue Oct 18 21:58:47 2016
type=SYSCALL msg=audit(1476820727.246:33543): arch=c000003e syscall=262 success=yes exit=0 a0=5 a1=7f7bb0f04b1b a2=7fff9bfe4030 a3=0 items=0 ppid=1 pid=31251 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ganesha.nfsd" exe="/usr/bin/ganesha.nfsd" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1476820727.246:33543): avc:  denied  { getattr } for  pid=31251 comm="ganesha.nfsd" path="/dev/ptmx" dev="devtmpfs" ino=1134 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:ptmx_t:s0 tclass=chr_file
----
time->Tue Oct 18 21:58:47 2016
type=SYSCALL msg=audit(1476820727.246:33544): arch=c000003e syscall=262 success=yes exit=0 a0=5 a1=7f7bb0f04b6b a2=7fff9bfe4030 a3=0 items=0 ppid=1 pid=31251 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ganesha.nfsd" exe="/usr/bin/ganesha.nfsd" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1476820727.246:33544): avc:  denied  { getattr } for  pid=31251 comm="ganesha.nfsd" path="/dev/cpu/6/msr" dev="devtmpfs" ino=1120 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:cpu_device_t:s0 tclass=chr_file
----
time->Tue Oct 18 21:58:47 2016
type=SYSCALL msg=audit(1476820727.246:33545): arch=c000003e syscall=262 success=yes exit=0 a0=5 a1=7f7bb0f04c4b a2=7fff9bfe4030 a3=0 items=0 ppid=1 pid=31251 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ganesha.nfsd" exe="/usr/bin/ganesha.nfsd" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1476820727.246:33545): avc:  denied  { getattr } for  pid=31251 comm="ganesha.nfsd" path="/dev/vga_arbiter" dev="devtmpfs" ino=1026 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:xserver_misc_device_t:s0 tclass=chr_file
----
time->Tue Oct 18 21:58:47 2016
type=SYSCALL msg=audit(1476820727.246:33546): arch=c000003e syscall=262 success=yes exit=0 a0=5 a1=7f7bb0f04c8b a2=7fff9bfe4030 a3=0 items=0 ppid=1 pid=31251 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ganesha.nfsd" exe="/usr/bin/ganesha.nfsd" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1476820727.246:33546): avc:  denied  { getattr } for  pid=31251 comm="ganesha.nfsd" path="/dev/snapshot" dev="devtmpfs" ino=1132 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:apm_bios_t:s0 tclass=chr_file
----
time->Tue Oct 18 21:58:47 2016
type=SYSCALL msg=audit(1476820727.246:33547): arch=c000003e syscall=262 success=yes exit=0 a0=5 a1=7f7bb0f04cab a2=7fff9bfe4030 a3=0 items=0 ppid=1 pid=31251 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ganesha.nfsd" exe="/usr/bin/ganesha.nfsd" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1476820727.246:33547): avc:  denied  { getattr } for  pid=31251 comm="ganesha.nfsd" path="/dev/nvram" dev="devtmpfs" ino=1142 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:nvram_device_t:s0 tclass=chr_file
----
time->Tue Oct 18 21:58:47 2016
type=SYSCALL msg=audit(1476820727.246:33548): arch=c000003e syscall=262 success=yes exit=0 a0=5 a1=7f7bb0f04ccb a2=7fff9bfe4030 a3=0 items=0 ppid=1 pid=31251 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ganesha.nfsd" exe="/usr/bin/ganesha.nfsd" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1476820727.246:33548): avc:  denied  { getattr } for  pid=31251 comm="ganesha.nfsd" path="/dev/network_latency" dev="devtmpfs" ino=1176 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:netcontrol_device_t:s0 tclass=chr_file
----
time->Tue Oct 18 21:58:47 2016
type=SYSCALL msg=audit(1476820727.247:33549): arch=c000003e syscall=262 success=yes exit=0 a0=5 a1=7f7bb0f04d0b a2=7fff9bfe4030 a3=0 items=0 ppid=1 pid=31251 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ganesha.nfsd" exe="/usr/bin/ganesha.nfsd" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1476820727.247:33549): avc:  denied  { getattr } for  pid=31251 comm="ganesha.nfsd" path="/dev/mcelog" dev="devtmpfs" ino=1169 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:kmsg_device_t:s0 tclass=chr_file
----
time->Tue Oct 18 21:58:47 2016
type=SYSCALL msg=audit(1476820727.247:33550): arch=c000003e syscall=262 success=yes exit=0 a0=5 a1=7f7bb0f04d6b a2=7fff9bfe4030 a3=0 items=0 ppid=1 pid=31251 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ganesha.nfsd" exe="/usr/bin/ganesha.nfsd" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1476820727.247:33550): avc:  denied  { getattr } for  pid=31251 comm="ganesha.nfsd" path="/dev/crash" dev="devtmpfs" ino=1143 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:crash_device_t:s0 tclass=chr_file
----
time->Tue Oct 18 21:58:47 2016
type=SYSCALL msg=audit(1476820727.247:33551): arch=c000003e syscall=262 success=yes exit=0 a0=5 a1=7f7bb0f04d8b a2=7fff9bfe4030 a3=0 items=0 ppid=1 pid=31251 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ganesha.nfsd" exe="/usr/bin/ganesha.nfsd" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1476820727.247:33551): avc:  denied  { getattr } for  pid=31251 comm="ganesha.nfsd" path="/dev/autofs" dev="devtmpfs" ino=1133 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:autofs_device_t:s0 tclass=chr_file
----
time->Tue Oct 18 21:58:47 2016
type=SYSCALL msg=audit(1476820727.247:33552): arch=c000003e syscall=262 success=yes exit=0 a0=5 a1=7f7bb0f04dfb a2=7fff9bfe4030 a3=0 items=0 ppid=1 pid=31251 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ganesha.nfsd" exe="/usr/bin/ganesha.nfsd" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1476820727.247:33552): avc:  denied  { getattr } for  pid=31251 comm="ganesha.nfsd" path="/dev/port" dev="devtmpfs" ino=1029 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:memory_device_t:s0 tclass=chr_file
----
time->Tue Oct 18 21:58:47 2016
type=SYSCALL msg=audit(1476820727.247:33553): arch=c000003e syscall=262 success=yes exit=0 a0=5 a1=7f7bb0f05063 a2=7fff9bfe4030 a3=0 items=0 ppid=1 pid=31251 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ganesha.nfsd" exe="/usr/bin/ganesha.nfsd" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1476820727.247:33553): avc:  denied  { getattr } for  pid=31251 comm="ganesha.nfsd" path="/dev/mapper/control" dev="devtmpfs" ino=10263 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file
----
time->Tue Oct 18 21:58:47 2016
type=SYSCALL msg=audit(1476820727.258:33555): arch=c000003e syscall=4 success=yes exit=0 a0=7f7bb0c17c00 a1=7fff9bfe51a0 a2=7fff9bfe51a0 a3=0 items=0 ppid=1 pid=31251 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ganesha.nfsd" exe="/usr/bin/ganesha.nfsd" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1476820727.258:33555): avc:  denied  { getattr } for  pid=31251 comm="ganesha.nfsd" path="/sys/kernel/config" dev="configfs" ino=8525 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:configfs_t:s0 tclass=dir
----
time->Tue Oct 18 21:58:47 2016
type=SYSCALL msg=audit(1476820727.260:33556): arch=c000003e syscall=262 success=yes exit=0 a0=5 a1=7f7bb0f0428b a2=7fff9bfe4030 a3=0 items=0 ppid=1 pid=31251 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ganesha.nfsd" exe="/usr/bin/ganesha.nfsd" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1476820727.260:33556): avc:  denied  { getattr } for  pid=31251 comm="ganesha.nfsd" path="/dev/parport0" dev="devtmpfs" ino=14574 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:printer_device_t:s0 tclass=chr_file
----
time->Tue Oct 18 21:58:47 2016
type=SYSCALL msg=audit(1476820727.384:33557): arch=c000003e syscall=2 success=yes exit=31 a0=7f7bb42e9534 a1=80002 a2=7f7b970064a8 a3=7f7b97fd6000 items=0 ppid=1 pid=31297 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ganesha.nfsd" exe="/usr/bin/ganesha.nfsd" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1476820727.384:33557): avc:  denied  { open } for  pid=31297 comm="ganesha.nfsd" path="/dev/infiniband/rdma_cm" dev="devtmpfs" ino=14613 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:infiniband_device_t:s0 tclass=chr_file
type=AVC msg=audit(1476820727.384:33557): avc:  denied  { read write } for  pid=31297 comm="ganesha.nfsd" name="rdma_cm" dev="devtmpfs" ino=14613 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:infiniband_device_t:s0 tclass=chr_file

-- 
Dominique Martinet

Comment 4 Milos Malik 2016-10-20 10:07:07 UTC

I agree with Dominique.

Comment 5 Dominique Martinet 2016-10-21 14:44:58 UTC

I think the ideal setup is:
 - one base ganesha_t policy for common accesses (bind to port 2049 (nfs), 564 (9p); possibly more)
 + one sebool per FSAL (for example gluster will require the ability to make outgoing connections, but VFS does not)
 + possibly one sebool for 9P or NFS RDMA I guess as these devices are rather sensitive and better off unaccessible if not needed

I'm not fussy on which bools are turned on by default.


Would you need some help to get that kind of policy setup?
If you tell me how to bootstrap a new process context I can probably give you some starting point rules for the core, RDMA, VFS and possibly gluster and xfs FSALs.

Still going to need some work for the rest (ceph/rgw, proxy, zfs, gpfs), but I guess it's stuff that is probably already not working right now.

Comment 6 Swen 2016-10-24 09:14:43 UTC

I agree with Dominque that ganesha shouldn't be running as gluster_t or any other FSAL-like type.

I support the suggestions made in seq #5.

But until all FSALs provide their own policies we should make sure that the "standard" device_t type will be accepted.

Regarding the scanning of everything in /dev I wouldn't be too fuzzy, especially when each individual entry(device) could be protected by its individual type.

Regarding what's required by GPFS we ran audit2allow with an audit.log and got

root@RHEL7-31 ~]# audit2allow -M ganesha < audit.log
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i ganesha.pp

[root@RHEL7-31 ~]# cat ganesha.te

module ganesha 1.0;

require {
  type device_t;
  type glusterd_t;
  class chr_file ioctl;
}

#============= glusterd_t ==============
allow glusterd_t device_t:chr_file ioctl;

I hope this answers the remaining questions, therefore, clearing the "needinfo".

Comment 7 Kaleb KEITHLEY 2016-10-24 12:42:07 UTC

Do you have enough context from Swen and Dominique?

Comment 8 Swen 2016-10-25 07:45:37 UTC

Just in case you still want the output of the ausearch command
But I cut off a few

----
time->Tue Oct 25 08:47:35 2016
type=SYSCALL msg=audit(1477378055.001:16571): arch=c000003e syscall=2 success=no exit=-13 a0=7f9dd9f98878 a1=0 a2=1fd4f50 a3=0 items=0 ppid=1 pid=7241 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ganesha.nfsd" exe="/usr/bin/ganesha.nfsd" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1477378055.001:16571): avc:  denied  { read } for  pid=7241 comm="ganesha.nfsd" name="ss0" dev="devtmpfs" ino=51169 scontext=system_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file
----
time->Tue Oct 25 08:47:35 2016
type=SYSCALL msg=audit(1477378055.023:16572): arch=c000003e syscall=2 success=no exit=-13 a0=7f9dd9f98878 a1=0 a2=6 a3=0 items=0 ppid=1 pid=7241 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ganesha.nfsd" exe="/usr/bin/ganesha.nfsd" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1477378055.023:16572): avc:  denied  { read } for  pid=7241 comm="ganesha.nfsd" name="ss0" dev="devtmpfs" ino=51169 scontext=system_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file
----
time->Tue Oct 25 08:47:35 2016
type=SYSCALL msg=audit(1477378055.048:16573): arch=c000003e syscall=2 success=no exit=-13 a0=7f9dd9f98878 a1=0 a2=6 a3=0 items=0 ppid=1 pid=7241 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ganesha.nfsd" exe="/usr/bin/ganesha.nfsd" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1477378055.048:16573): avc:  denied  { read } for  pid=7241 comm="ganesha.nfsd" name="ss0" dev="devtmpfs" ino=51169 scontext=system_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file
----
time->Tue Oct 25 08:47:35 2016
type=SYSCALL msg=audit(1477378055.085:16574): arch=c000003e syscall=2 success=no exit=-13 a0=7f9dd9f98878 a1=0 a2=6 a3=0 items=0 ppid=1 pid=7241 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ganesha.nfsd" exe="/usr/bin/ganesha.nfsd" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1477378055.085:16574): avc:  denied  { read } for  pid=7241 comm="ganesha.nfsd" name="ss0" dev="devtmpfs" ino=51169 scontext=system_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file
----
time->Tue Oct 25 08:47:35 2016
type=SYSCALL msg=audit(1477378055.115:16575): arch=c000003e syscall=2 success=no exit=-13 a0=7f9dd9f98878 a1=0 a2=6 a3=0 items=0 ppid=1 pid=7241 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ganesha.nfsd" exe="/usr/bin/ganesha.nfsd" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1477378055.115:16575): avc:  denied  { read } for  pid=7241 comm="ganesha.nfsd" name="ss0" dev="devtmpfs" ino=51169 scontext=system_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file
----
time->Tue Oct 25 08:47:35 2016
type=SYSCALL msg=audit(1477378055.144:16576): arch=c000003e syscall=2 success=no exit=-13 a0=7f9dd9f98878 a1=0 a2=6 a3=0 items=0 ppid=1 pid=7241 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ganesha.nfsd" exe="/usr/bin/ganesha.nfsd" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1477378055.144:16576): avc:  denied  { read } for  pid=7241 comm="ganesha.nfsd" name="ss0" dev="devtmpfs" ino=51169 scontext=system_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file
----
time->Tue Oct 25 08:47:35 2016
type=SYSCALL msg=audit(1477378055.169:16577): arch=c000003e syscall=2 success=no exit=-13 a0=7f9dd9f98878 a1=0 a2=6 a3=0 items=0 ppid=1 pid=7241 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ganesha.nfsd" exe="/usr/bin/ganesha.nfsd" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1477378055.169:16577): avc:  denied  { read } for  pid=7241 comm="ganesha.nfsd" name="ss0" dev="devtmpfs" ino=51169 scontext=system_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file
----
time->Tue Oct 25 08:47:35 2016
type=SYSCALL msg=audit(1477378055.187:16578): arch=c000003e syscall=2 success=no exit=-13 a0=7f9dd9f98878 a1=0 a2=6 a3=0 items=0 ppid=1 pid=7241 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ganesha.nfsd" exe="/usr/bin/ganesha.nfsd" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1477378055.187:16578): avc:  denied  { read } for  pid=7241 comm="ganesha.nfsd" name="ss0" dev="devtmpfs" ino=51169 scontext=system_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file
----
time->Tue Oct 25 08:47:35 2016
type=SYSCALL msg=audit(1477378055.211:16579): arch=c000003e syscall=2 success=no exit=-13 a0=7f9dd9f98878 a1=0 a2=6 a3=0 items=0 ppid=1 pid=7241 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ganesha.nfsd" exe="/usr/bin/ganesha.nfsd" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1477378055.211:16579): avc:  denied  { read } for  pid=7241 comm="ganesha.nfsd" name="ss0" dev="devtmpfs" ino=51169 scontext=system_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file
----
time->Tue Oct 25 08:47:35 2016
type=SYSCALL msg=audit(1477378055.235:16580): arch=c000003e syscall=2 success=no exit=-13 a0=7f9dd9f98878 a1=0 a2=6 a3=0 items=0 ppid=1 pid=7241 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ganesha.nfsd" exe="/usr/bin/ganesha.nfsd" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1477378055.235:16580): avc:  denied  { read } for  pid=7241 comm="ganesha.nfsd" name="ss0" dev="devtmpfs" ino=51169 scontext=system_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file
----
time->Tue Oct 25 08:47:35 2016
type=SYSCALL msg=audit(1477378055.259:16581): arch=c000003e syscall=2 success=no exit=-13 a0=7f9dd9f98878 a1=0 a2=6 a3=0 items=0 ppid=1 pid=7241 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ganesha.nfsd" exe="/usr/bin/ganesha.nfsd" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1477378055.259:16581): avc:  denied  { read } for  pid=7241 comm="ganesha.nfsd" name="ss0" dev="devtmpfs" ino=51169 scontext=system_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file
----
time->Tue Oct 25 08:47:35 2016
type=SYSCALL msg=audit(1477378055.289:16582): arch=c000003e syscall=2 success=no exit=-13 a0=7f9dd9f98878 a1=0 a2=6 a3=0 items=0 ppid=1 pid=7241 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ganesha.nfsd" exe="/usr/bin/ganesha.nfsd" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1477378055.289:16582): avc:  denied  { read } for  pid=7241 comm="ganesha.nfsd" name="ss0" dev="devtmpfs" ino=51169 scontext=system_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file
----
time->Tue Oct 25 08:47:35 2016
type=SYSCALL msg=audit(1477378055.313:16583): arch=c000003e syscall=2 success=no exit=-13 a0=7f9dd9f98878 a1=0 a2=6 a3=0 items=0 ppid=1 pid=7241 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ganesha.nfsd" exe="/usr/bin/ganesha.nfsd" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1477378055.313:16583): avc:  denied  { read } for  pid=7241 comm="ganesha.nfsd" name="ss0" dev="devtmpfs" ino=51169 scontext=system_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file
----
time->Tue Oct 25 08:47:35 2016
type=SYSCALL msg=audit(1477378055.332:16584): arch=c000003e syscall=2 success=no exit=-13 a0=7f9dd9f98878 a1=0 a2=6 a3=0 items=0 ppid=1 pid=7241 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ganesha.nfsd" exe="/usr/bin/ganesha.nfsd" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1477378055.332:16584): avc:  denied  { read } for  pid=7241 comm="ganesha.nfsd" name="ss0" dev="devtmpfs" ino=51169 scontext=system_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file
----
time->Tue Oct 25 08:47:35 2016
type=SYSCALL msg=audit(1477378055.350:16585): arch=c000003e syscall=2 success=no exit=-13 a0=7f9dd9f98878 a1=0 a2=6 a3=0 items=0 ppid=1 pid=7241 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ganesha.nfsd" exe="/usr/bin/ganesha.nfsd" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1477378055.350:16585): avc:  denied  { read } for  pid=7241 comm="ganesha.nfsd" name="ss0" dev="devtmpfs" ino=51169 scontext=system_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file
----
time->Tue Oct 25 08:47:35 2016
type=SYSCALL msg=audit(1477378055.380:16586): arch=c000003e syscall=2 success=no exit=-13 a0=7f9dd9f98878 a1=0 a2=6 a3=0 items=0 ppid=1 pid=7241 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ganesha.nfsd" exe="/usr/bin/ganesha.nfsd" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1477378055.380:16586): avc:  denied  { read } for  pid=7241 comm="ganesha.nfsd" name="ss0" dev="devtmpfs" ino=51169 scontext=system_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file
----
time->Tue Oct 25 08:47:35 2016
type=SYSCALL msg=audit(1477378055.415:16587): arch=c000003e syscall=2 success=no exit=-13 a0=7f9dd9f98878 a1=0 a2=6 a3=0 items=0 ppid=1 pid=7241 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ganesha.nfsd" exe="/usr/bin/ganesha.nfsd" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1477378055.415:16587): avc:  denied  { read } for  pid=7241 comm="ganesha.nfsd" name="ss0" dev="devtmpfs" ino=51169 scontext=system_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file
----
time->Tue Oct 25 08:47:35 2016
type=SYSCALL msg=audit(1477378055.439:16588): arch=c000003e syscall=2 success=no exit=-13 a0=7f9dd9f98878 a1=0 a2=6 a3=0 items=0 ppid=1 pid=7241 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ganesha.nfsd" exe="/usr/bin/ganesha.nfsd" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1477378055.439:16588): avc:  denied  { read } for  pid=7241 comm="ganesha.nfsd" name="ss0" dev="devtmpfs" ino=51169 scontext=system_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file
----
time->Tue Oct 25 08:47:35 2016
type=SYSCALL msg=audit(1477378055.458:16589): arch=c000003e syscall=2 success=no exit=-13 a0=7f9dd9f98878 a1=0 a2=6 a3=0 items=0 ppid=1 pid=7241 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ganesha.nfsd" exe="/usr/bin/ganesha.nfsd" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1477378055.458:16589): avc:  denied  { read } for  pid=7241 comm="ganesha.nfsd" name="ss0" dev="devtmpfs" ino=51169 scontext=system_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file
----
time->Tue Oct 25 08:47:35 2016
type=SYSCALL msg=audit(1477378055.482:16590): arch=c000003e syscall=2 success=no exit=-13 a0=7f9dd9f98878 a1=0 a2=6 a3=0 items=0 ppid=1 pid=7241 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ganesha.nfsd" exe="/usr/bin/ganesha.nfsd" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1477378055.482:16590): avc:  denied  { read } for  pid=7241 comm="ganesha.nfsd" name="ss0" dev="devtmpfs" ino=51169 scontext=system_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file
----
time->Tue Oct 25 08:47:35 2016
type=SYSCALL msg=audit(1477378055.507:16591): arch=c000003e syscall=2 success=no exit=-13 a0=7f9dd9f98878 a1=0 a2=6 a3=0 items=0 ppid=1 pid=7241 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ganesha.nfsd" exe="/usr/bin/ganesha.nfsd" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1477378055.507:16591): avc:  denied  { read } for  pid=7241 comm="ganesha.nfsd" name="ss0" dev="devtmpfs" ino=51169 scontext=system_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file
----
time->Tue Oct 25 08:47:35 2016
type=SYSCALL msg=audit(1477378055.538:16592): arch=c000003e syscall=2 success=no exit=-13 a0=7f9dd9f98878 a1=0 a2=6 a3=0 items=0 ppid=1 pid=7241 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ganesha.nfsd" exe="/usr/bin/ganesha.nfsd" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1477378055.538:16592): avc:  denied  { read } for  pid=7241 comm="ganesha.nfsd" name="ss0" dev="devtmpfs" ino=51169 scontext=system_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file
----
time->Tue Oct 25 08:47:35 2016
type=SYSCALL msg=audit(1477378055.554:16593): arch=c000003e syscall=2 success=no exit=-13 a0=7f9dd9f98878 a1=0 a2=6 a3=0 items=0 ppid=1 pid=7241 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ganesha.nfsd" exe="/usr/bin/ganesha.nfsd" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1477378055.554:16593): avc:  denied  { read } for  pid=7241 comm="ganesha.nfsd" name="ss0" dev="devtmpfs" ino=51169 scontext=system_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file
----
time->Tue Oct 25 08:47:35 2016
type=SYSCALL msg=audit(1477378055.581:16594): arch=c000003e syscall=2 success=no exit=-13 a0=7f9dd9f98878 a1=0 a2=6 a3=0 items=0 ppid=1 pid=7241 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ganesha.nfsd" exe="/usr/bin/ganesha.nfsd" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1477378055.581:16594): avc:  denied  { read } for  pid=7241 comm="ganesha.nfsd" name="ss0" dev="devtmpfs" ino=51169 scontext=system_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file
----
time->Tue Oct 25 08:47:35 2016
type=SYSCALL msg=audit(1477378055.602:16595): arch=c000003e syscall=2 success=no exit=-13 a0=7f9dd9f98878 a1=0 a2=6 a3=0 items=0 ppid=1 pid=7241 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ganesha.nfsd" exe="/usr/bin/ganesha.nfsd" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1477378055.602:16595): avc:  denied  { read } for  pid=7241 comm="ganesha.nfsd" name="ss0" dev="devtmpfs" ino=51169 scontext=system_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file
----
time->Tue Oct 25 08:47:35 2016
type=SYSCALL msg=audit(1477378055.637:16596): arch=c000003e syscall=2 success=no exit=-13 a0=7f9dd9f98878 a1=0 a2=6 a3=0 items=0 ppid=1 pid=7241 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ganesha.nfsd" exe="/usr/bin/ganesha.nfsd" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1477378055.637:16596): avc:  denied  { read } for  pid=7241 comm="ganesha.nfsd" name="ss0" dev="devtmpfs" ino=51169 scontext=system_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file
----
time->Tue Oct 25 08:47:35 2016
type=SYSCALL msg=audit(1477378055.675:16597): arch=c000003e syscall=2 success=no exit=-13 a0=7f9dd9f98878 a1=0 a2=6 a3=0 items=0 ppid=1 pid=7241 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ganesha.nfsd" exe="/usr/bin/ganesha.nfsd" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1477378055.675:16597): avc:  denied  { read } for  pid=7241 comm="ganesha.nfsd" name="ss0" dev="devtmpfs" ino=51169 scontext=system_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file
----
time->Tue Oct 25 08:47:35 2016
type=SYSCALL msg=audit(1477378055.693:16598): arch=c000003e syscall=2 success=no exit=-13 a0=7f9dd9f98878 a1=0 a2=6 a3=0 items=0 ppid=1 pid=7241 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ganesha.nfsd" exe="/usr/bin/ganesha.nfsd" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1477378055.693:16598): avc:  denied  { read } for  pid=7241 comm="ganesha.nfsd" name="ss0" dev="devtmpfs" ino=51169 scontext=system_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file
----
time->Tue Oct 25 08:47:35 2016
type=SYSCALL msg=audit(1477378055.717:16599): arch=c000003e syscall=2 success=no exit=-13 a0=7f9dd9f98878 a1=0 a2=6 a3=0 items=0 ppid=1 pid=7241 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ganesha.nfsd" exe="/usr/bin/ganesha.nfsd" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1477378055.717:16599): avc:  denied  { read } for  pid=7241 comm="ganesha.nfsd" name="ss0" dev="devtmpfs" ino=51169 scontext=system_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file
----
time->Tue Oct 25 08:47:35 2016
type=SYSCALL msg=audit(1477378055.742:16600): arch=c000003e syscall=2 success=no exit=-13 a0=7f9dd9f98878 a1=0 a2=6 a3=0 items=0 ppid=1 pid=7241 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ganesha.nfsd" exe="/usr/bin/ganesha.nfsd" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1477378055.742:16600): avc:  denied  { read } for  pid=7241 comm="ganesha.nfsd" name="ss0" dev="devtmpfs" ino=51169 scontext=system_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file
----
time->Tue Oct 25 08:47:35 2016
type=SYSCALL msg=audit(1477378055.764:16601): arch=c000003e syscall=2 success=no exit=-13 a0=7f9dd9f98878 a1=0 a2=6 a3=0 items=0 ppid=1 pid=7241 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ganesha.nfsd" exe="/usr/bin/ganesha.nfsd" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1477378055.764:16601): avc:  denied  { read } for  pid=7241 comm="ganesha.nfsd" name="ss0" dev="devtmpfs" ino=51169 scontext=system_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file
----
time->Tue Oct 25 08:47:35 2016
type=SYSCALL msg=audit(1477378055.788:16602): arch=c000003e syscall=2 success=no exit=-13 a0=7f9dd9f98878 a1=0 a2=6 a3=0 items=0 ppid=1 pid=7241 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ganesha.nfsd" exe="/usr/bin/ganesha.nfsd" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1477378055.788:16602): avc:  denied  { read } for  pid=7241 comm="ganesha.nfsd" name="ss0" dev="devtmpfs" ino=51169 scontext=system_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file
----
time->Tue Oct 25 08:47:35 2016
type=SYSCALL msg=audit(1477378055.817:16603): arch=c000003e syscall=2 success=no exit=-13 a0=7f9dd9f98878 a1=0 a2=6 a3=0 items=0 ppid=1 pid=7241 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ganesha.nfsd" exe="/usr/bin/ganesha.nfsd" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1477378055.817:16603): avc:  denied  { read } for  pid=7241 comm="ganesha.nfsd" name="ss0" dev="devtmpfs" ino=51169 scontext=system_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file
----
time->Tue Oct 25 08:47:35 2016
type=SYSCALL msg=audit(1477378055.833:16604): arch=c000003e syscall=2 success=no exit=-13 a0=7f9dd9f98878 a1=0 a2=6 a3=0 items=0 ppid=1 pid=7241 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ganesha.nfsd" exe="/usr/bin/ganesha.nfsd" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1477378055.833:16604): avc:  denied  { read } for  pid=7241 comm="ganesha.nfsd" name="ss0" dev="devtmpfs" ino=51169 scontext=system_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file
----
time->Tue Oct 25 08:47:35 2016
type=SYSCALL msg=audit(1477378055.849:16605): arch=c000003e syscall=2 success=no exit=-13 a0=7f9dd9f98878 a1=0 a2=6 a3=0 items=0 ppid=1 pid=7241 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ganesha.nfsd" exe="/usr/bin/ganesha.nfsd" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1477378055.849:16605): avc:  denied  { read } for  pid=7241 comm="ganesha.nfsd" name="ss0" dev="devtmpfs" ino=51169 scontext=system_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file
----
time->Tue Oct 25 08:47:35 2016
type=SYSCALL msg=audit(1477378055.867:16606): arch=c000003e syscall=2 success=no exit=-13 a0=7f9dd9f98878 a1=0 a2=6 a3=0 items=0 ppid=1 pid=7241 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ganesha.nfsd" exe="/usr/bin/ganesha.nfsd" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1477378055.867:16606): avc:  denied  { read } for  pid=7241 comm="ganesha.nfsd" name="ss0" dev="devtmpfs" ino=51169 scontext=system_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file
----
time->Tue Oct 25 08:47:35 2016
type=SYSCALL msg=audit(1477378055.891:16607): arch=c000003e syscall=2 success=no exit=-13 a0=7f9dd9f98878 a1=0 a2=6 a3=0 items=0 ppid=1 pid=7241 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ganesha.nfsd" exe="/usr/bin/ganesha.nfsd" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1477378055.891:16607): avc:  denied  { read } for  pid=7241 comm="ganesha.nfsd" name="ss0" dev="devtmpfs" ino=51169 scontext=system_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file
----
time->Tue Oct 25 08:47:35 2016
type=SYSCALL msg=audit(1477378055.914:16608): arch=c000003e syscall=2 success=no exit=-13 a0=7f9dd9f98878 a1=0 a2=6 a3=0 items=0 ppid=1 pid=7241 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ganesha.nfsd" exe="/usr/bin/ganesha.nfsd" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1477378055.914:16608): avc:  denied  { read } for  pid=7241 comm="ganesha.nfsd" name="ss0" dev="devtmpfs" ino=51169 scontext=system_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file
----
time->Tue Oct 25 08:47:35 2016
type=SYSCALL msg=audit(1477378055.934:16609): arch=c000003e syscall=2 success=no exit=-13 a0=7f9dd9f98878 a1=0 a2=6 a3=0 items=0 ppid=1 pid=7241 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ganesha.nfsd" exe="/usr/bin/ganesha.nfsd" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1477378055.934:16609): avc:  denied  { read } for  pid=7241 comm="ganesha.nfsd" name="ss0" dev="devtmpfs" ino=51169 scontext=system_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file
----
time->Tue Oct 25 08:47:35 2016
type=SYSCALL msg=audit(1477378055.951:16610): arch=c000003e syscall=2 success=no exit=-13 a0=7f9dd9f98878 a1=0 a2=6 a3=0 items=0 ppid=1 pid=7241 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ganesha.nfsd" exe="/usr/bin/ganesha.nfsd" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1477378055.951:16610): avc:  denied  { read } for  pid=7241 comm="ganesha.nfsd" name="ss0" dev="devtmpfs" ino=51169 scontext=system_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file
----
time->Tue Oct 25 08:47:35 2016
type=SYSCALL msg=audit(1477378055.976:16611): arch=c000003e syscall=2 success=no exit=-13 a0=7f9dd9f98878 a1=0 a2=6 a3=0 items=0 ppid=1 pid=7241 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ganesha.nfsd" exe="/usr/bin/ganesha.nfsd" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1477378055.976:16611): avc:  denied  { read } for  pid=7241 comm="ganesha.nfsd" name="ss0" dev="devtmpfs" ino=51169 scontext=system_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file
----
time->Tue Oct 25 08:47:36 2016
type=SYSCALL msg=audit(1477378056.000:16612): arch=c000003e syscall=2 success=no exit=-13 a0=7f9dd9f98878 a1=0 a2=6 a3=0 items=0 ppid=1 pid=7241 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ganesha.nfsd" exe="/usr/bin/ganesha.nfsd" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1477378056.000:16612): avc:  denied  { read } for  pid=7241 comm="ganesha.nfsd" name="ss0" dev="devtmpfs" ino=51169 scontext=system_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file
----
time->Tue Oct 25 08:47:36 2016
type=SYSCALL msg=audit(1477378056.024:16613): arch=c000003e syscall=2 success=no exit=-13 a0=7f9dd9f98878 a1=0 a2=6 a3=0 items=0 ppid=1 pid=7241 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ganesha.nfsd" exe="/usr/bin/ganesha.nfsd" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1477378056.024:16613): avc:  denied  { read } for  pid=7241 comm="ganesha.nfsd" name="ss0" dev="devtmpfs" ino=51169 scontext=system_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file
----
time->Tue Oct 25 08:47:36 2016
type=SYSCALL msg=audit(1477378056.042:16614): arch=c000003e syscall=2 success=no exit=-13 a0=7f9dd9f98878 a1=0 a2=6 a3=0 items=0 ppid=1 pid=7241 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ganesha.nfsd" exe="/usr/bin/ganesha.nfsd" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1477378056.042:16614): avc:  denied  { read } for  pid=7241 comm="ganesha.nfsd" name="ss0" dev="devtmpfs" ino=51169 scontext=system_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file
----
time->Tue Oct 25 08:47:36 2016
type=SYSCALL msg=audit(1477378056.064:16615): arch=c000003e syscall=2 success=no exit=-13 a0=7f9dd9f98878 a1=0 a2=6 a3=0 items=0 ppid=1 pid=7241 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ganesha.nfsd" exe="/usr/bin/ganesha.nfsd" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1477378056.064:16615): avc:  denied  { read } for  pid=7241 comm="ganesha.nfsd" name="ss0" dev="devtmpfs" ino=51169 scontext=system_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file
----
time->Tue Oct 25 08:47:36 2016
type=SYSCALL msg=audit(1477378056.084:16616): arch=c000003e syscall=2 success=no exit=-13 a0=7f9dd9f98878 a1=0 a2=6 a3=0 items=0 ppid=1 pid=7241 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ganesha.nfsd" exe="/usr/bin/ganesha.nfsd" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1477378056.084:16616): avc:  denied  { read } for  pid=7241 comm="ganesha.nfsd" name="ss0" dev="devtmpfs" ino=51169 scontext=system_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file
----
time->Tue Oct 25 08:47:36 2016
type=SYSCALL msg=audit(1477378056.102:16617): arch=c000003e syscall=2 success=no exit=-13 a0=7f9dd9f98878 a1=0 a2=6 a3=0 items=0 ppid=1 pid=7241 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ganesha.nfsd" exe="/usr/bin/ganesha.nfsd" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1477378056.102:16617): avc:  denied  { read } for  pid=7241 comm="ganesha.nfsd" name="ss0" dev="devtmpfs" ino=51169 scontext=system_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file
----
time->Tue Oct 25 08:47:36 2016
type=SYSCALL msg=audit(1477378056.121:16618): arch=c000003e syscall=2 success=no exit=-13 a0=7f9dd9f98878 a1=0 a2=6 a3=0 items=0 ppid=1 pid=7241 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ganesha.nfsd" exe="/usr/bin/ganesha.nfsd" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1477378056.121:16618): avc:  denied  { read } for  pid=7241 comm="ganesha.nfsd" name="ss0" dev="devtmpfs" ino=51169 scontext=system_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file
----
time->Tue Oct 25 08:47:36 2016
type=SYSCALL msg=audit(1477378056.151:16619): arch=c000003e syscall=2 success=no exit=-13 a0=7f9dd9f98878 a1=0 a2=6 a3=0 items=0 ppid=1 pid=7241 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ganesha.nfsd" exe="/usr/bin/ganesha.nfsd" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1477378056.151:16619): avc:  denied  { read } for  pid=7241 comm="ganesha.nfsd" name="ss0" dev="devtmpfs" ino=51169 scontext=system_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file
----
time->Tue Oct 25 08:47:36 2016
type=SYSCALL msg=audit(1477378056.168:16620): arch=c000003e syscall=2 success=no exit=-13 a0=7f9dd9f98878 a1=0 a2=6 a3=0 items=0 ppid=1 pid=7241 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ganesha.nfsd" exe="/usr/bin/ganesha.nfsd" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1477378056.168:16620): avc:  denied  { read } for  pid=7241 comm="ganesha.nfsd" name="ss0" dev="devtmpfs" ino=51169 scontext=system_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file
----
time->Tue Oct 25 08:47:36 2016
type=SYSCALL msg=audit(1477378056.216:16621): arch=c000003e syscall=2 success=no exit=-13 a0=7f9dd9f98878 a1=0 a2=6 a3=0 items=0 ppid=1 pid=7241 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ganesha.nfsd" exe="/usr/bin/ganesha.nfsd" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1477378056.216:16621): avc:  denied  { read } for  pid=7241 comm="ganesha.nfsd" name="ss0" dev="devtmpfs" ino=51169 scontext=system_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file
----
time->Tue Oct 25 08:47:36 2016
type=SYSCALL msg=audit(1477378056.234:16622): arch=c000003e syscall=2 success=no exit=-13 a0=7f9dd9f98878 a1=0 a2=6 a3=0 items=0 ppid=1 pid=7241 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ganesha.nfsd" exe="/usr/bin/ganesha.nfsd" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1477378056.234:16622): avc:  denied  { read } for  pid=7241 comm="ganesha.nfsd" name="ss0" dev="devtmpfs" ino=51169 scontext=system_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file
----
time->Tue Oct 25 08:47:36 2016
type=SYSCALL msg=audit(1477378056.247:16623): arch=c000003e syscall=2 success=no exit=-13 a0=7f9dd9f98878 a1=0 a2=6 a3=0 items=0 ppid=1 pid=7241 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ganesha.nfsd" exe="/usr/bin/ganesha.nfsd" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1477378056.247:16623): avc:  denied  { read } for  pid=7241 comm="ganesha.nfsd" name="ss0" dev="devtmpfs" ino=51169 scontext=system_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file
----
time->Tue Oct 25 08:47:36 2016
type=SYSCALL msg=audit(1477378056.259:16624): arch=c000003e syscall=2 success=no exit=-13 a0=7f9dd9f98878 a1=0 a2=6 a3=0 items=0 ppid=1 pid=7241 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ganesha.nfsd" exe="/usr/bin/ganesha.nfsd" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1477378056.259:16624): avc:  denied  { read } for  pid=7241 comm="ganesha.nfsd" name="ss0" dev="devtmpfs" ino=51169 scontext=system_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file
----
time->Tue Oct 25 08:47:36 2016
type=SYSCALL msg=audit(1477378056.271:16625): arch=c000003e syscall=2 success=no exit=-13 a0=7f9dd9f98878 a1=0 a2=6 a3=0 items=0 ppid=1 pid=7241 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ganesha.nfsd" exe="/usr/bin/ganesha.nfsd" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1477378056.271:16625): avc:  denied  { read } for  pid=7241 comm="ganesha.nfsd" name="ss0" dev="devtmpfs" ino=51169 scontext=system_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file
----
time->Tue Oct 25 08:47:36 2016
type=SYSCALL msg=audit(1477378056.307:16626): arch=c000003e syscall=2 success=no exit=-13 a0=7f9dd9f98878 a1=0 a2=6 a3=0 items=0 ppid=1 pid=7241 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ganesha.nfsd" exe="/usr/bin/ganesha.nfsd" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1477378056.307:16626): avc:  denied  { read } for  pid=7241 comm="ganesha.nfsd" name="ss0" dev="devtmpfs" ino=51169 scontext=system_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file
----
time->Tue Oct 25 08:47:36 2016
type=SYSCALL msg=audit(1477378056.367:16627): arch=c000003e syscall=2 success=no exit=-13 a0=7f9dd9f98878 a1=0 a2=6 a3=0 items=0 ppid=1 pid=7241 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ganesha.nfsd" exe="/usr/bin/ganesha.nfsd" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1477378056.367:16627): avc:  denied  { read } for  pid=7241 comm="ganesha.nfsd" name="ss0" dev="devtmpfs" ino=51169 scontext=system_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file
----
time->Tue Oct 25 08:47:36 2016
type=SYSCALL msg=audit(1477378056.385:16628): arch=c000003e syscall=2 success=no exit=-13 a0=7f9dd9f98878 a1=0 a2=6 a3=0 items=0 ppid=1 pid=7241 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ganesha.nfsd" exe="/usr/bin/ganesha.nfsd" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1477378056.385:16628): avc:  denied  { read } for  pid=7241 comm="ganesha.nfsd" name="ss0" dev="devtmpfs" ino=51169 scontext=system_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file
---

Comment 9 Miroslav Grepl 2016-10-25 08:27:13 UTC

(In reply to Dominique Martinet from comment #3)
> Ganesha with FSAL VFS gets this. Basically tries to stat everything in /dev,
> this is in all honesty more of a ganesha bug than selinux premission problem
> (allowing that blindly is probably just wrong)
> 
> 
> With 9P_RDMA enabled it needs infiniband_device_t { open read write } access
> 
> GPFS have their own /dev device, this is going to need Swen to help with
> that as I have no idea what it is (they need ioctl there) -- I guess it's
> just going to be device_t unless they ship GPFS policies, but no idea what
> accesses are needed. Not clearing needinfo because of that.
> 
> 
> My own problem besides that is: ganesha shouldn't be running as glusterd_t
> I'm running a nfs-ganesha server on a gluster client and both glusterfs (the
> client process) and ganesha.nfsd run with the same context; they really need
> different accesses.

Lukas,
could we run it as nfsd_t? Or do we want to think about GPFS policies?

Comment 10 Milos Malik 2017-02-06 08:09:29 UTC

I would like to know more about the ss0 device, which is mentioned in the SELinux denials several times. Where is the device located? TIA

Comment 11 Dominique Martinet 2017-02-06 10:15:21 UTC

According to a quick search it seems to be a device created by GPFS to provide ioctl controls that ganesha uses (it's /dev/ss0)


I've just found out (on fedora-devel lists) that each package can provide their own set of selinux policy, in e.g. a nfs-ganesha-selinux subpackage.

Should we aim for that? Is there documentation as to what the contents should look like or should we look at an existing package?
How would it work if e.g. IBM does that for GPFS and taints /dev/ss0 as a gpfs_device_t, then ganesha wants to use that? Can we provide conditional rules "if X exists then add this permission"? Or should we have sub-sub-policy packages per FSAL e.g. nfs-ganesha-gpfs-selinux so that it'd only get installed if the user pulls nfs-ganesha-gpfs?...

Sorry for throwing a bunch of questions all at once, if there's anywhere I could read up on guidelines I'd love to learn more. It seems to me that each package providing their own rules would be way better than centrally trying to accomodate everyone.

Thanks,
-- 
Dominique Martinet

Comment 12 Dominique Martinet 2017-02-06 12:09:09 UTC

Sorry, cleared too many needinfos, reinstating the one for lvrabec in case it's still needed.

Comment 13 Lukas Vrabec 2017-02-06 16:35:43 UTC

We should change the domain for ganesha. Maybe new policy is the best way.

Comment 15 Milos Malik 2017-02-06 16:43:01 UTC

I don't know, but can ask at #rhs channel: Red Hat Internal for Red Hat Storage (RHS) and GlusterFS.

Comment 16 Milos Malik 2017-02-06 16:47:27 UTC

Or #ganesha channel at freenode.net

Comment 25 errata-xmlrpc 2017-08-01 15:15:11 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1861

Note You need to log in before you can comment on or make changes to this bug.