Bug 1384481 - [SELinux] Snapshot : Seeing AVC denied messages generated when snapshot and clones are created
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Gluster Storage
Classification: Red Hat
Component: snapshot
Version: rhgs-3.2
Hardware: x86_64
OS: Linux
unspecified
high
Target Milestone: ---
: RHGS 3.2.0
Assignee: Avra Sengupta
QA Contact: Anil Shah
Depends On: 1386621
Blocks: 1351528
Reported: 2016-10-13 11:25 UTC by Anil Shah
Modified: 2017-03-23 06:10 UTC (History)

Fixed In Version: selinux-policy-3.13.1-102.el7_3.4
: 1384483 (view as bug list)
Last Closed: 2017-03-23 06:10:01 UTC
pprakash: needinfo+


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:0486 normal SHIPPED_LIVE Moderate: Red Hat Gluster Storage 3.2.0 security, bug fix, and enhancement update 2017-03-23 09:18:45 UTC

Description Anil Shah 2016-10-13 11:25:41 UTC
Description of problem:

While creating snapshots and clones, I'm seeing AVC denied messages generated in audit.log

Version-Release number of selected component (if applicable):

[root@dhcp47-158 ~]# rpm -qa | grep glusterfs
glusterfs-client-xlators-3.8.4-2.el7rhgs.x86_64
glusterfs-server-3.8.4-2.el7rhgs.x86_64
glusterfs-events-3.8.4-2.el7rhgs.x86_64
glusterfs-3.8.4-2.el7rhgs.x86_64
glusterfs-api-3.8.4-2.el7rhgs.x86_64
glusterfs-cli-3.8.4-2.el7rhgs.x86_64
glusterfs-geo-replication-3.8.4-2.el7rhgs.x86_64
glusterfs-libs-3.8.4-2.el7rhgs.x86_64
glusterfs-fuse-3.8.4-2.el7rhgs.x86_64

[root@dhcp47-158 ~]# rpm -qa | grep selinux
libselinux-utils-2.5-6.el7.x86_64
selinux-policy-3.13.1-102.el7.noarch
libselinux-2.5-6.el7.x86_64
selinux-policy-targeted-3.13.1-102.el7.noarch
libselinux-python-2.5-6.el7.x86_64


How reproducible:

100%

Steps to Reproduce:
1. Create 2*2 distribute replicate volume
2. Create a snapshot of the volume

Actual results:

Seeing the below log messages in the audit logs while snapshots are created

type=AVC msg=audit(1476356764.172:2523): avc:  denied  { getattr } for  pid=6474 comm="xfs_db" path="/sys/kernel/config" dev="configfs" ino=5928 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:configfs_t:s0 tclass=dir


Expected results:

There should not be any AVC generated

Additional info:

Audit log messages
=================================

type=AVC msg=audit(1476352529.679:1678): avc:  denied  { getattr } for  pid=2375 comm="xfs_db" path="/sys/kernel/config" dev="configfs" ino=5928 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:configfs_t:s0 tclass=dir
type=AVC msg=audit(1476352529.685:1679): avc:  denied  { getattr } for  pid=2375 comm="xfs_db" path="/sys/kernel/config" dev="configfs" ino=5928 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:configfs_t:s0 tclass=dir
type=AVC msg=audit(1476352543.076:1680): avc:  denied  { getattr } for  pid=2427 comm="xfs_db" path="/sys/kernel/config" dev="configfs" ino=5928 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:configfs_t:s0 tclass=dir
type=AVC msg=audit(1476352543.080:1681): avc:  denied  { getattr } for  pid=2427 comm="xfs_db" path="/sys/kernel/config" dev="configfs" ino=5928 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:configfs_t:s0 tclass=dir
type=AVC msg=audit(1476352556.430:1682): avc:  denied  { getattr } for  pid=2475 comm="xfs_db" path="/sys/kernel/config" dev="configfs" ino=5928 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:configfs_t:s0 tclass=dir
type=AVC msg=audit(1476352556.448:1683): avc:  denied  { getattr } for  pid=2475 comm="xfs_db" path="/sys/kernel/config" dev="configfs" ino=5928 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:configfs_t:s0 tclass=dir
type=AVC msg=audit(1476352569.202:1691): avc:  denied  { getattr } for  pid=2532 comm="xfs_db" path="/sys/kernel/config" dev="configfs" ino=5928 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:configfs_t:s0 tclass=dir
type=AVC msg=audit(1476352569.207:1692): avc:  denied  { getattr } for  pid=2532 comm="xfs_db" path="/sys/kernel/config" dev="configfs" ino=5928 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:configfs_t:s0 tclass=dir
type=AVC msg=audit(1476352583.299:1693): avc:  denied  { getattr } for  pid=2581 comm="xfs_db" path="/sys/kernel/config" dev="configfs" ino=5928 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:configfs_t:s0 tclass=dir
type=AVC msg=audit(1476352583.304:1694): avc:  denied  { getattr } for  pid=2581 comm="xfs_db" path="/sys/kernel/config" dev="configfs" ino=5928 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:configfs_t:s0 tclass=dir
type=AVC msg=audit(1476352596.784:1695): avc:  denied  { getattr } for  pid=2629 comm="xfs_db" path="/sys/kernel/config" dev="configfs" ino=5928 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:configfs_t:s0 tclass=dir
type=AVC msg=audit(1476352596.790:1696): avc:  denied  { getattr } for  pid=2629 comm="xfs_db" path="/sys/kernel/config" dev="configfs" ino=5928 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:configfs_t:s0 tclass=dir
type=AVC msg=audit(1476352610.278:1697): avc:  denied  { getattr } for  pid=2678 comm="xfs_db" path="/sys/kernel/config" dev="configfs" ino=5928 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:configfs_t:s0 tclass=dir
type=AVC msg=audit(1476352610.283:1698): avc:  denied  { getattr } for  pid=2678 comm="xfs_db" path="/sys/kernel/config" dev="configfs" ino=5928 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:configfs_t:s0 tclass=dir
type=AVC msg=audit(1476352623.832:1706): avc:  denied  { getattr } for  pid=2733 comm="xfs_db" path="/sys/kernel/config" dev="configfs" ino=5928 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:configfs_t:s0 tclass=dir
type=AVC msg=audit(1476352623.836:1707): avc:  denied  { getattr } for  pid=2733 comm="xfs_db" path="/sys/kernel/config" dev="configfs" ino=5928 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:configfs_t:s0 tclass=dir
type=AVC msg=audit(1476352639.113:1708): avc:  denied  { getattr } for  pid=2783 comm="xfs_db" path="/sys/kernel/config" dev="configfs" ino=5928 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:configfs_t:s0 tclass=dir
type=AVC msg=audit(1476352639.120:1709): avc:  denied  { getattr } for  pid=2783 comm="xfs_db" path="/sys/kernel/config" dev="configfs" ino=5928 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:configfs_t:s0 tclass=dir
type=AVC msg=audit(1476352654.919:1710): avc:  denied  { getattr } for  pid=2834 comm="xfs_db" path="/sys/kernel/config" dev="configfs" ino=5928 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:configfs_t:s0 tclass=dir
type=AVC msg=audit(1476352654.929:1711): avc:  denied  { getattr } for  pid=2834 comm="xfs_db" path="/sys/kernel/config" dev="configfs" ino=5928 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:configfs_t:s0 tclass=dir
type=AVC msg=audit(1476352859.553:1740): avc:  denied  { getattr } for  pid=2918 comm="xfs_db" path="/sys/kernel/config" dev="configfs" ino=5928 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:configfs_t:s0 tclass=dir
type=AVC msg=audit(1476352859.560:1741): avc:  denied  { getattr } for  pid=2918 comm="xfs_db" path="/sys/kernel/config" dev="configfs" ino=5928 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:configfs_t:s0 tclass=dir
type=AVC msg=audit(1476354058.466:1896): avc:  denied  { getattr } for  pid=3639 comm="xfs_db" path="/sys/kernel/config" dev="configfs" ino=5928 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:configfs_t:s0 tclass=dir
type=AVC msg=audit(1476354058.474:1897): avc:  denied  { getattr } for  pid=3639 comm="xfs_db" path="/sys/kernel/config" dev="configfs" ino=5928 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:configfs_t:s0 tclass=dir
type=AVC msg=audit(1476356092.194:2271): avc:  denied  { getattr } for  pid=5328 comm="xfs_db" path="/sys/kernel/config" dev="configfs" ino=5928 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:configfs_t:s0 tclass=dir
type=AVC msg=audit(1476356092.205:2272): avc:  denied  { getattr } for  pid=5328 comm="xfs_db" path="/sys/kernel/config" dev="configfs" ino=5928 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:configfs_t:s0 tclass=dir
type=AVC msg=audit(1476356141.554:2287): avc:  denied  { getattr } for  pid=5414 comm="xfs_db" path="/sys/kernel/config" dev="configfs" ino=5928 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:configfs_t:s0 tclass=dir
type=AVC msg=audit(1476356141.563:2288): avc:  denied  { getattr } for  pid=5414 comm="xfs_db" path="/sys/kernel/config" dev="configfs" ino=5928 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:configfs_t:s0 tclass=dir
type=AVC msg=audit(1476356348.323:2354): avc:  denied  { getattr } for  pid=5563 comm="xfs_db" path="/sys/kernel/config" dev="configfs" ino=5928 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:configfs_t:s0 tclass=dir
type=AVC msg=audit(1476356348.331:2355): avc:  denied  { getattr } for  pid=5563 comm="xfs_db" path="/sys/kernel/config" dev="configfs" ino=5928 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:configfs_t:s0 tclass=dir
type=AVC msg=audit(1476356403.981:2382): avc:  denied  { getattr } for  pid=5661 comm="xfs_db" path="/sys/kernel/config" dev="configfs" ino=5928 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:configfs_t:s0 tclass=dir
type=AVC msg=audit(1476356403.987:2383): avc:  denied  { getattr } for  pid=5661 comm="xfs_db" path="/sys/kernel/config" dev="configfs" ino=5928 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:configfs_t:s0 tclass=dir
type=AVC msg=audit(1476356463.830:2405): avc:  denied  { getattr } for  pid=5770 comm="xfs_db" path="/sys/kernel/config" dev="configfs" ino=5928 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:configfs_t:s0 tclass=dir
type=AVC msg=audit(1476356463.837:2406): avc:  denied  { getattr } for  pid=5770 comm="xfs_db" path="/sys/kernel/config" dev="configfs" ino=5928 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:configfs_t:s0 tclass=dir
type=AVC msg=audit(1476356528.610:2430): avc:  denied  { getattr } for  pid=5849 comm="xfs_db" path="/sys/kernel/config" dev="configfs" ino=5928 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:configfs_t:s0 tclass=dir
type=AVC msg=audit(1476356528.621:2431): avc:  denied  { getattr } for  pid=5849 comm="xfs_db" path="/sys/kernel/config" dev="configfs" ino=5928 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:configfs_t:s0 tclass=dir
type=AVC msg=audit(1476356588.663:2453): avc:  denied  { getattr } for  pid=5925 comm="xfs_db" path="/sys/kernel/config" dev="configfs" ino=5928 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:configfs_t:s0 tclass=dir
type=AVC msg=audit(1476356588.674:2454): avc:  denied  { getattr } for  pid=5925 comm="xfs_db" path="/sys/kernel/config" dev="configfs" ino=5928 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:configfs_t:s0 tclass=dir
type=AVC msg=audit(1476356648.877:2476): avc:  denied  { getattr } for  pid=6013 comm="xfs_db" path="/sys/kernel/config" dev="configfs" ino=5928 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:configfs_t:s0 tclass=dir
type=AVC msg=audit(1476356648.885:2477): avc:  denied  { getattr } for  pid=6013 comm="xfs_db" path="/sys/kernel/config" dev="configfs" ino=5928 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:configfs_t:s0 tclass=dir
type=AVC msg=audit(1476356709.584:2499): avc:  denied  { getattr } for  pid=6296 comm="xfs_db" path="/sys/kernel/config" dev="configfs" ino=5928 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:configfs_t:s0 tclass=dir
type=AVC msg=audit(1476356709.592:2500): avc:  denied  { getattr } for  pid=6296 comm="xfs_db" path="/sys/kernel/config" dev="configfs" ino=5928 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:configfs_t:s0 tclass=dir
type=AVC msg=audit(1476356717.497:2501): avc:  denied  { getattr } for  pid=6356 comm="xfs_db" path="/sys/kernel/config" dev="configfs" ino=5928 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:configfs_t:s0 tclass=dir
type=AVC msg=audit(1476356717.505:2502): avc:  denied  { getattr } for  pid=6356 comm="xfs_db" path="/sys/kernel/config" dev="configfs" ino=5928 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:configfs_t:s0 tclass=dir
type=AVC msg=audit(1476356764.162:2522): avc:  denied  { getattr } for  pid=6474 comm="xfs_db" path="/sys/kernel/config" dev="configfs" ino=5928 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:configfs_t:s0 tclass=dir
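
An added example (not part of the original report): a Python triage script that collapses repeated AVC denials like the ones above into unique (source type, target type, class, permission) tuples, so the flood reduces to the one access the policy does not cover. The function names are this example's own; the three AVC sample records are copied from the report and the SYSCALL line is constructed.

```python
import re
from collections import defaultdict

# The three AVC records are copied from the report; the SYSCALL line is
# constructed for this example to show that non-AVC records are skipped.
SAMPLE = '''\
type=AVC msg=audit(1476352529.679:1678): avc:  denied  { getattr } for  pid=2375 comm="xfs_db" path="/sys/kernel/config" dev="configfs" ino=5928 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:configfs_t:s0 tclass=dir
type=AVC msg=audit(1476352529.685:1679): avc:  denied  { getattr } for  pid=2375 comm="xfs_db" path="/sys/kernel/config" dev="configfs" ino=5928 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:configfs_t:s0 tclass=dir
type=AVC msg=audit(1476352543.076:1680): avc:  denied  { getattr } for  pid=2427 comm="xfs_db" path="/sys/kernel/config" dev="configfs" ino=5928 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:configfs_t:s0 tclass=dir
type=SYSCALL msg=audit(1476352543.076:1680): arch=c000003e syscall=4 success=no exit=-13 comm="xfs_db"
'''

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s+'
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC denial, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    if not {"scontext", "tcontext", "tclass"} <= rec.keys():
        return None  # truncated record: not enough to name the access
    rec["perms"] = m.group("perms").split()
    # A context is user:role:type:level; type enforcement decides on the type.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def summarize(text):
    """Group denials by (source type, target type, class, permission)."""
    groups = defaultdict(lambda: {"count": 0, "pids": set(), "comms": set(), "paths": set()})
    for rec in filter(None, map(parse_avc, text.splitlines())):
        for perm in rec["perms"]:
            g = groups[(rec["stype"], rec["ttype"], rec["tclass"], perm)]
            g["count"] += 1
            g["pids"].add(rec.get("pid", "?"))
            g["comms"].add(rec.get("comm", "?"))
            g["paths"].add(rec.get("path", "?"))
    return dict(groups)

def describe(key):
    """Render one tuple in the subject -> object:class { perm } form."""
    stype, ttype, tclass, perm = key
    return f"{stype} -> {ttype}:{tclass} {{ {perm} }}"

if __name__ == "__main__":
    for key, g in summarize(SAMPLE).items():
        print(f'{g["count"]:>3}x {describe(key)} comm={sorted(g["comms"])} path={sorted(g["paths"])}')
```

Grouping on the SELinux types rather than on pid or timestamp is what makes every snapshot run collapse into a single entry.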




Comment 2 Avra Sengupta 2016-10-17 08:41:56 UTC
Once this fix is present in the next build of RHEL, expect this bug to get closed.

Comment 5 Atin Mukherjee 2016-10-25 12:43:46 UTC
Prasanth - I believe this BZ can be moved to ON_QA, no?

Comment 7 Milind Changire 2016-11-10 12:24:08 UTC
reverting fixed-in-version to selinux-policy-3.13.1-102.el7_3.4

Comment 8 Anil Shah 2016-11-14 10:54:25 UTC
Not seeing AVC denied message while creating snapshot and clone.

Bug verified on build glusterfs-3.8.4-5.el7rhgs.x86_64

Comment 10 errata-xmlrpc 2017-03-23 06:10:01 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2017-0486.html

