1384488 – [RHEL7] SELinux prevents starting of RDMA transport type volumes

Bug 1384488 - [RHEL7] SELinux prevents starting of RDMA transport type volumes

Summary: [RHEL7] SELinux prevents starting of RDMA transport type volumes

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	7.2
Hardware:	x86_64
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	rc
Target Release:	---
Assignee:	Lukas Vrabec
QA Contact:	Milos Malik
Docs Contact:	Mirek Jahoda
URL:
Whiteboard:
Depends On:
Blocks:	1386620
TreeView+	depends on / blocked

Reported:	2016-10-13 11:51 UTC by Raghavendra Talur
Modified:	2017-08-01 15:15 UTC (History)
CC List:	16 users (show)
Fixed In Version:	selinux-policy-3.13.1-105.el7
Doc Type:	Bug Fix
Doc Text:	Previously, the SELinux policy prevented the GlusterFS volumes configurated for the Remote Direct Memory Access (RDMA) transport from starting. With this update, a patch has been applied that fixes this bug, and the SELinux denial no longer occurs in the described situation.
Clone Of:	1382345
Clones:	1386620 (view as bug list)
Environment:
Last Closed:	2017-08-01 15:15:11 UTC
Target Upstream Version:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Bugzilla	1382345	0	high	CLOSED	[RHEL7] SELinux prevents starting of RDMA transport type volumes	2021-02-22 00:41:40 UTC
Red Hat Product Errata	RHBA-2017:1861	0	normal	SHIPPED_LIVE	selinux-policy bug fix update	2017-08-01 17:50:24 UTC

Internal Links: 1382345

Comment 1 Milos Malik 2016-10-13 12:43:41 UTC

Here is a workaround until an official fix becomes available:

# cat glusterfs-rdma.te 
policy_module(glusterfs-rdma, 1.0)

require {
  type glusterd_t;
  type infiniband_device_t;
  class capability { ipc_lock };
  class chr_file { getattr open read write };
}

allow glusterd_t glusterd_t : capability { ipc_lock };
allow glusterd_t infiniband_device_t : chr_file { getattr open read write };

# make -f /usr/share/selinux/devel/Makefile 
Compiling targeted glusterfs-rdma module
/usr/bin/checkmodule:  loading policy configuration from tmp/glusterfs-rdma.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 17) to tmp/glusterfs-rdma.mod
Creating targeted glusterfs-rdma.pp policy package
rm tmp/glusterfs-rdma.mod.fc tmp/glusterfs-rdma.mod
# semodule -i glusterfs-rdma.pp 
#

The Makefile comes from selinux-policy-devel package.

Comment 5 Anoop C S 2016-10-17 11:47:45 UTC

Hi Miroslav,

With the local policy provided in Comment #1, I could create, start and fuse mount RDMA transport type GlusterFS volumes and AVCs from bug description are no longer seen.

Comment 6 Miroslav Grepl 2016-10-18 08:58:55 UTC

(In reply to Anoop C S from comment #5)
> Hi Miroslav,
> 
> With the local policy provided in Comment #1, I could create, start and fuse
> mount RDMA transport type GlusterFS volumes and AVCs from bug description
> are no longer seen.

Great. Thank you for testing.

Comment 12 errata-xmlrpc 2017-08-01 15:15:11 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1861

Note You need to log in before you can comment on or make changes to this bug.