Description of problem:
On a 4 node ganesha cluster, when 2 nodes are rebooted the following AVC is seen.

type=USER_AVC msg=audit(11/29/2016 17:09:05.621:5138) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: denied { stop } for auid=root uid=root gid=root cmdline="/bin/systemctl stop corosync-qdevice.service" scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=service exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'

Version-Release number of selected component (if applicable):
[root@dhcp46-42 ~]# rpm -qa | grep ganesha
glusterfs-ganesha-3.8.4-5.el7rhgs.x86_64
nfs-ganesha-gluster-2.4.1-1.el7rhgs.x86_64
[root@dhcp46-42 ~]# rpm -qa | grep selinux
libselinux-utils-2.5-6.el7.x86_64
libselinux-2.5-6.el7.x86_64
libselinux-python-2.5-6.el7.x86_64
selinux-policy-3.13.1-102.el7_3.4.noarch
selinux-policy-targeted-3.13.1-102.el7_3.4.noarch

How reproducible:
Intermittent

Steps to Reproduce:
1. Create a 4 node ganesha cluster.
2. Reboot 2 nodes in the cluster so that pacemaker quorum is lost and pacemaker starts stopping the cluster services on all the nodes.

Actual results:
AVCs are seen.

type=USER_AVC msg=audit(11/29/2016 17:09:05.621:5138) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: denied { stop } for auid=root uid=root gid=root cmdline="/bin/systemctl stop corosync-qdevice.service" scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=service exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'

Expected results:
No AVCs should be seen.
Additional info:
[root@node1~]# ausearch -m avc -m user_avc -m selinux_err -i -ts today
----
type=USER_AVC msg=audit(11/29/2016 11:19:08.103:646) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: denied { stop } for auid=root uid=root gid=root cmdline="/bin/systemctl stop corosync-qdevice.service" scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=service exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
----
type=USER_AVC msg=audit(11/29/2016 17:09:05.621:5138) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: denied { stop } for auid=root uid=root gid=root cmdline="/bin/systemctl stop corosync-qdevice.service" scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=service exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
Does this workaround help?

# cat bz1399698.te
policy_module(bz1399698,1.0)

require {
	type glusterd_t;
	type init_t;
	class service { stop };
}

allow glusterd_t init_t : service { stop };

# make -f /usr/share/selinux/devel/Makefile
Compiling targeted bz1399698 module
/usr/bin/checkmodule: loading policy configuration from tmp/bz1399698.tmp
/usr/bin/checkmodule: policy configuration loaded
/usr/bin/checkmodule: writing binary representation (version 17) to tmp/bz1399698.mod
Creating targeted bz1399698.pp policy package
rm tmp/bz1399698.mod.fc tmp/bz1399698.mod
# semodule -i bz1399698.pp

The /usr/share/selinux/devel/Makefile comes from the selinux-policy-devel package.
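For triaging denials of this kind, the following added example (not code from this bug report, Red Hat or the gluster project) parses USER_AVC records in the shape that ausearch -i prints them and renders the minimal local policy module, the same shape as the workaround in the comment above. It reproduces in a few lines what audit2allow does, so the mapping from the scontext/tcontext/tclass fields of the AVC to the allow rule is explicit. The first two embedded records are the ones from this report; the third is constructed to show that repeated denials on the same source/target/class pair are merged into a single allow line. The module name and version are taken from the workaround.

```python
"""Turn SELinux USER_AVC denials into the minimal local policy module.

Added example, not code from the bug report. It mirrors what audit2allow does
for the records in this report so the AVC field -> .te rule mapping is visible.
"""
import re
from typing import Dict, List, Set, Tuple

# Sample input in the shape `ausearch -i` prints. The first two records are the
# ones quoted in the report; the third is CONSTRUCTED to show that a second denied
# permission on the same source/target/class is merged into one allow rule.
SAMPLE_AUSEARCH = """\
----
type=USER_AVC msg=audit(11/29/2016 11:19:08.103:646) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: denied { stop } for auid=root uid=root gid=root cmdline="/bin/systemctl stop corosync-qdevice.service" scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=service exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
----
type=USER_AVC msg=audit(11/29/2016 17:09:05.621:5138) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: denied { stop } for auid=root uid=root gid=root cmdline="/bin/systemctl stop corosync-qdevice.service" scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=service exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
----
type=USER_AVC msg=audit(01/01/2017 00:00:00.000:1) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=root uid=root gid=root cmdline="/bin/systemctl status corosync-qdevice.service" scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=service exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
"""

Rule = Tuple[str, str, str]  # (source type, target type, object class)

# Matches the decision, the permission set in braces, and the three fields that
# identify the rule. Fields between them (auid, cmdline, ...) are skipped lazily.
AVC_RE = re.compile(
    r"avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def type_of(context: str) -> str:
    """Extract the type from a user:role:type[:level] security context."""
    return context.split(":")[2]


def parse_denials(text: str) -> List[dict]:
    """Return one dict per 'avc: denied' record; granted records and '----' lines are skipped."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m is None or m.group("decision") != "denied":
            continue
        denials.append({
            "perms": set(m.group("perms").split()),
            "source": type_of(m.group("scontext")),
            "target": type_of(m.group("tcontext")),
            "tclass": m.group("tclass"),
        })
    return denials


def merge_rules(denials: List[dict]) -> Dict[Rule, Set[str]]:
    """Collapse denials onto (source, target, class) and union their permissions."""
    rules: Dict[Rule, Set[str]] = {}
    for d in denials:
        rules.setdefault((d["source"], d["target"], d["tclass"]), set()).update(d["perms"])
    return rules


def render_te(module_name: str, version: str, rules: Dict[Rule, Set[str]]) -> str:
    """Render a .te module with the same layout as the workaround in this report."""
    types = sorted({name for (src, tgt, _cls) in rules for name in (src, tgt)})
    classes: Dict[str, Set[str]] = {}
    for (_src, _tgt, cls), perms in rules.items():
        classes.setdefault(cls, set()).update(perms)
    out = [f"policy_module({module_name},{version})", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {cls} {{ {' '.join(sorted(perms))} }};"
            for cls, perms in sorted(classes.items())]
    out += ["}", ""]
    out += [f"allow {src} {tgt} : {cls} {{ {' '.join(sorted(perms))} }};"
            for (src, tgt, cls), perms in sorted(rules.items())]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Save the output as <module>.te, then build and load it as in the comment above:
    #   make -f /usr/share/selinux/devel/Makefile && semodule -i <module>.pp
    print(render_te("bz1399698", "1.0", merge_rules(parse_denials(SAMPLE_AUSEARCH))), end="")
```

The generated rule is deliberately as narrow as the input: only the permissions that were actually denied, on exactly the source and target types seen in the records. Every rule a local module adds widens the policy, so the rendered .te is meant to be read before it is compiled and loaded, and a denial that turns out to reflect a real misbehaviour (for example a daemon calling systemctl when it should not) is better fixed in the component than allowed in policy.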
With this local fix suggested, I have tried running the test and the issue is not seen. However, I assume functionality is not getting impacted with this AVC and it's seen intermittently.
Checked on rhel 6.8

[root@dhcp37-156 core]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.8 (Santiago)
[root@dhcp37-156 core]# rpm -qa | grep selinux
libselinux-2.0.94-7.el6.x86_64
selinux-policy-targeted-3.7.19-292.el6_8.2.noarch
libselinux-python-2.0.94-7.el6.x86_64
libselinux-utils-2.0.94-7.el6.x86_64
selinux-policy-3.7.19-292.el6_8.2.noarch

No AVCs were observed on reboot of 2 ganesha nodes out of 4 nodes.
Verified the fix in build and no AVCs are seen while rebooting the nodes.

nfs-ganesha-gluster-2.4.1-6.el7rhgs.x86_64
nfs-ganesha-2.4.1-6.el7rhgs.x86_64
glusterfs-ganesha-3.8.4-12.el7rhgs.x86_64
selinux-policy-3.13.1-102.el7_3.13.noarch
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHSA-2017-0486.html