Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1409482

Summary: [SELinux] [Eventing]: gluster-eventsapi shows a traceback while adding a webhook
Product: Red Hat Enterprise Linux 6 Reporter: Marcel Kolaja <mkolaja>
Component: selinux-policyAssignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: high Docs Contact: Mirek Jahoda <mjahoda>
Priority: urgent    
Version: 6.9CC: amukherj, avishwan, dwalsh, fkrska, lvrabec, mgrepl, mjahoda, mmalik, plautrba, pprakash, pvrabec, rcyriac, rhinduja, sanandpa, ssekidde, vbellur
Target Milestone: rcKeywords: ZStream
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.7.19-292.el6_8.3 Doc Type: Bug Fix
Doc Text:
A missing SELinux rule was previously causing errors when adding a webhook using the gluster-eventsapi command. The rule to allow "glusterd_t" domain binds on glusterd UDP port has been added, and adding a webhook using gluster-eventsapi now works properly.
Story Points: ---
Clone Of: 1404562 Environment:
Last Closed: 2017-02-23 17:39:33 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1404562    
Bug Blocks: 1379963    

Description Marcel Kolaja 2017-01-02 08:28:02 UTC
This bug has been copied from bug #1404562 and has been proposed
to be backported to 6.8 z-stream (EUS).

Comment 5 Milos Malik 2017-01-11 09:06:26 UTC
# service glustereventsd status
glustereventsd is stopped
# service glustereventsd start
Starting glustereventsd:
Failed to start Eventsd: [Errno 13] Permission denied
# service glustereventsd status
glustereventsd dead but subsys locked
# ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i
----
type=SYSCALL msg=audit(01/11/2017 03:56:58.158:205) : arch=x86_64 syscall=bind success=no exit=-13(Permission denied) a0=0x7 a1=0x7fff862d44f0 a2=0x10 a3=0x7 items=0 ppid=1796 pid=1797 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=2 comm=python exe=/usr/bin/python subj=unconfined_u:system_r:glusterd_t:s0 key=(null) 
type=AVC msg=audit(01/11/2017 03:56:58.158:205) : avc:  denied  { name_bind } for  pid=1797 comm=python src=24009 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket 
----
# seinfo --portcon=24009
	portcon tcp 24007-24027 system_u:object_r:gluster_port_t:s0
# semanage port -a -p udp -t gluster_port_t 24009
# seinfo --portcon=24009
	portcon udp 24009 system_u:object_r:gluster_port_t:s0
	portcon tcp 24007-24027 system_u:object_r:gluster_port_t:s0
# service glustereventsd status
glustereventsd dead but subsys locked
# service glustereventsd start
Starting glustereventsd:
Failed to start Eventsd: [Errno 13] Permission denied
# service glustereventsd status
glustereventsd dead but subsys locked
# ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i -ts recent
----
type=SYSCALL msg=audit(01/11/2017 04:03:00.498:221) : arch=x86_64 syscall=bind success=no exit=-13(Permission denied) a0=0x7 a1=0x7ffcc922f740 a2=0x10 a3=0x7 items=0 ppid=1901 pid=1902 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=2 comm=python exe=/usr/bin/python subj=unconfined_u:system_r:glusterd_t:s0 key=(null) 
type=AVC msg=audit(01/11/2017 04:03:00.498:221) : avc:  denied  { name_bind } for  pid=1902 comm=python src=24009 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:gluster_port_t:s0 tclass=udp_socket 
----

Above-mentioned port definition and allow rule needs to be added for the fix to be complete.

Comment 7 Milos Malik 2017-01-30 12:33:24 UTC
The AVCs mentioned in comment#5 do not appear when following SELinux boolean is enabled:

* nis_enabled

After discussion with surabhi and lvrabec, I'm not going to force a respin of this bug, because gluster QE team is not hitting the issue in their RHGS builds. The decision to fix it will be discussed in following bug report:

* https://bugzilla.redhat.com/show_bug.cgi?id=1411743

Comment 10 errata-xmlrpc 2017-02-23 17:39:33 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2017-0306.html