Bug 1409482
| Summary: | [SELinux] [Eventing]: gluster-eventsapi shows a traceback while adding a webhook | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Marcel Kolaja <mkolaja> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | high | Docs Contact: | Mirek Jahoda <mjahoda> |
| Priority: | urgent | ||
| Version: | 6.9 | CC: | amukherj, avishwan, dwalsh, fkrska, lvrabec, mgrepl, mjahoda, mmalik, plautrba, pprakash, pvrabec, rcyriac, rhinduja, sanandpa, ssekidde, vbellur |
| Target Milestone: | rc | Keywords: | ZStream |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | selinux-policy-3.7.19-292.el6_8.3 | Doc Type: | Bug Fix |
| Doc Text: |
A missing SELinux rule was previously causing errors when adding a webhook using the gluster-eventsapi command. The rule to allow "glusterd_t" domain binds on glusterd UDP port has been added, and adding a webhook using gluster-eventsapi now works properly.
|
Story Points: | --- |
| Clone Of: | 1404562 | Environment: | |
| Last Closed: | 2017-02-23 17:39:33 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1404562 | ||
| Bug Blocks: | 1379963 | ||
|
Description
Marcel Kolaja
2017-01-02 08:28:02 UTC
# service glustereventsd status
glustereventsd is stopped
# service glustereventsd start
Starting glustereventsd:
Failed to start Eventsd: [Errno 13] Permission denied
# service glustereventsd status
glustereventsd dead but subsys locked
# ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i
----
type=SYSCALL msg=audit(01/11/2017 03:56:58.158:205) : arch=x86_64 syscall=bind success=no exit=-13(Permission denied) a0=0x7 a1=0x7fff862d44f0 a2=0x10 a3=0x7 items=0 ppid=1796 pid=1797 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=2 comm=python exe=/usr/bin/python subj=unconfined_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(01/11/2017 03:56:58.158:205) : avc: denied { name_bind } for pid=1797 comm=python src=24009 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
----
# seinfo --portcon=24009
portcon tcp 24007-24027 system_u:object_r:gluster_port_t:s0
# semanage port -a -p udp -t gluster_port_t 24009
# seinfo --portcon=24009
portcon udp 24009 system_u:object_r:gluster_port_t:s0
portcon tcp 24007-24027 system_u:object_r:gluster_port_t:s0
# service glustereventsd status
glustereventsd dead but subsys locked
# service glustereventsd start
Starting glustereventsd:
Failed to start Eventsd: [Errno 13] Permission denied
# service glustereventsd status
glustereventsd dead but subsys locked
# ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i -ts recent
----
type=SYSCALL msg=audit(01/11/2017 04:03:00.498:221) : arch=x86_64 syscall=bind success=no exit=-13(Permission denied) a0=0x7 a1=0x7ffcc922f740 a2=0x10 a3=0x7 items=0 ppid=1901 pid=1902 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=2 comm=python exe=/usr/bin/python subj=unconfined_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(01/11/2017 04:03:00.498:221) : avc: denied { name_bind } for pid=1902 comm=python src=24009 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:gluster_port_t:s0 tclass=udp_socket
----
Above-mentioned port definition and allow rule needs to be added for the fix to be complete.
The AVCs mentioned in comment#5 do not appear when following SELinux boolean is enabled: * nis_enabled After discussion with surabhi and lvrabec, I'm not going to force a respin of this bug, because gluster QE team is not hitting the issue in their RHGS builds. The decision to fix it will be discussed in following bug report: * https://bugzilla.redhat.com/show_bug.cgi?id=1411743 Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2017-0306.html |