Bug 1409482 - [SELinux] [Eventing]: gluster-eventsapi shows a traceback while adding a webhook
Summary: [SELinux] [Eventing]: gluster-eventsapi shows a traceback while adding a webhook
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.9
Hardware: All
OS: Linux
Priority: urgent
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Lukas Vrabec
QA Contact: Milos Malik
Docs Contact: Mirek Jahoda
URL:
Whiteboard:
Depends On: 1404562
Blocks: 1379963
Reported: 2017-01-02 08:28 UTC by Marcel Kolaja
Modified: 2019-04-29 09:19 UTC

Fixed In Version: selinux-policy-3.7.19-292.el6_8.3
Doc Type: Bug Fix
Doc Text:
A missing SELinux rule previously caused errors when adding a webhook using the gluster-eventsapi command. A rule allowing the "glusterd_t" domain to bind to the glusterd UDP port has been added, and adding a webhook using gluster-eventsapi now works properly.
Clone Of: 1404562
Environment:
Last Closed: 2017-02-23 17:39:33 UTC
Target Upstream Version:
Embargoed:




Links
System: Red Hat Product Errata
ID: RHBA-2017:0306
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: selinux-policy bug fix update
Last Updated: 2017-02-23 22:35:42 UTC

Description Marcel Kolaja 2017-01-02 08:28:02 UTC
This bug has been copied from bug #1404562 and has been proposed
to be backported to 6.8 z-stream (EUS).

Comment 5 Milos Malik 2017-01-11 09:06:26 UTC
# service glustereventsd status
glustereventsd is stopped
# service glustereventsd start
Starting glustereventsd:
Failed to start Eventsd: [Errno 13] Permission denied
# service glustereventsd status
glustereventsd dead but subsys locked
# ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i
----
type=SYSCALL msg=audit(01/11/2017 03:56:58.158:205) : arch=x86_64 syscall=bind success=no exit=-13(Permission denied) a0=0x7 a1=0x7fff862d44f0 a2=0x10 a3=0x7 items=0 ppid=1796 pid=1797 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=2 comm=python exe=/usr/bin/python subj=unconfined_u:system_r:glusterd_t:s0 key=(null) 
type=AVC msg=audit(01/11/2017 03:56:58.158:205) : avc:  denied  { name_bind } for  pid=1797 comm=python src=24009 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket 
----
# seinfo --portcon=24009
	portcon tcp 24007-24027 system_u:object_r:gluster_port_t:s0
# semanage port -a -p udp -t gluster_port_t 24009
# seinfo --portcon=24009
	portcon udp 24009 system_u:object_r:gluster_port_t:s0
	portcon tcp 24007-24027 system_u:object_r:gluster_port_t:s0
# service glustereventsd status
glustereventsd dead but subsys locked
# service glustereventsd start
Starting glustereventsd:
Failed to start Eventsd: [Errno 13] Permission denied
# service glustereventsd status
glustereventsd dead but subsys locked
# ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i -ts recent
----
type=SYSCALL msg=audit(01/11/2017 04:03:00.498:221) : arch=x86_64 syscall=bind success=no exit=-13(Permission denied) a0=0x7 a1=0x7ffcc922f740 a2=0x10 a3=0x7 items=0 ppid=1901 pid=1902 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=2 comm=python exe=/usr/bin/python subj=unconfined_u:system_r:glusterd_t:s0 key=(null) 
type=AVC msg=audit(01/11/2017 04:03:00.498:221) : avc:  denied  { name_bind } for  pid=1902 comm=python src=24009 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:gluster_port_t:s0 tclass=udp_socket 
----

The above-mentioned port definition and allow rule need to be added for the fix to be complete.
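
The two denials in comment 5 differ only in the target type (port_t before the port is labelled, gluster_port_t afterwards), which is why both a port definition and an allow rule are needed. The following is an added example, not part of the bug report or of selinux-policy: the hypothetical helpers parse_avc() and diagnose() read a name_bind AVC record and report which of the two pieces is still missing. The sample lines are the AVC records from comment 5, and gluster_port_t as the expected type is taken from the seinfo output there.

```python
import re

# AVC records copied from comment 5: before and after `semanage port -a`.
AVC_BEFORE = ("type=AVC msg=audit(01/11/2017 03:56:58.158:205) : avc:  denied  "
              "{ name_bind } for  pid=1797 comm=python src=24009 "
              "scontext=unconfined_u:system_r:glusterd_t:s0 "
              "tcontext=system_u:object_r:port_t:s0 tclass=udp_socket ")
AVC_AFTER = ("type=AVC msg=audit(01/11/2017 04:03:00.498:221) : avc:  denied  "
             "{ name_bind } for  pid=1902 comm=python src=24009 "
             "scontext=unconfined_u:system_r:glusterd_t:s0 "
             "tcontext=system_u:object_r:gluster_port_t:s0 tclass=udp_socket ")

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")


def parse_avc(line):
    """Extract permissions, port, source/target types and class from an AVC line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    if not {"scontext", "tcontext", "tclass"} <= set(fields):
        return None
    return {
        "perms": m.group("perms").split(),
        "port": int(fields["src"]) if fields.get("src", "").isdigit() else None,
        # SELinux context layout is user:role:type:level, so the type is field 2.
        "source_type": fields["scontext"].split(":")[2],
        "target_type": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
    }


def diagnose(line, expected_port_type="gluster_port_t"):
    """For a name_bind denial, report the missing port label and the allow rule."""
    avc = parse_avc(line)
    if avc is None or "name_bind" not in avc["perms"] or avc["port"] is None:
        return None
    proto = avc["tclass"].replace("_socket", "")  # udp_socket -> udp
    labelled = avc["target_type"] == expected_port_type
    return {
        "port_label_missing": not labelled,
        # Only needed while the port still carries a type other than the expected one.
        "semanage": None if labelled else "semanage port -a -p %s -t %s %d"
                    % (proto, expected_port_type, avc["port"]),
        # Listed in both cases: comment 5 shows the denial persisting after
        # labelling. On another system, check the loaded policy before adding it.
        "allow_rule": "allow %s %s:%s name_bind;"
                      % (avc["source_type"], expected_port_type, avc["tclass"]),
    }
```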

Comment 7 Milos Malik 2017-01-30 12:33:24 UTC
The AVCs mentioned in comment#5 do not appear when the following SELinux boolean is enabled:

* nis_enabled

After discussion with surabhi and lvrabec, I'm not going to force a respin of this bug, because the gluster QE team is not hitting the issue in their RHGS builds. The decision to fix it will be discussed in the following bug report:

* https://bugzilla.redhat.com/show_bug.cgi?id=1411743

Comment 10 errata-xmlrpc 2017-02-23 17:39:33 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2017-0306.html

