Description of problem:
*************************************
When CTDB is restarted there are SELinux AVC's seen, but there are no functional issues seen. The failover also doesn't have any impact. Raising a medium priority BZ for the AVC's seen.

type=USER_AVC msg=audit(01/09/2017 12:06:11.143:3039632352) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: denied { stop } for auid=root uid=root gid=root path=/usr/lib/systemd/system/rpc-statd.service cmdline="/bin/systemctl stop nfslock.service" scontext=system_u:system_r:ctdbd_t:s0 tcontext=system_u:object_r:rpcd_unit_file_t:s0 tclass=service exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
----
type=USER_AVC msg=audit(01/09/2017 12:06:11.143:3039632353) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=root uid=root gid=root path=/usr/lib/systemd/system/rpc-statd.service cmdline="/bin/systemctl stop nfslock.service" scontext=system_u:system_r:ctdbd_t:s0 tcontext=system_u:object_r:rpcd_unit_file_t:s0 tclass=service exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
----
type=USER_AVC msg=audit(01/09/2017 12:06:42.319:3039632356) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=root uid=root gid=root path=/usr/lib/systemd/system/rpc-statd.service cmdline="/bin/systemctl start nfslock.service" scontext=system_u:system_r:ctdbd_t:s0 tcontext=system_u:object_r:rpcd_unit_file_t:s0 tclass=service exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
----
type=SYSCALL msg=audit(01/09/2017 12:06:46.751:3039632360) : arch=x86_64 syscall=openat success=yes exit=3 a0=0xffffffffffffff9c a1=0x1af56f0 a2=O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC a3=0x0 items=0 ppid=1 pid=574 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=statd-callout exe=/usr/bin/bash subj=system_u:system_r:ctdbd_t:s0 key=(null)
type=AVC msg=audit(01/09/2017 12:06:46.751:3039632360) : avc: denied { dac_override } for pid=574 comm=statd-callout capability=dac_override scontext=system_u:system_r:ctdbd_t:s0 tcontext=system_u:system_r:ctdbd_t:s0 tclass=capability

Version-Release number of selected component (if applicable):
ctdb-4.4.6-2.el7rhgs.x86_64
glusterfs-3.8.4-10.el7rhgs.x86_64
selinux-policy-3.13.1-102.el7_3.11.noarch

How reproducible:
Always

Steps to Reproduce:
1. CTDB setup with NFS
2. Restart ctdb services
3. Observe audit logs

Actual results:
SELinux AVC's seen in audit logs.

Expected results:
There should not be any AVC's.

Additional info:
Since CTDB is not monitoring kernel NFS (disabled), the statd-callout script tries to start, stop and status kernel NFS, and this does not affect the functionality of the RHGS CTDB NFS setup.
From comment #0: '/bin/systemctl stop nfslock.service' - this should not be done. Gluster/NFS does not use systemd to start the rpc.statd daemon. The process should probably get killed when Gluster/NFS is stopped though. The openat() syscall should probably be allowed though, but only when Gluster/NFS has started rpc.statd and rpc.statd tries openat().
This should be reported against the component that provides the ctdb shell script for monitoring/starting/stopping/... Gluster/NFS.
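A small triage helper for the audit records quoted in comment #0, added here as a worked example (it is not CTDB, Gluster or selinux-policy code, and the function names are my own). It parses the AVC and USER_AVC lines, groups denials by source type, target type and object class, and prints the allow rule each group would need. The point of the grouping is the one made in the follow-up: the three `service` denials all carry a `cmdline="/bin/systemctl ... nfslock.service"`, so they come from the callout invoking systemctl, which is the thing that should not happen, whereas the `dac_override` capability denial on `statd-callout` is a candidate policy gap that needs review. Feeding the whole log to audit2allow would grant both without making that distinction. The sample input is the four records from the description, copied and trimmed to one line each.

```python
"""Group SELinux AVC denials from audit.log and print the allow rule each group
would need, flagging groups that come from the callout running systemctl.
Added example for this bug; not part of any project."""
import re
from collections import defaultdict

# Constructed sample: the records quoted in comment #0, one per line.
SAMPLE_AUDIT = """\
type=USER_AVC msg=audit(01/09/2017 12:06:11.143:3039632352) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: denied { stop } for auid=root uid=root gid=root path=/usr/lib/systemd/system/rpc-statd.service cmdline="/bin/systemctl stop nfslock.service" scontext=system_u:system_r:ctdbd_t:s0 tcontext=system_u:object_r:rpcd_unit_file_t:s0 tclass=service exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(01/09/2017 12:06:11.143:3039632353) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=root uid=root gid=root path=/usr/lib/systemd/system/rpc-statd.service cmdline="/bin/systemctl stop nfslock.service" scontext=system_u:system_r:ctdbd_t:s0 tcontext=system_u:object_r:rpcd_unit_file_t:s0 tclass=service exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(01/09/2017 12:06:42.319:3039632356) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=root uid=root gid=root path=/usr/lib/systemd/system/rpc-statd.service cmdline="/bin/systemctl start nfslock.service" scontext=system_u:system_r:ctdbd_t:s0 tcontext=system_u:object_r:rpcd_unit_file_t:s0 tclass=service exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
type=SYSCALL msg=audit(01/09/2017 12:06:46.751:3039632360) : arch=x86_64 syscall=openat success=yes exit=3 ppid=1 pid=574 comm=statd-callout exe=/usr/bin/bash subj=system_u:system_r:ctdbd_t:s0 key=(null)
type=AVC msg=audit(01/09/2017 12:06:46.751:3039632360) : avc: denied { dac_override } for pid=574 comm=statd-callout capability=dac_override scontext=system_u:system_r:ctdbd_t:s0 tcontext=system_u:system_r:ctdbd_t:s0 tclass=capability
"""

# The denial itself: permission set, source/target contexts and object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?scontext=(?P<scontext>\S+)"
    r"\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)"
)
# Who triggered it: USER_AVC from systemd carries cmdline=, kernel AVC carries comm=.
ACTOR_RE = re.compile(r'cmdline="(?P<cmdline>[^"]*)"|comm=(?P<comm>\S+)')


def selinux_type(context):
    """user:role:type:level -> type"""
    return context.split(":")[2]


def parse_avc(line):
    """Return a dict for an AVC/USER_AVC denial line, or None for other records."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    a = ACTOR_RE.search(line)
    actor = (a.group("cmdline") or a.group("comm")) if a else "?"
    return {
        "perms": set(m.group("perms").split()),
        "stype": selinux_type(m.group("scontext")),
        "ttype": selinux_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
        "actor": actor,
    }


def summarize(audit_text):
    """Group denials by (source type, target type, class); merge perms and actors."""
    groups = defaultdict(lambda: {"count": 0, "perms": set(), "actors": set()})
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        g = groups[(rec["stype"], rec["ttype"], rec["tclass"])]
        g["count"] += 1
        g["perms"] |= rec["perms"]
        g["actors"].add(rec["actor"])
    return dict(groups)


def allow_rule(stype, ttype, tclass, perms):
    """The policy rule that would silence the group (what audit2allow would emit)."""
    target = "self" if stype == ttype else ttype
    perms = sorted(perms)
    plist = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {stype} {target}:{tclass} {plist};"


def from_systemctl(group):
    """True when every denial in the group was the callout invoking systemctl."""
    return all(a.startswith("/bin/systemctl") for a in group["actors"])


def triage(audit_text):
    """List of (rule, count, verdict), sorted by key for stable output."""
    out = []
    for (stype, ttype, tclass), g in sorted(summarize(audit_text).items()):
        rule = allow_rule(stype, ttype, tclass, g["perms"])
        verdict = ("script bug: callout should not call systemctl"
                   if from_systemctl(g) else "candidate policy gap")
        out.append((rule, g["count"], verdict))
    return out


if __name__ == "__main__":
    for rule, count, verdict in triage(SAMPLE_AUDIT):
        print(f"{count}x  {rule}  # {verdict}")
```

On a live node the same parser can be pointed at `ausearch -m AVC,USER_AVC -ts recent` output; the verdict column is what a policy reviewer needs before deciding whether a denial gets a local module or a fix in the script that caused it.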