Bug 1445693 - [SELinux] statedump is not able to dump the file in /var/run/gluster because of SELinux permissions.
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Gluster Storage
Classification: Red Hat Storage
Component: samba
Version: rhgs-3.3
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: ---
Target Release: RHGS 3.3.0
Assignee: Michael Adam
QA Contact: Vivek Das
URL:
Whiteboard:
Depends On: 1447669
Blocks: 1417151
Reported: 2017-04-26 10:08 UTC by surabhi
Modified: 2017-09-25 11:23 UTC (History)

Fixed In Version: selinux-policy-3.13.1-152.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1447669
Environment:
Last Closed: 2017-09-25 11:23:01 UTC
Embargoed:



Description surabhi 2017-04-26 10:08:13 UTC
Description of problem:
*********************************
On a samba setup, if the statedump command is executed to collect the statedump on the gfapi side, the file is not getting dumped to the location /var/run/gluster.

There are two issues observed:
1. One is that /var/run/gluster doesn't have write permission.
2. SELinux is preventing smbd from writing to /var/run/gluster

The 1st issue is being discussed in upstream and there is another bug which may track it.

For the 2nd issue we need the SELinux policy to set the context for smbd to access and write to /var/run/gluster

After setting SELinux to permissive and providing permission to the user, it was able to dump.

We need to check on the default path for dumping the statedump, as this issue may occur even with a non-root user as well.


Version-Release number of selected component (if applicable):
*********************************************

glusterfs-3.8.4-23.el7rhgs.x86_64



How reproducible:
****************************
Always

Steps to Reproduce:
****************************
1. Create a samba setup
2. Mount a volume, run some I/Os
3. Run the statedump command as follows and check for the file:

gluster volume statedump testvol client 10.70.47.45:32036


Actual results:
***************************
The file is not getting dumped in the default location due to SELinux preventing smbd from accessing and writing to /var/run/gluster.

type=AVC msg=audit(1493119101.557:152328): avc:  denied  { write } for  pid=32043 comm="smbd" name="gluster" dev="tmpfs" ino=14636 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:glusterd_var_run_t:s0 tclass=dir


Expected results:
****************************
statedump should succeed and dump the file in /var/run/gluster.


Additional info:
*********************
How are we going to handle the permissions on this location?
Maybe change the default location to /var/log/glusterfs?
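
As an added example (not part of the original report, and not Gluster or selinux-policy code), the sketch below parses the AVC record quoted under "Actual results" and extracts the source domain, target type, object class and permission that a policy fix has to cover. The function names are hypothetical.

```python
import re
from datetime import datetime, timezone

# AVC record copied from the "Actual results" section of this report.
SAMPLE = ('type=AVC msg=audit(1493119101.557:152328): avc:  denied  { write } for  '
          'pid=32043 comm="smbd" name="gluster" dev="tmpfs" ino=14636 '
          'scontext=system_u:system_r:smbd_t:s0 '
          'tcontext=system_u:object_r:glusterd_var_run_t:s0 tclass=dir')

HEADER = re.compile(r'type=AVC msg=audit\((\d+)\.\d+:(\d+)\): avc:\s+(denied|granted)'
                    r'\s+\{([^}]*)\}\s+for\s+(.*)')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def selinux_type(context):
    """Return the type from user:role:type:level (the level may contain ':')."""
    parts = context.split(':', 3)
    return parts[2] if len(parts) >= 3 else None


def parse_avc(line):
    """Parse one AVC audit record into a dict, or None if it is not one."""
    m = HEADER.search(line)
    if m is None:
        return None
    secs, serial, result, perms, rest = m.groups()
    fields = {k: v.strip('"') for k, v in FIELD.findall(rest)}
    if not {'scontext', 'tcontext', 'tclass'} <= fields.keys():
        return None
    return {
        'time': datetime.fromtimestamp(int(secs), tz=timezone.utc).isoformat(),
        'serial': int(serial),
        'result': result,
        'perms': perms.split(),
        'comm': fields.get('comm'),
        'name': fields.get('name'),
        'source_type': selinux_type(fields['scontext']),
        'target_type': selinux_type(fields['tcontext']),
        'tclass': fields['tclass'],
    }


def summarize(rec):
    """One-line triage summary: which domain was refused what, on which type."""
    perms = ' '.join(rec['perms'])
    return (f"{rec['result']}: {rec['source_type']} ({rec['comm']}) -> "
            f"{rec['target_type']}:{rec['tclass']} {{ {perms} }}")


if __name__ == '__main__':
    print(summarize(parse_avc(SAMPLE)))
```

The summary line names the confined domain (smbd_t), the label on the directory (glusterd_var_run_t) and the refused permission, which is the information the selinux-policy maintainers need from a report like this one.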

Comment 2 Niels de Vos 2017-05-03 12:30:48 UTC
This needs to be addressed in the selinux-policy package. Any process using libgfapi.so should have SELinux permissions to create new files under /var/run/gluster/

We could think about changing the default location of the statedumps, but that will affect other tools that try to collect those files. It probably is a good idea to give gfapi users the option to select a different directory. The directory probably needs to be different per application, otherwise the new default location will likely have problems with other applications...

Comment 3 Niels de Vos 2017-05-03 12:50:27 UTC
Bug 1447669 has been reported to get a fix in selinux-policy for RHEL7. If this problem exists on RHEL6 too, an additional bug for RHEL6/selinux-policy needs to be filed.

Comment 7 Vivek Das 2017-06-13 12:27:32 UTC
Validated the bug against RHEL7 and I was able to get the statedump in the default location, i.e. /var/run/gluster, when SELinux is Enforcing.
Followed the steps to reproduce:
gluster volume statedump <VOLNAME> client localhost:<smbd_pid>.

However, it is failing in RHEL6, for which we have a separate bug: #1461044

