1448090 – [GANESHA] AVC denials for unreserved port observed while changing RQUOTA port in ganesha.conf file

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1448090 - [GANESHA] AVC denials for unreserved port observed while changing RQUOTA port in ganesha.conf file

Summary: [GANESHA] AVC denials for unreserved port observed while changing RQUOTA port...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	7.3
Hardware:	All
OS:	Linux
Priority:	urgent
Severity:	unspecified
Target Milestone:	pre-dev-freeze
Target Release:	---
Assignee:	Lukas Vrabec
QA Contact:	Milos Malik
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1450038 1455236
TreeView+	depends on / blocked

Reported:	2017-05-04 13:52 UTC by Manisha Saini
Modified:	2020-09-10 10:32 UTC (History)
CC List:	16 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Clones:	1450038 1455236 (view as bug list)
Environment:
Last Closed:	2017-08-01 15:26:23 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2017:1861	0	normal	SHIPPED_LIVE	selinux-policy bug fix update	2017-08-01 17:50:24 UTC

Description Manisha Saini 2017-05-04 13:52:56 UTC

Description of problem:

Due to some gluster process using  Rquota_Port 875,ganesha service failed to come up after reboot.So if the Rquota_Port is changed in ganesha.conf file,AVC's denials were observed in audit.log 

Version-Release number of selected component (if applicable):

# rpm -qa | grep selinux
selinux-policy-targeted-3.13.1-102.el7.noarch
libselinux-utils-2.5-6.el7.x86_64
libselinux-2.5-6.el7.x86_64
libselinux-python-2.5-6.el7.x86_64
selinux-policy-3.13.1-102.el7.noarch

glusterfs-ganesha-3.8.4-24.el7rhgs.x86_64

# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 7.3 (Maipo)

How reproducible:


Steps to Reproduce:
1.Create 8 node ganesha cluster.
2.Create volume.Enable ganesha on it.
3.Mount the volume to client and run IO's.
4.Reboot one of the node

Actual results:
On rebooted node ganesha service failed to come up due to Rquota bind issue (as the 875 port which is there for RQUOTA is being used by some other gluster process).
After changing the RQUOTA_port to 8750 in ganesha.conf,AVC denials were observed in audit.log


Expected results:
No AVC denials should be seen.

Additional info:

# tailf /var/log/ganesha.log 
04/05/2017 18:58:50 : epoch 40f00000 : dhcp42-127.lab.eng.blr.redhat.com : ganesha.nfsd-17333[main] init_server_pkgs :NFS STARTUP :EVENT :ID Mapper successfully initialized.
04/05/2017 18:58:50 : epoch 40f00000 : dhcp42-127.lab.eng.blr.redhat.com : ganesha.nfsd-17333[main] glusterfs_create_export :FSAL :EVENT :Volume ganesha1 exported at : '/'
04/05/2017 18:58:57 : epoch 40f00000 : dhcp42-127.lab.eng.blr.redhat.com : ganesha.nfsd-17333[main] glusterfs_create_export :FSAL :EVENT :Volume ganesha2 exported at : '/'
04/05/2017 18:59:03 : epoch 40f00000 : dhcp42-127.lab.eng.blr.redhat.com : ganesha.nfsd-17333[main] glusterfs_create_export :FSAL :EVENT :Volume ganesha3 exported at : '/'
04/05/2017 18:59:09 : epoch 40f00000 : dhcp42-127.lab.eng.blr.redhat.com : ganesha.nfsd-17333[main] lower_my_caps :NFS STARTUP :EVENT :CAP_SYS_RESOURCE was successfully removed for proper quota management in FSAL
04/05/2017 18:59:09 : epoch 40f00000 : dhcp42-127.lab.eng.blr.redhat.com : ganesha.nfsd-17333[main] lower_my_caps :NFS STARTUP :EVENT :currenty set capabilities are: = cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap+ep
04/05/2017 18:59:09 : epoch 40f00000 : dhcp42-127.lab.eng.blr.redhat.com : ganesha.nfsd-17333[main] Bind_sockets_V6 :DISP :WARN :Cannot bind RQUOTA tcp6 socket, error 98 (Address already in use)
04/05/2017 18:59:09 : epoch 40f00000 : dhcp42-127.lab.eng.blr.redhat.com : ganesha.nfsd-17333[main] Bind_sockets :DISP :FATAL :Error binding to V6 interface. Cannot continue.
04/05/2017 18:59:09 : epoch 40f00000 : dhcp42-127.lab.eng.blr.redhat.com : ganesha.nfsd-17333[main] unregister_fsal :FSAL :CRIT :Unregister FSAL GLUSTER with non-zero refcount=3
04/05/2017 18:59:09 : epoch 40f00000 : dhcp42-127.lab.eng.blr.redhat.com : ganesha.nfsd-17333[main] glusterfs_unload :FSAL :CRIT :FSAL Gluster unable to unload.  Dying ...


#/var/log/audit/audit.log

type=AVC msg=audit(1493900430.337:1467): avc:  denied  { name_bind } for  pid=28137 comm="ganesha.nfsd" src=8751 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket

type=AVC msg=audit(1493900510.810:1481): avc:  denied  { name_bind } for  pid=28253 comm="ganesha.nfsd" src=8751 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket




According to comment #1 of https://bugzilla.redhat.com/show_bug.cgi?id=1357508,
this issue seems to be fixed in Rhel 7.3

Comment 2 Manisha Saini 2017-05-05 11:43:37 UTC

On setting setsebool -P nis_enabled on ,No AVC's related to unreserved port were observed.
And on restarting nfs-ganesha service, the ganesha process came up on node.

Comment 12 Milos Malik 2017-05-17 09:31:15 UTC

I assumed that ganesha.conf file uses a non-default value of Rquota_Port.

Following SELinux denial appears in permissive mode:
----
type=PROCTITLE msg=audit(05/17/2017 11:27:07.835:826) : proctitle=bash -c nc -u -6 -l ::1 8750 
type=SOCKADDR msg=audit(05/17/2017 11:27:07.835:826) : saddr={ fam=inet6 laddr=::1 lport=8750 } 
type=SYSCALL msg=audit(05/17/2017 11:27:07.835:826) : arch=x86_64 syscall=bind success=yes exit=0 a0=0x3 a1=0x658c60 a2=0x80 a3=0x7ffdad5b9440 items=0 ppid=1707 pid=5447 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=1 comm=nc exe=/usr/bin/ncat subj=system_u:system_r:ganesha_t:s0 key=(null) 
type=AVC msg=audit(05/17/2017 11:27:07.835:826) : avc:  denied  { name_bind } for  pid=5447 comm=nc src=8750 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket permissive=1 
----

Using a fake reproducer:
# runcon system_u:system_r:ganesha_t:s0 bash -c 'nc -u -6 -l ::1 8750'

Comment 51 errata-xmlrpc 2017-08-01 15:26:23 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1861

Note You need to log in before you can comment on or make changes to this bug.