1452699 – Brick Multiplexing:Seeing AVC denials on brick mux setup

Bug 1452699 - Brick Multiplexing:Seeing AVC denials on brick mux setup

Summary: Brick Multiplexing:Seeing AVC denials on brick mux setup

Keywords:
Status:	CLOSED DUPLICATE of bug 1369420
Alias:	None
Product:	Red Hat Gluster Storage
Classification:	Red Hat Storage
Component:	core
Sub Component:
Version:	rhgs-3.3
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	urgent
Target Milestone:	---
Target Release:	---
Assignee:	Vijay Bellur
QA Contact:	Rahul Hinduja
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2017-05-19 13:34 UTC by Nag Pavan Chilakam
Modified:	2017-08-31 13:28 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2017-05-19 13:42:51 UTC
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Nag Pavan Chilakam 2017-05-19 13:34:46 UTC

Description of problem:
======================
in my brick mux setup with 50 1x3 volumes I have noticed some avc denials as below


n1:
time->Tue May 16 14:48:32 2017
type=SYSCALL msg=audit(1494926312.466:10979): arch=c000003e syscall=49 success=no exit=-13 a0=f a1=7fff8d9fec10 a2=10 a3=22 items=0 ppid=31115 pid=31116 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="glusterd" exe="/usr/sbin/glusterfsd" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1494926312.466:10979): avc:  denied  { name_bind } for  pid=31116 comm="glusterd" src=61000 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket
----
time->Tue May 16 14:49:30 2017
type=SYSCALL msg=audit(1494926370.487:10990): arch=c000003e syscall=49 success=no exit=-13 a0=11 a1=7f367bffea40 a2=10 a3=22 items=0 ppid=1 pid=31629 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="glusterd" exe="/usr/sbin/glusterfsd" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1494926370.487:10990): avc:  denied  { name_bind } for  pid=31629 comm="glusterd" src=61000 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket
----
time->Tue May 16 18:55:12 2017
type=SYSCALL msg=audit(1494941112.090:12922): arch=c000003e syscall=49 success=no exit=-13 a0=11 a1=7f8e701fa8e0 a2=10 a3=7e items=0 ppid=1 pid=4961 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="glusterd" exe="/usr/sbin/glusterfsd" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1494941112.090:12922): avc:  denied  { name_bind } for  pid=4961 comm="glusterd" src=61000 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket
----
time->Wed May 17 19:26:13 2017
type=SYSCALL msg=audit(1495029373.420:548): arch=c000003e syscall=49 success=no exit=-13 a0=11 a1=7f057c1f72a0 a2=10 a3=7e items=0 ppid=1 pid=3282 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="glusterd" exe="/usr/sbin/glusterfsd" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1495029373.420:548): avc:  denied  { name_bind } for  pid=3282 comm="glusterd" src=61000 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket

n2:

----
time->Tue May 16 15:14:15 2017
type=SYSCALL msg=audit(1494927855.243:42784): arch=c000003e syscall=49 success=no exit=-13 a0=f a1=7ffe7df023c0 a2=10 a3=22 items=0 ppid=4975 pid=4976 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="glusterd" exe="/usr/sbin/glusterfsd" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1494927855.243:42784): avc:  denied  { name_bind } for  pid=4976 comm="glusterd" src=61000 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket
----
time->Tue May 16 18:55:13 2017
type=SYSCALL msg=audit(1494941113.357:44512): arch=c000003e syscall=49 success=no exit=-13 a0=10 a1=7fdfe8200f50 a2=10 a3=7e items=0 ppid=1 pid=7763 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="glusterd" exe="/usr/sbin/glusterfsd" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1494941113.357:44512): avc:  denied  { name_bind } for  pid=7763 comm="glusterd" src=61000 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket
----
time->Wed May 17 19:26:14 2017
type=SYSCALL msg=audit(1495029374.726:56076): arch=c000003e syscall=49 success=no exit=-13 a0=10 a1=7f0bcc3feb10 a2=10 a3=7e items=0 ppid=1 pid=21897 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="glusterd" exe="/usr/sbin/glusterfsd" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1495029374.726:56076): avc:  denied  { name_bind } for  pid=21897 comm="glusterd" src=61000 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket


n3:
time->Tue May 16 14:49:30 2017
type=SYSCALL msg=audit(1494926370.527:42557): arch=c000003e syscall=49 success=no exit=-13 a0=11 a1=7f4b63ffea40 a2=10 a3=22 items=0 ppid=1 pid=3600 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="glusterd" exe="/usr/sbin/glusterfsd" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1494926370.527:42557): avc:  denied  { name_bind } for  pid=3600 comm="glusterd" src=61000 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket
----
time->Tue May 16 18:55:13 2017
type=SYSCALL msg=audit(1494941113.354:44487): arch=c000003e syscall=49 success=no exit=-13 a0=10 a1=7f8e18200e50 a2=10 a3=7e items=0 ppid=1 pid=7026 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="glusterd" exe="/usr/sbin/glusterfsd" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1494941113.354:44487): avc:  denied  { name_bind } for  pid=7026 comm="glusterd" src=61000 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket
----
time->Wed May 17 19:26:14 2017
type=SYSCALL msg=audit(1495029374.732:56041): arch=c000003e syscall=49 success=no exit=-13 a0=10 a1=7fc8d03fea10 a2=10 a3=7e items=0 ppid=1 pid=21092 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="glusterd" exe="/usr/sbin/glusterfsd" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1495029374.732:56041): avc:  denied  { name_bind } for  pid=21092 comm="glusterd" src=61000 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket
[root@dhcp35-122 glusterfs]# 



Version-Release number of selected component (if applicable):
====
3.8.4-25



On 17th March below actions were done:
I was performing some IOs on all the volumes such as renames.
The volumes were full and renames were failing.
however on one volume I kept deleting files but healing was not happening(an existing issue) 




Will attach the sosreports

Comment 2 Atin Mukherjee 2017-05-19 13:42:51 UTC


*** This bug has been marked as a duplicate of bug 1369420 ***

Comment 3 Nag Pavan Chilakam 2017-05-20 06:49:59 UTC

(In reply to Atin Mukherjee from comment #2)
> 
> *** This bug has been marked as a duplicate of bug 1369420 ***

There are denials for even glusterfsd as below
time->Tue May 16 15:14:15 2017
type=SYSCALL msg=audit(1494927855.243:42784): arch=c000003e syscall=49 success=no exit=-13 a0=f a1=7ffe7df023c0 a2=10 a3=22 items=0 ppid=4975 pid=4976 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="glusterd" exe="/usr/sbin/glusterfsd" subj=system_u:system_r:glusterd_t:s0 key=(null)


While the BZ#1369420 talks about only glusterd denials

In which case it should be tracked seperately instead of marking as dup it

Comment 4 Atin Mukherjee 2017-05-20 08:43:04 UTC

Nag, please understand the there is no separate binary for glusterd and its a symlink of glusterfsd.

Note You need to log in before you can comment on or make changes to this bug.