Bug 1468575 - [GANESHA] Unable to export the volume via ganesha due to selinux denied AVC's
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Gluster Storage
Classification: Red Hat Storage
Component: nfs-ganesha
Version: rhgs-3.3
Hardware: Unspecified
OS: Unspecified
urgent
unspecified
Target Milestone: ---
: RHGS 3.3.0
Assignee: Kaleb KEITHLEY
QA Contact: Manisha Saini
URL:
Whiteboard:
Depends On: 1468581
Blocks: 1417151
Reported: 2017-07-07 12:30 UTC by Manisha Saini
Modified: 2017-09-25 11:22 UTC

Fixed In Version: selinux-policy-3.13.1-166.el7
Doc Text:
Clone Of:
: 1468581 1468582 (view as bug list)
Environment:
Last Closed: 2017-09-25 11:22:12 UTC
Embargoed:


Description Manisha Saini 2017-07-07 12:30:50 UTC
Description of problem:

Unable to export the volume via ganesha due to SELinux AVC denials

Version-Release number of selected component (if applicable):
# rpm -qa | grep ganesha
nfs-ganesha-gluster-2.4.4-10.el7rhgs.x86_64
nfs-ganesha-debuginfo-2.4.4-10.el7rhgs.x86_64
glusterfs-ganesha-3.8.4-31.el7rhgs.x86_64
nfs-ganesha-2.4.4-10.el7rhgs.x86_64


How reproducible:
Consistently

Steps to Reproduce:
1. Create a 4-node ganesha cluster with SELinux in permissive mode because of BZ 1466144
2. Set SELinux to Enforcing mode.
3. Create and start a dist-replicate volume
4. Enable nfs-ganesha on the volume

Actual results:

Volume fails to get exported via ganesha because of SELinux AVC denials observed in audit.log

type=USER_AVC msg=audit(07/22/2017 01:40:46.416:1226) : pid=920 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.313 spid=3131 tpid=5917 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:system_r:cluster_t:s0 tclass=dbus  exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?' 
type=USER_AVC msg=audit(07/07/2017 15:43:01.925:2285) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc:  received setenforce notice (enforcing=1)  exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?' 
type=USER_AVC msg=audit(07/07/2017 15:44:01.269:2290) : pid=926 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=signal interface=org.ganesha.nfsd.exportmgr member=AddExport dest=org.ganesha.nfsd spid=17830 tpid=2324 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:ganesha_t:s0 tclass=dbus  exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?' 

Expected results:
Volume should be exported successfully

Additional info:
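
Added example, not part of the original report or of any Red Hat tooling: a small Python triage script that parses USER_AVC records like the ones quoted above, skips non-denial notices such as the setenforce line, and groups the denials by source type, target type and object class. The sample records are abridged from the audit.log excerpt in this report (leading header fields trimmed); the function names are hypothetical.

```python
import re
from collections import defaultdict

# Records abridged from the audit.log excerpt in this report (header fields trimmed).
SAMPLE = """\
type=USER_AVC msg=audit(07/22/2017 01:40:46.416:1226) : pid=920 uid=dbus msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.313 spid=3131 tpid=5917 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:system_r:cluster_t:s0 tclass=dbus  exe=/usr/bin/dbus-daemon'
type=USER_AVC msg=audit(07/07/2017 15:43:01.925:2285) : pid=1 uid=root msg='avc:  received setenforce notice (enforcing=1)  exe=/usr/lib/systemd/systemd'
type=USER_AVC msg=audit(07/07/2017 15:44:01.269:2290) : pid=926 uid=dbus msg='avc:  denied  { send_msg } for msgtype=signal interface=org.ganesha.nfsd.exportmgr member=AddExport dest=org.ganesha.nfsd spid=17830 tpid=2324 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:ganesha_t:s0 tclass=dbus  exe=/usr/bin/dbus-daemon'
"""

DENIED = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")
FIELD = re.compile(r"(\w+)=(\S+)")

def selinux_type(context):
    # A context is user:role:type:level[:categories]; the type is the third field.
    return context.split(":")[2]

def parse_denials(text):
    """Return one dict per denied AVC; notices such as setenforce are skipped."""
    out = []
    for line in text.splitlines():
        m = DENIED.search(line)
        if not m:
            continue
        f = dict(FIELD.findall(m.group("fields")))
        if not {"scontext", "tcontext", "tclass"} <= f.keys():
            continue  # truncated record, nothing reliable to report
        out.append({
            "source": selinux_type(f["scontext"]),
            "target": selinux_type(f["tcontext"]),
            "tclass": f["tclass"],
            "perms": tuple(m.group("perms").split()),
            "dbus": {k: f[k] for k in ("msgtype", "interface", "member") if k in f},
        })
    return out

def summarize(denials):
    """Group by (source, target, class) and merge the denied permissions."""
    grouped = defaultdict(set)
    for d in denials:
        grouped[(d["source"], d["target"], d["tclass"])].update(d["perms"])
    return {k: sorted(v) for k, v in grouped.items()}

if __name__ == "__main__":
    for (src, tgt, cls), perms in summarize(parse_denials(SAMPLE)).items():
        print(f"{src} -> {tgt} [{cls}]: {' '.join(perms)}")
```

On these records the summary shows two distinct D-Bus denials: ganesha_t sending to cluster_t, and glusterd_t sending the AddExport signal to ganesha_t.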

Comment 3 Manisha Saini 2017-07-07 12:46:09 UTC
# rpm -qa | grep selinux
libselinux-2.5-11.el7.x86_64
selinux-policy-targeted-3.13.1-164.el7.noarch
libselinux-python-2.5-11.el7.x86_64
libselinux-utils-2.5-11.el7.x86_64
libselinux-2.5-11.el7.i686
selinux-policy-3.13.1-164.el7.noarch

Comment 7 Manisha Saini 2017-07-14 13:19:53 UTC
Verified this bug on:

# rpm -qa | grep selinux
libselinux-2.5-11.el7.x86_64
libselinux-python-2.5-11.el7.x86_64
libselinux-utils-2.5-11.el7.x86_64
selinux-policy-targeted-3.13.1-166.el7.noarch
libselinux-2.5-11.el7.i686
selinux-policy-3.13.1-166.el7.noarch


# rpm -qa | grep ganesha
nfs-ganesha-gluster-2.4.4-15.el7rhgs.x86_64
nfs-ganesha-2.4.4-15.el7rhgs.x86_64
glusterfs-ganesha-3.8.4-33.el7rhgs.x86_64


No AVCs are being observed while exporting the volume. Volume is exported successfully when SELinux is in Enforcing mode. Moving this bug to verified state.

