Bug 1468575 - [GANESHA] Unable to export the volume via ganesha due to selinux denied AVC's
Status: VERIFIED
Product: Red Hat Gluster Storage
Classification: Red Hat
Component: nfs-ganesha
3.3
Unspecified Unspecified
urgent Severity unspecified
: ---
: RHGS 3.3.0
Assigned To: Kaleb KEITHLEY
Manisha Saini
Depends On: 1468581
Blocks: 1417151
Reported: 2017-07-07 08:30 EDT by Manisha Saini
Modified: 2017-07-14 09:19 EDT

See Also:
Fixed In Version: selinux-policy-3.13.1-166.el7
Clone Of:
: 1468581 1468582
Type: Bug
Description Manisha Saini 2017-07-07 08:30:50 EDT
Description of problem:

Unable to export the volume via ganesha due to selinux AVC denials

Version-Release number of selected component (if applicable):
# rpm -qa | grep ganesha
nfs-ganesha-gluster-2.4.4-10.el7rhgs.x86_64
nfs-ganesha-debuginfo-2.4.4-10.el7rhgs.x86_64
glusterfs-ganesha-3.8.4-31.el7rhgs.x86_64
nfs-ganesha-2.4.4-10.el7rhgs.x86_64


How reproducible:
Consistently

Steps to Reproduce:
1. Create a 4-node ganesha cluster with selinux in permissive mode because of BZ 1466144
2. Set selinux to Enforcing mode.
3. Create and start a dist-replicate volume
4. Enable nfs-ganesha on the volume

Actual results:

Volume fails to get exported via ganesha because of selinux AVC observed in audit.log

type=USER_AVC msg=audit(07/22/2017 01:40:46.416:1226) : pid=920 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.313 spid=3131 tpid=5917 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:system_r:cluster_t:s0 tclass=dbus  exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?' 
type=USER_AVC msg=audit(07/07/2017 15:43:01.925:2285) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc:  received setenforce notice (enforcing=1)  exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?' 
type=USER_AVC msg=audit(07/07/2017 15:44:01.269:2290) : pid=926 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=signal interface=org.ganesha.nfsd.exportmgr member=AddExport dest=org.ganesha.nfsd spid=17830 tpid=2324 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:ganesha_t:s0 tclass=dbus  exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?' 

Expected results:
Volume should be exported successfully

Additional info:
Comment 3 Manisha Saini 2017-07-07 08:46:09 EDT
# rpm -qa | grep selinux
libselinux-2.5-11.el7.x86_64
selinux-policy-targeted-3.13.1-164.el7.noarch
libselinux-python-2.5-11.el7.x86_64
libselinux-utils-2.5-11.el7.x86_64
libselinux-2.5-11.el7.i686
selinux-policy-3.13.1-164.el7.noarch
Comment 7 Manisha Saini 2017-07-14 09:19:53 EDT
Verified this bug on:

# rpm -qa | grep selinux
libselinux-2.5-11.el7.x86_64
libselinux-python-2.5-11.el7.x86_64
libselinux-utils-2.5-11.el7.x86_64
selinux-policy-targeted-3.13.1-166.el7.noarch
libselinux-2.5-11.el7.i686
selinux-policy-3.13.1-166.el7.noarch


# rpm -qa | grep ganesha
nfs-ganesha-gluster-2.4.4-15.el7rhgs.x86_64
nfs-ganesha-2.4.4-15.el7rhgs.x86_64
glusterfs-ganesha-3.8.4-33.el7rhgs.x86_64


No AVCs are being observed while exporting the volume. Volume is exported successfully when selinux is in Enforcing mode. Moving this bug to verified state.
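
The USER_AVC records quoted in the description can be triaged mechanically. The following is an added example, not part of the original bug report or of any Red Hat tooling: it parses D-Bus USER_AVC denials into source domain, target domain, class and permission, and skips non-denial notices such as the setenforce record. The function names are hypothetical; the sample records are copied from the description.

```python
import re
from collections import Counter

# Records copied from the audit.log excerpt in the bug description above.
SAMPLE = """\
type=USER_AVC msg=audit(07/22/2017 01:40:46.416:1226) : pid=920 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.313 spid=3131 tpid=5917 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:system_r:cluster_t:s0 tclass=dbus  exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(07/07/2017 15:43:01.925:2285) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc:  received setenforce notice (enforcing=1)  exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(07/07/2017 15:44:01.269:2290) : pid=926 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=signal interface=org.ganesha.nfsd.exportmgr member=AddExport dest=org.ganesha.nfsd spid=17830 tpid=2324 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:ganesha_t:s0 tclass=dbus  exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?'
"""

DENIAL = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)")
FIELD = re.compile(r"(\w+)=(\S+)")


def domain(context):
    """Return the type (domain) field of a user:role:type:level context."""
    return context.split(":")[2]


def parse_denials(text):
    """Extract one dict per USER_AVC denial; other USER_AVC notices are skipped."""
    denials = []
    for line in text.splitlines():
        if not line.startswith("type=USER_AVC"):
            continue
        m = DENIAL.search(line)
        if m is None:  # e.g. "received setenforce notice" is not a denial
            continue
        fields = dict(FIELD.findall(m.group("rest")))
        denials.append({
            "perms": m.group("perms").split(),
            "source": domain(fields["scontext"]),
            "target": domain(fields["tcontext"]),
            "tclass": fields["tclass"],
            "member": fields.get("member"),  # D-Bus method/signal, if logged
        })
    return denials


def summarize(denials):
    """Count denials per (source domain, target domain, class, permissions)."""
    return Counter((d["source"], d["target"], d["tclass"], " ".join(d["perms"]))
                   for d in denials)


if __name__ == "__main__":
    for (src, tgt, cls, perms), n in summarize(parse_denials(SAMPLE)).items():
        print(f"{n} x {src} -> {tgt} : {cls} {{ {perms} }}")
```

Run over the audit records collected after the policy update, an empty result for the glusterd_t, ganesha_t and cluster_t pairs corresponds to the verification reported in comment 7.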
