Description of problem:
While running posix compliance, cthon tests on ganesha mount, lots of SELinux AVCs are observed. But the test is passed without any failures.

Version-Release number of selected component (if applicable):
# rpm -qa | grep ganesha
glusterfs-ganesha-3.8.4-32.el7rhgs.x86_64
nfs-ganesha-2.4.4-10.el7rhgs.x86_64
nfs-ganesha-gluster-2.4.4-10.el7rhgs.x86_64
nfs-ganesha-debuginfo-2.4.4-10.el7rhgs.x86_64
selinux-policy-targeted-3.13.1-165.el7.noarch

How reproducible:
Consistently

Steps to Reproduce:
1. Create 4 node ganesha cluster.
2. Create a volume and export it via v4. Set selinux to Enforcing mode.
3. Run posix compliance and cthon tests on mount point.

Actual results:
Test is passed for both posix compliance and cthon. But many SELinux AVCs are observed in audit.log

type=PROCTITLE msg=audit(07/10/2017 08:22:30.916:19304) : proctitle=/usr/bin/ganesha.nfsd -L /var/log/ganesha.log -f /etc/ganesha/ganesha.conf -N NIV_EVENT -E 6441057429414346752
type=SYSCALL msg=audit(07/10/2017 08:22:30.916:19304) : arch=x86_64 syscall=stat success=no exit=EACCES(Permission denied) a0=0x7f383e905ba4 a1=0x7f37bb6ad510 a2=0x7f37bb6ad510 a3=0x2 items=0 ppid=1 pid=6187 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ganesha.nfsd exe=/usr/bin/ganesha.nfsd subj=system_u:system_r:ganesha_t:s0 key=(null)
type=AVC msg=audit(07/10/2017 08:22:30.916:19304) : avc: denied { getattr } for pid=6187 comm=ganesha.nfsd path=/dev/random dev="devtmpfs" ino=1032 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file
----
type=PROCTITLE msg=audit(07/10/2017 08:22:29.815:19300) : proctitle=/usr/bin/ganesha.nfsd -L /var/log/ganesha.log -f /etc/ganesha/ganesha.conf -N NIV_EVENT -E 6441057429414346752
type=SYSCALL msg=audit(07/10/2017 08:22:29.815:19300) : arch=x86_64 syscall=stat success=no exit=EACCES(Permission denied) a0=0x7f383e905ba4 a1=0x7f37bfeb6530 a2=0x7f37bfeb6530 a3=0x6130323964376137 items=0 ppid=1 pid=6187 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ganesha.nfsd exe=/usr/bin/ganesha.nfsd subj=system_u:system_r:ganesha_t:s0 key=(null)
type=AVC msg=audit(07/10/2017 08:22:29.815:19300) : avc: denied { getattr } for pid=6187 comm=ganesha.nfsd path=/dev/random dev="devtmpfs" ino=1032 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file
----
type=PROCTITLE msg=audit(07/10/2017 08:22:30.891:19302) : proctitle=/usr/bin/ganesha.nfsd -L /var/log/ganesha.log -f /etc/ganesha/ganesha.conf -N NIV_EVENT -E 6441057429414346752
type=SYSCALL msg=audit(07/10/2017 08:22:30.891:19302) : arch=x86_64 syscall=stat success=no exit=EACCES(Permission denied) a0=0x7f383e905ba4 a1=0x7f37beeb4530 a2=0x7f37beeb4530 a3=0x6130323964376137 items=0 ppid=1 pid=6187 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ganesha.nfsd exe=/usr/bin/ganesha.nfsd subj=system_u:system_r:ganesha_t:s0 key=(null)
type=AVC msg=audit(07/10/2017 08:22:30.891:19302) : avc: denied { getattr } for pid=6187 comm=ganesha.nfsd path=/dev/random dev="devtmpfs" ino=1032 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file

Expected results:
No AVCs should be observed

Additional info:
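The audit records in the report above, reduced to unique denials (an added example, not part of the original bug report): it joins each AVC record to its SYSCALL record by audit event serial and groups by source type, target type, class, permission, path and syscall. The sample is constructed from the lines above with the SYSCALL records trimmed; the function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample: AVC lines copied from the report, SYSCALL lines
# trimmed to the fields read below (interpreted form, as shown in the report).
SAMPLE = """\
type=SYSCALL msg=audit(07/10/2017 08:22:30.916:19304) : arch=x86_64 syscall=stat success=no exit=EACCES(Permission denied) comm=ganesha.nfsd
type=AVC msg=audit(07/10/2017 08:22:30.916:19304) : avc: denied { getattr } for pid=6187 comm=ganesha.nfsd path=/dev/random dev="devtmpfs" ino=1032 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(07/10/2017 08:22:29.815:19300) : arch=x86_64 syscall=stat success=no exit=EACCES(Permission denied) comm=ganesha.nfsd
type=AVC msg=audit(07/10/2017 08:22:29.815:19300) : avc: denied { getattr } for pid=6187 comm=ganesha.nfsd path=/dev/random dev="devtmpfs" ino=1032 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(07/10/2017 08:22:30.891:19302) : arch=x86_64 syscall=stat success=no exit=EACCES(Permission denied) comm=ganesha.nfsd
type=AVC msg=audit(07/10/2017 08:22:30.891:19302) : avc: denied { getattr } for pid=6187 comm=ganesha.nfsd path=/dev/random dev="devtmpfs" ino=1032 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file
"""

# Record type, event serial (the number after the last ':' in msg=audit(...)), body.
HEADER = re.compile(r'type=(\w+) msg=audit\(.*?:(\d+)\)\s*:\s*(.*)')
# key=value pairs; values may be quoted (raw audit.log) or bare (interpreted).
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')

def fields(body):
    """Return the key=value pairs of one record body, quotes stripped."""
    return {k: v.strip('"') for k, v in FIELD.findall(body)}

def summarize(text):
    """Count denials per (source type, target type, class, perm, path, syscall)."""
    records = [m.groups() for m in map(HEADER.match, text.splitlines()) if m]
    # First pass: remember which syscall each audit event belongs to.
    syscalls = {serial: fields(body).get("syscall", "?")
                for rtype, serial, body in records if rtype == "SYSCALL"}
    denials = Counter()
    for rtype, serial, body in records:
        perms = PERMS.search(body) if rtype == "AVC" else None
        if not perms:
            continue
        f = fields(body)
        src = f["scontext"].split(":")[2]   # user:role:type:level -> type
        tgt = f["tcontext"].split(":")[2]
        for perm in perms.group(1).split():  # one AVC may list several perms
            key = (src, tgt, f["tclass"], perm, f.get("path", "-"),
                   syscalls.get(serial, "?"))
            denials[key] += 1
    return denials

if __name__ == "__main__":
    for key, count in summarize(SAMPLE).items():
        print(count, *key)
```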
Lukas, can you please provide your comment for this bug? There is no functionality effect, just these AVCs are observed in audit.log.
Please clone to rhel/selinux.
Requesting QE to re-validate the issue in the latest build since the cloned RHEL bug is already closed.
(In reply to Jiffin from comment #9)
> Requesting qe to re-validate the issue in the latest build since cloned rhel
> bug is already closed

Executed posix and cthon tests (basic, general, special, lock). Didn't observe any AVC in the nodes.

# rpm -qa | grep ganesha
nfs-ganesha-2.5.5-10.el7rhgs.x86_64
nfs-ganesha-gluster-2.5.5-10.el7rhgs.x86_64
glusterfs-ganesha-3.12.2-28.el7rhgs.x86_64

# rpm -qa | grep selinux-policy
selinux-policy-targeted-3.13.1-229.el7_6.5.noarch
selinux-policy-3.13.1-229.el7_6.5.noarch