Bug 1471734 - [Ganesha] While setting up ganesha cluster AVC's denied messages (setpgid, name_bind) are observed in audit.log [NEEDINFO]
Status: ASSIGNED
Product: Red Hat Gluster Storage
Classification: Red Hat
Component: nfs-ganesha
Version: 3.3
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: unspecified
Assigned To: Kaleb KEITHLEY
Manisha Saini
Reported: 2017-07-17 07:08 EDT by Manisha Saini
Modified: 2017-08-16 08:42 EDT
Type: Bug
kkeithle: needinfo? (msaini)


Description Manisha Saini 2017-07-17 07:08:40 EDT
Description of problem:

While setting up a ganesha cluster, AVC denied messages (setpgid, name_bind) are observed in audit.log.

No functional impact is observed. The Ganesha cluster comes up and runs.

Version-Release number of selected component (if applicable):
# rpm -qa | grep ganesha
nfs-ganesha-2.4.4-15.el7rhgs.x86_64
nfs-ganesha-gluster-2.4.4-15.el7rhgs.x86_64
glusterfs-ganesha-3.8.4-33.el7rhgs.x86_64

selinux-policy-3.13.1-166.el7.noarch


How reproducible:
Consistently

Steps to Reproduce:
1. Create a 2-node ganesha cluster using Gdeploy
2. Check for AVCs in audit.log


============

# ausearch -m avc -m user_avc -m selinux_err -i -ts recent
----
type=PROCTITLE msg=audit(07/17/2017 16:27:21.661:2447) : proctitle=/usr/sbin/glusterd -p /var/run/glusterd.pid --log-level INFO 
type=SYSCALL msg=audit(07/17/2017 16:27:21.661:2447) : arch=x86_64 syscall=bind success=no exit=EACCES(Permission denied) a0=0xf a1=0x7f13001f3290 a2=0x10 a3=0x7e items=0 ppid=1 pid=1086 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=glusterd exe=/usr/sbin/glusterfsd subj=system_u:system_r:glusterd_t:s0 key=(null) 
type=AVC msg=audit(07/17/2017 16:27:21.661:2447) : avc:  denied  { name_bind } for  pid=1086 comm=glusterd src=61000 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket 
----
type=PROCTITLE msg=audit(07/17/2017 16:28:39.187:2910) : proctitle=/usr/sbin/crm_resource --show-metadata ocf:heartbeat:ganesha_nfsd 
type=SYSCALL msg=audit(07/17/2017 16:28:39.187:2910) : arch=x86_64 syscall=setpgid success=no exit=EACCES(Permission denied) a0=0x0 a1=0x0 a2=0x0 a3=0x7ffcb407f7f0 items=0 ppid=6348 pid=6349 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=crm_resource exe=/usr/sbin/crm_resource subj=system_u:system_r:glusterd_t:s0 key=(null) 
type=AVC msg=audit(07/17/2017 16:28:39.187:2910) : avc:  denied  { setpgid } for  pid=6349 comm=crm_resource scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:glusterd_t:s0 tclass=process 
----
type=PROCTITLE msg=audit(07/17/2017 16:28:39.559:2911) : proctitle=/usr/sbin/crm_resource --show-metadata ocf:heartbeat:ganesha_mon 
type=SYSCALL msg=audit(07/17/2017 16:28:39.559:2911) : arch=x86_64 syscall=setpgid success=no exit=EACCES(Permission denied) a0=0x0 a1=0x0 a2=0x0 a3=0x7ffe68bbd8a0 items=0 ppid=6359 pid=6360 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=crm_resource exe=/usr/sbin/crm_resource subj=system_u:system_r:glusterd_t:s0 key=(null) 
type=AVC msg=audit(07/17/2017 16:28:39.559:2911) : avc:  denied  { setpgid } for  pid=6360 comm=crm_resource scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:glusterd_t:s0 tclass=process 
----
type=PROCTITLE msg=audit(07/17/2017 16:28:44.929:2912) : proctitle=/usr/sbin/crm_resource --show-metadata ocf:heartbeat:ganesha_grace 
type=SYSCALL msg=audit(07/17/2017 16:28:44.929:2912) : arch=x86_64 syscall=setpgid success=no exit=EACCES(Permission denied) a0=0x0 a1=0x0 a2=0x0 a3=0x7fffcb4d01b0 items=0 ppid=6430 pid=6431 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=crm_resource exe=/usr/sbin/crm_resource subj=system_u:system_r:glusterd_t:s0 key=(null) 
type=AVC msg=audit(07/17/2017 16:28:44.929:2912) : avc:  denied  { setpgid } for  pid=6431 comm=crm_resource scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:glusterd_t:s0 tclass=process 
----

=====================




Actual results:
AVC denied messages (setpgid, name_bind) were observed

Expected results:
No AVC denied messages should be observed in audit.log while setting up a ganesha cluster

Additional info:
Comment 3 Kaleb KEITHLEY 2017-08-16 08:42:31 EDT
please clone bug to rhel/selinux
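
Added example, not part of the original report or its comments: a Python triage helper that groups the AVC records from the ausearch output above by source type, target type and class, and renders each group in the `allow` form audit2allow would emit, as candidates for policy review. The function names are illustrative assumptions; the sample lines are the AVC records copied from the report.

```python
import re
from collections import defaultdict

# AVC records copied from the ausearch output in this report (PROCTITLE/SYSCALL lines omitted).
SAMPLE = """\
type=AVC msg=audit(07/17/2017 16:27:21.661:2447) : avc:  denied  { name_bind } for  pid=1086 comm=glusterd src=61000 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(07/17/2017 16:28:39.187:2910) : avc:  denied  { setpgid } for  pid=6349 comm=crm_resource scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:glusterd_t:s0 tclass=process
type=AVC msg=audit(07/17/2017 16:28:39.559:2911) : avc:  denied  { setpgid } for  pid=6360 comm=crm_resource scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:glusterd_t:s0 tclass=process
type=AVC msg=audit(07/17/2017 16:28:44.929:2912) : avc:  denied  { setpgid } for  pid=6431 comm=crm_resource scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:glusterd_t:s0 tclass=process
"""
AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")

def parse_avc(line):
    """Return a dict for one AVC denial line, or None for any other record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = dict(tok.split("=", 1) for tok in m.group(2).split() if "=" in tok)
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None  # truncated record: skip rather than guess
    return {
        "perms": m.group(1).split(),
        "comm": fields.get("comm", "?").strip('"'),
        # A context is user:role:type:level, so the type is the third field.
        "source": fields["scontext"].split(":")[2],
        "target": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
    }

def summarize(text):
    """Group denials by (source type, target type, class)."""
    groups = defaultdict(lambda: {"perms": set(), "comms": set(), "count": 0})
    for rec in filter(None, map(parse_avc, text.splitlines())):
        g = groups[(rec["source"], rec["target"], rec["tclass"])]
        g["perms"].update(rec["perms"])
        g["comms"].add(rec["comm"])
        g["count"] += 1
    return dict(groups)

def candidate_rules(groups):
    """Render each group as an allow rule: a candidate for review, not a fix."""
    rules = []
    for (src, tgt, cls), g in sorted(groups.items()):
        perms = sorted(g["perms"])
        perm_txt = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {src} {'self' if src == tgt else tgt}:{cls} {perm_txt};")
    return rules

print("\n".join(candidate_rules(summarize(SAMPLE))))
```

The grouping shows that all three setpgid denials come from crm_resource running in the glusterd_t domain, while the name_bind denial is glusterd itself binding port 61000.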
