Description of problem:
While setting up ganesha cluster AVC's denied messages (setpgid, name_bind) are observed in audit.log.
No functionality impact is observed. Ganesha cluster comes up and running.

Version-Release number of selected component (if applicable):
# rpm -qa | grep ganesha
nfs-ganesha-2.4.4-15.el7rhgs.x86_64
nfs-ganesha-gluster-2.4.4-15.el7rhgs.x86_64
glusterfs-ganesha-3.8.4-33.el7rhgs.x86_64

selinux-policy-3.13.1-166.el7.noarch

How reproducible:
Consistently

Steps to Reproduce:
1. Create a 2 node ganesha cluster using Gdeploy
2. Check for AVC's in audit.log

============
# ausearch -m avc -m user_avc -m selinux_err -i -ts recent
----
type=PROCTITLE msg=audit(07/17/2017 16:27:21.661:2447) : proctitle=/usr/sbin/glusterd -p /var/run/glusterd.pid --log-level INFO
type=SYSCALL msg=audit(07/17/2017 16:27:21.661:2447) : arch=x86_64 syscall=bind success=no exit=EACCES(Permission denied) a0=0xf a1=0x7f13001f3290 a2=0x10 a3=0x7e items=0 ppid=1 pid=1086 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=glusterd exe=/usr/sbin/glusterfsd subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(07/17/2017 16:27:21.661:2447) : avc: denied { name_bind } for pid=1086 comm=glusterd src=61000 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket
----
type=PROCTITLE msg=audit(07/17/2017 16:28:39.187:2910) : proctitle=/usr/sbin/crm_resource --show-metadata ocf:heartbeat:ganesha_nfsd
type=SYSCALL msg=audit(07/17/2017 16:28:39.187:2910) : arch=x86_64 syscall=setpgid success=no exit=EACCES(Permission denied) a0=0x0 a1=0x0 a2=0x0 a3=0x7ffcb407f7f0 items=0 ppid=6348 pid=6349 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=crm_resource exe=/usr/sbin/crm_resource subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(07/17/2017 16:28:39.187:2910) : avc: denied { setpgid } for pid=6349 comm=crm_resource scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:glusterd_t:s0 tclass=process
----
type=PROCTITLE msg=audit(07/17/2017 16:28:39.559:2911) : proctitle=/usr/sbin/crm_resource --show-metadata ocf:heartbeat:ganesha_mon
type=SYSCALL msg=audit(07/17/2017 16:28:39.559:2911) : arch=x86_64 syscall=setpgid success=no exit=EACCES(Permission denied) a0=0x0 a1=0x0 a2=0x0 a3=0x7ffe68bbd8a0 items=0 ppid=6359 pid=6360 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=crm_resource exe=/usr/sbin/crm_resource subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(07/17/2017 16:28:39.559:2911) : avc: denied { setpgid } for pid=6360 comm=crm_resource scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:glusterd_t:s0 tclass=process
----
type=PROCTITLE msg=audit(07/17/2017 16:28:44.929:2912) : proctitle=/usr/sbin/crm_resource --show-metadata ocf:heartbeat:ganesha_grace
type=SYSCALL msg=audit(07/17/2017 16:28:44.929:2912) : arch=x86_64 syscall=setpgid success=no exit=EACCES(Permission denied) a0=0x0 a1=0x0 a2=0x0 a3=0x7fffcb4d01b0 items=0 ppid=6430 pid=6431 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=crm_resource exe=/usr/sbin/crm_resource subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(07/17/2017 16:28:44.929:2912) : avc: denied { setpgid } for pid=6431 comm=crm_resource scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:glusterd_t:s0 tclass=process
----
=====================

Actual results:
AVC's denied messages (setpgid, name_bind) were observed

Expected results:
No AVC's denied messages should be observed in audit.log while setting up ganesha cluster

Additional info:
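Added example (not part of the original report or of any project tooling): a small Python parser that collapses the AVC records from step 2 into unique denials per command, written in type-enforcement rule notation (the form audit2allow prints) so each denial can be quoted exactly. The function names are illustrative; the sample records are copied from the ausearch output above.

```python
import re
from collections import Counter

# Records copied from the report above (ausearch -i interpreted output).
SAMPLE = """\
----
type=AVC msg=audit(07/17/2017 16:27:21.661:2447) : avc: denied { name_bind } for pid=1086 comm=glusterd src=61000 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket
----
type=PROCTITLE msg=audit(07/17/2017 16:28:39.187:2910) : proctitle=/usr/sbin/crm_resource --show-metadata ocf:heartbeat:ganesha_nfsd
type=AVC msg=audit(07/17/2017 16:28:39.187:2910) : avc: denied { setpgid } for pid=6349 comm=crm_resource scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:glusterd_t:s0 tclass=process
----
type=AVC msg=audit(07/17/2017 16:28:39.559:2911) : avc: denied { setpgid } for pid=6360 comm=crm_resource scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:glusterd_t:s0 tclass=process
"""

AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)

def parse_denials(text):
    """Return one dict per denied permission found in ausearch output."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # PROCTITLE, SYSCALL and '----' separator lines
        kv = dict(f.split("=", 1) for f in m.group("fields").split() if "=" in f)
        source = kv["scontext"].split(":")[2]  # user:role:type:level -> type
        target = kv["tcontext"].split(":")[2]
        for perm in m.group("perms").split():  # one record may list several
            denials.append({"comm": kv.get("comm", "?").strip('"'),
                            "source": source, "target": target,
                            "tclass": kv["tclass"], "perm": perm})
    return denials

def summarize(denials):
    """Collapse repeats into {(comm, rule text): count}."""
    counts = Counter()
    for d in denials:
        # A domain acting on its own context is written as 'self'.
        target = "self" if d["target"] == d["source"] else d["target"]
        rule = f'allow {d["source"]} {target}:{d["tclass"]} {d["perm"]};'
        counts[(d["comm"], rule)] += 1
    return dict(counts)

if __name__ == "__main__":
    for (comm, rule), n in summarize(parse_denials(SAMPLE)).items():
        print(f"{n:3d}  {comm:14s} {rule}")
```

An empty result from summarize() corresponds to the expected result stated in the report.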
please clone bug to rhel/selinux
Tested this with latest build of RHGS 3.5.1 on RHEL8. Issue is no longer observed.

# rpm -qa | grep selinux
python3-libselinux-2.9-3.el8.x86_64
selinux-policy-targeted-3.14.3-41.el8_2.2.noarch
selinux-policy-3.14.3-41.el8_2.2.noarch
libselinux-utils-2.9-3.el8.x86_64
rpm-plugin-selinux-4.14.2-37.el8.x86_64
libselinux-2.9-3.el8.x86_64
nfs-ganesha-selinux-2.7.3-15.el8rhgs.noarch
container-selinux-2.124.0-1.module+el8.2.0+6368+cf16aa14.noarch

# rpm -qa | grep ganesha
nfs-ganesha-debugsource-2.7.3-15.el8rhgs.x86_64
nfs-ganesha-gluster-debuginfo-2.7.3-15.el8rhgs.x86_64
nfs-ganesha-debuginfo-2.7.3-15.el8rhgs.x86_64
glusterfs-ganesha-6.0-35.el8rhgs.x86_64
nfs-ganesha-2.7.3-15.el8rhgs.x86_64
nfs-ganesha-selinux-2.7.3-15.el8rhgs.noarch
nfs-ganesha-gluster-2.7.3-15.el8rhgs.x86_64