Description of problem:
Unable to take statedumps of the ganesha process while selinux is in Enforcing mode. With selinux in PERMISSIVE mode, I am able to take the statedumps.

Version-Release number of selected component (if applicable):
# rpm -qa | grep ganesha
nfs-ganesha-2.4.4-16.el7rhgs.x86_64
glusterfs-ganesha-3.8.4-41.el7rhgs.x86_64
nfs-ganesha-gluster-2.4.4-16.el7rhgs.x86_64
selinux-policy-3.13.1-166.el7.noarch

How reproducible:
Consistently

Steps to Reproduce:
1. Set up a ganesha cluster
2. Create a volume. Export the volume via nfs-ganesha
3. Take a statedump of the ganesha process from one of the nodes
# gluster v statedump ganeshavol1 client localhost:1929
volume statedump: success

Actual results:
The command succeeds, but the statedumps are not generated. The following AVCs are observed in audit.log:
# ausearch -m avc -m user_avc -m selinux_err -i -ts recent
----
type=PROCTITLE msg=audit(08/21/2017 12:58:25.221:33014) : proctitle=/usr/bin/ganesha.nfsd -L /var/log/ganesha.log -f /etc/ganesha/ganesha.conf -N NIV_EVENT -E 6455631531146739712
type=SYSCALL msg=audit(08/21/2017 12:58:25.221:33014) : arch=x86_64 syscall=open success=yes exit=52 a0=0x7fb76f881c60 a1=O_RDWR|O_CREAT|O_EXCL a2=0600 a3=0x0 items=0 ppid=1 pid=1929 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ganesha.nfsd exe=/usr/bin/ganesha.nfsd subj=system_u:system_r:ganesha_t:s0 key=(null)
type=AVC msg=audit(08/21/2017 12:58:25.221:33014) : avc: denied { dac_override } for pid=1929 comm=ganesha.nfsd capability=dac_override scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:system_r:ganesha_t:s0 tclass=capability

Expected results:
With selinux in Enforcing mode, statedump should work for the ganesha process.

Additional info:
Soumya, when the root user is added as part of the "gluster" group, the issue still persists.
Proposing this as a blocker. This feature was not there in 3.2. In 3.3, with one of the earlier builds, it used to work. Some patch which came in between broke this functionality.
Created attachment 1316504: Proposed fix
Suggested fix diff --git a/src/scripts/systemd/nfs-ganesha.service b/src/scripts/systemd/nfs-ganesha.service index 634b042..4db3241 100644 --- a/src/scripts/systemd/nfs-ganesha.service +++ b/src/scripts/systemd/nfs-ganesha.service @@ -31,6 +31,7 @@ ExecStop=/bin/dbus-send --system --dest=org.ganesha.nfsd --type=method_call /o Restart=on-failure RestartSec=3 RestartPreventExitStatus=SIGABRT SIGKILL SIGSEGV +SupplementaryGroups=gluster [Install] WantedBy=multi-user.target
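Review bot: SupplementaryGroups=gluster in the generic nfs-ganesha.service unit ties the service to a group that only exists on hosts where the Gluster packages are installed; systemd refuses to start a unit whose SupplementaryGroups= names a group it cannot resolve, so a non-Gluster FSAL deployment would break on this change. Since this is a workaround for the dac_override denial (the daemon gets ordinary group access to the statedump location instead of relying on root overriding DAC), ship it as a drop-in owned by the Gluster FSAL package, for example a `nfs-ganesha.service.d/gluster.conf` containing `[Service]` and `SupplementaryGroups=gluster`, and leave the upstream unit untouched. Also note in the commit message that the change only takes effect after `systemctl daemon-reload` and a restart of nfs-ganesha, since the group list is applied when the process is spawned.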
The fix mentioned in c#9 is a way to work around the current issue for the time being. The actual fix may be needed in SELinux. For that we are waiting for input from them on bz1483451, and it can be considered for future releases.
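An added example, not part of the bug report or of the nfs-ganesha project, showing how a defender can triage the AVC shown in the description and reason about the SupplementaryGroups workaround discussed in the comments above. The script summarises AVC denials from `ausearch -i` style output, flags capability/dac_override denials, and includes a plain DAC evaluator (the hypothetical helper `dac_allows`) that answers the question the workaround depends on: would the process get access through its uid/group list without any capability? The sample audit text is constructed (the dac_override record from the description, a trimmed SYSCALL record, and a made-up directory denial), and the uid/gid numbers in the usage lines are constructed, not taken from the report.

```shell
#!/bin/sh
# Added example: triage SELinux AVC denials and check the DAC side of a
# dac_override denial. Not the bug report's or nfs-ganesha's own code.

# Constructed sample in ausearch -i format: the dac_override AVC from the
# report, its SYSCALL record (trimmed), and a made-up dir write denial.
SAMPLE_AUDIT='type=AVC msg=audit(08/21/2017 12:58:25.221:33014) : avc: denied { dac_override } for pid=1929 comm=ganesha.nfsd capability=dac_override scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:system_r:ganesha_t:s0 tclass=capability
type=SYSCALL msg=audit(08/21/2017 12:58:25.221:33014) : arch=x86_64 syscall=open success=yes exit=52 comm=ganesha.nfsd subj=system_u:system_r:ganesha_t:s0
type=AVC msg=audit(08/21/2017 12:58:26.000:33015) : avc: denied { write } for pid=1929 comm=ganesha.nfsd name="run" dev="tmpfs" ino=1 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir'

# avc_denials AUDIT_TEXT
# Prints one line per AVC denial:
#   "<source type> <comm> <tclass> <permission(s)> <target type>"
# Multiple permissions in one record come out space-separated.
avc_denials() {
    printf '%s\n' "$1" | awk '
        /^type=AVC / && /avc: *denied [{]/ {
            perm = ""; comm = "?"; src = "?"; tgt = "?"; tclass = "?"
            # the permission list sits between "denied { " and " }"
            if (match($0, /denied [{] [^}]* [}]/))
                perm = substr($0, RSTART + 9, RLENGTH - 11)
            for (i = 1; i <= NF; i++) {
                n = index($i, "=")
                if (n == 0) continue
                key = substr($i, 1, n - 1); val = substr($i, n + 1)
                if (key == "comm") comm = val
                else if (key == "tclass") tclass = val
                else if (key == "scontext") { split(val, p, ":"); src = p[3] }
                else if (key == "tcontext") { split(val, p, ":"); tgt = p[3] }
            }
            print src, comm, tclass, perm, tgt
        }'
}

# dac_override_denied AUDIT_TEXT COMM
# Exit 0 when COMM was denied the dac_override capability. Such a denial for
# a root daemon usually means it touched a file it does not own by uid or
# group, which is why fixing ownership or group membership (the
# SupplementaryGroups workaround) clears it without widening policy.
dac_override_denied() {
    avc_denials "$1" | grep -q "^[^ ]* $2 capability dac_override "
}

# dac_allows MODE OWNER_UID OWNER_GID PROC_UID "PROC_GROUPS" PERM
# Pure DAC check with no capabilities: does a process with uid PROC_UID and
# group list PROC_GROUPS get PERM (r, w or x) on an object with octal MODE
# owned by OWNER_UID:OWNER_GID? This is exactly the check CAP_DAC_OVERRIDE
# bypasses, so a 0 result means the access needs no dac_override.
dac_allows() {
    local mode ouid ogid puid pgroups perm bit shift_ g
    mode=$((0$1)); ouid=$2; ogid=$3; puid=$4; pgroups=$5; perm=$6
    case $perm in r) bit=4 ;; w) bit=2 ;; x) bit=1 ;; *) return 2 ;; esac
    if [ "$puid" = "$ouid" ]; then
        shift_=6                      # owner bits only, no fallthrough
    else
        shift_=0                      # "other" bits unless a group matches
        for g in $pgroups; do [ "$g" = "$ogid" ] && shift_=3; done
    fi
    [ $(( (mode >> shift_) & bit )) -ne 0 ]
}

# Usage (constructed numbers): a 0770 directory owned by uid 1000, gid 994;
# root with only gid 0 fails plain DAC and would need dac_override, while
# root with 994 added as a supplementary group passes without it.
avc_denials "$SAMPLE_AUDIT"
dac_override_denied "$SAMPLE_AUDIT" ganesha.nfsd && echo "dac_override denied for ganesha.nfsd"
dac_allows 0770 1000 994 0 "0" w || echo "root without group 994: DAC denies write"
dac_allows 0770 1000 994 0 "0 994" w && echo "root with group 994: DAC allows write"
```

Run it with `sh` on a saved copy of `ausearch -m avc -i` output by replacing `SAMPLE_AUDIT` with the file's contents; the summary lines are convenient input for deciding whether a denial is a labeling or ownership problem (dac_override, dir/file access on the wrong type) or a genuine policy gap.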
Verified this bug on
# rpm -qa | grep ganesha
glusterfs-ganesha-3.8.4-41.el7rhgs.x86_64
nfs-ganesha-2.4.4-17.el7rhgs.x86_64
nfs-ganesha-gluster-2.4.4-17.el7rhgs.x86_64
# getenforce
Enforcing
# pgrep ganesha
26800
# gluster v statedump ganeshavol1 client localhost:26800
volume statedump: success
# ll | grep glusterdump
-rw-------. 1 root root 103537 Aug 23 23:37 glusterdump.26800.dump.1503511641
-rw-------. 1 root root 103537 Aug 23 23:38 glusterdump.26800.dump.1503511725
Moving this bug to verified state.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2017:2779