Bug 1544824 - [Ganesha] : Cluster creation fails on selinux enabled/enforced nodes.
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Gluster Storage
Classification: Red Hat Storage
Component: nfs-ganesha
Version: rhgs-3.4
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: ---
Target Release: RHGS 3.4.0
Assignee: Kaleb KEITHLEY
QA Contact: Manisha Saini
Depends On: 1544852
Blocks: 1503137
Reported: 2018-02-13 15:05 UTC by Ambarish
Modified: 2018-09-24 07:18 UTC

Fixed In Version: glusterfs-3.12.2-5
Last Closed: 2018-09-04 06:42:41 UTC
Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1544852 0 unspecified CLOSED build: glusterfs.spec %post ganesha is missing %{?rhel} test 2021-02-22 00:41:40 UTC
Red Hat Product Errata RHSA-2018:2607 0 None None None 2018-09-04 06:43:59 UTC

Internal Links: 1544852

Description Ambarish 2018-02-13 15:05:28 UTC
Description of problem:
-----------------------

gluster nfs-ganesha enable fails to create a Ganesha HA cluster on latest RHEL 7.5 Snapshot 3.

There's an AVC denial when I try to create a cluster:

type=AVC msg=audit(1518517089.008:203): avc:  denied  { search } for  pid=14039 comm="ganesha.nfsd" name="/" dev="fuse" ino=1 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir



From ganesha.log:

13/02/2018 05:18:09 : epoch d6150000 : gqas004.sbu.lab.eng.bos.redhat.com : ganesha.nfsd-14038[main] main :MAIN :EVENT :ganesha.nfsd Starting: Ganesha Version 2.5.5
13/02/2018 05:18:09 : epoch d6150000 : gqas004.sbu.lab.eng.bos.redhat.com : ganesha.nfsd-14039[main] main :NFS STARTUP :CRIT :Error (token scan) while parsing (/etc/ganesha/ganesha.conf)
13/02/2018 05:18:09 : epoch d6150000 : gqas004.sbu.lab.eng.bos.redhat.com : ganesha.nfsd-14039[main] config_errs_to_log :CONFIG :CRIT :Config File (<unknown file>:0): new file (/etc/ganesha/ganesha.conf) open error (Permission denied), ignored
13/02/2018 05:18:09 : epoch d6150000 : gqas004.sbu.lab.eng.bos.redhat.com : ganesha.nfsd-14039[main] main :NFS STARTUP :FATAL :Fatal errors.  Server exiting...


Version-Release number of selected component (if applicable):
-------------------------------------------------------------

[root@gqas004 ~]# rpm -qa|grep ganesha
glusterfs-ganesha-3.12.2-3.el7rhgs.x86_64
nfs-ganesha-gluster-2.5.5-2.el7rhgs.x86_64

[root@gqas004 ~]# uname -r
3.10.0-845.el7.x86_64

[root@gqas004 ~]# rpm -qa|grep selinux
selinux-policy-targeted-3.13.1-189.el7.noarch
libselinux-2.5-12.el7.x86_64
libselinux-utils-2.5-12.el7.x86_64
libselinux-python-2.5-12.el7.x86_64
selinux-policy-3.13.1-189.el7.noarch




How reproducible:
------------------

2/2 (Manisha's and my setup)

Comment 2 Ambarish 2018-02-13 15:07:59 UTC
On a fresh install (IIRC) ganesha_use_fusefs is supposed to be "on".

For some reason, we do not see this option as "on":

[root@gqas004 ~]# getsebool  ganesha_use_fusefs
ganesha_use_fusefs --> off

Comment 3 Ambarish 2018-02-13 15:08:50 UTC
**Workaround**:

Set the boolean manually:

[root@gqas004 ~]# setsebool -P ganesha_use_fusefs on

[root@gqas004 ~]# getsebool  ganesha_use_fusefs
ganesha_use_fusefs --> on
[root@gqas004 ~]# 

Cluster creation is successful post this.
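
The following is an added example, not part of the original bug report or of any Red Hat tooling: a small parser that reads AVC denial lines like the one in the description and reports which SELinux boolean to inspect. The `BOOLEAN_HINTS` table and the second sample log line are constructed for illustration; only the `ganesha_t` to `fusefs_t` pairing and `ganesha_use_fusefs` come from this report.

```python
import re
from collections import Counter

# First line: the denial quoted in this report. Second line: constructed,
# unrelated denial, included to show that it is not matched.
SAMPLE_AUDIT = '''\
type=AVC msg=audit(1518517089.008:203): avc:  denied  { search } for  pid=14039 comm="ganesha.nfsd" name="/" dev="fuse" ino=1 scontext=system_u:system_r:ganesha_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir
type=AVC msg=audit(1518517090.100:204): avc:  denied  { read } for  pid=900 comm="example" name="x" dev="dm-0" ino=42 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
'''

# (source type, target type) -> boolean to inspect. Assumption: a hand-kept
# table; only the pair discussed in this report is listed.
BOOLEAN_HINTS = {("ganesha_t", "fusefs_t"): "ganesha_use_fusefs"}

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]

def parse_avc(line):
    """Parse one audit line; return a dict, or None if it is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "comm": m["comm"],
        "perms": m["perms"].split(),
        "source": selinux_type(m["scontext"]),
        "target": selinux_type(m["tcontext"]),
        "tclass": m["tclass"],
    }

def booleans_to_check(audit_text):
    """Count denials per boolean hinted at by the (source, target) type pair."""
    hits = Counter()
    for line in audit_text.splitlines():
        d = parse_avc(line)
        if d and (d["source"], d["target"]) in BOOLEAN_HINTS:
            hits[BOOLEAN_HINTS[(d["source"], d["target"])]] += 1
    return dict(hits)

if __name__ == "__main__":
    for name, count in booleans_to_check(SAMPLE_AUDIT).items():
        print(f"{count} denial(s): check `getsebool {name}`")
```

On a real node the input would be the AVC lines from the audit log rather than `SAMPLE_AUDIT`.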

Comment 9 Manisha Saini 2018-04-03 05:43:08 UTC
Verified this BZ with:

# rpm -qa | grep ganesha
nfs-ganesha-2.5.5-3.el7rhgs.x86_64
nfs-ganesha-gluster-2.5.5-3.el7rhgs.x86_64
glusterfs-ganesha-3.12.2-6.el7rhgs.x86_64


On fresh installation of ganesha packages in 3.4, ganesha_use_fusefs is ON by default. Ganesha cluster creation is successful.

# semanage boolean -l | grep ganesha
ganesha_use_fusefs             (on   ,   on)  Allow ganesha to use fusefs


Moving this BZ to verified state.

Comment 11 errata-xmlrpc 2018-09-04 06:42:41 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:2607

Comment 12 Manisha Saini 2018-09-24 07:18:11 UTC
Setting qe_test_coverage + with no testcase ID, since it's been covered as part of every Ganesha test case.