1715503 – [samba-selinux] CTDB status unhealthy after upgrade to samba-4.9.8-102

Bug 1715503 - [samba-selinux] CTDB status unhealthy after upgrade to samba-4.9.8-102

Summary: [samba-selinux] CTDB status unhealthy after upgrade to samba-4.9.8-102

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Gluster Storage
Classification:	Red Hat Storage
Component:	samba
Sub Component:
Version:	rhgs-3.5
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	urgent
Target Milestone:	---
Target Release:	RHGS 3.5.0
Assignee:	Guenther Deschner
QA Contact:	Vivek Das
Docs Contact:
URL:
Whiteboard:
Depends On:	1716400
Blocks:	1696809
TreeView+	depends on / blocked

Reported:	2019-05-30 13:58 UTC by Vivek Das
Modified:	2019-10-30 12:18 UTC (History)
CC List:	4 users (show)
Fixed In Version:	selinux-policy-3.13.1-250.el7, samba-4.9.8-103.el7rhgs
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Clones:	1716400 (view as bug list)
Environment:
Last Closed:	2019-10-30 12:18:28 UTC
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Bugzilla	1716400	0	medium	CLOSED	[samba-selinux] CTDB unable to start due to SELinux AVC denial messages	2021-02-22 00:41:40 UTC
Red Hat Product Errata	RHSA-2019:3253	0	None	None	None	2019-10-30 12:18:41 UTC

Description Vivek Das 2019-05-30 13:58:18 UTC

Description of problem:
After upgrading to samba-4.9.8-102 version ctdb status remains unhealthy through out with the below error in log.ctdb.

Version-Release number of selected component (if applicable):
RHEL7.7
samba-4.9.8-102
glusterfs-6.0-3  
Selinux - Enforcing

How reproducible:
Always

Steps to Reproduce:
1. Have a ctdb healthy setup with live samba packages
2. Upgrade to samba-4.9.8-102
3. watch ctdb status

Actual results:
CTDB unhealthy post upgrade

Expected results:
CTDB should be healthy post upgrade

Additional info:
With Selinux in permissive mode ctdb comes back to healthy state.
audit.log
type=SYSCALL msg=audit(1559223530.599:244): arch=c000003e syscall=2 success=no exit=-13 a0=7ffddf385f00 a1=42 a2=180 a3=7ffddf384280 items=0 ppid=3332 pid=14656 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ctdb_mutex_fcnt" exe="/usr/libexec/ctdb/ctdb_mutex_fcntl_helper" subj=system_u:system_r:ctdbd_t:s0 key=(null)
type=PROCTITLE msg=audit(1559223530.599:244): proctitle=2F7573722F6C6962657865632F637464622F637464625F6D757465785F66636E746C5F68656C706572002F676C75737465722F6C6F636B2F6C6F636B66696C65
type=AVC msg=audit(1559223532.062:245): avc:  denied  { write } for  pid=14686 comm="ctdb_mutex_fcnt" name="lock" dev="dm-0" ino=51218602 scontext=system_u:system_r:ctdbd_t:s0 tcon


log.ctdb
2019/05/30 13:44:48.729568 ctdb-eventd[3005]: 50.samba: messaging_dgm_init: messaging_dgm_create_lockfile failed: Permission denied
2019/05/30 13:44:48.729588 ctdb-eventd[3005]: 50.samba: messaging_dgm_ref failed: Permission denied
2019/05/30 13:44:48.729608 ctdb-eventd[3005]: 50.samba: Unable to initialize messaging context!
2019/05/30 13:44:48.729628 ctdb-eventd[3005]: 50.samba: Failed to set smb ports

Comment 14 errata-xmlrpc 2019-10-30 12:18:28 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:3253

Note You need to log in before you can comment on or make changes to this bug.