Bug 1715503 - [samba-selinux] CTDB status unhealthy after upgrade to samba-4.9.8-102
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Gluster Storage
Classification: Red Hat
Component: samba
Version: rhgs-3.5
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: urgent
Target Milestone: ---
Target Release: RHGS 3.5.0
Assignee: Guenther Deschner
QA Contact: Vivek Das
URL:
Whiteboard:
Depends On: 1716400
Blocks: 1696809
Reported: 2019-05-30 13:58 UTC by Vivek Das
Modified: 2019-10-30 12:18 UTC (History)

Fixed In Version: selinux-policy-3.13.1-250.el7, samba-4.9.8-103.el7rhgs
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1716400 (view as bug list)
Environment:
Last Closed: 2019-10-30 12:18:28 UTC
Target Upstream Version:


Links
System | ID | Priority | Status | Summary | Last Updated
Red Hat Bugzilla | 1716400 | medium | CLOSED | [samba-selinux] CTDB unable to start due to SELinux AVC denial messages | 2019-11-13 17:38:07 UTC
Red Hat Product Errata | RHSA-2019:3253 | None | None | None | 2019-10-30 12:18:41 UTC

Description Vivek Das 2019-05-30 13:58:18 UTC
Description of problem:
After upgrading to the samba-4.9.8-102 version, ctdb status remains unhealthy throughout, with the below error in log.ctdb.

Version-Release number of selected component (if applicable):
RHEL7.7
samba-4.9.8-102
glusterfs-6.0-3
SELinux - Enforcing

How reproducible:
Always

Steps to Reproduce:
1. Have a healthy ctdb setup with live samba packages
2. Upgrade to samba-4.9.8-102
3. Watch ctdb status

Actual results:
CTDB unhealthy post upgrade

Expected results:
CTDB should be healthy post upgrade

Additional info:
With SELinux in permissive mode, ctdb comes back to a healthy state.
audit.log
type=SYSCALL msg=audit(1559223530.599:244): arch=c000003e syscall=2 success=no exit=-13 a0=7ffddf385f00 a1=42 a2=180 a3=7ffddf384280 items=0 ppid=3332 pid=14656 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ctdb_mutex_fcnt" exe="/usr/libexec/ctdb/ctdb_mutex_fcntl_helper" subj=system_u:system_r:ctdbd_t:s0 key=(null)
type=PROCTITLE msg=audit(1559223530.599:244): proctitle=2F7573722F6C6962657865632F637464622F637464625F6D757465785F66636E746C5F68656C706572002F676C75737465722F6C6F636B2F6C6F636B66696C65
type=AVC msg=audit(1559223532.062:245): avc:  denied  { write } for  pid=14686 comm="ctdb_mutex_fcnt" name="lock" dev="dm-0" ino=51218602 scontext=system_u:system_r:ctdbd_t:s0 tcon


log.ctdb
2019/05/30 13:44:48.729568 ctdb-eventd[3005]: 50.samba: messaging_dgm_init: messaging_dgm_create_lockfile failed: Permission denied
2019/05/30 13:44:48.729588 ctdb-eventd[3005]: 50.samba: messaging_dgm_ref failed: Permission denied
2019/05/30 13:44:48.729608 ctdb-eventd[3005]: 50.samba: Unable to initialize messaging context!
2019/05/30 13:44:48.729628 ctdb-eventd[3005]: 50.samba: Failed to set smb ports
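
For triage, the audit records quoted in the description can be grouped by event id and decoded (hex proctitle, negative exit code, denied permission). The Python below is an added example, not part of the original report or of any Red Hat or Samba tooling; the names `summarize`, `decode_proctitle` and the result keys are this example's own, and it assumes raw (uninterpreted) audit.log lines.

```python
import errno
import re

# Records copied from the audit.log excerpt above; the AVC record is cut off
# after "tcon" on the page and is parsed as-is.
AUDIT_LINES = [
    'type=SYSCALL msg=audit(1559223530.599:244): arch=c000003e syscall=2 success=no exit=-13 a0=7ffddf385f00 a1=42 a2=180 a3=7ffddf384280 items=0 ppid=3332 pid=14656 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ctdb_mutex_fcnt" exe="/usr/libexec/ctdb/ctdb_mutex_fcntl_helper" subj=system_u:system_r:ctdbd_t:s0 key=(null)',
    'type=PROCTITLE msg=audit(1559223530.599:244): proctitle=2F7573722F6C6962657865632F637464622F637464625F6D757465785F66636E746C5F68656C706572002F676C75737465722F6C6F636B2F6C6F636B66696C65',
    'type=AVC msg=audit(1559223532.062:245): avc:  denied  { write } for  pid=14686 comm="ctdb_mutex_fcnt" name="lock" dev="dm-0" ino=51218602 scontext=system_u:system_r:ctdbd_t:s0 tcon',
]

HEADER = re.compile(r'type=(\w+) msg=audit\((\d+\.\d+:\d+)\): ?(.*)')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def decode_proctitle(token):
    """auditd quotes printable titles and hex-encodes the rest; argv is NUL-separated."""
    if token.startswith('"'):
        return [token.strip('"')]
    try:
        raw = bytes.fromhex(token)
    except ValueError:
        return [token]  # neither quoted nor valid hex: keep the token unchanged
    return [arg.decode("utf-8", "replace") for arg in raw.split(b"\0")]

def summarize(lines):
    """Group records by audit event id and keep the fields needed for triage."""
    events = {}
    for line in lines:
        m = HEADER.match(line)
        if not m:
            continue  # not an audit record
        rtype, event_id, body = m.groups()
        raw = dict(FIELD.findall(body))
        fields = {k: v.strip('"') for k, v in raw.items()}
        ev = events.setdefault(event_id, {})
        if rtype == "SYSCALL":
            ev["exe"], ev["domain"] = fields.get("exe"), fields.get("subj")
            code = int(fields.get("exit", "0"))
            if code < 0:  # a negative exit value is -errno
                ev["errno"] = errno.errorcode.get(-code, str(-code))
        elif rtype == "PROCTITLE" and "proctitle" in raw:
            ev["argv"] = decode_proctitle(raw["proctitle"])
        elif rtype == "AVC":
            perms = re.search(r'denied\s+\{([^}]*)\}', body)
            ev["denied"] = perms.group(1).split() if perms else []
            ev["domain"], ev["target_name"] = fields.get("scontext"), fields.get("name")
    return events

if __name__ == "__main__":
    for event_id, summary in summarize(AUDIT_LINES).items():
        print(event_id, summary)
```

On the quoted records, event 244 decodes to the helper being run with `/gluster/lock/lockfile` as its argument and failing with EACCES, and event 245 is a `write` denial for the `ctdbd_t` domain on an object named `lock`.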

Comment 14 errata-xmlrpc 2019-10-30 12:18:28 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:3253