Description of problem:
-----------------------
While adding the webhook, gluster-eventsapi throws traceback and also AVC was found

Version-Release number of selected component (if applicable):
--------------------------------------------------------------
RHEL 7.7 ( 3.10.0-1062.12.1.el7.x86_64 )
glusterfs-events-6.0-29.el7rhgs.x86_64
selinux-policy-3.13.1-252.el7_7.6.noarch
libselinux-2.5-14.1.el7.x86_64
libselinux-utils-2.5-14.1.el7.x86_64
selinux-policy-targeted-3.13.1-252.el7_7.6.noarch
libselinux-python-2.5-14.1.el7.x86_64

How reproducible:
-------------------
Always

Steps to Reproduce:
--------------------
1. Add a webhook using gluster-eventsapi

Actual results:
---------------
AVC found

Expected results:
-----------------
No AVC to be found

Additional info:
----------------
[root@rhsqa-grafton10-nic2 ~]# gluster-eventsapi webhook-add http://hostedenginesm4.lab.eng.blr.redhat.com:80/ovirt-engine/services/glusterevents
Traceback (most recent call last):
  File "/usr/sbin/gluster-eventsapi", line 670, in <module>
    runcli()
  File "/usr/lib/python2.7/site-packages/gluster/cliutils/cliutils.py", line 225, in runcli
    cls.run(args)
  File "/usr/sbin/gluster-eventsapi", line 333, in run
    sync_to_peers(args)
  File "/usr/sbin/gluster-eventsapi", line 194, in sync_to_peers
    out = execute_in_peers("node-reload")
  File "/usr/lib/python2.7/site-packages/gluster/cliutils/cliutils.py", line 127, in execute_in_peers
    raise GlusterCmdException((rc, out, err, " ".join(cmd)))
gluster.cliutils.cliutils.GlusterCmdException: (1, '', 'Unable to end. Error : Success\n', 'gluster system:: execute eventsapi.py node-reload')

Snip from /var/log/audit/audit.log
-----------------------------------
<snip>
type=AVC msg=audit(1580298791.445:10615): avc: denied { signal } for pid=19613 comm="peer_eventsapi." scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process permissive=0
type=SYSCALL msg=audit(1580298791.445:10615): arch=c000003e syscall=62 success=no exit=-13 a0=b96 a1=c a2=0 a3=7ffd3f48c760 items=0 ppid=57024 pid=19613 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="peer_eventsapi." exe="/usr/bin/python2.7" subj=system_u:system_r:glusterd_t:s0 key=(null)
</snip>
This bug looks the same as found and fixed earlier in RHEL 7 https://bugzilla.redhat.com/show_bug.cgi?id=1379963
(In reply to SATHEESARAN from comment #1)
> This bug looks the same as found and fixed earlier in RHEL 7
> https://bugzilla.redhat.com/show_bug.cgi?id=1379963

which was fixed in selinux-policy-3.13.1-102.el7_3.13 as per bug 1408128

Milos, can you check if the AVC denial here is another missing policy?
Tested on RHEL-7.8:

# rpm -qa selinux\*
selinux-policy-targeted-3.13.1-266.el7.noarch
selinux-policy-3.13.1-266.el7.noarch
# sesearch -s glusterd_t -t unconfined_service_t -c process -p signal -A -C -D
#

I believe that SELinux policy is missing some rule, but we should first find out which process (causing the AVC) runs as unconfined_service_t.
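An added example, not part of the original thread or of any Gluster or SELinux tooling: the SYSCALL record that shares the AVC's event id already names the signal's recipient. On x86_64 (arch=c000003e) syscall 62 is kill(2), so a0 is the target PID and a1 the signal number, both logged in hex. The function names and the short signal table are this example's own.

```python
import re

# Records copied from the audit.log snippet in the report (one event, two records).
AUDIT_LOG = (
    'type=AVC msg=audit(1580298791.445:10615): avc: denied { signal } for pid=19613 comm="peer_eventsapi." scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process permissive=0\n'
    'type=SYSCALL msg=audit(1580298791.445:10615): arch=c000003e syscall=62 success=no exit=-13 a0=b96 a1=c a2=0 a3=7ffd3f48c760 items=0 ppid=57024 pid=19613 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="peer_eventsapi." exe="/usr/bin/python2.7" subj=system_u:system_r:glusterd_t:s0 key=(null)\n'
)

EVENT_RE = re.compile(r"type=(\w+) msg=audit\(([\d.]+:\d+)\):\s*(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SIGNALS = {1: "SIGHUP", 9: "SIGKILL", 10: "SIGUSR1", 12: "SIGUSR2", 15: "SIGTERM"}  # x86_64 Linux

def parse_events(text):
    """Group audit records by event id: {event_id: {record_type: fields}}."""
    events = {}
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        rtype, event_id, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
        perms = re.search(r"\{([^}]*)\}", body)  # AVC permission set, e.g. { signal }
        fields["perms"] = perms.group(1).split() if perms else []
        events.setdefault(event_id, {})[rtype] = fields
    return events

def denied_signals(text):
    """For each denied 'signal' AVC, decode the kill() target from its SYSCALL record."""
    results = []
    for event_id, recs in parse_events(text).items():
        avc, sc = recs.get("AVC"), recs.get("SYSCALL")
        if not avc or not sc or "signal" not in avc["perms"]:
            continue
        # Only decode kill(2) on x86_64; other syscalls pass the target differently.
        if sc.get("arch") != "c000003e" or int(sc["syscall"]) != 62:
            continue
        sig = int(sc["a1"], 16)
        results.append({
            "event": event_id,
            "sender_pid": int(sc["pid"]),
            "sender_domain": avc["scontext"].split(":")[2],
            "target_pid": int(sc["a0"], 16),  # audit logs a0..a3 in hex
            "target_domain": avc["tcontext"].split(":")[2],
            "signal": SIGNALS.get(sig, str(sig)),
        })
    return results

if __name__ == "__main__":
    print(denied_signals(AUDIT_LOG))
```

If the target process is still running on the affected host, `ps -Z -p <target_pid>` shows its command and confirms which service carries the unconfined_service_t label.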
(In reply to Milos Malik from comment #3)
> Tested on RHEL-7.8:
>
> # rpm -qa selinux\*
> selinux-policy-targeted-3.13.1-266.el7.noarch
> selinux-policy-3.13.1-266.el7.noarch
> # sesearch -s glusterd_t -t unconfined_service_t -c process -p signal -A -C
> -D
> #
>
> I believe that SELinux policy is missing some rule, but we should first find
> out which process (causing the AVC) runs as unconfined_service_t.

Hello Milos,

Let me know if you need any help with the setup or anything else. I could help you.
This issue is not seen with RHEL 8 based RHHI-V (i.e. RHHI-V 1.8.z), but the issue still exists with RHHI-V 1.7.

Again, this issue is primarily hit during the CLI deployment of RHHI-V 1.7, and that deployment is not supported with 1.7.

For these reasons, this bug will be closed, as the issue is resolved with 1.8 (with RHV 4.4 and RHEL 8.x).