Bug 1818783 - [RHEL8] [SELinux] CTDB is unhealthy with selinux set to Enforcing in RHEL-8.2
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Gluster Storage
Classification: Red Hat Storage
Component: samba
Version: rhgs-3.5
Hardware: Unspecified
OS: Unspecified
unspecified
urgent
Target Milestone: ---
: RHGS 3.5.z Batch Update 2
Assignee: Anoop C S
QA Contact: Vivek Das
URL:
Whiteboard:
Depends On: 1819243 1821226
Blocks: 1786127
Reported: 2020-03-30 11:24 UTC by Vivek Das
Modified: 2020-06-16 05:47 UTC (History)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
: 1819243 (view as bug list)
Environment:
Last Closed: 2020-06-16 05:46:58 UTC
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2020:2574 0 None None None 2020-06-16 05:47:03 UTC

Description Vivek Das 2020-03-30 11:24:36 UTC
Description of problem:
ctdb status is UNHEALTHY with below avc denied messages

type=AVC msg=audit(1585585164.848:7647): avc:  denied  { map } for  pid=104579 comm="smbd" path="/var/lib/ctdb/volatile/g_lock.tdb.3" dev="dm-0" ino=33884292 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file permissive=0

type=AVC msg=audit(1585585164.848:7648): avc:  denied  { map } for  pid=104579 comm="smbd" path="/var/lib/ctdb/volatile/g_lock.tdb.3" dev="dm-0" ino=33884292 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file permissive=0

With permissive mode ctdb is healthy.

Version-Release number of selected component (if applicable):
samba-4.11.6-105.el8rhgs.x86_64
RHEL-8.2
selinux-policy-3.14.3-40.el8.noarch

How reproducible:
Always

Steps to Reproduce:
1. Set up RHGS-Samba in RHEL-8.2
2. Start CTDB
3.

Actual results:
ctdb status is unhealthy

Expected results:
ctdb status should be healthy

Additional info:
AVC denial messages
----------------------
type=AVC msg=audit(1585585428.380:7993): avc:  denied  { map } for  pid=108075 comm="smbd" path="/var/lib/ctdb/persistent/secrets.tdb.3" dev="dm-0" ino=69818 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1585585428.383:7994): avc:  denied  { map } for  pid=108075 comm="smbd" path="/var/lib/ctdb/volatile/g_lock.tdb.3" dev="dm-0" ino=33884292 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1585585428.383:7995): avc:  denied  { map } for  pid=108075 comm="smbd" path="/var/lib/ctdb/volatile/g_lock.tdb.3" dev="dm-0" ino=33884292 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1585585428.392:7996): avc:  denied  { map } for  pid=108075 comm="smbd" path="/var/lib/ctdb/persistent/secrets.tdb.3" dev="dm-0" ino=69818 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1585585428.392:7997): avc:  denied  { map } for  pid=108075 comm="smbd" path="/var/lib/ctdb/volatile/g_lock.tdb.3" dev="dm-0" ino=33884292 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1585585428.392:7998): avc:  denied  { map } for  pid=108075 comm="smbd" path="/var/lib/ctdb/volatile/g_lock.tdb.3" dev="dm-0" ino=33884292 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file permissive=0
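
A triage aid for the denials listed above, added here as an example and not part of the original report or of the fix shipped in the advisory: it collapses repeated AVC records into distinct (source type, target type, class) groups and renders each as a candidate type-enforcement rule for policy review. The function names `summarize` and `candidate_rules` are hypothetical, and the SYSCALL line in the sample is constructed.

```python
import re
from collections import defaultdict

# Two denials copied from the report, plus one constructed non-AVC line.
SAMPLE_LOG = """\
type=AVC msg=audit(1585585428.380:7993): avc:  denied  { map } for  pid=108075 comm="smbd" path="/var/lib/ctdb/persistent/secrets.tdb.3" dev="dm-0" ino=69818 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1585585428.383:7994): avc:  denied  { map } for  pid=108075 comm="smbd" path="/var/lib/ctdb/volatile/g_lock.tdb.3" dev="dm-0" ino=33884292 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1585585428.383:7994): arch=c000003e syscall=9 success=no
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def se_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]

def summarize(log_text):
    """Group denials by (source type, target type, object class)."""
    groups = defaultdict(
        lambda: {"perms": set(), "paths": set(), "count": 0, "enforced": 0})
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial record
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
        key = (se_type(fields["scontext"]), se_type(fields["tcontext"]),
               fields["tclass"])
        g = groups[key]
        g["perms"].update(m.group(1).split())
        g["paths"].add(fields.get("path", "?"))
        g["count"] += 1
        # permissive=0 means the access was actually blocked, not just logged
        g["enforced"] += fields.get("permissive") == "0"
    return dict(groups)

def candidate_rules(groups):
    """Render each group as an allow rule to review, not to apply blindly."""
    rules = []
    for (src, tgt, cls), g in sorted(groups.items()):
        perms = sorted(g["perms"])
        perm_s = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_s};")
    return rules

if __name__ == "__main__":
    for rule in candidate_rules(summarize(SAMPLE_LOG)):
        print(rule)
```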

Comment 12 errata-xmlrpc 2020-06-16 05:46:58 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:2574

