This bug was initially created as a copy of Bug #1955415

I am copying this bug because: glusterd related AVC denials are usually handled within glusterfs-selinux package.

Description of problem:
After RHVH is upgraded to the latest 4.4.6, there are AVC denied errors in audit.log

Version-Release number of selected component (if applicable):
RHVM: 4.4.6.5-0.17.el8ev
RHVH: redhat-virtualization-host-4.4.6-20210426.0.el8_4
RHGS: glusterfs-selinux-1.0-4.el8rhgs.noarch
RHEL: selinux-policy-3.14.3-67.el8.noarch, selinux-policy-targeted-3.14.3-67.el8.noarch

How reproducible:
100%

Steps to Reproduce:
1. Install RHVH-4.4-20210331.0-RHVH-x86_64-dvd1.iso
2. Add host to RHVM
3. Login to host, setup local repos and point to "redhat-virtualization-host-4.4.6-20210426.0.el8_4"
4. Remove audit.log before upgrade
   # mv /var/log/audit/audit.log /var/log/audit/audit.log.bak
5. Upgrade the host via RHVM
6. Check avc denied info in audit.log after upgrade
   # grep 'avc: denied' /var/log/audit/audit.log

Actual results:
There are AVC denied errors in audit.log
~~~~~~
# grep 'avc: denied' /var/log/audit/audit.log
type=AVC msg=audit(1619768225.841:76): avc: denied { create } for pid=1969 comm="glusterd" scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:glusterd_t:s0 tclass=netlink_rdma_socket permissive=0
type=AVC msg=audit(1619768225.841:77): avc: denied { create } for pid=1969 comm="glusterd" scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:glusterd_t:s0 tclass=netlink_rdma_socket permissive=0
type=AVC msg=audit(1619753841.383:100): avc: denied { write } for pid=5708 comm="NetworkManager" path="/var/tmp/dracut.bN9njs/systemd-cat" dev="dm-8" ino=12583537 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:kdumpctl_tmp_t:s0 tclass=fifo_file permissive=0
~~~~~~

Expected results:
After upgrade, there is no AVC denied error in audit.log

Additional info:
I have tested the same with RHVH 4.4.6. This happens when updating from RHVH 4.4.5 to 4.4.6, but the same AVCs are not seen with the fresh installation and deployment of RHHI-V 1.8.5 on RHVH 4.4.6.
Again, there is no functional loss seen with these AVCs.
Tested with glusterfs-selinux-1.0-5.el8rhgs with RHVH 4.4.8 interim build (RHVH-4.4-20210818.0-RHVH-x86_64-dvd1.iso)

There are no AVC messages seen related to RDMA when restarting glusterd.

This was verified with the steps:
1. Installed RHVH 4.4.5 and every time restarting glusterd introduced AVC denials for RDMA
<snip>
type=AVC msg=audit(1629772417.256:33): avc: denied { create } for pid=1182 comm="glusterd" scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:glusterd_t:s0 tclass=netlink_rdma_socket permissive=0
type=AVC msg=audit(1629772417.256:34): avc: denied { create } for pid=1182 comm="glusterd" scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:glusterd_t:s0 tclass=netlink_rdma_socket permissive=0
</snip>
2. Upgraded the RHVH 4.4.5 to RHVH 4.4.8 and installed glusterfs-selinux-1.0-5.el8rhgs, rebooted the node. After the RHVH node is up, restarting glusterd had no AVC denials reported.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (RHGS 3.5.z Batch Update 5 glusterfs bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2021:3729