SELinux status: enabled SELinuxfs mount: /sys/fs/selinux SELinux root directory: /etc/selinux Loaded policy name: targeted Current mode: permissive Mode from config file: permissive Policy MLS status: enabled Policy deny_unknown status: allowed Memory protection checking: actual (secure) Max kernel policy version: 33 selinux-policy-34.1.43-1.el9.noarch ---- time->Tue Nov 15 07:41:38 2022 type=PROCTITLE msg=audit(1668494498.824:1722): proctitle=2F7573722F7362696E2F736D6264002D2D666F726567726F756E64002D2D6E6F2D70726F636573732D67726F7570 type=PATH msg=audit(1668494498.824:1722): item=0 name="/mnt/gfs2-ctdb/public" inode=4657 dev=fd:02 mode=040755 ouid=1002 ogid=1002 rdev=00:00 obj=system_u:object_r:samba_share_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 type=CWD msg=audit(1668494498.824:1722): cwd="/" type=SYSCALL msg=audit(1668494498.824:1722): arch=c000003e syscall=89 success=no exit=-22 a0=7ffe2febea20 a1=7ffe2febe5c0 a2=3ff a3=40 items=1 ppid=86685 pid=87408 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="smbd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null) type=AVC msg=audit(1668494498.824:1722): avc: denied { search } for pid=87408 comm="smbd" name="/" dev="dm-2" ino=4656 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1 ---- time->Tue Nov 15 07:42:52 2022 type=PROCTITLE msg=audit(1668494572.903:2166): proctitle=2F7573722F7362696E2F736D6264002D2D666F726567726F756E64002D2D6E6F2D70726F636573732D67726F7570 type=PATH msg=audit(1668494572.903:2166): item=0 name="/mnt/gfs2-ctdb/public" inode=4657 dev=fd:02 mode=040755 ouid=1002 ogid=1002 rdev=00:00 obj=system_u:object_r:samba_share_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 type=CWD msg=audit(1668494572.903:2166): cwd="/" type=SYSCALL msg=audit(1668494572.903:2166): arch=c000003e syscall=89 success=no exit=-22 a0=7ffe7f07a7f0 a1=7ffe7f07a390 a2=3ff a3=7f4134153c80 items=1 ppid=89074 pid=89081 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="smbd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null) type=AVC msg=audit(1668494572.903:2166): avc: denied { search } for pid=89081 comm="smbd" name="/" dev="dm-2" ino=4656 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
Hi Michal, How were these files /mnt/gfs2-ctdb/public created? The unlabeled_t label is usually displayed when a file was created in SELinux disabled state or when its actual label does not currently exist.
(In reply to Nikola Knazekova from comment #1) > Hi Michal, > > How were these files /mnt/gfs2-ctdb/public created? > > The unlabeled_t label is usually displayed when a file was created in > SELinux disabled state or when its actual label does not currently exist. This is how /mnt/gfs2-ctdb `ls` looks: [root@virt-242 ~]# ls -laZ /mnt/gfs2-ctdb total 20 drwxr-xr-x. 4 root root system_u:object_r:unlabeled_t:s0 3864 Feb 6 15:21 . drwxr-xr-x. 9 root root system_u:object_r:mnt_t:s0 119 Feb 6 15:09 .. drwxr-xr-x. 2 root root system_u:object_r:ctdbd_var_run_t:s0 3864 Feb 6 15:53 ctdb drwxr-xr-x. 2 smbguest smbguest system_u:object_r:samba_share_t:s0 3864 Feb 6 15:21 public The flow when AVC happens is: scenarios.CTDB_IPv4 INFO pass: Activate vg shared scenarios.CTDB_IPv4 INFO pass: Make sure /mnt/gfs2-ctdb is not mounted. scenarios.CTDB_IPv4 INFO pass: Create /mnt/gfs2-ctdb directory. scenarios.CTDB_IPv4 INFO pass: Mount /mnt/gfs2-ctdb scenarios.CTDB_IPv4 INFO pass: Create /mnt/gfs2-ctdb/ctdb/ directory. scenarios.CTDB_IPv4 INFO pass: Create /mnt/gfs2-ctdb/public/ directory. scenarios.CTDB_IPv4 INFO pass: Change owner of /mnt/gfs2-ctdb/public/. scenarios.CTDB_IPv4 INFO pass: Change permissions of /mnt/gfs2-ctdb/public/. scenarios.CTDB_IPv4 INFO pass: Change security context of /mnt/gfs2-ctdb/ctdb/. scenarios.CTDB_IPv4 INFO pass: Change security context of /mnt/gfs2-ctdb/public/. scenarios.CTDB_IPv4 INFO pass: Umount /mnt/gfs2-ctdb /mnt/gfs2-ctdb is gfs2 filesystem.
Hi, after investigation I am closing this bug as NOTABUG. This behaviour is expected and filesystems have to be mounted with selinux context: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/sect-security-enhanced_linux-working_with_selinux-mounting_file_systems