Bug 820843 - mountbroker initiated umounts fail with EACCES on RHS systems. (due to SELinux)
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Gluster Storage
Classification: Red Hat Storage
Component: glusterfs
Version: 2.0
Hardware: Unspecified
OS: Unspecified
Priority: urgent
Severity: urgent
Target Milestone: Release Candidate
Target Release: RHGS 2.0.0
Assignee: Anthony Towns
QA Contact: Vijaykumar Koppad
URL:
Whiteboard:
Depends On:
Blocks: 817967
Reported: 2012-05-11 07:34 UTC by Amar Tumballi
Modified: 2015-05-15 18:38 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of: 811672
Environment:
Last Closed: 2012-11-13 06:07:35 UTC
Embargoed:


Description Amar Tumballi 2012-05-11 07:34:15 UTC
+++ This bug was initially created as a clone of Bug #811672 +++

Description of problem:

Mountbroker is a service provided by glusterd that can be used to request certain (pre-configured) glusterfs mounts and unmount them.

Mountbroker mounts succeed, but the unmount part fails with EACCES on RHEL-6.2 -- it seems to be caused by RHEL-specific security settings. Invoking umount(8) from the shell (with the same arguments as passed by glusterd) succeeds.

Version-Release number of selected component (if applicable):


How reproducible:

Deterministically.

Steps to Reproduce:

1. Set up mountbroker as described in RHS User Guide 9.2.5.2. (you may omit the creation of geogroup and the corresponding "option geo-replication-log-group geogroup" volume option)

2. Mount the volume (here I use "slavevol", as in the above doc) through mountbroker with the following command:

# gluster system:: mount geoaccount user-map-root=geoaccount xlator-option=\*-dht.assert-no-child-down=true volfile-server=localhost volfile-id=slavevol client-pid=-1

This will give you back a path of the form /var/mountbroker-root/mb_hive/<mount id>

3. Take down the above mount through mountbroker with the following command:

# gluster system:: umount /var/mountbroker-root/mb_hive/<mount id>
  
Actual results:

We get back the message "umount failed" and the above command exits with 1.

Expected results:

We don't get any output and the above command exits with 0.

Additional info:

Stracing glusterd with the following command:

# strace -s500 -f -eumount -p `cat /var/run/glusterd.pid`

displays

... umount("/var/mountbroker-root/mb_hive/mntTOKUsE", 0) = -1 EACCES (Permission denied)

--- Additional comment from csaba on 2012-04-11 12:59:48 EDT ---

For your ease, the RHS url:

http://docs.redhat.com/docs/en-US/Red_Hat_Storage/2/html/User_Guide/ch09s02s05s02.html

--- Additional comment from jdarcy on 2012-04-11 13:07:42 EDT ---

Anything in the audit log?

--- Additional comment from enakai on 2012-05-09 05:07:31 EDT ---

I suspect this is caused by SELinux. Here's the audit log.

-----
May  9 09:01:30 rhs20b2-02 kernel: type=1400 audit(1336554090.683:5): avc:  denied  { read } for  pid=2130 comm="umount" name="mnt48dS2M" dev=vda2 ino=29940 scontext=unconfined_u:system_r:mount_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=lnk_file
-----

And because of this, geo-replication with an unprivileged user, such as below, fails.

# gluster vol geo-replication vol01 geoaccount@rhs20b2-02::vol01_slave


A workaround is to "setenforce 0", but the final resolution should be an appropriate context labeling....

Comment 1 Anthony Towns 2012-05-24 23:01:18 UTC
selinux disabled on iso as of RHS-2.0-20120524.n.0-RHS-x86_64-DVD1.iso

Comment 2 Vijaykumar Koppad 2012-06-09 09:19:49 UTC
Since SELinux is disabled as of RHS-2.0-20120524.n.0-RHS-x86_64-DVD1.iso, we don't get the environment where this bug can be produced. And mountbroker works fine without SELinux.

