[Bugs] [Bug 1456265] New: SELinux blocks nfs-ganesha-lock service installed on Gluster
bugzilla at redhat.com
Sun May 28 14:22:45 UTC 2017
https://bugzilla.redhat.com/show_bug.cgi?id=1456265
Bug ID: 1456265
Summary: SELinux blocks nfs-ganesha-lock service installed on Gluster
Product: GlusterFS
Version: 3.10
Component: ganesha-nfs
Severity: medium
Assignee: bugs at gluster.org
Reporter: ad.ruckel at gmail.com
CC: bugs at gluster.org
Description of problem:
When you start nfs-ganesha.service, nfs-ganesha-lock.service fails (when
SELinux is enabled).
Version-Release number of selected component (if applicable):
CentOS 3.10.0-514.21.1.el7.x86_64
glusterfs* 3.10.1-1.el7 (most current from centos-gluster310 repo)
nfs-ganesha* 2.4.5-1.el7 (most current from centos-gluster310 repo)
How reproducible:
Follow this thread to install Gluster and Ganesha:
http://lists.gluster.org/pipermail/gluster-users/2017-May/031256.html
Steps to Reproduce:
1. Reboot
2. systemctl start nfs-ganesha.service
Additional info:
Please find attached AVCs and version numbers. AVCs are collected
between two reboots, in both cases I manually started
nfs-ganesha.service and nfs-ganesha-lock.service failed to start.
---------
uname -r
3.10.0-514.21.1.el7.x86_64
sestatus -v
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 28
Process contexts:
Current context:
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Init context: system_u:system_r:init_t:s0
File contexts:
Controlling terminal: unconfined_u:object_r:user_tty_device_t:s0
/etc/passwd system_u:object_r:passwd_file_t:s0
/etc/shadow system_u:object_r:shadow_t:s0
/bin/bash system_u:object_r:shell_exec_t:s0
/bin/login system_u:object_r:login_exec_t:s0
/bin/sh system_u:object_r:bin_t:s0 ->
system_u:object_r:shell_exec_t:s0
/sbin/agetty system_u:object_r:getty_exec_t:s0
/sbin/init system_u:object_r:bin_t:s0 ->
system_u:object_r:init_exec_t:s0
/usr/sbin/sshd system_u:object_r:sshd_exec_t:s0
sudo systemctl start nfs-ganesha.service
systemctl status -l nfs-ganesha-lock.service
● nfs-ganesha-lock.service - NFS status monitor for NFSv2/3 locking.
Loaded: loaded (/usr/lib/systemd/system/nfs-ganesha-lock.service; static;
vendor preset: disabled)
Active: failed (Result: exit-code) since Sun 2017-05-28 14:12:48 UTC; 9s ago
Process: 1991 ExecStart=/usr/sbin/rpc.statd --no-notify $STATDARGS
(code=exited, status=1/FAILURE)
mynode0.localdomain systemd[1]: Starting NFS status monitor for NFSv2/3
locking....
mynode0.localdomain rpc.statd[1992]: Version 1.3.0 starting
mynode0.localdomain rpc.statd[1992]: Flags: TI-RPC
mynode0.localdomain rpc.statd[1992]: Failed to open directory sm: Permission
denied
mynode0.localdomain systemd[1]: nfs-ganesha-lock.service: control process
exited, code=exited status=1
mynode0.localdomain systemd[1]: Failed to start NFS status monitor for NFSv2/3
locking..
mynode0.localdomain systemd[1]: Unit nfs-ganesha-lock.service entered failed
state.
mynode0.localdomain systemd[1]: nfs-ganesha-lock.service failed.
sudo ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -i
----
type=SYSCALL msg=audit(05/28/2017 14:04:32.160:25) : arch=x86_64 syscall=bind
success=yes exit=0 a0=0xf a1=0x7ffc757feb60 a2=0x10 a3=0x22 items=0 ppid=1149
pid=1157 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root
sgid=root fsgid=root tty=(none) ses=unset comm=glusterd
exe=/usr/sbin/glusterfsd subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(05/28/2017 14:04:32.160:25) : avc: denied { name_bind }
for pid=1157 comm=glusterd src=61000 scontext=system_u:system_r:glusterd_t:s0
tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket
----
type=SYSCALL msg=audit(05/28/2017 14:11:16.141:26) : arch=x86_64 syscall=bind
success=no exit=EACCES(Permission denied) a0=0xf a1=0x7ffffbf92620 a2=0x10
a3=0x22 items=0 ppid=1139 pid=1146 auid=unset uid=root gid=root euid=root
suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset
comm=glusterd exe=/usr/sbin/glusterfsd subj=system_u:system_r:glusterd_t:s0
key=(null)
type=AVC msg=audit(05/28/2017 14:11:16.141:26) : avc: denied { name_bind }
for pid=1146 comm=glusterd src=61000 scontext=system_u:system_r:glusterd_t:s0
tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket
----
type=SYSCALL msg=audit(05/28/2017 14:12:48.068:75) : arch=x86_64 syscall=openat
success=no exit=EACCES(Permission denied) a0=0xffffffffffffff9c
a1=0x7efdc1ec3e10 a2=O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC a3=0x0 items=0
ppid=1991 pid=1992 auid=unset uid=root gid=root euid=root suid=root fsuid=root
egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rpc.statd
exe=/usr/sbin/rpc.statd subj=system_u:system_r:rpcd_t:s0 key=(null)
type=AVC msg=audit(05/28/2017 14:12:48.068:75) : avc: denied { read } for
pid=1992 comm=rpc.statd name=sm dev="fuse" ino=12866274077597183313
scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:object_r:fusefs_t:s0
tclass=dir
----
type=SYSCALL msg=audit(05/28/2017 14:12:48.080:76) : arch=x86_64 syscall=open
success=no exit=EACCES(Permission denied) a0=0x7efdc1ec3dd0 a1=O_RDONLY
a2=0x7efdc1ec3de8 a3=0x5 items=0 ppid=1991 pid=1992 auid=unset uid=root
gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root
tty=(none) ses=unset comm=rpc.statd exe=/usr/sbin/rpc.statd
subj=system_u:system_r:rpcd_t:s0 key=(null)
type=AVC msg=audit(05/28/2017 14:12:48.080:76) : avc: denied { read } for
pid=1992 comm=rpc.statd name=state dev="fuse" ino=12362789396445498341
scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:object_r:fusefs_t:s0
tclass=file
----
type=SYSCALL msg=audit(05/28/2017 14:17:37.177:26) : arch=x86_64 syscall=bind
success=no exit=EACCES(Permission denied) a0=0xf a1=0x7ffdfa768c70 a2=0x10
a3=0x22 items=0 ppid=1155 pid=1162 auid=unset uid=root gid=root euid=root
suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset
comm=glusterd exe=/usr/sbin/glusterfsd subj=system_u:system_r:glusterd_t:s0
key=(null)
type=AVC msg=audit(05/28/2017 14:17:37.177:26) : avc: denied { name_bind }
for pid=1162 comm=glusterd src=61000 scontext=system_u:system_r:glusterd_t:s0
tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket
----
type=SYSCALL msg=audit(05/28/2017 14:17:46.401:56) : arch=x86_64 syscall=kill
success=no exit=EACCES(Permission denied) a0=0x560 a1=SIGKILL a2=0x7fd684000078
a3=0x0 items=0 ppid=1 pid=1167 auid=unset uid=root gid=root euid=root suid=root
fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=glusterd
exe=/usr/sbin/glusterfsd subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(05/28/2017 14:17:46.401:56) : avc: denied { sigkill } for
pid=1167 comm=glusterd scontext=system_u:system_r:glusterd_t:s0
tcontext=system_u:system_r:cluster_t:s0 tclass=process
----
type=SYSCALL msg=audit(05/28/2017 14:17:45.400:55) : arch=x86_64 syscall=kill
success=no exit=EACCES(Permission denied) a0=0x560 a1=SIGTERM a2=0x7fd684000038
a3=0x99 items=0 ppid=1 pid=1167 auid=unset uid=root gid=root euid=root
suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset
comm=glusterd exe=/usr/sbin/glusterfsd subj=system_u:system_r:glusterd_t:s0
key=(null)
type=AVC msg=audit(05/28/2017 14:17:45.400:55) : avc: denied { signal } for
pid=1167 comm=glusterd scontext=system_u:system_r:glusterd_t:s0
tcontext=system_u:system_r:cluster_t:s0 tclass=process
----
type=SYSCALL msg=audit(05/28/2017 14:18:56.024:67) : arch=x86_64 syscall=openat
success=no exit=EACCES(Permission denied) a0=0xffffffffffffff9c
a1=0x7ff662e9be10 a2=O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC a3=0x0 items=0
ppid=1949 pid=1950 auid=unset uid=root gid=root euid=root suid=root fsuid=root
egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rpc.statd
exe=/usr/sbin/rpc.statd subj=system_u:system_r:rpcd_t:s0 key=(null)
type=AVC msg=audit(05/28/2017 14:18:56.024:67) : avc: denied { read } for
pid=1950 comm=rpc.statd name=sm dev="fuse" ino=12866274077597183313
scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:object_r:fusefs_t:s0
tclass=dir
----
type=SYSCALL msg=audit(05/28/2017 14:18:56.034:68) : arch=x86_64 syscall=open
success=no exit=EACCES(Permission denied) a0=0x7ff662e9bdd0 a1=O_RDONLY
a2=0x7ff662e9bde8 a3=0x5 items=0 ppid=1949 pid=1950 auid=unset uid=root
gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root
tty=(none) ses=unset comm=rpc.statd exe=/usr/sbin/rpc.statd
subj=system_u:system_r:rpcd_t:s0 key=(null)
type=AVC msg=audit(05/28/2017 14:18:56.034:68) : avc: denied { read } for
pid=1950 comm=rpc.statd name=state dev="fuse" ino=12362789396445498341
scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:object_r:fusefs_t:s0
tclass=file
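A small triage script, added here and not part of the report, that parses the `ausearch -i` AVC records above and groups the denials by source type, target type and object class, so the rpc.statd (rpcd_t) denials on the fusefs_t-labelled shared storage stand out from the unrelated glusterd denials. The AVC lines embedded in it are copied from the report.

```python
import re
from collections import defaultdict

# AVC records copied from the ausearch -i output in the report above.
AVC_LINES = """\
type=AVC msg=audit(05/28/2017 14:04:32.160:25) : avc: denied { name_bind } for pid=1157 comm=glusterd src=61000 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(05/28/2017 14:12:48.068:75) : avc: denied { read } for pid=1992 comm=rpc.statd name=sm dev="fuse" ino=12866274077597183313 scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir
type=AVC msg=audit(05/28/2017 14:12:48.080:76) : avc: denied { read } for pid=1992 comm=rpc.statd name=state dev="fuse" ino=12362789396445498341 scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=file
type=AVC msg=audit(05/28/2017 14:17:46.401:56) : avc: denied { sigkill } for pid=1167 comm=glusterd scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:cluster_t:s0 tclass=process
type=AVC msg=audit(05/28/2017 14:18:56.024:67) : avc: denied { read } for pid=1950 comm=rpc.statd name=sm dev="fuse" ino=12866274077597183313 scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value or key="value"

def parse_avc(text):
    """Return one dict per AVC denial: the denied perms plus every key=value field."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue                       # SYSCALL records and separators are skipped
        rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
        rec["perms"] = m.group("perms").split()
        records.append(rec)
    return records

def summarize(records):
    """Group denials by (scontext, tcontext, tclass); union the perms, count hits."""
    groups = defaultdict(lambda: {"perms": set(), "count": 0, "names": set()})
    for r in records:
        g = groups[(r["scontext"], r["tcontext"], r["tclass"])]
        g["perms"].update(r["perms"])
        g["count"] += 1
        if "name" in r:
            g["names"].add(r["name"])
    return dict(groups)

def statd_shared_storage_denials(records):
    """The denials that break nfs-ganesha-lock: rpcd_t reading the statd 'sm' dir
    and 'state' file, which live on the FUSE-mounted Gluster shared storage and
    therefore carry the generic fusefs_t label instead of a statd-accessible one."""
    return [r for r in records
            if r["scontext"].split(":")[2] == "rpcd_t"
            and r["tcontext"].split(":")[2] == "fusefs_t"]

if __name__ == "__main__":
    for (s, t, c), g in summarize(parse_avc(AVC_LINES)).items():
        print(f"{g['count']}x {s.split(':')[2]} -> {t.split(':')[2]} ({c}): "
              f"{' '.join(sorted(g['perms']))} {sorted(g['names'])}")
```

On a live host the same records come from `ausearch -m AVC -i`; once the rpcd_t to fusefs_t pair is confirmed as the cause, feeding just those records to `audit2allow` gives the candidate policy change to review, rather than blanket-allowing the glusterd denials as well.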