[Bugs] [Bug 1162125] New: glusterd can't create /var/run/glusterd.socket when SELinux is in enforcing mode

bugzilla at redhat.com bugzilla at redhat.com
Mon Nov 10 10:34:36 UTC 2014


https://bugzilla.redhat.com/show_bug.cgi?id=1162125

            Bug ID: 1162125
           Summary: glusterd can't create /var/run/glusterd.socket when
                    SELinux is in enforcing mode
           Product: GlusterFS
           Version: 3.6.0
         Component: glusterd
          Assignee: bugs at gluster.org
          Reporter: nils at breun.nl
                CC: bugs at gluster.org, gluster-bugs at redhat.com



Description of problem:

After installing the glusterfs-server RPM packages via yum on EL7 with SELinux
in enforcing mode, glusterd tries to start but fails. Changing the SELinux type
for /var/run/glusterd.socket to glusterd_var_run_t fixes this.

Version-Release number of selected component (if applicable):

3.6.1-1.el7.x86_64

How reproducible:

Always.

Steps to Reproduce:
1. Enable SELinux in enforcing mode on EL7
2. Install glusterfs-server

Actual results:

glusterd fails to start and setroubleshoot e-mails the following information
(we have it set up to do so):

----
SELinux is preventing /usr/sbin/glusterfsd from write access on the sock_file .

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that glusterfsd should be allowed write access on the  sock_file
by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep glusterd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:glusterd_t:s0
Target Context                unconfined_u:object_r:var_run_t:s0
Target Objects                 [ sock_file ]
Source                        glusterd
Source Path                   /usr/sbin/glusterfsd
Port                          <Unknown>
Host                          <hostname>
Source RPM Packages           glusterfs-3.5.2-1.el7.x86_64
                             glusterfs-3.6.1-1.el7.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-153.el7_0.11.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     <hostname>
Platform                      Linux <hostname>
                             3.10.0-123.9.2.el7.x86_64 #1 SMP Tue Oct 28
                             18:05:26 UTC 2014 x86_64 x86_64
Alert Count                   1
First Seen                    2014-11-10 11:01:52 CET
Last Seen                     2014-11-10 11:01:52 CET
Local ID                      648efa6e-4a07-4cea-9e57-bf35a19af460

Raw Audit Messages
type=AVC msg=audit(1415613712.270:36592): avc:  denied  { write } for 
pid=14251 comm="glusterd" name="glusterd.socket" dev="tmpfs" ino=16965404
scontext=system_u:system_r:glusterd_t:s0
tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file


type=SYSCALL msg=audit(1415613712.270:36592): arch=x86_64 syscall=connect
success=no exit=EACCES a0=c a1=7fffcabfe970 a2=6e a3=7fffcabfe8ec items=0
ppid=14250 pid=14251 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=glusterd exe=/usr/sbin/glusterfsd
subj=system_u:system_r:glusterd_t:s0 key=(null)

Hash: glusterd,glusterd_t,var_run_t,sock_file,write
----


Expected results:

glusterd should start without any problems.

Additional info:

We use the following workaround, setting the SELinux type of
/var/run/glusterd.socket to glusterd_var_run_t, instead of the default
var_run_t that is used for files in /var/run:

----
# semanage fcontext --add --type glusterd_var_run_t /var/run/glusterd.socket
# restorecon /var/run/glusterd.socket
# systemctl start glusterd
----

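Added example (not part of the original report, and not GlusterFS or setroubleshoot code): a small triage script that parses the AVC record quoted above and separates "target carries a generic label, so fix the file context" from "labels look specific, so review policy". The list of generic types, the `<domain>_<generic type>` naming guess and the function names are assumptions made for this illustration.

```python
import re

# AVC record from the report above, re-joined onto one line (the mail wrapped it).
SAMPLE_AVC = (
    'type=AVC msg=audit(1415613712.270:36592): avc:  denied  { write } for '
    'pid=14251 comm="glusterd" name="glusterd.socket" dev="tmpfs" ino=16965404 '
    'scontext=system_u:system_r:glusterd_t:s0 '
    'tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file'
)

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Generic types that usually mean no dedicated label was applied (assumed list).
GENERIC_TYPES = {"var_run_t", "var_lib_t", "var_log_t", "tmp_t", "default_t"}

def parse_avc(line):
    """Return a dict describing one AVC denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None
    # SELinux contexts are user:role:type:level; the type is the third field.
    s, t = fields["scontext"].split(":"), fields["tcontext"].split(":")
    if len(s) < 3 or len(t) < 3:
        return None
    fields.update(stype=s[2], ttype=t[2], perms=m.group("perms").split())
    return fields

def triage(avc):
    """Return (verdict, candidate_type) for one parsed denial."""
    if avc["ttype"] in GENERIC_TYPES:
        domain = avc["stype"][:-2] if avc["stype"].endswith("_t") else avc["stype"]
        # Naming convention only; confirm the type exists in the loaded policy.
        return "mislabeled-target", "%s_%s" % (domain, avc["ttype"])
    return "review-policy", None

def dedup_key(avc):
    """Grouping key laid out like the 'Hash:' line in the alert above."""
    return ",".join([avc.get("comm", "?"), avc["stype"], avc["ttype"],
                     avc["tclass"]] + avc["perms"])
```

For the record in this report, `triage` points at a labeling fix with candidate type `glusterd_var_run_t`, which matches the reporter's `semanage fcontext` workaround rather than a local `audit2allow` module.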