[Bugs] [Bug 1162125] New: glusterd can't create /var/run/glusterd.socket when SELinux is in enforcing mode
bugzilla at redhat.com
Mon Nov 10 10:34:36 UTC 2014
https://bugzilla.redhat.com/show_bug.cgi?id=1162125
Bug ID: 1162125
Summary: glusterd can't create /var/run/glusterd.socket when
SELinux is in enforcing mode
Product: GlusterFS
Version: 3.6.0
Component: glusterd
Assignee: bugs at gluster.org
Reporter: nils at breun.nl
CC: bugs at gluster.org, gluster-bugs at redhat.com
Description of problem:
After installing the glusterfs-server RPM packages via yum on EL7 with SELinux
in enforcing mode, glusterd tries to start, but fails. Changing the SELinux type for
/var/run/glusterd.socket to glusterd_var_run_t fixes this.
Version-Release number of selected component (if applicable):
3.6.1-1.el7.x86_64
How reproducible:
Always.
Steps to Reproduce:
1. Enable SELinux in enforcing mode on EL7
2. Install glusterfs-server
Actual results:
glusterd fails to start and setroubleshoot e-mails the following information
(we have it set up to do so):
----
SELinux is preventing /usr/sbin/glusterfsd from write access on the sock_file .
***** Plugin catchall (100. confidence) suggests **************************
If you believe that glusterfsd should be allowed write access on the sock_file
by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep glusterd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:glusterd_t:s0
Target Context unconfined_u:object_r:var_run_t:s0
Target Objects [ sock_file ]
Source glusterd
Source Path /usr/sbin/glusterfsd
Port <Unknown>
Host <hostname>
Source RPM Packages glusterfs-3.5.2-1.el7.x86_64
glusterfs-3.6.1-1.el7.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.12.1-153.el7_0.11.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name <hostname>
Platform Linux <hostname>
3.10.0-123.9.2.el7.x86_64 #1 SMP Tue Oct 28
18:05:26 UTC 2014 x86_64 x86_64
Alert Count 1
First Seen 2014-11-10 11:01:52 CET
Last Seen 2014-11-10 11:01:52 CET
Local ID 648efa6e-4a07-4cea-9e57-bf35a19af460
Raw Audit Messages
type=AVC msg=audit(1415613712.270:36592): avc: denied { write } for
pid=14251 comm="glusterd" name="glusterd.socket" dev="tmpfs" ino=16965404
scontext=system_u:system_r:glusterd_t:s0
tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1415613712.270:36592): arch=x86_64 syscall=connect
success=no exit=EACCES a0=c a1=7fffcabfe970 a2=6e a3=7fffcabfe8ec items=0
ppid=14250 pid=14251 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=glusterd exe=/usr/sbin/glusterfsd
subj=system_u:system_r:glusterd_t:s0 key=(null)
Hash: glusterd,glusterd_t,var_run_t,sock_file,write
----
Expected results:
glusterd should start without any problems.
Additional info:
We use the following workaround, setting the SELinux type of
/var/run/glusterd.socket to glusterd_var_run_t, instead of the default
var_run_t that is used for files in /var/run:
----
# semanage fcontext --add --type glusterd_var_run_t /var/run/glusterd.socket
# restorecon /var/run/glusterd.socket
# systemctl start glusterd
----
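Added example (not part of the original report or of GlusterFS): a small Python triage of the AVC record quoted above that separates denials where the target object carries a generic directory-default type, for which a relabel like the reporter's workaround fits, from denials that need a policy review. The `GENERIC_TYPES` list and the function names are assumptions made for this example.

```python
import re

# Constructed from the AVC record quoted in the report (wrapped lines joined).
SAMPLE_AVC = (
    'type=AVC msg=audit(1415613712.270:36592): avc: denied { write } for '
    'pid=14251 comm="glusterd" name="glusterd.socket" dev="tmpfs" ino=16965404 '
    'scontext=system_u:system_r:glusterd_t:s0 '
    'tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file'
)

# Assumption: a short list of generic, directory-inherited types; extend it
# to match the policy in use.
GENERIC_TYPES = {"var_run_t", "tmp_t", "var_t", "var_lib_t", "default_t",
                 "unlabeled_t"}

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None if not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    if "scontext" not in rec or "tcontext" not in rec:
        return None
    rec["perms"] = m.group("perms").split()
    # A context is user:role:type:level; the type is always the third field.
    rec["source_type"] = rec["scontext"].split(":")[2]
    rec["target_type"] = rec["tcontext"].split(":")[2]
    return rec


def triage(rec):
    """Return 'relabel' when the target has a generic type, else 'review-policy'."""
    if rec["target_type"] in GENERIC_TYPES:
        # An allow rule here would cover every object with that generic type,
        # so labelling the one object with a service-specific type is narrower.
        return "relabel"
    return "review-policy"


if __name__ == "__main__":
    r = parse_avc(SAMPLE_AVC)
    print(r["source_type"], r["perms"], r["target_type"], r["tclass"], triage(r))
```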