[Bugs] [Bug 1210404] [SELinux] [BVT]: Selinux throws AVC errors while running DHT automation on Rhel6.6

bugzilla at redhat.com
Fri May 22 06:59:52 UTC 2015


https://bugzilla.redhat.com/show_bug.cgi?id=1210404

Prasanth <pprakash at redhat.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Flags|                            |needinfo?(anekkunt at redhat.com)



--- Comment #24 from Prasanth <pprakash at redhat.com> ---
(In reply to Anand Nekkunti from comment #23)
> I am running the restorecon -vR /var/run/glusterd* command during
> glusterfs post upgrade; does it solve this problem?
> I have sent the patch for that:
> http://review.gluster.org/#/c/10815/1/glusterfs.spec.in

These AVCs are generated only after we manually try to start 'glusterd' after
the rpm installation. Based on my testing, what I understand is that, if we do
a proper clean-up after rpm installation, the '/var/run/glusterd.socket' file
wouldn't exist in the system and throw these AVCs after we start glusterd
manually.

The 'glusterd.socket' file is first created by the rpm scriptlet as part of a
start and stop operation done in the post upgrade script to re-generate the
configuration files. During the process it gets a wrong label of "var_run_t" as
we don't have filename transition rules in RHEL-6. So the write access [1] and
unlink access [2] required on the sock_file '/var/run/glusterd.socket' while
manually starting 'glusterd' are prevented by SELinux, which is what we see in
the AVCs. However, the thing to be noted is that, on starting 'glusterd' using
'#service glusterd start' or '#/etc/init.d/glusterd start', it actually regains
the right label of "glusterd_var_run_t".

So the fix that you posted in [3] is actually trying to do a 'restorecon' on
the leftover 'glusterd.socket' file to avoid these AVCs. But instead, if we
actually do a proper clean-up post rpm installation, this file that leads to
this situation wouldn't exist at all. Please go through my comment and see if
my understanding is correct and it makes sense. Meanwhile, I'll open a new BZ
for cleaning up the left-over socket file!

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1214253

[2] https://bugzilla.redhat.com/show_bug.cgi?id=1214258

[3] https://bugzilla.redhat.com/show_bug.cgi?id=1210404


Additional Info:
#####
[root@dhcp42-246 run]# rpm -qa |grep gluster
glusterfs-fuse-3.7.0-2.el6rhs.x86_64
glusterfs-libs-3.7.0-2.el6rhs.x86_64
glusterfs-client-xlators-3.7.0-2.el6rhs.x86_64
glusterfs-api-3.7.0-2.el6rhs.x86_64
glusterfs-3.7.0-2.el6rhs.x86_64
glusterfs-cli-3.7.0-2.el6rhs.x86_64
glusterfs-server-3.7.0-2.el6rhs.x86_64

[root@dhcp42-246 run]# /etc/init.d/glusterd status
glusterd is stopped

[root@dhcp42-246 run]# ls -lZ glusterd.socket
srwxr-xr-x. root root unconfined_u:object_r:var_run_t:s0 glusterd.socket

[root@dhcp42-246 run]# /etc/init.d/glusterd start
Starting glusterd:                                         [  OK  ]

[root@dhcp42-246 run]# ls -lZ glusterd.socket
srwxr-xr-x. root root unconfined_u:object_r:glusterd_var_run_t:s0 glusterd.socket

[root@dhcp42-246 run]# /etc/init.d/glusterd status
glusterd (pid  5278) is running...
#####

-Prasanth
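
The label mismatch described in this comment can be checked mechanically. The script below is an added example, not part of the original mail or of the glusterfs packaging: it parses `ls -lZ` output in the layout shown above and reports sock_file entries whose SELinux type is not `glusterd_var_run_t`. The function names and the sample text are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report): flag a leftover glusterd.socket
# whose SELinux type differs from the one seen after a normal service start.

EXPECTED_TYPE="glusterd_var_run_t"   # type reported in the comment after 'glusterd start'

# Print the SELinux type (third colon-separated field of the context) taken
# from one `ls -lZ` line of the form: mode owner group context name
selinux_type_of() {
    printf '%s\n' "$1" | awk '{ split($4, c, ":"); print c[3] }'
}

# Return 0 if the entry carries the expected type, 1 if it is mislabelled,
# 2 if no context could be parsed from the line.
check_socket_label() {
    t=$(selinux_type_of "$1")
    [ -n "$t" ] || return 2
    [ "$t" = "$EXPECTED_TYPE" ]
}

# Scan multi-line `ls -lZ` output and report mislabelled sock_file entries.
report_mislabelled_sockets() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case $line in
            s*) ;;             # mode string starting with "s" = sock_file
            *) continue ;;     # skip everything else
        esac
        if ! check_socket_label "$line"; then
            name=$(printf '%s\n' "$line" | awk '{ print $5 }')
            echo "MISLABELLED $name type=$(selinux_type_of "$line") expected=$EXPECTED_TYPE"
        fi
    done
}

# Constructed sample: the two listings from the comment, before and after
# starting glusterd through the init script.
SAMPLE='srwxr-xr-x. root root unconfined_u:object_r:var_run_t:s0 glusterd.socket
srwxr-xr-x. root root unconfined_u:object_r:glusterd_var_run_t:s0 glusterd.socket'

report_mislabelled_sockets "$SAMPLE"
```

On a live host the same function can be fed `"$(ls -lZ /var/run/glusterd.socket)"` right after package installation and before the first manual start.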
