[Bugs] [Bug 1210404] [SELinux] [BVT]: Selinux throws AVC errors while running DHT automation on Rhel6.6

bugzilla at redhat.com bugzilla at redhat.com
Fri May 22 08:45:49 UTC 2015


https://bugzilla.redhat.com/show_bug.cgi?id=1210404

Anand Nekkunti <anekkunt at redhat.com> changed:

           What    |Removed                              |Added
----------------------------------------------------------------------------
              Flags|needinfo?(mmalik at redhat.com)     |
                   |needinfo?(anekkunt at redhat.com)   |



--- Comment #25 from Anand Nekkunti <anekkunt at redhat.com> ---
(In reply to Prasanth from comment #24)
> (In reply to Anand Nekkunti from comment #23)
> > I am running the restorecon -vR /var/run/glusterd* command during
> > glusterfs post upgrade; does it solve this problem?
> > I have sent the patch for that
> > http://review.gluster.org/#/c/10815/1/glusterfs.spec.in
> 
> These AVC's are generated only after we manually try to start 'glusterd'
> after the rpm installation. Based on my testing, what I understand is that,
> if we do a proper clean-up after rpm installation,
> '/var/run/glusterd.socket' file wouldn't exist in the system and throw these
> AVC's after we start glusterd manually. 
> 
> The 'glusterd.socket' file is first created by rpm scriptlet as part of a
> start and stop operation done in the post upgrade script to re-generate the
> configuration files. During the process it gets a wrong label of "var_run_t"
> as we don't have filename transition rules in RHEL-6. So the write access
> [1] and unlink access [2] required on the sock_file
> '/var/run/glusterd.socket' while manually starting 'glusterd' is prevented
> by SELinux, which is what we see in AVC's. However, the thing to be noted is
> that, on starting 'glusterd' using '#service glusterd start' or
> '#/etc/init.d/glusterd start', it actually regains the right label of
> "glusterd_var_run_t". 
> 
> So the fix that you posted in [3] is actually trying to do a 'restorecon' on
> the leftover 'glusterd.socket' file to avoid these AVC's. But instead, if we
> actually do a proper clean-up post rpm installation, this file that leads to
> this situation wouldn't exist at all. Please go through my comment and see
> if my understanding is correct and it makes sense. Meanwhile, I'll open a new
> BZ for cleaning up the left-over socket file!
> 
> [1] https://bugzilla.redhat.com/show_bug.cgi?id=1214253
> 
> [2] https://bugzilla.redhat.com/show_bug.cgi?id=1214258
> 
> [3] https://bugzilla.redhat.com/show_bug.cgi?id=1210404
> 
> 
> Additional Info:
> #####
> [root at dhcp42-246 run]# rpm -qa |grep gluster
> glusterfs-fuse-3.7.0-2.el6rhs.x86_64
> glusterfs-libs-3.7.0-2.el6rhs.x86_64
> glusterfs-client-xlators-3.7.0-2.el6rhs.x86_64
> glusterfs-api-3.7.0-2.el6rhs.x86_64
> glusterfs-3.7.0-2.el6rhs.x86_64
> glusterfs-cli-3.7.0-2.el6rhs.x86_64
> glusterfs-server-3.7.0-2.el6rhs.x86_64
> 
> [root at dhcp42-246 run]# /etc/init.d/glusterd status
> glusterd is stopped
> 
> [root at dhcp42-246 run]# ls -lZ glusterd.socket 
> srwxr-xr-x. root root unconfined_u:object_r:var_run_t:s0 glusterd.socket
> 
> [root at dhcp42-246 run]# /etc/init.d/glusterd start
> Starting glusterd:                                         [  OK  ]
> 
> [root at dhcp42-246 run]# ls -lZ glusterd.socket 
> srwxr-xr-x. root root unconfined_u:object_r:glusterd_var_run_t:s0 glusterd.socket
> 
> [root at dhcp42-246 run]# /etc/init.d/glusterd status
> glusterd (pid  5278) is running...
> #####
> 
> -Prasanth

Actually these files should be unlinked during glusterd stop, but we have some
cleanup issues, so it is not doing that. I have sent a patch to do proper
cleanup while exiting glusterd (http://review.gluster.org/#/c/10758/), but it
makes other components fail (other components have cleanup issues). We are
working on that.

As you said, we can clean up these files during rpm post upgrade so that
glusterd recreates the files with the proper context when it runs in the
glusterd_t context.
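
Added example (not part of the bug comments or the gluster patches): a small check that reads `ls -lZ` output and flags any glusterd runtime file whose SELinux type is not `glusterd_var_run_t`, which is the leftover-socket condition described in this thread. The function and variable names are hypothetical, and the third sample line is constructed.

```sh
#!/bin/sh
# Added example, not from the bug thread or the gluster patches.
# Function and variable names here are hypothetical.
# Expected type for glusterd runtime files, as shown in the thread.
EXPECTED_TYPE="glusterd_var_run_t"

# audit_labels: read RHEL 6 style `ls -lZ` lines on stdin
# (mode owner group context name) and report every glusterd* entry whose
# SELinux type differs from EXPECTED_TYPE. Exit status is 1 if any is found.
audit_labels() {
    awk -v want="$EXPECTED_TYPE" '
        BEGIN { bad = 0 }
        NF >= 5 && $5 ~ /^glusterd/ {
            # A context is user:role:type:level, so the type is field 3.
            n = split($4, ctx, ":")
            t = (n >= 3) ? ctx[3] : "unknown"
            if (t != want) {
                printf "MISLABELED %s %s\n", $5, t
                bad = 1
            }
        }
        END { exit bad }
    '
}

# Sample input: the first two lines are the labels quoted in the thread
# (before and after the init script start); the third line is constructed.
SAMPLE='srwxr-xr-x. root root unconfined_u:object_r:var_run_t:s0 glusterd.socket
srwxr-xr-x. root root unconfined_u:object_r:glusterd_var_run_t:s0 glusterd.socket
-rw-r--r--. root root system_u:object_r:crond_var_run_t:s0 crond.pid'

printf '%s\n' "$SAMPLE" | audit_labels || echo "stale label found"

# On a live host: ls -lZ /var/run | audit_labels
# A hit while glusterd is stopped means a leftover file; the two remedies
# discussed in the thread are restorecon -vR /var/run/glusterd* or removing
# the file so glusterd recreates it with the right context.
```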
