[Bugs] [Bug 1284179] New: Missing SELinux Type Enforcement rules for glusterfs-rdma server

bugzilla at redhat.com bugzilla at redhat.com
Sat Nov 21 14:12:43 UTC 2015


https://bugzilla.redhat.com/show_bug.cgi?id=1284179

            Bug ID: 1284179
           Summary: Missing SELinux Type Enforcement rules for
                    glusterfs-rdma server
           Product: GlusterFS
           Version: 3.7.6
         Component: glusterd
          Severity: medium
          Assignee: bugs at gluster.org
          Reporter: rhel-bugzilla at bergseil.de
                CC: bugs at gluster.org, gluster-bugs at redhat.com



Description of problem:

When using glusterfs-server with glusterfs-rdma on a SELinux enabled system, a
volume using transport-type (tcp,)rdma cannot be mounted by clients or
replicated between servers as long as glusterd is started through
systemd/systemctl. However, manually starting glusterd as root and restarting
glusterfsd seems to work.

Version-Release number of selected component (if applicable):
3.7.6

How reproducible:
Always

Steps to Reproduce:
1. On two systems with SELinux in Enforcing mode and Infiniband already set up,
install glusterfs-server and glusterfs-rdma
2. Create a replicated volume with bricks on both servers
3. Start the volume with the force option
4. Restart gluster(fs)d using (on both servers):
4a. systemctl restart glusterfsd
4b. systemctl restart glusterd

Actual results:

Volumes may be shown in gluster volume status, but are not accessible/mountable
by clients.

Expected results:
Volumes are replicated/accessible and mountable by clients.
Furthermore, steps 4a and 4b are still needed using the workaround, but should
not be according to the documentation.

Additional info:
Using audit2allow from policycoreutils-python, I generated the following
SELinux TE module for glusterfs and rdma transport-type on the server side:
#=========start=========
module gluster 1.0;

require {
    type unconfined_t;
    type glusterd_t;
    type infiniband_device_t;
    class process signal;
    class unix_stream_socket connectto;
    class capability ipc_lock;
    class chr_file { read write open };
}

#============= glusterd_t ==============

#!!!! This avc is allowed in the current policy
allow glusterd_t infiniband_device_t:chr_file { read write open };
allow glusterd_t self:capability ipc_lock;
allow glusterd_t unconfined_t:process signal;
allow glusterd_t unconfined_t:unix_stream_socket connectto;
#==========end==========

Using the pp files of the module and importing them on both servers (using
semodule -i) made the volumes available/mountable after following steps 1 to
4b.
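Before loading a module like the one above, a reviewer would want to confirm that every type and permission it uses is declared in its require block (otherwise checkmodule rejects it) and to see which rules widen the domain, since audit2allow writes exactly what was denied, including the two rules here that reach into unconfined_t. The following Python script is an added example, not code from the report or from the GlusterFS project; it embeds the reporter's module text as constructed sample input, and its notion of a "broad" grant (unconfined_t targets, the ipc_lock and sys_admin capabilities) is an assumption of the example, not anything the report states.

```python
"""Lint an audit2allow-generated SELinux Type Enforcement (.te) module before
loading it with semodule.  Added example, not code from the bug report: the
sample module is the reporter's TE text embedded as constructed input, and the
"broad grant" heuristics are this example's own assumptions."""
import re

SAMPLE_TE = """\
module gluster 1.0;

require {
    type unconfined_t;
    type glusterd_t;
    type infiniband_device_t;
    class process signal;
    class unix_stream_socket connectto;
    class capability ipc_lock;
    class chr_file { read write open };
}

#============= glusterd_t ==============

#!!!! This avc is allowed in the current policy
allow glusterd_t infiniband_device_t:chr_file { read write open };
allow glusterd_t self:capability ipc_lock;
allow glusterd_t unconfined_t:process signal;
allow glusterd_t unconfined_t:unix_stream_socket connectto;
"""

# Assumed heuristics: grants that widen a confined domain and deserve review.
BROAD_TARGETS = {"unconfined_t"}
BROAD_PERMS = {("capability", "ipc_lock"), ("capability", "sys_admin")}

PERMSET = r"(\{[^}]*\}|\w+)"  # matches 'signal' or '{ read write open }'
MODULE_RE = re.compile(r"^module\s+(\S+)\s+[\d.]+;")
TYPE_RE = re.compile(r"^type\s+(\w+);")
CLASS_RE = re.compile(r"^class\s+(\w+)\s+" + PERMSET + ";")
ALLOW_RE = re.compile(r"^allow\s+(\w+)\s+(\w+):(\w+)\s+" + PERMSET + ";")


def _perms(text):
    """'{ read write open }' or 'signal' -> set of permission names."""
    return set(text.strip("{} ").split())


def parse_module(text):
    """Return (name, required types, {class: required perms}, allow rules)."""
    name, req_types, req_classes, rules = None, set(), {}, []
    in_require = flagged = False  # flagged: audit2allow's "already allowed" note
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#") or not line:
            # audit2allow puts the note directly above the rule it refers to
            flagged = "allowed in the current policy" in line
        elif (m := MODULE_RE.match(line)):
            name = m.group(1)
        elif line.startswith("require"):
            in_require = True
        elif in_require:
            if line.startswith("}"):
                in_require = False
            elif (m := TYPE_RE.match(line)):
                req_types.add(m.group(1))
            elif (m := CLASS_RE.match(line)):
                req_classes[m.group(1)] = _perms(m.group(2))
        elif (m := ALLOW_RE.match(line)):
            src, tgt, cls, perms = m.groups()
            rules.append({"src": src, "tgt": tgt, "cls": cls,
                          "perms": _perms(perms), "already_allowed": flagged})
            flagged = False
    return name, req_types, req_classes, rules


def review(text):
    """Return (module name, findings); a finding is (level, rule, message).
    'error' = will not compile, 'review' = broad grant, 'info' = redundant."""
    name, req_types, req_classes, rules = parse_module(text)
    findings = []
    for r in rules:
        rule = f"allow {r['src']} {r['tgt']}:{r['cls']}"
        for t in (r["src"], r["tgt"]):
            if t != "self" and t not in req_types:
                findings.append(("error", rule, f"type {t} missing from require"))
        declared = req_classes.get(r["cls"])
        if declared is None:
            findings.append(("error", rule, f"class {r['cls']} missing from require"))
        elif r["perms"] - declared:
            findings.append(("error", rule, f"permissions {sorted(r['perms'] - declared)}"
                             " missing from require"))
        if r["already_allowed"]:
            findings.append(("info", rule, "loaded policy already grants this; the "
                             "denial may stem from a boolean or a label instead"))
        if r["tgt"] in BROAD_TARGETS:
            findings.append(("review", rule, f"crosses into {r['tgt']}"))
        for p in sorted(r["perms"]):
            if (r["cls"], p) in BROAD_PERMS:
                findings.append(("review", rule, f"grants capability {p}"))
    return name, findings
```

Calling review(SAMPLE_TE) on the reporter's module yields no errors, one info finding on the chr_file rule (the one audit2allow itself marked as already allowed) and three review findings: the ipc_lock capability and the two rules targeting unconfined_t. Once a module has been reviewed, building and loading it follows the standard toolchain: checkmodule -M -m -o gluster.mod gluster.te, semodule_package -o gluster.pp -m gluster.mod, then semodule -i gluster.pp as in the report (audit2allow -M gluster produces the .te and .pp in one step).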
