[Bugs] [Bug 1369006] New: [SELinux]: Volume is not getting exported after enabling ganesha on the volume.

bugzilla at redhat.com bugzilla at redhat.com
Mon Aug 22 10:25:03 UTC 2016 

https://bugzilla.redhat.com/show_bug.cgi?id=1369006

            Bug ID: 1369006
           Summary: [SELinux]: Volume is not getting exported after
                    enabling ganesha on the volume.
           Product: GlusterFS
           Version: 3.8.2
         Component: ganesha-nfs
          Severity: urgent
          Assignee: bugs at gluster.org
          Reporter: sraj at redhat.com
                CC: bugs at gluster.org, jthottan at redhat.com,
                    kkeithle at redhat.com, ndevos at redhat.com,
                    skoduri at redhat.com, storage-qa-internal at redhat.com



Description of problem:

[SELinux]: Volume is not getting exported after enabling ganesha on the volume.

Version-Release number of selected component (if applicable):

[root at dhcp43-116 exports]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.2 (Maipo)

[root at dhcp43-116 exports]# rpm -qa|grep glusterfs
glusterfs-fuse-3.8.2-0.1.gitd33aa0b.el7rhgs.x86_64
glusterfs-libs-3.8.2-0.1.gitd33aa0b.el7rhgs.x86_64
glusterfs-3.8.2-0.1.gitd33aa0b.el7rhgs.x86_64
glusterfs-client-xlators-3.8.2-0.1.gitd33aa0b.el7rhgs.x86_64
glusterfs-api-3.8.2-0.1.gitd33aa0b.el7rhgs.x86_64
glusterfs-cli-3.8.2-0.1.gitd33aa0b.el7rhgs.x86_64
glusterfs-server-3.8.2-0.1.gitd33aa0b.el7rhgs.x86_64
glusterfs-geo-replication-3.8.2-0.1.gitd33aa0b.el7rhgs.x86_64
glusterfs-ganesha-3.8.2-0.1.gitd33aa0b.el7rhgs.x86_64

[root at dhcp43-116 exports]# rpm -qa|grep ganesha
nfs-ganesha-gluster-next.20160813.2f47e8a-1.el7.centos.x86_64
nfs-ganesha-next.20160813.2f47e8a-1.el7.centos.x86_64
nfs-ganesha-debuginfo-next.20160813.2f47e8a-1.el7.centos.x86_64
glusterfs-ganesha-3.8.2-0.1.gitd33aa0b.el7rhgs.x86_64

[root at dhcp43-116 exports]# rpm -qa|grep selinux
libselinux-utils-2.2.2-6.el7.x86_64
selinux-policy-targeted-3.13.1-60.el7_2.7.noarch
libselinux-2.2.2-6.el7.x86_64
libselinux-python-2.2.2-6.el7.x86_64
selinux-policy-3.13.1-60.el7_2.7.noarch


How reproducible:

Always

Steps to Reproduce:

1. Create a volume and start it

[root at dhcp43-116 ~]# gluster volume create myvolume replica 2
10.70.43.116:/bricks/brick0/b0 10.70.43.88:/bricks/brick0/b0
10.70.42.47:/bricks/brick0/b0 10.70.42.237:/bricks/brick0/b0 
volume create: myvolume: success: please start the volume to access data

[root at dhcp43-116 ~]# gluster vol start myvolume
volume start: myvolume: success

2. Enable ganesha on the volume

[root at dhcp43-116 ~]# gluster vol set myvolume ganesha.enable on
volume set: success

3. Observe that export file gets created under /etc/ganesha/exports

[root at dhcp43-116 ~]# cd /etc/ganesha/exports/
[root at dhcp43-116 exports]# ls
export.myvolume.conf

4. But showmount -e localhost doesn't show the exported volume.

[root at dhcp43-116 exports]# showmount -e localhost
Export list for localhost:

5. Following denial AVC's are seen in audit.log

type=USER_AVC msg=audit(1471880435.035:5194): pid=649 uid=81 auid=4294967295
ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: 
denied  { send_msg } for msgtype=signal interface=org.ganesha.nfsd.exportmgr
member=AddExport dest=org.ganesha.nfsd spid=17041 tpid=9169
scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:initrc_t:s0
tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

type=USER_AVC msg=audit(1471880506.444:5196): pid=649 uid=81 auid=4294967295
ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: 
denied  { send_msg } for msgtype=method_call
interface=org.ganesha.nfsd.exportmgr member=RemoveExport dest=org.ganesha.nfsd
spid=17605 tpid=9169 scontext=system_u:system_r:glusterd_t:s0
tcontext=system_u:system_r:initrc_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon"
sauid=81 hostname=? addr=? terminal=?'


Actual results:

Volume is not getting exported after enabling ganesha on the volume.

Expected results:

There should not be any denial AVC's and volume should get exported without any
issues.

Additional info:

-- 
You are receiving this mail because:
You are on the CC list for the bug.
You are the assignee for the bug.

More information about the Bugs mailing list