[Gluster-users] SELinux is preventing /usr/sbin/glusterfsd from write access on the sock_file

Jeremy Young jrm16020 at gmail.com
Thu Feb 19 15:09:31 UTC 2015


I've had issues with the glusterd and glusterfsd sockets getting labeled
var_run_t instead of glusterd_var_run_t.

To fix your problem:

   1. Update your hosts to the latest SELinux policy
   2. Set SELinux to enforcing
   3. Stop any running glusterd or glusterfsd processes.  (i.e. systemctl
   stop glusterd; pkill -f gluster)
   4. Remove any old socket files from /var/run ( rm -f /var/run/*.socket )
   5. Start gluster ( systemctl start glusterd )
   6. Check that the sockets were created with a context that gluster can
   access ( ls -Z /var/run/*.socket ); the type should be glusterd_var_run_t.

Gluster is only allowed to write to the following socket types:

sesearch -A -C -s glusterd_t -c sock_file -p write
Found 18 semantic av rules:
   allow domain setrans_var_run_t : sock_file { write getattr append open } ;
   allow glusterd_t dirsrv_var_run_t : sock_file { write getattr append open } ;
   allow glusterd_t nscd_var_run_t : sock_file { write getattr append open } ;
   allow glusterd_t nslcd_var_run_t : sock_file { write getattr append open } ;
   allow glusterd_t avahi_var_run_t : sock_file { write getattr append open } ;
   allow glusterd_t slapd_var_run_t : sock_file { write getattr append open } ;
   allow glusterd_t sssd_var_lib_t : sock_file { write getattr append open } ;
   allow glusterd_t glusterd_var_lib_t : sock_file { ioctl read write create getattr setattr lock append unlink link rename open } ;
   allow glusterd_t glusterd_var_run_t : sock_file { ioctl read write create getattr setattr lock append unlink link rename open } ;
   allow glusterd_t winbind_var_run_t : sock_file { write getattr append open } ;
   allow glusterd_t devlog_t : sock_file { write getattr append open } ;
   allow glusterd_t glusterd_tmp_t : sock_file { ioctl read write create getattr setattr lock append unlink link rename open } ;
   allow glusterd_t lsassd_var_socket_t : sock_file { write getattr append open } ;
   allow daemon abrt_var_run_t : sock_file { write getattr append open } ;
DT allow daemon cluster_pid : sock_file { write getattr append open } ; [ daemons_enable_cluster_mode ]
EF allow glusterd_t nscd_var_run_t : sock_file { write getattr append open } ; [ nscd_use_shm ]
DT allow glusterd_t nscd_var_run_t : sock_file { ioctl read write getattr lock append open } ; [ nscd_use_shm ]
ET allow glusterd_t pcscd_var_run_t : sock_file { write getattr append open } ; [ allow_kerberos ]


Even when the sockets are labeled correctly, a user-initiated relabel can
break Gluster.

[root@hostname run]# pwd
/var/run
[root@hostname run]# ls -Z *.socket
srwx------. root root staff_u:object_r:glusterd_var_run_t:s0 30d920e9fce88a5555e66a86e85c1d9b.socket
srwx------. root root staff_u:object_r:glusterd_var_run_t:s0 8416f5dc522a14421afdf0f100a6947d.socket
srwx------. root root staff_u:object_r:glusterd_var_run_t:s0 85dc678b993d76ebc8ab2fb3f13a7c03.socket
srwx------. root root staff_u:object_r:glusterd_var_run_t:s0 glusterd.socket
[root@hostname run]# restorecon -v *.socket
restorecon reset /var/run/30d920e9fce88a5555e66a86e85c1d9b.socket context staff_u:object_r:glusterd_var_run_t:s0->staff_u:object_r:var_run_t:s0
restorecon reset /var/run/8416f5dc522a14421afdf0f100a6947d.socket context staff_u:object_r:glusterd_var_run_t:s0->staff_u:object_r:var_run_t:s0
restorecon reset /var/run/85dc678b993d76ebc8ab2fb3f13a7c03.socket context staff_u:object_r:glusterd_var_run_t:s0->staff_u:object_r:var_run_t:s0


On Thu, Feb 19, 2015 at 8:43 AM, Nathanaël Blanchet <blanchet at abes.fr>
wrote:

> On freshly installed el7 hosts, selinux prevents gluster from running.
> Setting selinux to permissive or building the relative .pp module resolves
> the issue.
> Does otopi configure selinux for gluster when installing?
> _______________________________________________
> Gluster-users mailing list
> Gluster-users at gluster.org
> http://www.gluster.org/mailman/listinfo/gluster-users
>



-- 
Jeremy Young <jrm16020 at gmail.com>, M.S., RHCSA
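The check in step 6 above, and the sesearch listing, can be automated. The script below is an added example, not code from the post or from the Gluster project: it parses the output of `sesearch -A -C -s glusterd_t -c sock_file -p write` into the set of sock_file types glusterd_t may write to, then parses `ls -Z` lines and marks each socket OK or DENY against that set. The embedded sample inputs are constructed from the output quoted in this post (sesearch prints one rule per line; the mail wrapped them), so the script runs offline; on a real host, pipe the live command output into the same functions. Function names and the OK/DENY output format are the example's own choices. Rules whose source is an attribute such as `domain` or `daemon` apply to glusterd_t as well, so they are kept; rules sesearch prefixes with `DT`/`DF` are disabled by the boolean shown in brackets and are skipped.

```shell
#!/bin/sh
# Added example, not code from the post or the Gluster project.
# Audits socket labels in /var/run against the SELinux policy:
#   allowed_types  parses `sesearch -A -C -s glusterd_t -c sock_file -p write`
#   check_sockets  parses `ls -Z` lines and marks each socket OK or DENY
# The sample data below is constructed from the output quoted in the thread.

# Sample sesearch output (setools 3 format, one rule per line). Rules prefixed
# with DT/DF are disabled by the boolean in [brackets]; ET/EF are enabled.
SESEARCH_SAMPLE='   allow domain setrans_var_run_t : sock_file { write getattr append open } ;
   allow glusterd_t glusterd_var_run_t : sock_file { ioctl read write create getattr setattr lock append unlink link rename open } ;
   allow glusterd_t devlog_t : sock_file { write getattr append open } ;
   allow daemon abrt_var_run_t : sock_file { write getattr append open } ;
DT allow daemon cluster_pid : sock_file { write getattr append open } ; [ daemons_enable_cluster_mode ]
EF allow glusterd_t nscd_var_run_t : sock_file { write getattr append open } ; [ nscd_use_shm ]'

# Constructed `ls -Z` output: the contexts seen before and after restorecon.
LSZ_BEFORE='srwx------. root root staff_u:object_r:glusterd_var_run_t:s0 30d920e9fce88a5555e66a86e85c1d9b.socket
srwx------. root root staff_u:object_r:glusterd_var_run_t:s0 glusterd.socket'
LSZ_AFTER='srwx------. root root staff_u:object_r:var_run_t:s0 30d920e9fce88a5555e66a86e85c1d9b.socket
srwx------. root root staff_u:object_r:glusterd_var_run_t:s0 glusterd.socket'

# stdin: sesearch output. Prints the target types of enabled rules that grant
# "write" on sock_file, one per line. Attribute sources (domain, daemon)
# include glusterd_t, so those rules are kept.
allowed_types() {
    awk '
        /^[ \t]*D[TF][ \t]/ { next }                  # disabled by a boolean
        /allow[ \t]/ && / : sock_file / && /[{ ]write[ }]/ {
            for (i = 1; i <= NF; i++)
                if ($i == "allow") { print $(i + 2); break }   # target type
        }' | sort -u
}

# $1: allowed types, newline-separated. stdin: `ls -Z` lines.
# The context is the field containing ":object_r:"; the file name follows it.
# Prints "OK|DENY <socket> <type>" per input line.
check_sockets() {
    ALLOWED="$1" awk '
        BEGIN {
            n = split(ENVIRON["ALLOWED"], a, "\n")
            for (i = 1; i <= n; i++) if (a[i] != "") ok[a[i]] = 1
        }
        {
            ctx = ""
            for (i = 1; i < NF; i++)
                if ($i ~ /:object_r:/) { ctx = $i; name = $(i + 1); break }
            if (ctx == "") next
            split(ctx, c, ":")            # user:role:type:level
            t = c[3]
            verdict = (t in ok) ? "OK" : "DENY"
            print verdict, name, t
        }'
}

# $1: allowed types. stdin: `ls -Z` lines. Prints how many sockets glusterd_t
# is not allowed to write to.
deny_count() {
    check_sockets "$1" | awk '/^DENY/ { n++ } END { print n + 0 }'
}

main() {
    types=$(printf '%s\n' "$SESEARCH_SAMPLE" | allowed_types)
    echo "sock_file types glusterd_t may write:"; echo "$types"
    echo "--- before restorecon"; printf '%s\n' "$LSZ_BEFORE" | check_sockets "$types"
    echo "--- after restorecon";  printf '%s\n' "$LSZ_AFTER"  | check_sockets "$types"
}
# On a live host, replace the samples with:
#   types=$(sesearch -A -C -s glusterd_t -c sock_file -p write | allowed_types)
#   ls -Z /var/run/*.socket | check_sockets "$types"
main
```

With the sample data, every socket is OK before restorecon and the hashed socket is reported DENY afterwards, which is exactly the breakage described in the post: restorecon relabels it var_run_t, a type that has no write rule for glusterd_t.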