[CentOS-devel] NFS Ganesha (Storage SIG) node fails to boot after fencing

Sat Nov 21 21:46:43 UTC 2020
Strahil Nikolov <hunter86_bg at yahoo.com>

Hi All,

I have been testing EL8 + NFS Ganesha 3 (from CentOS Storage SIG) and Gluster v8 (tested both Storage SIG rpms and built from source) and I have noticed a bug in the SELinux policy causing the system to fail to boot after the node is fenced until a kernel parameter 'enforcing=0' is passed.

The reason seems to be the link "/var/lib/nfs" pointing to the shared storage. When the cluster software is stopped gracefully, no issues are observed, as the nfs_setup resource restores /var/lib/nfs.

Should I open a bug at bugzilla.redhat.com, or is it specific to CentOS only?

More details:
[root@glustere ~]# rpm -qa | grep ganesha | sort
centos-release-nfs-ganesha30-1.0-2.el8.noarch
glusterfs-ganesha-8.2-0.5.git77eb5e838.el8.x86_64
nfs-ganesha-3.3-2.el8.x86_64
nfs-ganesha-gluster-3.3-2.el8.x86_64
nfs-ganesha-selinux-3.3-2.el8.noarch

[root@glustere ~]# dmesg | grep -e type=1300 -e type=1400
[   14.414782] audit: type=1400 audit(1605994499.985:3): avc:  denied  { getattr } for  pid=1 comm="systemd" path="/var/lib/nfs" dev="dm-0" ino=33596932 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_lib_nfs_t:s0 tclass=lnk_file permissive=1

[root@glustere ~]# dmesg | grep -e type=1300 -e type=1400 | audit2allow -M my-systemd
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i my-systemd.pp


[root@glustere ~]# cat my-systemd.te
module my-systemd 1.0;

require {
        type var_lib_nfs_t;
        type init_t;
        class lnk_file getattr;
}

#============= init_t ==============
allow init_t var_lib_nfs_t:lnk_file getattr;


Best Regards,
Strahil Nikolov
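As an added illustration (not part of the post above, and not the audit2allow tool itself), the following parser takes AVC records in the dmesg format quoted in the post, extracts the source type, target type, object class and denied permissions, and assembles the same minimal .te module that audit2allow produced. Reading the denial this way, rather than loading the generated .pp blindly, lets you confirm before `semodule -i` that the rule only widens init_t's access to var_lib_nfs_t symlinks and nothing else. The sample AVC line is the one from the post; the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: the dmesg AVC line quoted in the post above.
SAMPLE_AVC = ('[   14.414782] audit: type=1400 audit(1605994499.985:3): avc:  denied  '
              '{ getattr } for  pid=1 comm="systemd" path="/var/lib/nfs" dev="dm-0" '
              'ino=33596932 scontext=system_u:system_r:init_t:s0 '
              'tcontext=system_u:object_r:var_lib_nfs_t:s0 tclass=lnk_file permissive=1')

AVC_RE = re.compile(
    r'avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]+)\}'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)'
    r'\s+tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?')

def parse_avc(line):
    """Return the fields of one AVC record, or None if the line is not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # The SELinux type is the third colon-separated field of a context string.
    return {
        'decision': m.group('decision'),
        'perms': sorted(m.group('perms').split()),
        'stype': m.group('scontext').split(':')[2],
        'ttype': m.group('tcontext').split(':')[2],
        'tclass': m.group('tclass'),
        # permissive=1 means the access was logged but not blocked, i.e. the
        # domain (or the whole system, via enforcing=0) was permissive.
        'permissive': m.group('permissive') == '1',
    }

def _perm_list(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'

def build_te(module, lines):
    """Build a minimal .te module granting exactly the denied permissions."""
    rules = defaultdict(set)        # (stype, ttype, tclass) -> perms
    for line in lines:
        rec = parse_avc(line)
        if rec and rec['decision'] == 'denied':
            rules[(rec['stype'], rec['ttype'], rec['tclass'])].update(rec['perms'])
    types = sorted({s for s, _, _ in rules} | {t for _, t, _ in rules})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls].update(perms)
    out = [f'module {module} 1.0;', '', 'require {']
    out += [f'\ttype {t};' for t in types]
    out += [f'\tclass {c} {_perm_list(p)};' for c, p in sorted(classes.items())]
    out += ['}', '']
    for (s, t, cls), perms in sorted(rules.items()):
        out.append(f'allow {s} {t}:{cls} {_perm_list(perms)};')
    return '\n'.join(out) + '\n'
```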