[CentOS-devel] NFS Ganesha (Storage SIG) node fails to boot after fencing

Mon Nov 23 12:55:39 UTC 2020
Kaleb Keithley <kkeithle at redhat.com>

On Sat, Nov 21, 2020 at 4:48 PM Strahil Nikolov <hunter86_bg at yahoo.com>
wrote:

> Hi All,
>
> I have been testing EL8 + NFS Ganesha 3 (from CentOS Storage SIG) and
> Gluster v8 (tested both Storage SIG rpms and built from source ) and I have
> noticed a bug in the SELINUX policy causing the system to fail to boot
> after the node is fenced until a kernel parameter 'enforcing=0' is passed.
>
> The reason seems to be the link "/var/lib/nfs" pointing to the shared
> storage.When the cluster software is stopped gracefully, no issues are
> observed,as the nfs_setup resource restores /var/lib/nfs .
>
> Should I open a bug to bugzilla.redhat.com or it's specific to CentOS
> only ?
>

Off hand I don't think that's a bug in the nfs-ganesha-selinux package.
I've asked the cluster (pacemaker, etc.) devs and the selinux devs what
they think. You asked about opening a BZ in bugzilla.redhat.com; but
https://github.com/gluster/glusterfs/issues is the correct place to report
gluster issues.

For this though I suggest opening an issue in
https://github.com/ClusterLabs/ somewhere, maybe
https://github.com/ClusterLabs/fence-agents/issues? So it doesn't get lost.


>
> More details:
> [root at glustere ~]# rpm -qa | grep ganesha | sort
> centos-release-nfs-ganesha30-1.0-2.el8.noarch
> glusterfs-ganesha-8.2-0.5.git77eb5e838.el8.x86_64
> nfs-ganesha-3.3-2.el8.x86_64
> nfs-ganesha-gluster-3.3-2.el8.x86_64
> nfs-ganesha-selinux-3.3-2.el8.noarch
>
> [root at glustere ~]# dmesg | grep -e type=1300 -e type=1400
> [   14.414782] audit: type=1400 audit(1605994499.985:3): avc:  denied  {
> getattr } for  pid=1 comm="systemd" path="/var/lib/nfs" dev="dm-0"
> ino=33596932 scontext=system_u:system_r:init_t:s0
> tcontext=system_u:object_r:var_lib_nfs_t:s0 tclass=lnk_file permissive=1
>
> [root at glustere ~]# dmesg | grep -e type=1300 -e type=1400 | audit2allow
> -M my-systemd
> ******************** IMPORTANT ***********************
> To make this policy package active, execute:
>
>
> semodule -i my-systemd.pp
>
>
> [root at glustere ~]# cat my-systemd.te
>
>
> module my-systemd 1.0;
>
>
> require {
>         type var_lib_nfs_t;
>         type init_t;
>         class lnk_file getattr;
> }
>
>
> #============= init_t ==============
> allow init_t var_lib_nfs_t:lnk_file getattr;
>
>
> Best Regards,
> Strahil Nikolov
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.centos.org/pipermail/centos-devel/attachments/20201123/d29a96e9/attachment-0006.html>