[CentOS-devel] NFS Ganesha (Storage SIG) node fails to boot after fencing

Mon Nov 23 13:54:18 UTC 2020
Kaleb Keithley <kkeithle at redhat.com>

Can you collect any AVC messages from /var/log/audit/audit.log or
/var/log/messages, or dmesg on the host that would only boot after setting
enforcing=0?

Thanks

On Mon, Nov 23, 2020 at 7:55 AM Kaleb Keithley <kkeithle at redhat.com> wrote:

>
>
> On Sat, Nov 21, 2020 at 4:48 PM Strahil Nikolov <hunter86_bg at yahoo.com>
> wrote:
>
>> Hi All,
>>
>> I have been testing EL8 + NFS Ganesha 3 (from CentOS Storage SIG) and
>> Gluster v8 (tested both Storage SIG rpms and built from source) and I have
>> noticed a bug in the SELINUX policy causing the system to fail to boot
>> after the node is fenced until a kernel parameter 'enforcing=0' is passed.
>>
>> The reason seems to be the link "/var/lib/nfs" pointing to the shared
>> storage. When the cluster software is stopped gracefully, no issues are
>> observed, as the nfs_setup resource restores /var/lib/nfs.
>>
>> Should I open a bug on bugzilla.redhat.com, or is it specific to CentOS
>> only?
>>
>
> Off hand I don't think that's a bug in the nfs-ganesha-selinux package.
> I've asked the cluster (pacemaker, etc.) devs and the selinux devs what
> they think. You asked about opening a BZ in bugzilla.redhat.com; but
> https://github.com/gluster/glusterfs/issues is the correct place to
> report gluster issues.
>
> For this though I suggest opening an issue in
> https://github.com/ClusterLabs/ somewhere, maybe
> https://github.com/ClusterLabs/fence-agents/issues? So it doesn't get
> lost.
>
>
>>
>> More details:
>> [root@glustere ~]# rpm -qa | grep ganesha | sort
>> centos-release-nfs-ganesha30-1.0-2.el8.noarch
>> glusterfs-ganesha-8.2-0.5.git77eb5e838.el8.x86_64
>> nfs-ganesha-3.3-2.el8.x86_64
>> nfs-ganesha-gluster-3.3-2.el8.x86_64
>> nfs-ganesha-selinux-3.3-2.el8.noarch
>>
>> [root@glustere ~]# dmesg | grep -e type=1300 -e type=1400
>> [   14.414782] audit: type=1400 audit(1605994499.985:3): avc:  denied  {
>> getattr } for  pid=1 comm="systemd" path="/var/lib/nfs" dev="dm-0"
>> ino=33596932 scontext=system_u:system_r:init_t:s0
>> tcontext=system_u:object_r:var_lib_nfs_t:s0 tclass=lnk_file permissive=1
>>
>> [root@glustere ~]# dmesg | grep -e type=1300 -e type=1400 | audit2allow
>> -M my-systemd
>> ******************** IMPORTANT ***********************
>> To make this policy package active, execute:
>>
>>
>> semodule -i my-systemd.pp
>>
>>
>> [root@glustere ~]# cat my-systemd.te
>>
>>
>> module my-systemd 1.0;
>>
>>
>> require {
>>         type var_lib_nfs_t;
>>         type init_t;
>>         class lnk_file getattr;
>> }
>>
>>
>> #============= init_t ==============
>> allow init_t var_lib_nfs_t:lnk_file getattr;
>>
>>
>> Best Regards,
>> Strahil Nikolov
>>
>>
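As an added example (not code from the thread or from audit2allow), here is a minimal audit2allow-style parser that reads AVC records like the dmesg line quoted above, extracts the source and target contexts plus the denied permissions, and renders the allow rules a generated module would contain, so the exact access being granted (init_t getattr on a var_lib_nfs_t symlink) is visible before anyone runs semodule -i; the second log line is constructed to show how permissions merge, and the module name my-systemd is taken from the thread.

```python
import re
from collections import defaultdict

# Constructed sample: the dmesg line quoted in the thread plus a second,
# made-up denial showing how permissions on the same source/target/class merge.
SAMPLE_LOG = """\
[   14.414782] audit: type=1400 audit(1605994499.985:3): avc:  denied  { getattr } for  pid=1 comm="systemd" path="/var/lib/nfs" dev="dm-0" ino=33596932 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_lib_nfs_t:s0 tclass=lnk_file permissive=1
[   14.414900] audit: type=1400 audit(1605994499.986:4): avc:  denied  { read } for  pid=1 comm="systemd" path="/var/lib/nfs" dev="dm-0" ino=33596932 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_lib_nfs_t:s0 tclass=lnk_file permissive=1
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?scontext=(?P<scontext>\S+)"
    r"\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)")

def parse_avc(text):
    """Return one dict per 'avc: denied' record found in text."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["perms"] = rec["perms"].split()
        rec["stype"] = rec["scontext"].split(":")[2]  # user:role:type:level
        rec["ttype"] = rec["tcontext"].split(":")[2]
        # permissive=1 means the access was logged but not actually blocked.
        rec["permissive"] = "permissive=1" in line
        records.append(rec)
    return records

def fmt_perms(perms):
    """Render a permission set the way policy source does: one bare, many braced."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"

def build_te(records, module="my-systemd"):
    """Merge denials into allow rules and render the .te source of a module."""
    rules = defaultdict(set)      # (source type, target type, class) -> perms
    classes = defaultdict(set)    # class -> all perms referenced, for require{}
    for r in records:
        rules[(r["stype"], r["ttype"], r["tclass"])].update(r["perms"])
        classes[r["tclass"]].update(r["perms"])
    types = sorted({k[0] for k in rules} | {k[1] for k in rules})
    lines = [f"module {module} 1.0;", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {fmt_perms(p)};" for c, p in sorted(classes.items())]
    lines += ["}", ""]
    for (s, t, c), perms in sorted(rules.items()):
        lines.append(f"allow {s} {t}:{c} {fmt_perms(perms)};")
    return "\n".join(lines)
```

Reviewing the rendered rule against the path and tcontext in the record is what tells you whether a blanket allow is warranted or whether, as with a link redirected to shared storage, the label on the object is the thing to look at.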