[CentOS-devel] Multiple Geo Rep issues due to SELINUX on CentOS 8.3

Tue Jan 5 20:45:35 UTC 2021
Strahil Nikolov <hunter86_bg at yahoo.com>

Did anyone receive that e-mail ?
Any hints ?

Best Regards,
Strahil Nikolov

В 19:05 +0000 на 30.12.2020 (ср), Strahil Nikolov написа:
> Hello All,
> 
> I have been testing Geo Replication on Gluster v 8.3 ontop CentOS
> 8.3.
> It seems that everything works untill SELINUX is added to the
> equasion.
> 
> So far I have identified several issues on the Master Volume's nodes:
> - /usr/lib/ld-linux-x86-64.so.2 has a different SELINUX Context than
> the target that it is pointing to. For details check 
> https://bugzilla.redhat.com/show_bug.cgi?id=1911133
> 
> - SELINUX prevents /usr/bin/ssh from search access to
> /var/lib/glusterd/geo-replication/secret.pem
> 
> - SELinux is preventing /usr/bin/ssh from search access to .ssh
> 
> - SELinux is preventing /usr/bin/ssh from search access to
> /tmp/gsyncd-aux-ssh-tnwpw5tx/274d5d142b02f84644d658beaf86edae.sock
> 
> Note: Using 'semanage fcontext' doesn't work due to the fact that
> files created are inheriting the SELINUX context of the parent dir
> and you need to restorecon after every file creation by the geo-
> replication process.
> 
> - SELinux is preventing /usr/bin/rsync from search access on 
> .gfid/00000000-0000-0000-0000-000000000001
> 
> Obviously, those needs fixing before anyone is able to use Geo-
> Replication with SELINUX enabled on the "master" volume nodes.
> 
> Should I open a bugzilla at bugzilla.redhat.com for the selinux
> policy?
> 
> Further details:
> [root at glustera ~]# cat /etc/centos-release
> CentOS Linux release 8.3.2011
> 
> [root at glustera ~]# rpm -qa | grep selinux | sort
> libselinux-2.9-4.el8_3.x86_64
> libselinux-utils-2.9-4.el8_3.x86_64
> python3-libselinux-2.9-4.el8_3.x86_64
> rpm-plugin-selinux-4.14.3-4.el8.x86_64
> selinux-policy-3.14.3-54.el8.noarch
> selinux-policy-devel-3.14.3-54.el8.noarch
> selinux-policy-doc-3.14.3-54.el8.noarch
> selinux-policy-targeted-3.14.3-54.el8.noarch
> 
> [root at glustera ~]# rpm -qa | grep gluster | sort
> centos-release-gluster8-1.0-1.el8.noarch
> glusterfs-8.3-1.el8.x86_64
> glusterfs-cli-8.3-1.el8.x86_64
> glusterfs-client-xlators-8.3-1.el8.x86_64
> glusterfs-fuse-8.3-1.el8.x86_64
> glusterfs-geo-replication-8.3-1.el8.x86_64
> glusterfs-server-8.3-1.el8.x86_64
> libglusterd0-8.3-1.el8.x86_64
> libglusterfs0-8.3-1.el8.x86_64
> python3-gluster-8.3-1.el8.x86_64
> 
> 
> [root at glustera ~]# gluster volume info primary
>  
> Volume Name: primary
> Type: Distributed-Replicate
> Volume ID: 89903ca4-9817-4c6f-99de-5fb3e6fd10e7
> Status: Started
> Snapshot Count: 0
> Number of Bricks: 5 x 3 = 15
> Transport-type: tcp
> Bricks:
> Brick1: glustera:/bricks/brick-a1/brick
> Brick2: glusterb:/bricks/brick-b1/brick
> Brick3: glusterc:/bricks/brick-c1/brick
> Brick4: glustera:/bricks/brick-a2/brick
> Brick5: glusterb:/bricks/brick-b2/brick
> Brick6: glusterc:/bricks/brick-c2/brick
> Brick7: glustera:/bricks/brick-a3/brick
> Brick8: glusterb:/bricks/brick-b3/brick
> Brick9: glusterc:/bricks/brick-c3/brick
> Brick10: glustera:/bricks/brick-a4/brick
> Brick11: glusterb:/bricks/brick-b4/brick
> Brick12: glusterc:/bricks/brick-c4/brick
> Brick13: glustera:/bricks/brick-a5/brick
> Brick14: glusterb:/bricks/brick-b5/brick
> Brick15: glusterc:/bricks/brick-c5/brick
> Options Reconfigured:
> changelog.changelog: on
> geo-replication.ignore-pid-check: on
> geo-replication.indexing: on
> storage.fips-mode-rchecksum: on
> transport.address-family: inet
> nfs.disable: on
> performance.client-io-threads: off
> cluster.enable-shared-storage: enable
> 
> I'm attaching the audit log and sealert analysis from glustera (one
> of the 3 nodes consisting of the 'master' volume).
> 
> 
> Best Regards,
> Strahil Nikolov
>