
glusterfs-selinux's Introduction

glusterfs-selinux

glusterfs-selinux's People

Contributors

lveyde, mchangir, shwetha-acharya, tshacked, vmojzis, wonder93, wrabcak, zpytela

glusterfs-selinux's Issues

Gluster's Event Daemon is not allowed by SELinux

Symptom:

glustereventsd[1312]: Failed to start Eventsd for IPv4: [Errno 13] Permission denied

Event daemon config:

# cat /etc/glusterfs/eventsconfig.json 
{
    "log-level": "INFO",
    "port": 24009,
    "disable-events-log": false
}

AVC Denied:

type=AVC msg=audit(1641684058.017:1042): avc:  denied  { name_bind } for  pid=5949 comm="glustereventsd" src=24009 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket permissive=0
type=AVC msg=audit(1641684806.621:83): avc:  denied  { name_bind } for  pid=1312 comm="glustereventsd" src=24009 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket permissive=0
type=USER_MAC_CONFIG_CHANGE msg=audit(1641741688.121:828): pid=149221 uid=0 auid=0 ses=14 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='resrc=port op=add lport=24009 proto=17 tcontext=system_u:object_r:gluster_port_t:s0 comm="semanage" exe="/usr/libexec/platform-python3.6" hostname=? addr=? terminal=? res=success' UID="root" AUID="root"

Workaround:

# semanage port -a -t gluster_port_t -p udp 24009

Installed package:

# rpm -q glusterfs-selinux
glusterfs-selinux-2.0.1-1.el8.noarch
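The denial above is the standard port-label case: glusterd_t is allowed to name_bind only to ports typed gluster_port_t, and UDP 24009 carries the catch-all unreserved_port_t, so the bind fails in enforcing mode and the daemon exits with EACCES. The script below is an added example, not code from the glusterfs-selinux project: it parses audit records of the kind quoted in the issue, turns every name_bind denial on a port into the matching semanage port command, and reads the USER_MAC_CONFIG_CHANGE record to see whether that relabel has already been applied. The sample log is constructed from the records above (with the non-printable separator before UID= normalized to a space) plus one made-up file denial that the filter must skip; gluster_port_t as the wanted type is taken from the workaround; and the -a versus -m choice assumes, as is the case here, that unreserved_port_t means no policy module owns the port yet.

```python
import re
from typing import Dict, Iterator, List, Tuple

# Constructed sample: the records quoted in the issue above, plus one made-up
# file denial (third line) so the port filter has something to skip.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1641684058.017:1042): avc:  denied  { name_bind } for  pid=5949 comm="glustereventsd" src=24009 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket permissive=0
type=AVC msg=audit(1641684806.621:83): avc:  denied  { name_bind } for  pid=1312 comm="glustereventsd" src=24009 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket permissive=0
type=AVC msg=audit(1641684900.000:90): avc:  denied  { read } for  pid=1312 comm="glustereventsd" name="README" scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0
type=USER_MAC_CONFIG_CHANGE msg=audit(1641741688.121:828): pid=149221 uid=0 auid=0 ses=14 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='resrc=port op=add lport=24009 proto=17 tcontext=system_u:object_r:gluster_port_t:s0 comm="semanage" exe="/usr/libexec/platform-python3.6" hostname=? addr=? terminal=? res=success' UID="root" AUID="root"
"""

# key=value where the value is bare, "quoted", 'quoted' (the msg payload of
# USER_* records, itself a list of key=value pairs) or a { permission set }
KV_RE = re.compile(r"""(\w+)=('(?:[^'\\]|\\.)*'|"[^"]*"|\{[^}]*\}|\S+)""")
AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{([^}]*)\}")
PROTO_BY_NUMBER = {"6": "tcp", "17": "udp", "132": "sctp"}   # proto= in semanage records
PROTO_BY_CLASS = {"tcp_socket": "tcp", "udp_socket": "udp", "sctp_socket": "sctp"}


def parse_record(line: str) -> Dict[str, str]:
    """Flatten one audit record into a dict; the AVC verb and permission list
    are stored under avc_result / avc_perms, a quoted msg payload is merged in."""
    rec: Dict[str, str] = {}
    for key, raw in KV_RE.findall(line):
        if raw.startswith("'") and raw.endswith("'"):
            rec.update(parse_record(raw[1:-1]))
            continue
        rec[key] = raw.strip('"{} ')
    m = AVC_RE.search(line)
    if m:
        rec["avc_result"] = m.group(1)
        rec["avc_perms"] = m.group(2).strip()
    return rec


def context_type(ctx: str) -> str:
    """user:role:type[:range] -> type"""
    return ctx.split(":")[2]


def name_bind_denials(log: str) -> Iterator[Dict[str, object]]:
    """One entry per AVC record in which a domain was refused name_bind on a port."""
    for line in log.splitlines():
        if not line.startswith("type=AVC"):
            continue
        rec = parse_record(line)
        proto = PROTO_BY_CLASS.get(rec.get("tclass", ""))
        if rec.get("avc_result") != "denied" or proto is None:
            continue
        if "name_bind" not in rec.get("avc_perms", "").split():
            continue
        yield {
            "comm": rec.get("comm"),
            "domain": context_type(rec["scontext"]),
            "proto": proto,
            "port": int(rec["src"]),
            "port_type": context_type(rec["tcontext"]),
        }


def semanage_command(denial: Dict[str, object], wanted_type: str) -> str:
    """semanage port command that gives the port the type the domain may bind to.

    unreserved_port_t means neither the policy nor a local mapping claims the
    port, so adding a mapping (-a) is safe.  Any other type means some policy
    module already owns the port: -m re-assigns it, and that needs review
    because the previous owner loses the right to bind it.
    """
    op = "-a" if denial["port_type"] == "unreserved_port_t" else "-m"
    return f"semanage port {op} -t {wanted_type} -p {denial['proto']} {denial['port']}"


def confirmed_port_changes(log: str) -> List[Tuple[str, int, str]]:
    """(proto, port, type) for every successful semanage port add/modify in the log."""
    out: List[Tuple[str, int, str]] = []
    for line in log.splitlines():
        if not line.startswith("type=USER_MAC_CONFIG_CHANGE"):
            continue
        rec = parse_record(line)
        if rec.get("resrc") != "port" or rec.get("res") != "success":
            continue
        if rec.get("op") not in ("add", "modify"):
            continue
        proto = PROTO_BY_NUMBER.get(rec.get("proto", ""), rec.get("proto", ""))
        out.append((proto, int(rec["lport"]), context_type(rec["tcontext"])))
    return out


def triage(log: str, wanted_type: str = "gluster_port_t") -> Dict[str, list]:
    """Deduplicate the denials, propose commands, drop those the log shows applied."""
    commands: List[str] = []
    wanted: List[Tuple[str, int, str]] = []
    for d in name_bind_denials(log):
        cmd = semanage_command(d, wanted_type)
        if cmd not in commands:
            commands.append(cmd)
            wanted.append((str(d["proto"]), int(d["port"]), wanted_type))  # type: ignore[arg-type]
    confirmed = confirmed_port_changes(log)
    unresolved = [cmd for cmd, key in zip(commands, wanted) if key not in confirmed]
    return {"commands": commands, "confirmed": confirmed, "unresolved": unresolved}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_AUDIT_LOG).items():
        print(key, value)
```

Two caveats worth keeping next to the workaround: a `semanage port` mapping is a local customization stored in the host's policy store, so it neither ships with the glusterfs-selinux package nor survives a host rebuilt without it, and the durable fix is to carry the port assignment in the policy's own port definitions; and because glustereventsd binds a UDP socket (tclass=udp_socket), the `-p tcp` form that most copied port fixes use would leave this AVC exactly as it is.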

Plan for inclusion in Fedora?

What is the plan to include this in Fedora? When there is a review filed for this package, please point me to it.

For inclusion in the CentOS Storage SIG, there is a strong preference to have the package reviewed and included in Fedora.

Geo-replication session fails and bricks go to faulty state

Issue: The Geo-replication sessions go for a toss when we enforce SELinux rules.

Detailed Description:

The Geo-replication session is set up under an environment wherein all the SELinux rules are enforced. But it is seen that the bricks go to faulty, with the gsyncd.log stating that the rsync is failing with error code 12.

On digging deeper, it seems that a fix was given in Fedora upstream for handling the SELinux rules for glusterd_t and rsync_t, but that isn't part of the latest releases.

Also, as it concerns glusterfs RPMs, it should rather be part of glusterfs-selinux.

For reference the upstream patch in fedora community which solves the issue : Fedora-selinux-patch

Path mismatch for glustereventsd.py

The current path of the script file glustereventsd.py is /usr/libexec/glusterfs/gfevents/glustereventsd.py, but the path mentioned in glusterd.fc still points to the old path; this makes the process unconfined when invoked.
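The mismatch described above is the general failure mode for any confined daemon: init transitions into glusterd_t only when the executable it runs carries the entrypoint type assigned by glusterd.fc, so a script that has moved matches no entry, is labeled by the generic base-policy rules for its directory, and starts without the domain transition. The script below is an added example, not part of glusterfs-selinux: it parses .fc source lines, resolves a path to the entry that would label it, and reports every expected entrypoint that no entry covers. The .fc text is constructed (the "old" glustereventsd.py location in it is made up, since the issue does not name the real one), and the matching rule is an approximation of libselinux, so the final word on a real host is `matchpathcon -V <path>` or `restorecon -nv <path>`.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Tuple


class FcSpec(NamedTuple):
    regex: str                 # path regex exactly as written in the .fc file
    file_type: Optional[str]   # '--' file, '-d' dir, '-l' symlink, ...; None = any
    context: str               # gen_context(...) macro or a raw u:r:t:s context
    lineno: int


FILE_TYPE_FLAGS = {"--", "-b", "-c", "-d", "-l", "-p", "-s"}
GEN_CONTEXT_RE = re.compile(r"gen_context\(([^,)]+)(?:,[^)]*)?\)")

# Constructed sample in the layout of a refpolicy .fc source.  The
# glustereventsd.py line uses a made-up "old" location standing in for the
# stale path the issue describes; the issue does not name the real one.
FC_SAMPLE = r"""
/usr/sbin/glusterd                                --  gen_context(system_u:object_r:glusterd_exec_t,s0)
/usr/sbin/glusterfsd                              --  gen_context(system_u:object_r:glusterd_exec_t,s0)
/usr/libexec/glusterfs/events/glustereventsd\.py  --  gen_context(system_u:object_r:glusterd_exec_t,s0)
/var/lib/glusterd(/.*)?                               gen_context(system_u:object_r:glusterd_var_lib_t,s0)
/var/log/glusterfs(/.*)?                              gen_context(system_u:object_r:glusterd_log_t,s0)
"""

# Executables the running system actually invokes: the two daemons plus the
# script at the location the issue reports as current.
EXPECTED_ENTRYPOINTS = {
    "/usr/sbin/glusterd": "glusterd_exec_t",
    "/usr/sbin/glusterfsd": "glusterd_exec_t",
    "/usr/libexec/glusterfs/gfevents/glustereventsd.py": "glusterd_exec_t",
}


def parse_fc(text: str) -> List[FcSpec]:
    """Parse 'regex [file_type] context' lines; '#' lines and blanks are skipped."""
    specs: List[FcSpec] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) not in (2, 3):
            raise ValueError(f"line {lineno}: expected 'regex [type] context', got {raw!r}")
        file_type = fields[1] if len(fields) == 3 else None
        if file_type is not None and file_type not in FILE_TYPE_FLAGS:
            raise ValueError(f"line {lineno}: unknown file type field {file_type!r}")
        specs.append(FcSpec(fields[0], file_type, fields[-1], lineno))
    return specs


def context_type(context: str) -> Optional[str]:
    """SELinux type of a spec's context; None for the <<none>> marker."""
    if context == "<<none>>":
        return None
    m = GEN_CONTEXT_RE.match(context)
    return (m.group(1) if m else context).split(":")[2]


def lookup(specs: List[FcSpec], path: str, file_type: str = "--") -> Optional[FcSpec]:
    """Entry that labels `path`, or None when nothing in this .fc covers it.

    Approximation of libselinux: the regex must cover the whole path (every
    entry is anchored) and the file-type field, if present, must agree; of
    several matches the last one in file order wins.  Current libselinux also
    orders entries by specificity, so confirm on the target host with matchpathcon.
    """
    winner: Optional[FcSpec] = None
    for spec in specs:
        if spec.file_type not in (None, file_type):
            continue
        if re.fullmatch(spec.regex, path):
            winner = spec
    return winner


def check_entrypoints(specs: List[FcSpec], expected: Dict[str, str]) -> List[Tuple[str, str, Optional[str]]]:
    """(path, expected_type, type_the_fc_assigns) for every path that is mislabeled.

    None in the last slot is the case from the issue: no entry matches, the file
    gets a generic label from the base policy, and the domain transition keyed
    on the entrypoint type never happens.
    """
    problems: List[Tuple[str, str, Optional[str]]] = []
    for path, want in expected.items():
        spec = lookup(specs, path)
        got = context_type(spec.context) if spec else None
        if got != want:
            problems.append((path, want, got))
    return problems


if __name__ == "__main__":
    for path, want, got in check_entrypoints(parse_fc(FC_SAMPLE), EXPECTED_ENTRYPOINTS):
        print(f"{path}: expected {want}, .fc gives {got}")
```

Run against the package's real glusterd.fc and the list of executables its unit files start, the same check catches the next relocation before it ships; an entry whose regex is written for a `.py` that later becomes a compiled wrapper, or for a file that is now a symlink (`-l` versus `--`), fails in exactly the same silent way.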

Fails to build on Fedora 32

While building an RPM from commit 601f141, I get the following error.

$ make prep

$ make srcrpm

$ make rpms
rpmbuild --define '_topdir /home/rinku/Code/upstream-glusterfs-selinux/glusterfs-selinux/rpmbuild' -bb rpmbuild/SPECS/glusterfs-selinux.spec
setting SOURCE_DATE_EPOCH=1588809600
Executing(%prep): /bin/sh -e /var/tmp/rpm-tmp.z7DA4F
+ umask 022
+ cd /home/rinku/Code/upstream-glusterfs-selinux/glusterfs-selinux/rpmbuild/BUILD
+ cd /home/rinku/Code/upstream-glusterfs-selinux/glusterfs-selinux/rpmbuild/BUILD
+ rm -rf glusterfs-selinux-0.1.0
+ /usr/bin/gzip -dc /home/rinku/Code/upstream-glusterfs-selinux/glusterfs-selinux/rpmbuild/SOURCES/glusterfs-selinux-0.1.0.tar.gz
+ /usr/bin/tar -xof -
+ STATUS=0
+ '[' 0 -ne 0 ']'
+ cd glusterfs-selinux-0.1.0
+ /usr/bin/chmod -Rf a+rX,u+w,g-w,o-w .
+ RPM_EC=0
++ jobs -p
+ exit 0
Executing(%build): /bin/sh -e /var/tmp/rpm-tmp.TXNhFG
+ umask 022
+ cd /home/rinku/Code/upstream-glusterfs-selinux/glusterfs-selinux/rpmbuild/BUILD
+ cd glusterfs-selinux-0.1.0
+ make -j2
make[1]: Entering directory '/home/rinku/Code/upstream-glusterfs-selinux/glusterfs-selinux/rpmbuild/BUILD/glusterfs-selinux-0.1.0'
make -f /usr/share/selinux/devel/Makefile glusterd.pp
make[2]: Entering directory '/home/rinku/Code/upstream-glusterfs-selinux/glusterfs-selinux/rpmbuild/BUILD/glusterfs-selinux-0.1.0'
make[2]: warning: jobserver unavailable: using -j1.  Add '+' to parent make rule.
/usr/share/selinux/devel/include/contrib/ipp-glusterd.if:15: Error: duplicate definition of glusterd_domtrans(). Original definition on 15.
/usr/share/selinux/devel/include/contrib/ipp-glusterd.if:35: Error: duplicate definition of glusterd_initrc_domtrans(). Original definition on 35.
/usr/share/selinux/devel/include/contrib/ipp-glusterd.if:54: Error: duplicate definition of glusterd_read_log(). Original definition on 72.
/usr/share/selinux/devel/include/contrib/ipp-glusterd.if:73: Error: duplicate definition of glusterd_append_log(). Original definition on 91.
/usr/share/selinux/devel/include/contrib/ipp-glusterd.if:92: Error: duplicate definition of glusterd_filetrans_named_pid(). Original definition on 110.
/usr/share/selinux/devel/include/contrib/ipp-glusterd.if:109: Error: duplicate definition of glusterd_manage_pid(). Original definition on 127.
/usr/share/selinux/devel/include/contrib/ipp-glusterd.if:129: Error: duplicate definition of glusterd_manage_log(). Original definition on 147.
/usr/share/selinux/devel/include/contrib/ipp-glusterd.if:150: Error: duplicate definition of gluster_execute_lib(). Original definition on 168.
/usr/share/selinux/devel/include/contrib/ipp-glusterd.if:170: Error: duplicate definition of glusterd_read_conf(). Original definition on 188.
/usr/share/selinux/devel/include/contrib/ipp-glusterd.if:189: Error: duplicate definition of glusterd_dontaudit_read_lib_dirs(). Original definition on 207.
/usr/share/selinux/devel/include/contrib/ipp-glusterd.if:207: Error: duplicate definition of glusterd_rw_lib(). Original definition on 225.
/usr/share/selinux/devel/include/contrib/ipp-glusterd.if:226: Error: duplicate definition of glusterd_read_lib_files(). Original definition on 244.
/usr/share/selinux/devel/include/contrib/ipp-glusterd.if:246: Error: duplicate definition of glusterd_manage_lib_files(). Original definition on 264.
/usr/share/selinux/devel/include/contrib/ipp-glusterd.if:273: Error: duplicate definition of glusterd_admin(). Original definition on 291.
/usr/share/selinux/devel/include/services/container.if:13: Error: duplicate definition of container_runtime_domtrans(). Original definition on 13.
/usr/share/selinux/devel/include/services/container.if:40: Error: duplicate definition of container_runtime_run(). Original definition on 40.
/usr/share/selinux/devel/include/services/container.if:60: Error: duplicate definition of container_runtime_exec(). Original definition on 60.
/usr/share/selinux/devel/include/services/container.if:79: Error: duplicate definition of container_read_state(). Original definition on 79.
/usr/share/selinux/devel/include/services/container.if:97: Error: duplicate definition of container_search_lib(). Original definition on 97.
/usr/share/selinux/devel/include/services/container.if:116: Error: duplicate definition of container_exec_lib(). Original definition on 116.
/usr/share/selinux/devel/include/services/container.if:135: Error: duplicate definition of container_read_lib_files(). Original definition on 135.
/usr/share/selinux/devel/include/services/container.if:154: Error: duplicate definition of container_read_share_files(). Original definition on 154.
/usr/share/selinux/devel/include/services/container.if:175: Error: duplicate definition of container_runtime_read_tmpfs_files(). Original definition on 175.
/usr/share/selinux/devel/include/services/container.if:196: Error: duplicate definition of container_manage_share_files(). Original definition on 196.
/usr/share/selinux/devel/include/services/container.if:217: Error: duplicate definition of container_manage_share_dirs(). Original definition on 217.
/usr/share/selinux/devel/include/services/container.if:237: Error: duplicate definition of container_exec_share_files(). Original definition on 237.
/usr/share/selinux/devel/include/services/container.if:255: Error: duplicate definition of container_manage_config_files(). Original definition on 255.
/usr/share/selinux/devel/include/services/container.if:274: Error: duplicate definition of container_manage_lib_files(). Original definition on 274.
/usr/share/selinux/devel/include/services/container.if:294: Error: duplicate definition of container_manage_files(). Original definition on 294.
/usr/share/selinux/devel/include/services/container.if:313: Error: duplicate definition of container_manage_dirs(). Original definition on 313.
/usr/share/selinux/devel/include/services/container.if:331: Error: duplicate definition of container_manage_lib_dirs(). Original definition on 331.
/usr/share/selinux/devel/include/services/container.if:367: Error: duplicate definition of container_lib_filetrans(). Original definition on 367.
/usr/share/selinux/devel/include/services/container.if:385: Error: duplicate definition of container_read_pid_files(). Original definition on 385.
/usr/share/selinux/devel/include/services/container.if:404: Error: duplicate definition of container_systemctl(). Original definition on 404.
/usr/share/selinux/devel/include/services/container.if:429: Error: duplicate definition of container_rw_sem(). Original definition on 429.
/usr/share/selinux/devel/include/services/container.if:448: Error: duplicate definition of container_append_file(). Original definition on 448.
/usr/share/selinux/devel/include/services/container.if:466: Error: duplicate definition of container_use_ptys(). Original definition on 466.
/usr/share/selinux/devel/include/services/container.if:484: Error: duplicate definition of container_filetrans_named_content(). Original definition on 484.
/usr/share/selinux/devel/include/services/container.if:543: Error: duplicate definition of container_stream_connect(). Original definition on 543.
/usr/share/selinux/devel/include/services/container.if:564: Error: duplicate definition of container_spc_stream_connect(). Original definition on 564.
/usr/share/selinux/devel/include/services/container.if:585: Error: duplicate definition of container_admin(). Original definition on 585.
/usr/share/selinux/devel/include/services/container.if:632: Error: duplicate definition of container_auth_domtrans(). Original definition on 632.
/usr/share/selinux/devel/include/services/container.if:651: Error: duplicate definition of container_auth_exec(). Original definition on 651.
/usr/share/selinux/devel/include/services/container.if:670: Error: duplicate definition of container_auth_stream_connect(). Original definition on 670.
/usr/share/selinux/devel/include/services/container.if:689: Error: duplicate definition of container_runtime_typebounds(). Original definition on 689.
/usr/share/selinux/devel/include/services/container.if:708: Error: duplicate definition of container_runtime_entrypoint(). Original definition on 708.
/usr/share/selinux/devel/include/services/container.if:715: Error: duplicate definition of docker_exec_lib(). Original definition on 715.
/usr/share/selinux/devel/include/services/container.if:719: Error: duplicate definition of docker_read_share_files(). Original definition on 719.
/usr/share/selinux/devel/include/services/container.if:723: Error: duplicate definition of docker_exec_share_files(). Original definition on 723.
/usr/share/selinux/devel/include/services/container.if:727: Error: duplicate definition of docker_manage_lib_files(). Original definition on 727.
/usr/share/selinux/devel/include/services/container.if:732: Error: duplicate definition of docker_manage_lib_dirs(). Original definition on 732.
/usr/share/selinux/devel/include/services/container.if:736: Error: duplicate definition of docker_lib_filetrans(). Original definition on 736.
/usr/share/selinux/devel/include/services/container.if:740: Error: duplicate definition of docker_read_pid_files(). Original definition on 740.
/usr/share/selinux/devel/include/services/container.if:744: Error: duplicate definition of docker_systemctl(). Original definition on 744.
/usr/share/selinux/devel/include/services/container.if:748: Error: duplicate definition of docker_use_ptys(). Original definition on 748.
/usr/share/selinux/devel/include/services/container.if:752: Error: duplicate definition of docker_stream_connect(). Original definition on 752.
/usr/share/selinux/devel/include/services/container.if:756: Error: duplicate definition of docker_spc_stream_connect(). Original definition on 756.
/usr/share/selinux/devel/include/services/container.if:770: Error: duplicate definition of container_spc_read_state(). Original definition on 770.
/usr/share/selinux/devel/include/services/container.if:789: Error: duplicate definition of container_runtime_domain_template(). Original definition on 789.
/usr/share/selinux/devel/include/services/container.if:825: Error: duplicate definition of container_domain_template(). Original definition on 825.
/usr/share/selinux/devel/include/services/container.if:853: Error: duplicate definition of container_spc_rw_pipes(). Original definition on 853.
glusterd.if:15: Error: duplicate definition of glusterd_domtrans(). Original definition on 15.
glusterd.if:35: Error: duplicate definition of glusterd_initrc_domtrans(). Original definition on 35.
glusterd.if:54: Error: duplicate definition of glusterd_read_log(). Original definition on 72.
glusterd.if:73: Error: duplicate definition of glusterd_append_log(). Original definition on 91.
glusterd.if:92: Error: duplicate definition of glusterd_filetrans_named_pid(). Original definition on 110.
glusterd.if:109: Error: duplicate definition of glusterd_manage_pid(). Original definition on 127.
glusterd.if:129: Error: duplicate definition of glusterd_manage_log(). Original definition on 147.
glusterd.if:150: Error: duplicate definition of gluster_execute_lib(). Original definition on 168.
glusterd.if:170: Error: duplicate definition of glusterd_read_conf(). Original definition on 188.
glusterd.if:189: Error: duplicate definition of glusterd_dontaudit_read_lib_dirs(). Original definition on 207.
glusterd.if:207: Error: duplicate definition of glusterd_rw_lib(). Original definition on 225.
glusterd.if:226: Error: duplicate definition of glusterd_read_lib_files(). Original definition on 244.
glusterd.if:246: Error: duplicate definition of glusterd_manage_lib_files(). Original definition on 264.
glusterd.if:273: Error: duplicate definition of glusterd_admin(). Original definition on 291.
Compiling targeted glusterd module
Creating targeted glusterd.pp policy package
rm tmp/glusterd.mod tmp/glusterd.mod.fc
make[2]: Leaving directory '/home/rinku/Code/upstream-glusterfs-selinux/glusterfs-selinux/rpmbuild/BUILD/glusterfs-selinux-0.1.0'
Compressing glusterd.pp -> glusterd.pp.bz2
bzip2 -9 glusterd.pp
make[1]: Leaving directory '/home/rinku/Code/upstream-glusterfs-selinux/glusterfs-selinux/rpmbuild/BUILD/glusterfs-selinux-0.1.0'
+ RPM_EC=0
++ jobs -p
+ exit 0
Executing(%install): /bin/sh -e /var/tmp/rpm-tmp.bpCtdF
+ umask 022
+ cd /home/rinku/Code/upstream-glusterfs-selinux/glusterfs-selinux/rpmbuild/BUILD
+ '[' /home/rinku/Code/upstream-glusterfs-selinux/glusterfs-selinux/rpmbuild/BUILDROOT/glusterfs-selinux-0.1.0-3.fc32.x86_64 '!=' / ']'
+ rm -rf /home/rinku/Code/upstream-glusterfs-selinux/glusterfs-selinux/rpmbuild/BUILDROOT/glusterfs-selinux-0.1.0-3.fc32.x86_64
++ dirname /home/rinku/Code/upstream-glusterfs-selinux/glusterfs-selinux/rpmbuild/BUILDROOT/glusterfs-selinux-0.1.0-3.fc32.x86_64
+ mkdir -p /home/rinku/Code/upstream-glusterfs-selinux/glusterfs-selinux/rpmbuild/BUILDROOT
+ mkdir /home/rinku/Code/upstream-glusterfs-selinux/glusterfs-selinux/rpmbuild/BUILDROOT/glusterfs-selinux-0.1.0-3.fc32.x86_64
+ cd glusterfs-selinux-0.1.0
+ /usr/bin/make install DESTDIR=/home/rinku/Code/upstream-glusterfs-selinux/glusterfs-selinux/rpmbuild/BUILDROOT/glusterfs-selinux-0.1.0-3.fc32.x86_64 'INSTALL=/usr/bin/install -p'
make[1]: Entering directory '/home/rinku/Code/upstream-glusterfs-selinux/glusterfs-selinux/rpmbuild/BUILD/glusterfs-selinux-0.1.0'
install -D -m 644 glusterd.pp.bz2 /home/rinku/Code/upstream-glusterfs-selinux/glusterfs-selinux/rpmbuild/BUILDROOT/glusterfs-selinux-0.1.0-3.fc32.x86_64/usr/share/selinux/packages/targeted/glusterd.pp.bz2
make[1]: Leaving directory '/home/rinku/Code/upstream-glusterfs-selinux/glusterfs-selinux/rpmbuild/BUILD/glusterfs-selinux-0.1.0'
+ /usr/lib/rpm/find-debuginfo.sh -j2 --strict-build-id -m -i --build-id-seed 0.1.0-3.fc32 --unique-debug-suffix -0.1.0-3.fc32.x86_64 --unique-debug-src-base glusterfs-selinux-0.1.0-3.fc32.x86_64 --run-dwz --dwz-low-mem-die-limit 10000000 --dwz-max-die-limit 110000000 -S debugsourcefiles.list /home/rinku/Code/upstream-glusterfs-selinux/glusterfs-selinux/rpmbuild/BUILD/glusterfs-selinux-0.1.0
+ /usr/lib/rpm/check-buildroot
+ /usr/lib/rpm/redhat/brp-ldconfig
+ /usr/lib/rpm/brp-compress
+ /usr/lib/rpm/brp-strip-static-archive /usr/bin/strip
+ /usr/lib/rpm/redhat/brp-python-bytecompile /usr/bin/python 1 0
+ /usr/lib/rpm/brp-python-hardlink
+ /usr/lib/rpm/redhat/brp-mangle-shebangs
Processing files: glusterfs-selinux-0.1.0-3.fc32.noarch
Executing(%license): /bin/sh -e /var/tmp/rpm-tmp.AlZt3G
+ umask 022
+ cd /home/rinku/Code/upstream-glusterfs-selinux/glusterfs-selinux/rpmbuild/BUILD
+ cd glusterfs-selinux-0.1.0
+ LICENSEDIR=/home/rinku/Code/upstream-glusterfs-selinux/glusterfs-selinux/rpmbuild/BUILDROOT/glusterfs-selinux-0.1.0-3.fc32.x86_64/usr/share/licenses/glusterfs-selinux
+ export LC_ALL=C
+ LC_ALL=C
+ export LICENSEDIR
+ /usr/bin/mkdir -p /home/rinku/Code/upstream-glusterfs-selinux/glusterfs-selinux/rpmbuild/BUILDROOT/glusterfs-selinux-0.1.0-3.fc32.x86_64/usr/share/licenses/glusterfs-selinux
+ cp -pr COPYING /home/rinku/Code/upstream-glusterfs-selinux/glusterfs-selinux/rpmbuild/BUILDROOT/glusterfs-selinux-0.1.0-3.fc32.x86_64/usr/share/licenses/glusterfs-selinux
cp: cannot stat 'COPYING': No such file or directory
+ :
+ RPM_EC=0
++ jobs -p
+ exit 0
error: File not found: /home/rinku/Code/upstream-glusterfs-selinux/glusterfs-selinux/rpmbuild/BUILDROOT/glusterfs-selinux-0.1.0-3.fc32.x86_64/usr/share/licenses/glusterfs-selinux/COPYING


RPM build errors:
    File not found: /home/rinku/Code/upstream-glusterfs-selinux/glusterfs-selinux/rpmbuild/BUILDROOT/glusterfs-selinux-0.1.0-3.fc32.x86_64/usr/share/licenses/glusterfs-selinux/COPYING
make: *** [Makefile:77: rpms] Error 1

Fails to build on CentOS-7

While building an RPM from the v0.1.0 tag, I get the following error:

make -f /usr/share/selinux/devel/Makefile glusterd.pp
make[1]: Entering directory `/builddir/build/BUILD/glusterfs-selinux-0.1.0'
make[1]: warning: jobserver unavailable: using -j1.  Add `+' to parent make rule.
glusterd.if:15: Error: duplicate definition of glusterd_domtrans(). Original definition on 15.
glusterd.if:35: Error: duplicate definition of glusterd_initrc_domtrans(). Original definition on 35.
glusterd.if:54: Error: duplicate definition of glusterd_read_log(). Original definition on 54.
glusterd.if:73: Error: duplicate definition of glusterd_append_log(). Original definition on 73.
glusterd.if:92: Error: duplicate definition of glusterd_filetrans_named_pid(). Original definition on 92.
glusterd.if:109: Error: duplicate definition of glusterd_manage_pid(). Original definition on 109.
glusterd.if:129: Error: duplicate definition of glusterd_manage_log(). Original definition on 129.
glusterd.if:150: Error: duplicate definition of gluster_execute_lib(). Original definition on 150.
glusterd.if:170: Error: duplicate definition of glusterd_read_conf(). Original definition on 170.
glusterd.if:189: Error: duplicate definition of glusterd_dontaudit_read_lib_dirs(). Original definition on 189.
glusterd.if:207: Error: duplicate definition of glusterd_rw_lib(). Original definition on 207.
glusterd.if:226: Error: duplicate definition of glusterd_read_lib_files(). Original definition on 226.
glusterd.if:246: Error: duplicate definition of glusterd_manage_lib_files(). Original definition on 246.
glusterd.if:273: Error: duplicate definition of glusterd_admin(). Original definition on 273.
Compiling targeted glusterd module
/usr/bin/checkmodule:  loading policy configuration from tmp/glusterd.tmp
glusterd.te:258:ERROR 'syntax error' at token 'automount_write_pipes' on line 10170:
    automount_write_pipes(glusterd_t)
#line 258
/usr/bin/checkmodule:  error(s) encountered while parsing configuration

This happens when using the .spec from @rkothiya at https://github.com/rkothiya/rpm/blob/main/glusterfs-selinux.spec
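Both build logs above share one pre-condition: the m4 pass sees an interface name defined twice, once in the module's own glusterd.if and once under /usr/share/selinux/devel/include (the Fedora log names contrib/ipp-glusterd.if), while in the CentOS 7 log the second definition is reported at the same file and line as the first, which means an identical copy of glusterd.if was processed twice. The checker below is an added example, not part of glusterfs-selinux: it extracts interface()/template() definitions from .if sources and reports every name defined in more than one file, so the collision is found before rpmbuild rather than inside its output. The .if snippets are constructed stand-ins; the loader assumes the devel include tree layout the logs show and that the devel Makefile processes those interfaces together with the module's own .if files, which is what the error lines demonstrate.

```python
import os
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Start of an m4 interface or template definition, e.g. interface(`glusterd_domtrans',`
# ([ \t]* rather than \s* so a preceding blank line cannot shift the reported line)
DEFINITION_RE = re.compile(r"^[ \t]*(?:interface|template)\([ \t]*`([A-Za-z0-9_]+)'", re.M)

# Constructed .if snippets: the module's own file plus two files standing in
# for the policy-devel include tree, one of which redefines glusterd_domtrans.
IF_SAMPLES: Dict[str, str] = {
    "glusterd.if": """\
## <summary>GlusterFS policy (constructed sample, not the real file)</summary>
interface(`glusterd_domtrans',`
    gen_require(`
        type glusterd_t, glusterd_exec_t;
    ')
    domtrans_pattern($1, glusterd_exec_t, glusterd_t)
')

interface(`glusterd_read_log',`
    gen_require(`
        type glusterd_log_t;
    ')
    logging_search_logs($1)
    read_files_pattern($1, glusterd_log_t, glusterd_log_t)
')
""",
    "/usr/share/selinux/devel/include/contrib/ipp-glusterd.if": """\
interface(`glusterd_domtrans',`
    gen_require(`
        type glusterd_t, glusterd_exec_t;
    ')
    domtrans_pattern($1, glusterd_exec_t, glusterd_t)
')
""",
    "/usr/share/selinux/devel/include/services/container.if": """\
interface(`container_runtime_domtrans',`
    gen_require(`
        type container_runtime_t, container_runtime_exec_t;
    ')
    domtrans_pattern($1, container_runtime_exec_t, container_runtime_t)
')
""",
}


def interface_definitions(text: str) -> List[Tuple[str, int]]:
    """(name, line) for every interface()/template() the file defines."""
    return [(m.group(1), text.count("\n", 0, m.start()) + 1)
            for m in DEFINITION_RE.finditer(text)]


def find_duplicates(files: Dict[str, str]) -> Dict[str, List[Tuple[str, int]]]:
    """Names defined more than once across `files`, with every (path, line) defining them."""
    where: Dict[str, List[Tuple[str, int]]] = defaultdict(list)
    for path, text in files.items():
        for name, lineno in interface_definitions(text):
            where[name].append((path, lineno))
    return {name: locs for name, locs in where.items() if len(locs) > 1}


def load_if_files(local_ifs: List[str],
                  include_root: str = "/usr/share/selinux/devel/include") -> Dict[str, str]:
    """Read the module's own .if files plus every .if under the devel include tree."""
    paths = list(local_ifs)
    for dirpath, _, names in os.walk(include_root):
        paths.extend(os.path.join(dirpath, n) for n in sorted(names) if n.endswith(".if"))
    files: Dict[str, str] = {}
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            files[path] = fh.read()
    return files


def report(dups: Dict[str, List[Tuple[str, int]]]) -> List[str]:
    """One 'name: path:line, path:line' line per colliding interface, sorted by name."""
    return [f"{name}: " + ", ".join(f"{p}:{ln}" for p, ln in dups[name]) for name in sorted(dups)]


if __name__ == "__main__":
    import sys
    files = load_if_files(sys.argv[1:]) if len(sys.argv) > 1 else IF_SAMPLES
    for line in report(find_duplicates(files)):
        print(line)
```

The CentOS 7 checkmodule failure is the mirror image of the same mechanism: `automount_write_pipes` is not defined anywhere in that release's include tree, m4 leaves an undefined macro call untouched, and checkmodule then receives `automount_write_pipes(glusterd_t)` as a literal token it cannot parse. Note also what the two logs do with the duplicates: on Fedora they are printed as errors but the .pp is still produced and the build dies later on the missing COPYING file, whereas on CentOS 7 the build stops at checkmodule.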
