Bug 1018306

Summary:	selinux policy causes pulse daemon not working properly
Product:	Red Hat Enterprise Linux 6	Reporter:	Jan Tluka <jtluka>
Component:	selinux-policy	Assignee:	Miroslav Grepl <mgrepl>
Status:	CLOSED ERRATA	QA Contact:	BaseOS QE Security Team <qe-baseos-security>
Severity:	urgent	Docs Contact:
Priority:	urgent
Version:	6.5	CC:	dwalsh, eparis, jtluka, mgrepl, mmalik, tlavigne
Target Milestone:	rc
Target Release:	---
Hardware:	Unspecified
OS:	Linux
Whiteboard:
Fixed In Version:	selinux-policy-3.7.19-225.el6	Doc Type:	Bug Fix
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2013-11-21 10:53:08 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:

Description Jan Tluka 2013-10-11 16:12:17 UTC

Description of problem:

I installed recent rhel6.5 distro RHEL6.5-20131009.0 and configured LVS as described in https://bugzilla.redhat.com/show_bug.cgi?id=854454#c5

When I started pulse daemon it failed to initialize due to SELinux denials. The daemon started successfully when I set permissive mode of SELinux. I guess the policy should be updated to have daemon working properly.

I've set the bug severity to urgent since this is probably a regression and should be fixed before 6.5 gets released.

Version-Release number of selected component (if applicable):

[root@localhost ~]# rpm -qa selinux-policy
selinux-policy-3.7.19-222.el6.noarch
[root@localhost ~]# rpm -qa selinux-policy-targeted
selinux-policy-targeted-3.7.19-222.el6.noarch

How reproducible:
100%

Steps to Reproduce:
1. setup lvs primary router in nat mode (I think the mode does not matter)
2. /sbin/service pulse start
3. observe denials in /var/log/audit/audit.log

Actual results:
avc denials and pulse cannot properly start

type=AVC msg=audit(1381506961.843:274): avc:  denied  { search } for  pid=9283 comm="pulse" name="/" dev=tmpfs ino=5430 scontext=unconfined_u:system_r:piranha_pulse_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=SYSCALL msg=audit(1381506961.843:274): arch=c000003e syscall=2 success=no exit=-13 a0=7ffff8916190 a1=20002 a2=0 a3=7ffff8915f10 items=0 ppid=1 pid=9283 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=10 comm="pulse" exe="/usr/sbin/pulse" subj=unconfined_u:system_r:piranha_pulse_t:s0 key=(null)
type=AVC msg=audit(1381506961.843:275): avc:  denied  { search } for  pid=9283 comm="pulse" name="/" dev=tmpfs ino=5430 scontext=unconfined_u:system_r:piranha_pulse_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=SYSCALL msg=audit(1381506961.843:275): arch=c000003e syscall=87 success=no exit=-13 a0=7ffff8916230 a1=40dce0 a2=0 a3=7ffff8915fb0 items=0 ppid=1 pid=9283 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=10 comm="pulse" exe="/usr/sbin/pulse" subj=unconfined_u:system_r:piranha_pulse_t:s0 key=(null)

Expected results:
pulse daemon starts succesfully

Additional info:

Comment 2 Miroslav Grepl 2013-10-14 09:17:37 UTC

This is a new issue from SELinux point of view in RHEL6.5.

We allow it in Fedora.

If you add a local policy, does it work then?

Comment 3 Jan Tluka 2013-10-15 13:41:52 UTC

Hi, so I tried to add a local policy that turned into a lot of rules required. Here are the policy modules I used that made pulse daemon started succesfully:

module selinux_pulse_bug-10 1.0;

require {
	type piranha_pulse_t;
	type piranha_lvs_t;
	class process sigkill;
}

#============= piranha_pulse_t ==============
allow piranha_pulse_t piranha_lvs_t:process sigkill;

module selinux_pulse_bug-11 1.0;

require {
	type tmpfs_t;
	type piranha_lvs_t;
	class filesystem getattr;
}

#============= piranha_lvs_t ==============
allow piranha_lvs_t tmpfs_t:filesystem getattr;

module selinux_pulse_bug-12 1.0;

require {
	type tmpfs_t;
	type piranha_lvs_t;
	class dir search;
}

#============= piranha_lvs_t ==============
allow piranha_lvs_t tmpfs_t:dir search;

module selinux_pulse_bug-13 1.0;

require {
	type tmpfs_t;
	type piranha_lvs_t;
	class file { read write };
}

#============= piranha_lvs_t ==============
allow piranha_lvs_t tmpfs_t:file { read write };

module selinux_pulse_bug-14 1.0;

require {
	type tmpfs_t;
	type piranha_lvs_t;
	class file open;
	class dir write;
}

#============= piranha_lvs_t ==============
#!!!! The source type 'piranha_lvs_t' can write to a 'dir' of the following types:
# piranha_lvs_var_run_t, var_run_t, root_t

allow piranha_lvs_t tmpfs_t:dir write;
allow piranha_lvs_t tmpfs_t:file open;

module selinux_pulse_bug-15 1.0;

require {
	type tmpfs_t;
	type piranha_lvs_t;
	class file getattr;
	class dir remove_name;
}

#============= piranha_lvs_t ==============
allow piranha_lvs_t tmpfs_t:dir remove_name;
allow piranha_lvs_t tmpfs_t:file getattr;

module selinux_pulse_bug-16 1.0;

require {
	type tmpfs_t;
	type piranha_lvs_t;
	class file unlink;
}

#============= piranha_lvs_t ==============
allow piranha_lvs_t tmpfs_t:file unlink;

module selinux_pulse_bug-2 1.0;

require {
	type tmpfs_t;
	type piranha_pulse_t;
	class dir write;
}

#============= piranha_pulse_t ==============
#!!!! The source type 'piranha_pulse_t' can write to a 'dir' of the following types:
# samba_var_t, piranha_pulse_var_run_t, var_run_t, root_t

allow piranha_pulse_t tmpfs_t:dir write;

module selinux_pulse_bug-3 1.0;

require {
	type tmpfs_t;
	type piranha_pulse_t;
	class dir add_name;
}

#============= piranha_pulse_t ==============
allow piranha_pulse_t tmpfs_t:dir add_name;

module selinux_pulse_bug-4 1.0;

require {
	type tmpfs_t;
	type piranha_pulse_t;
	class file create;
}

#============= piranha_pulse_t ==============
allow piranha_pulse_t tmpfs_t:file create;

module selinux_pulse_bug-5 1.0;

require {
	type tmpfs_t;
	type piranha_pulse_t;
	class file { read write open };
}

#============= piranha_pulse_t ==============
#!!!! The source type 'piranha_pulse_t' can write to a 'file' of the following types:
# samba_etc_t, samba_var_t, sysctl_rpc_t, piranha_pulse_var_run_t, root_t

allow piranha_pulse_t tmpfs_t:file { read write open };

module selinux_pulse_bug-6 1.0;

require {
	type tmpfs_t;
	type piranha_pulse_t;
	class dir remove_name;
}

#============= piranha_pulse_t ==============
allow piranha_pulse_t tmpfs_t:dir remove_name;

module selinux_pulse_bug-7 1.0;

require {
	type tmpfs_t;
	type piranha_pulse_t;
	class file unlink;
}

#============= piranha_pulse_t ==============
allow piranha_pulse_t tmpfs_t:file unlink;

module selinux_pulse_bug-8 1.0;

require {
	type tmpfs_t;
	type piranha_pulse_t;
	class file link;
}

#============= piranha_pulse_t ==============
allow piranha_pulse_t tmpfs_t:file link;

module selinux_pulse_bug-9 1.0;

require {
	type tmpfs_t;
	type piranha_pulse_t;
	class file getattr;
}

#============= piranha_pulse_t ==============
allow piranha_pulse_t tmpfs_t:file getattr;

module selinux_pulse_bug 1.0;

require {
	type tmpfs_t;
	type piranha_pulse_t;
	class dir search;
}

#============= piranha_pulse_t ==============
allow piranha_pulse_t tmpfs_t:dir search;

Comment 4 Miroslav Grepl 2013-10-15 13:54:56 UTC

Ok, now it is more complicated. Any idea who creates this tmpfs_t? Could you pls attach AVC msgs and also

# ps -eZ |grep initrc

Comment 5 Miroslav Grepl 2013-10-15 13:59:49 UTC

Actually I see it now. Could you test the following local policy


# cat mypol.te
require{
 attribute piranha_domain;
}

type piranha_pulse_tmpfs_t;
files_tmpfs_file(piranha_pulse_tmpfs_t)

manage_dirs_pattern(piranha_pulse_t, piranha_pulse_tmpfs_t, piranha_pulse_tmpfs_t)
manage_files_pattern(piranha_pulse_t, piranha_pulse_tmpfs_t, piranha_pulse_tmpfs_t)
fs_tmpfs_filetrans(piranha_pulse_t, piranha_pulse_tmpfs_t, { dir file })

manage_files_pattern(piranha_domain, piranha_pulse_tmpfs_t,piranha_pulse_tmpfs_t)
manage_dirs_pattern(piranha_domain, piranha_pulse_tmpfs_t,piranha_pulse_tmpfs_t)


and 

# make -f /usr/share/selinux/devel/Makefile mypol.pp
# semodule -i mypol.pp

and also remove your local policies.

Comment 6 Jan Tluka 2013-10-15 15:00:35 UTC

(In reply to Miroslav Grepl from comment #5)
> Actually I see it now. Could you test the following local policy
> 
> 
> # cat mypol.te
> require{
>  attribute piranha_domain;
> }
> 
> type piranha_pulse_tmpfs_t;
> files_tmpfs_file(piranha_pulse_tmpfs_t)
> 
> manage_dirs_pattern(piranha_pulse_t, piranha_pulse_tmpfs_t,
> piranha_pulse_tmpfs_t)
> manage_files_pattern(piranha_pulse_t, piranha_pulse_tmpfs_t,
> piranha_pulse_tmpfs_t)
> fs_tmpfs_filetrans(piranha_pulse_t, piranha_pulse_tmpfs_t, { dir file })
> 
> manage_files_pattern(piranha_domain,
> piranha_pulse_tmpfs_t,piranha_pulse_tmpfs_t)
> manage_dirs_pattern(piranha_domain,
> piranha_pulse_tmpfs_t,piranha_pulse_tmpfs_t)
> 
> 
> and 
> 
> # make -f /usr/share/selinux/devel/Makefile mypol.pp
> # semodule -i mypol.pp
> 
> and also remove your local policies.

Moved a bit but still I got some denials. I had to slightly modify the policy file you've provided:

# cat mypol.te 
policy_module(local, 0.0.1) <====

require {
 attribute piranha_domain;
 type piranha_pulse_t;      <====
}

type piranha_pulse_tmpfs_t;
files_tmpfs_file(piranha_pulse_tmpfs_t)

manage_dirs_pattern(piranha_pulse_t, piranha_pulse_tmpfs_t, piranha_pulse_tmpfs_t)
manage_files_pattern(piranha_pulse_t, piranha_pulse_tmpfs_t, piranha_pulse_tmpfs_t)
fs_tmpfs_filetrans(piranha_pulse_t, piranha_pulse_tmpfs_t, { dir file })

manage_files_pattern(piranha_domain, piranha_pulse_tmpfs_t,piranha_pulse_tmpfs_t)
manage_dirs_pattern(piranha_domain, piranha_pulse_tmpfs_t,piranha_pulse_tmpfs_t)


The denials I see are following:

type=SYSCALL msg=audit(1381848896.993:98): arch=c000003e syscall=1 success=yes exit=7283063 a0=4 a1=7f42b209c000 a2=6f2177 a3=7fff4a9a99e0 items=0 ppid=2668 pid=2669 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4 comm="load_policy" exe="/sbin/load_policy" subj=unconfined_u:unconfined_r:load_policy_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1381848930.471:99): avc:  denied  { getattr } for  pid=2705 comm="lvsd" name="/" dev=tmpfs ino=5298 scontext=unconfined_u:system_r:piranha_lvs_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem
type=SYSCALL msg=audit(1381848930.471:99): arch=c000003e syscall=137 success=no exit=-13 a0=7f5cde5b7744 a1=7fff01ecd850 a2=1 a3=7fff01ecd3c0 items=0 ppid=2694 pid=2705 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4 comm="lvsd" exe="/usr/sbin/lvsd" subj=unconfined_u:system_r:piranha_lvs_t:s0 key=(null)
type=AVC msg=audit(1381848930.476:100): avc:  denied  { getattr } for  pid=2705 comm="lvsd" name="/" dev=tmpfs ino=5298 scontext=unconfined_u:system_r:piranha_lvs_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem
type=SYSCALL msg=audit(1381848930.476:100): arch=c000003e syscall=137 success=no exit=-13 a0=7fff01ecd656 a1=7fff01ecd850 a2=7f5cde14c240 a3=3 items=0 ppid=2694 pid=2705 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4 comm="lvsd" exe="/usr/sbin/lvsd" subj=unconfined_u:system_r:piranha_lvs_t:s0 key=(null)
type=AVC msg=audit(1381848930.502:101): avc:  denied  { sigkill } for  pid=2694 comm="pulse" scontext=unconfined_u:system_r:piranha_pulse_t:s0 tcontext=unconfined_u:system_r:piranha_lvs_t:s0 tclass=process
type=SYSCALL msg=audit(1381848930.502:101): arch=c000003e syscall=62 success=no exit=-13 a0=a91 a1=9 a2=0 a3=7fffc9bb0ed0 items=0 ppid=1 pid=2694 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4 comm="pulse" exe="/usr/sbin/pulse" subj=unconfined_u:system_r:piranha_pulse_t:s0 key=(null)

Comment 7 Miroslav Grepl 2013-10-15 15:14:24 UTC

Much better. And if you allow these AVC msgs, does it work then?

Comment 8 Jan Tluka 2013-10-15 15:47:36 UTC

(In reply to Miroslav Grepl from comment #7)
> Much better. And if you allow these AVC msgs, does it work then?

I think this leads to the policies described in comment #3.

Allowing the AVCs in comment #6 leads to more:

type=AVC msg=audit(10/15/2013 17:36:51.145:18) : avc:  denied  { search } for  pid=1841 comm=lvsd name=/ dev=tmpfs ino=5430 scontext=unconfined_u:system_r:piranha_lvs_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir 
----
type=AVC msg=audit(10/15/2013 17:36:51.144:17) : avc:  denied  { search } for  pid=1841 comm=lvsd name=/ dev=tmpfs ino=5430 scontext=unconfined_u:system_r:piranha_lvs_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir

Allowing these leads to following:

type=AVC msg=audit(10/15/2013 17:40:58.601:20) : avc:  denied  { write } for  pid=1894 comm=lvsd name=/ dev=tmpfs ino=5430 scontext=unconfined_u:system_r:piranha_lvs_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir 

Allowing this one produces:

type=AVC msg=audit(10/15/2013 17:43:10.482:22) : avc:  denied  { remove_name } for  pid=1972 comm=lvsd name=sem.lvs dev=tmpfs ino=20212 scontext=unconfined_u:system_r:piranha_lvs_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir

Once all of the above are allowed I see no further AVCs.

Comment 9 Miroslav Grepl 2013-10-15 16:11:55 UTC

Ok, thank you for testing.

Comment 12 Jan Tluka 2013-10-16 13:05:58 UTC

Still got some denials after upgrading to selinux-policy-3.7.19-225.el6

On pulse startup:

type=AVC msg=audit(1381925968.124:24): avc:  denied  { sigkill } for  pid=1278 comm="pulse" scontext=unconfined_u:system_r:piranha_pulse_t:s0 tcontext=unconfined_u:system_r:piranha_lvs_t:s0 tclass=process
type=SYSCALL msg=audit(1381925968.124:24): arch=c000003e syscall=62 success=no exit=-13 a0=505 a1=9 a2=0 a3=7fff46510d30 items=0 ppid=1 pid=1278 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="pulse" exe="/usr/sbin/pulse" subj=unconfined_u:system_r:piranha_pulse_t:s0 key=(null)

On getting back the mastership:

type=AVC msg=audit(1381926145.743:26): avc:  denied  { getattr } for  pid=1328 comm="lvsd" name="/" dev=tmpfs ino=5430 scontext=unconfined_u:system_r:piranha_lvs_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem
type=SYSCALL msg=audit(1381926145.743:26): arch=c000003e syscall=137 success=no exit=-13 a0=7ffff11d18c6 a1=7ffff11d1ac0 a2=7fa2cb2ef240 a3=3 items=0 ppid=1322 pid=1328 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="lvsd" exe="/usr/sbin/lvsd" subj=unconfined_u:system_r:piranha_lvs_t:s0 key=(null)

type=AVC msg=audit(1381926145.750:27): avc:  denied  { sigkill } for  pid=1322 comm="pulse" scontext=unconfined_u:system_r:piranha_pulse_t:s0 tcontext=unconfined_u:system_r:piranha_lvs_t:s0 tclass=process
type=SYSCALL msg=audit(1381926145.750:27): arch=c000003e syscall=62 success=no exit=-13 a0=530 a1=9 a2=0 a3=7fff673fb880 items=0 ppid=1 pid=1322 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="pulse" exe="/usr/sbin/pulse" subj=unconfined_u:system_r:piranha_pulse_t:s0 key=(null)

type=AVC msg=audit(1381926403.009:29): avc:  denied  { search } for  pid=1376 comm="lvsd" name="/" dev=tmpfs ino=5430 scontext=unconfined_u:system_r:piranha_lvs_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=SYSCALL msg=audit(1381926403.009:29): arch=c000003e syscall=2 success=no exit=-13 a0=7fff2e66fb10 a1=20002 a2=0 a3=7fff2e66f890 items=0 ppid=1370 pid=1376 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="lvsd" exe="/usr/sbin/lvsd" subj=unconfined_u:system_r:piranha_lvs_t:s0 key=(null)

type=AVC msg=audit(1381927188.129:37): avc:  denied  { write } for  pid=1508 comm="lvsd" name="/" dev=tmpfs ino=5430 scontext=unconfined_u:system_r:piranha_lvs_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=SYSCALL msg=audit(1381927188.129:37): arch=c000003e syscall=87 success=no exit=-13 a0=7fff0eb10bd0 a1=40b032 a2=0 a3=7fff0eb10950 items=0 ppid=1502 pid=1508 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="lvsd" exe="/usr/sbin/lvsd" subj=unconfined_u:system_r:piranha_lvs_t:s0 key=(null)

type=AVC msg=audit(1381927765.733:41): avc:  denied  { remove_name } for  pid=1936 comm="lvsd" name="sem.lvs" dev=tmpfs ino=26354 scontext=unconfined_u:system_r:piranha_lvs_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=SYSCALL msg=audit(1381927765.733:41): arch=c000003e syscall=87 success=no exit=-13 a0=7fff955504e0 a1=40b032 a2=0 a3=7fff95550260 items=0 ppid=1930 pid=1936 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="lvsd" exe="/usr/sbin/lvsd" subj=unconfined_u:system_r:piranha_lvs_t:s0 key=(null)


So the overall policy I came to is:

# cat mypol.te

module mypol 1.0;

require {
	type tmpfs_t;
	type piranha_lvs_t;
	type piranha_pulse_t;
	class process sigkill;
	class dir { write remove_name search };
	class filesystem getattr;
}

#============= piranha_lvs_t ==============
#!!!! The source type 'piranha_lvs_t' can write to a 'dir' of the following types:
# piranha_lvs_var_run_t, piranha_pulse_tmpfs_t, var_run_t, root_t

allow piranha_lvs_t tmpfs_t:dir { write remove_name search };
allow piranha_lvs_t tmpfs_t:filesystem getattr;

#============= piranha_pulse_t ==============
allow piranha_pulse_t piranha_lvs_t:process sigkill;

Comment 13 Miroslav Grepl 2013-10-16 13:19:19 UTC

I see

#============= piranha_lvs_t ==============

#!!!! This avc is allowed in the current policy
allow piranha_lvs_t tmpfs_t:dir { write remove_name search };

#!!!! This avc is allowed in the current policy
allow piranha_lvs_t tmpfs_t:filesystem getattr;

#============= piranha_pulse_t ==============

#!!!! This avc is allowed in the current policy
allow piranha_pulse_t piranha_lvs_t:process sigkill;

# rpm -qa selinux-policy-*
selinux-policy-minimum-3.7.19-225.el6.noarch
selinux-policy-mls-3.7.19-225.el6.noarch
selinux-policy-doc-3.7.19-218.el6.noarch
selinux-policy-targeted-3.7.19-225.el6.noarch

Comment 14 Jan Tluka 2013-10-16 13:35:41 UTC

I'm sorry for the confusion I made. My update of selinux-policy was not completely successful and conflicted with the previous one. After the correction the updated package solved the pulse daemon startup.

Tested on:
# rpm -qa selinux-\*
selinux-policy-3.7.19-225.el6.noarch
selinux-policy-targeted-3.7.19-225.el6.noarch

Setting to verified and removing FailedQA flag.

Comment 15 errata-xmlrpc 2013-11-21 10:53:08 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1598.html