Bug 1130675
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | SELinux leads drbd.service to drbdadm: sh: modinfo: command not found | | |
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Robert Scheck <redhat-bugzilla> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED DUPLICATE | QA Contact: | Milos Malik <mmalik> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 7.0 | CC: | lvrabec, mgrepl, mmalik, redhat-bugzilla, robert.scheck, sebastien.caps |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | selinux-policy-3.13.1-30.el7 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2015-10-19 06:01:42 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |

Description
Robert Scheck
2014-08-16 00:09:59 UTC
Above was with "setenforce 0", below was before with "setenforce 1":

type=AVC msg=audit(1408130023.468:225): avc: denied { read } for pid=3465 comm="sh" name="passwd" dev="sda1" ino=787104 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=SYSCALL msg=audit(1408130023.468:225): arch=c000003e syscall=2 success=no exit=-13 a0=7f271e1add8a a1=80000 a2=1b6 a3=0 items=0 ppid=3464 pid=3465 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1408130023.469:226): avc: denied { getattr } for pid=3465 comm="sh" path="/usr/bin/kmod" dev="sda1" ino=922458 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1408130023.469:226): arch=c000003e syscall=4 success=no exit=-13 a0=23d3ce0 a1=7fffdaf907d0 a2=7fffdaf907d0 a3=12 items=0 ppid=3464 pid=3465 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1408130023.481:227): avc: denied { read } for pid=3466 comm="sh" name="passwd" dev="sda1" ino=787104 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=SYSCALL msg=audit(1408130023.481:227): arch=c000003e syscall=2 success=no exit=-13 a0=7ffe7c3e1d8a a1=80000 a2=1b6 a3=0 items=0 ppid=3464 pid=3466 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1408130023.482:228): avc: denied { getattr } for pid=3466 comm="sh" path="/usr/bin/kmod" dev="sda1" ino=922458 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1408130023.482:228): arch=c000003e syscall=4 success=no exit=-13 a0=96ece0 a1=7fffd5a675c0 a2=7fffd5a675c0 a3=12 items=0 ppid=3464 pid=3466 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1408130023.492:229): avc: denied { read } for pid=3471 comm="sh" name="passwd" dev="sda1" ino=787104 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=SYSCALL msg=audit(1408130023.492:229): arch=c000003e syscall=2 success=no exit=-13 a0=7fcd9f2d1d8a a1=80000 a2=1b6 a3=0 items=0 ppid=3469 pid=3471 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1408130023.493:230): avc: denied { getattr } for pid=3471 comm="sh" path="/usr/bin/kmod" dev="sda1" ino=922458 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1408130023.493:230): arch=c000003e syscall=4 success=no exit=-13 a0=1f2dce0 a1=7fff7005e3b0 a2=7fff7005e3b0 a3=12 items=0 ppid=3469 pid=3471 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1408130023.495:231): avc: denied { read } for pid=3472 comm="sh" name="passwd" dev="sda1" ino=787104 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=SYSCALL msg=audit(1408130023.495:231): arch=c000003e syscall=2 success=no exit=-13 a0=7f455f3acd8a a1=80000 a2=1b6 a3=0 items=0 ppid=3469 pid=3472 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1408130023.496:232): avc: denied { getattr } for pid=3472 comm="sh" path="/usr/bin/kmod" dev="sda1" ino=922458 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1408130023.496:232): arch=c000003e syscall=4 success=no exit=-13 a0=1d6ece0 a1=7fffa34db560 a2=7fffa34db560 a3=12 items=0 ppid=3469 pid=3472 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1408130023.503:233): avc: denied { read } for pid=3474 comm="sh" name="passwd" dev="sda1" ino=787104 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=SYSCALL msg=audit(1408130023.503:233): arch=c000003e syscall=2 success=no exit=-13 a0=7f82873aed8a a1=80000 a2=1b6 a3=0 items=0 ppid=3473 pid=3474 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1408130023.503:234): avc: denied { execute } for pid=3474 comm="sh" name="kmod" dev="sda1" ino=922458 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1408130023.503:234): arch=c000003e syscall=59 success=no exit=-13 a0=1841bb0 a1=1841e10 a2=1840ef0 a3=7fff0239eac0 items=0 ppid=3473 pid=3474 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1408130023.503:235): avc: denied { getattr } for pid=3474 comm="sh" path="/usr/bin/kmod" dev="sda1" ino=922458 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1408130023.503:235): arch=c000003e syscall=4 success=no exit=-13 a0=1841bb0 a1=7fff0239ec50 a2=7fff0239ec50 a3=7fff0239eac0 items=0 ppid=3473 pid=3474 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1408130023.503:236): avc: denied { getattr } for pid=3474 comm="sh" path="/usr/bin/kmod" dev="sda1" ino=922458 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1408130023.503:236): arch=c000003e syscall=4 success=no exit=-13 a0=1841bb0 a1=7fff0239ec30 a2=7fff0239ec30 a3=7fff0239eac0 items=0 ppid=3473 pid=3474 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1408130023.506:237): avc: denied { read } for pid=3476 comm="sh" name="passwd" dev="sda1" ino=787104 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=SYSCALL msg=audit(1408130023.506:237): arch=c000003e syscall=2 success=no exit=-13 a0=7f0ed0806d8a a1=80000 a2=1b6 a3=0 items=0 ppid=3475 pid=3476 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1408130023.506:238): avc: denied { execute } for pid=3476 comm="sh" name="kmod" dev="sda1" ino=922458 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1408130023.506:238): arch=c000003e syscall=59 success=no exit=-13 a0=2565bb0 a1=2565e10 a2=2564ef0 a3=7fff7f8ee190 items=0 ppid=3475 pid=3476 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1408130023.506:239): avc: denied { getattr } for pid=3476 comm="sh" path="/usr/bin/kmod" dev="sda1" ino=922458 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1408130023.506:239): arch=c000003e syscall=4 success=no exit=-13 a0=2565bb0 a1=7fff7f8ee320 a2=7fff7f8ee320 a3=7fff7f8ee190 items=0 ppid=3475 pid=3476 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1408130023.506:240): avc: denied { getattr } for pid=3476 comm="sh" path="/usr/bin/kmod" dev="sda1" ino=922458 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1408130023.506:240): arch=c000003e syscall=4 success=no exit=-13 a0=2565bb0 a1=7fff7f8ee300 a2=7fff7f8ee300 a3=7fff7f8ee190 items=0 ppid=3475 pid=3476 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1408130023.508:241): avc: denied { read } for pid=3478 comm="sh" name="passwd" dev="sda1" ino=787104 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=SYSCALL msg=audit(1408130023.508:241): arch=c000003e syscall=2 success=no exit=-13 a0=7f000e8c4d8a a1=80000 a2=1b6 a3=0 items=0 ppid=3477 pid=3478 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1408130023.509:242): avc: denied { execute } for pid=3478 comm="sh" name="kmod" dev="sda1" ino=922458 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1408130023.509:242): arch=c000003e syscall=59 success=no exit=-13 a0=82dbb0 a1=82de10 a2=82cef0 a3=7fffecb652e0 items=0 ppid=3477 pid=3478 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1408130023.509:243): avc: denied { getattr } for pid=3478 comm="sh" path="/usr/bin/kmod" dev="sda1" ino=922458 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1408130023.509:243): arch=c000003e syscall=4 success=no exit=-13 a0=82dbb0 a1=7fffecb65470 a2=7fffecb65470 a3=7fffecb652e0 items=0 ppid=3477 pid=3478 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1408130023.509:244): avc: denied { getattr } for pid=3478 comm="sh" path="/usr/bin/kmod" dev="sda1" ino=922458 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1408130023.509:244): arch=c000003e syscall=4 success=no exit=-13 a0=82dbb0 a1=7fffecb65450 a2=7fffecb65450 a3=7fffecb652e0 items=0 ppid=3477 pid=3478 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1408130023.511:245): avc: denied { read } for pid=3480 comm="sh" name="passwd" dev="sda1" ino=787104 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=SYSCALL msg=audit(1408130023.511:245): arch=c000003e syscall=2 success=no exit=-13 a0=7ff8e61d1d8a a1=80000 a2=1b6 a3=0 items=0 ppid=3479 pid=3480 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1408130023.512:246): avc: denied { execute } for pid=3480 comm="sh" name="kmod" dev="sda1" ino=922458 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1408130023.512:246): arch=c000003e syscall=59 success=no exit=-13 a0=1203bb0 a1=1203e10 a2=1202ef0 a3=7fffaad483b0 items=0 ppid=3479 pid=3480 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1408130023.512:247): avc: denied { getattr } for pid=3480 comm="sh" path="/usr/bin/kmod" dev="sda1" ino=922458 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1408130023.512:247): arch=c000003e syscall=4 success=no exit=-13 a0=1203bb0 a1=7fffaad48540 a2=7fffaad48540 a3=7fffaad483b0 items=0 ppid=3479 pid=3480 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1408130023.512:248): avc: denied { getattr } for pid=3480 comm="sh" path="/usr/bin/kmod" dev="sda1" ino=922458 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1408130023.512:248): arch=c000003e syscall=4 success=no exit=-13 a0=1203bb0 a1=7fffaad48520 a2=7fffaad48520 a3=7fffaad483b0 items=0 ppid=3479 pid=3480 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:drbd_t:s0 key=(null)

Are there drbd scripts which cause these AVCs?

Don't know if it's that what you are looking for?

$ strings /usr/sbin/drbdadm | grep modinfo
modinfo -F version drbd
$
$ file /usr/sbin/drbdadm
/usr/sbin/drbdadm: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.32, BuildID[sha1]=0x0d9dade372992ce025fb176b0891f13024fe7817, stripped
$

commit e2e7de4c5defd0d42ad75b2f3b1c694109ecc59e
Author: Miroslav Grepl <mgrepl>
Date: Wed Nov 5 10:27:15 2014 +0100

    Make drbd as nsswitch domain to make it working with sssd.

Is selinux-policy-3.13.1-8.el7.noarch somewhere available for testing?

Here are the latest policy RPMs:
* http://people.redhat.com/dwalsh/SELinux/RHEL7/noarch/
Could you re-test your scenario? Thanks.

commit b3ffafe59962de5eb494897a695a9670a3302ecb
Author: Lukas Vrabec <lvrabec>
Date: Tue Jun 30 15:28:18 2015 +0200

    Allow drbd_t write to fixed_disk_device.

Same issue like in #1134883

*** This bug has been marked as a duplicate of bug 1134883 ***
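
An added example, not part of the original report: a small parser that collapses AVC records like the ones in this bug into one summary line per (source type, target type, class), in the style of audit2allow output, so the repeated denials reduce to what the shell running in drbd_t was actually refused. The sample input is three AVC records copied from the report; the function names are this example's own.

```python
import re
from collections import defaultdict

# Three AVC records copied from the report above (SYSCALL records omitted).
SAMPLE = """\
type=AVC msg=audit(1408130023.468:225): avc: denied { read } for pid=3465 comm="sh" name="passwd" dev="sda1" ino=787104 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=AVC msg=audit(1408130023.469:226): avc: denied { getattr } for pid=3465 comm="sh" path="/usr/bin/kmod" dev="sda1" ino=922458 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=file
type=AVC msg=audit(1408130023.503:234): avc: denied { execute } for pid=3474 comm="sh" name="kmod" dev="sda1" ino=922458 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=file
"""

# One AVC denial; the lookahead stops at the next audit record or end of input,
# so records pasted onto a single line (as in bug trackers) still split cleanly.
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+"
    r"\{ (?P<perms>[^}]+) \} for (?P<fields>.*?)(?=\s*type=\w+ msg=audit\(|\s*$)",
    re.S,
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avcs(text):
    """Yield one dict per AVC denial found in text."""
    for m in AVC_RE.finditer(text):
        rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
        rec["perms"] = m.group("perms").split()
        rec["serial"] = int(m.group("serial"))
        yield rec

def selinux_type(context):
    # user:role:type:level -> type
    return context.split(":")[2]

def summarize(text):
    """Merge denials per (source type, target type, class) for triage."""
    grouped = defaultdict(set)
    for rec in parse_avcs(text):
        key = (selinux_type(rec["scontext"]), selinux_type(rec["tcontext"]), rec["tclass"])
        grouped[key].update(rec["perms"])
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(grouped.items())]

if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE)))
```

The output lists what was denied, not the change that went into selinux-policy; the commits quoted in the thread are the record of that.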