Bug 1151555

Summary: corosync running in wrong context
Product: Red Hat Enterprise Linux 7 Reporter: Nate Straz <nstraz>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Dalibor Pospíšil <dapospis>
Severity: high Docs Contact:
Priority: high    
Version: 7.1CC: cluster-qe, dapospis, mmalik
Target Milestone: rcKeywords: Regression, TestBlocker
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.13.1-5.el7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-03-05 10:45:54 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Nate Straz 2014-10-10 16:46:18 UTC 
Description of problem:

When running a cluster with selinux-policy-3.12.1-153.el7_0.10.noarch, corosync is running in the wrong context, unconfined_service_t.

[root@virt-087 ~]# ps -ZC corosync
LABEL                             PID TTY          TIME CMD
system_u:system_r:unconfined_service_t:s0 15278 ? 00:00:05 corosync


Version-Release number of selected component (if applicable):
selinux-policy-3.12.1-153.el7_0.10.noarch

How reproducible:
Easily


Steps to Reproduce:
1. Upgrade to selinux-policy-3.12.1-153.el7_0.10.noarch
2.
3.

Actual results:


Expected results:

[root@host-028 ~]# rpm -q selinux-policy
selinux-policy-3.12.1-153.el7_0.10.noarch
[root@host-028 ~]# ps -ZC corosync
LABEL                             PID TTY          TIME CMD
system_u:system_r:cluster_t:s0   1010 ?        00:01:01 corosync



Additional info:
Comment 1 Nate Straz 2014-10-10 16:47:58 UTC 
Oops, the affected version is selinux-policy-3.13.1-4.el7.noarch
Comment 3 Milos Malik 2014-10-10 21:13:26 UTC 
Hopefully, my analysis is correct:

# grep -i exec /lib/systemd/system/corosync.service 
ExecStart=/usr/share/corosync/corosync start
ExecStop=/usr/share/corosync/corosync stop
#ExecStartPre=/sbin/modprobe softdog soft_margin=60

The systemd unit file does not execute /usr/sbin/corosync directly, but through another script:

# matchpathcon /usr/share/corosync/corosync
/usr/share/corosync/corosync	system_u:object_r:usr_t:s0

And here comes the default behavior introduced by policy >= 3.13:

# sesearch -s init_t -t usr_t -c process -T
Found 1 semantic te rules:
   type_transition init_t usr_t : process unconfined_service_t; 

# sesearch -s init_t -t bin_t -c process -T
Found 1 semantic te rules:
   type_transition init_t bin_t : process unconfined_service_t; 

#

Once the /usr/share/corosync/corosync file is executed, the process does a transition into unconfined_service_t and the only way how to leave this context is following:

# sesearch -s unconfined_service_t -c process -T
Found 1 semantic te rules:
   type_transition unconfined_service_t abrt_helper_exec_t : process abrt_helper_t; 

#

This is of course unpleasant behavior, because services / daemons / agents which are already confined should not end up running as unconfined_service_t.
Comment 4 Miroslav Grepl 2014-10-13 09:08:50 UTC 
The problem is they don't tell us that they change a path to executable.commit 

934b567837f2b089db76f440d90b48f01824086b
Author: Miroslav Grepl <mgrepl>
Date:   Mon Oct 13 11:07:57 2014 +0200

    Label /usr/share/corosync/corosync as cluster_exec_t.
Comment 8 errata-xmlrpc 2015-03-05 10:45:54 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0458.html