Bug 1152538

Summary: sanlock is not allowed to read from sysfs
Product: Red Hat Enterprise Linux 7 Reporter: Nir Soffer <nsoffer>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.0CC: mmalik, nsoffer, redhat
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.13.1-3.el7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-03-05 10:45:57 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
audit log file none

Description Nir Soffer 2014-10-14 11:37:45 UTC 
Created attachment 946847 [details]
audit log file

Description of problem:

We see many of these AVCs in audit.log for sanlock:

type=AVC msg=audit(1413282791.805:9874): avc:  denied  { read } for  pid=7227 comm="sanlock" name="253:165" dev="sysfs" ino=28352 scontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1413282791.805:9874): arch=c000003e syscall=2 success=no exit=-13 a0=7f2f377fb940 a1=80000 a2=17 a3=0 items=0 ppid=1 pid=7227 auid=4294967295 uid=179 gid=179 euid=179 suid=179 fsuid=179 egid=179 sgid=179 fsgid=179 tty=(none) ses=4294967295 comm="sanlock" exe="/usr/sbin/sanlock" subj=system_u:system_r:sanlock_t:s0-s0:c0.c1023 key=(null)

Looks like sanlock is trying to read from /dev/dm-165:
[root@voodoo6 bz1142454]# ls -Z /dev/dm-165
brw-rw----. vdsm sanlock system_u:object_r:fixed_disk_device_t:s0 /dev/dm-165

Which is snalock leases volume:
[root@voodoo6 bz1142454]# lsblk | grep 253:165
  ├─ff559f46--c495--4f6b--901c--2a624042a050-leases                                   253:165  0    2G  0 lvm   

In the attached log, there are 1426 instances of this error.

I don't know what is the consequences of this denial. It is also
troubling that we don't see these error in sanlock log. I will open
a separate sanlock bug for this.

Version-Release number of selected component (if applicable):
# rpm -q selinux-policy selinux-policy-targeted sanlock
selinux-policy-3.12.1-153.el7_0.12.noarch
selinux-policy-targeted-3.12.1-153.el7_0.12.noarch
sanlock-3.1.0-2.el7.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Block access to the storage server where sanlock leases volumes is
   Added this rule to /etc/sysconfig/iptables
   -A OUTPUT -p tcp -d 10.35.0.98 -j DROP

Expecting that any sanlock operation in the current sanlock
code is allowed.
Comment 2 Miroslav Grepl 2014-10-14 12:07:43 UTC 
Are you getting more AVCs in permissive mode?
Comment 3 Nir Soffer 2014-10-22 16:14:29 UTC 
Miroslav,

- Do you still need info on permissive mode?
- Do we have a build for testing this fix?
Comment 8 errata-xmlrpc 2015-03-05 10:45:57 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0458.html