Bug 1211697

Summary: [Sanlock][RHEL7.0] Sanlock's attempts to read metadata from vdsm's block storage get denied by selinux
Product: Red Hat Enterprise Linux 7
Reporter: Ori Gofen <ogofen>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: high
Docs Contact:
Priority: unspecified
Version: 7.3
CC: acanan, amureini, bmcclain, gklein, jkurik, lvrabec, mgrepl, mmalik, plautrba, pvrabec, ssekidde, ylavi
Target Milestone: rc
Keywords: Regression
Target Release: ---
Hardware: Unspecified
OS: Linux
Whiteboard: sanlock
Fixed In Version: selinux-policy-3.13.1-33.el7.noarch
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Clones: 1211965
Environment:
Last Closed: 2015-11-19 10:31:39 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1211965
Attachments: logs

Description Ori Gofen 2015-04-14 15:52:27 UTC
Created attachment 1014417 [details]
logs

Description of problem:

Sanlock constantly gets denied from reading data on block storage domains which are based on rhel7.0 hosts, because of a false link file denial:

found 1 alert in /var/log/audit/audit.log
--------------------------------------------------------------------------------

SELinux is preventing /usr/sbin/sanlock from read access on the lnk_file .

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that sanlock should be allowed read access on the  lnk_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep sanlock /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:sanlock_t:s0-s0:c0.c1023
Target Context                system_u:object_r:sysfs_t:s0
Target Objects                 [ lnk_file ]
Source                        sanlock
Source Path                   /usr/sbin/sanlock
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           sanlock-3.1.0-2.el7.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.12.1-153.el7.3.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     purple-vds3.qa.lab.tlv.redhat.com
Platform                      Linux purple-vds3.qa.lab.tlv.redhat.com
                              3.10.0-123.el7.x86_64 #1 SMP Mon May 5 11:16:57
                              EDT 2014 x86_64 x86_64
Alert Count                   5
First Seen                    2015-04-14 16:25:52 IDT
Last Seen                     2015-04-14 16:28:46 IDT
Local ID                      1347ce97-a9bd-488f-bebc-d601ebe57670

Raw Audit Messages
type=AVC msg=audit(1429018126.571:4871): avc:  denied  { read } for  pid=14833 comm="sanlock" name="253:36" dev="sysfs" ino=24553 scontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file


type=SYSCALL msg=audit(1429018126.571:4871): arch=x86_64 syscall=open success=no exit=EACCES a0=7fda178518b0 a1=80000 a2=16 a3=0 items=0 ppid=1 pid=14833 auid=4294967295 uid=179 gid=179 euid=179 suid=179 fsuid=179 egid=179 sgid=179 fsgid=179 tty=(none) ses=4294967295 comm=sanlock exe=/usr/sbin/sanlock subj=system_u:system_r:sanlock_t:s0-s0:c0.c1023 key=(null)

Hash: sanlock,sanlock_t,sysfs_t,lnk_file,read

see also sanlock.log errors:
2015-04-14 16:49:20+0300 12509 [13843]: s35 renewal error -5 delta_length 0 last_success 12477
2015-04-14 16:49:21+0300 12509 [14833]: 9afbb82a aio collect 0 0x7fda000008c0:0x7fda000008d0:0x7fda14043000 result -5:0 match res
2015-04-14 16:49:21+0300 12509 [14833]: s37 delta_renew read rv -5 offset 0 /dev/9afbb82a-15bf-4a9d-9cf7-1a505f574d8c/ids
2015-04-14 16:49:21+0300 12509 [14833]: s37 renewal error -5 delta_length 0 last_success 12486
2015-04-14 16:49:21+0300 12510 [14833]: 9afbb82a aio collect 0 0x7fda000008c0:0x7fda000008d0:0x7fda14043000 result -5:0 match res
2015-04-14 16:49:21+0300 12510 [14833]: s37 delta_renew read rv -5 offset 0 /dev/9afbb82a-15bf-4a9d-9cf7-1a505f574d8c/ids
2015-04-14 16:49:21+0300 12510 [14833]: s37 renewal error -5 delta_length 0 last_success 12486

Version-Release number of selected component (if applicable):
selinux-policy-3.12.1-153.el7.3.noarch

How reproducible:
100%

Steps to Reproduce:
- add a rhel7.0 host to a datacenter with block storage
- or activate a block domain on a cluster in which a rhel7.0 host is the SPM


Actual results:
Sanlock can't read metadata from domains, which affects sanlock's behavior (offset, lock, etc.)

Expected results:
SELinux shouldn't prevent sanlock from reaching the metadata

Additional info:
Does not reproduce on rhel7.1 hypervisors!

Comment 3 Milos Malik 2015-04-15 06:52:47 UTC
This bug is fixed in RHEL-7.1. Do you want to propose this bug for 7.0.z?

Comment 4 Ori Gofen 2015-04-15 09:45:48 UTC
(In reply to Milos Malik from comment #3)
> This bug is fixed in RHEL-7.1. Do you want to propose this bug for 7.0.z?

Yes please, it is also a very important back-port. The consequences of this bug are failing to use storage domains: let's say you have some hosts on a DC with RHEL 7.1 that can use the domains, and some hosts with RHEL 7.0.z that cannot; the RHEL 7.0.z hosts will eventually become non-operational over a period of time.

Comment 5 Milos Malik 2015-04-16 07:13:21 UTC
I'm not able to propose the bug for RHEL-7.0.z. Please ask your PM to do that.

Comment 7 Allon Mureinik 2015-04-19 16:29:28 UTC
(In reply to Milos Malik from comment #3)
> This bug is fixed in RHEL-7.1. 
Milos, can you please add a reference to the RHEL 7.1 bug and the build that fixes it?
Thanks!

Comment 8 Milos Malik 2015-04-20 05:56:45 UTC
Here is the RHEL-7.1 bug: BZ#1152538.

Comment 9 Allon Mureinik 2015-04-20 10:51:12 UTC
Awesome, thanks Milos!

Returning the needinfo on Bronce for the request in comment 6.

Comment 16 Lukas Vrabec 2015-08-04 14:51:45 UTC
# audit2allow -i avc 


#============= sanlock_t ==============

#!!!! This avc is allowed in the current policy
allow sanlock_t sysfs_t:lnk_file read;

# rpm -q selinux-policy
selinux-policy-3.13.1-33.el7.noarch

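The raw AVC record in the description and the audit2allow output in comment 16 are two views of the same triage step: reduce a denial to (source type, target type, object class, permissions), render the allow rule, and check whether the installed policy already grants it. The Python script below is an added example written for this page; it is not part of the bug report, the selinux-policy package, or audit2allow. It parses type=AVC lines with a simplified field grammar (no handling of hex-encoded or escaped audit fields), groups denied permissions the way audit2allow does, and subtracts the rules a known policy already contains, here the rule comment 16 shows as present in selinux-policy-3.13.1-33.el7. In the sample input, the first AVC line is the record from this bug; the shortened SYSCALL line and the second AVC line (a `getattr` denial on the same symlink) are constructed so the grouping and the "already allowed" check have more than one case to exercise.

```python
"""Offline triage of SELinux AVC denials in the style of audit2allow.

Added example for this bug page; not code from the bug, from selinux-policy,
or from audit2allow. Parsing is simplified: plain key=value fields only.
"""
import re
from dataclasses import dataclass, field

# type=AVC msg=audit(<secs>.<ms>:<serial>): avc:  denied  { perm ... } for  key=value ...
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<action>denied|granted)\s+\{ (?P<perms>[^}]*?) \} for\s+(?P<rest>.*)$"
)
# key=value pairs; quoted values may contain spaces or colons (name="253:36").
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class AvcRecord:
    timestamp: float
    serial: int
    action: str
    perms: frozenset
    fields: dict = field(default_factory=dict)

    @property
    def source_type(self):
        # user:role:type:range -> type is the third component
        return self.fields["scontext"].split(":")[2]

    @property
    def target_type(self):
        return self.fields["tcontext"].split(":")[2]

    @property
    def tclass(self):
        return self.fields["tclass"]


def parse_avc_records(text):
    """Return an AvcRecord for every type=AVC line; other record types are skipped."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.match(line.strip())
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
        records.append(AvcRecord(float(m.group("ts")), int(m.group("serial")),
                                 m.group("action"), frozenset(m.group("perms").split()), fields))
    return records


def group_denials(records):
    """Union the denied permissions per (source_type, target_type, tclass), as audit2allow does."""
    groups = {}
    for r in records:
        if r.action != "denied":
            continue
        key = (r.source_type, r.target_type, r.tclass)
        groups[key] = groups.get(key, frozenset()) | r.perms
    return groups


def render_allow_rule(key, perms):
    """Render one rule in audit2allow's output style: braces only for several permissions."""
    stype, ttype, tclass = key
    ordered = sorted(perms)
    perm_text = ordered[0] if len(ordered) == 1 else "{ " + " ".join(ordered) + " }"
    return f"allow {stype} {ttype}:{tclass} {perm_text};"


def parse_allow_rule(rule):
    """Parse 'allow a_t b_t:cls perm;' or 'allow a_t b_t:cls { p1 p2 };' into (key, perms)."""
    m = re.match(r"allow\s+(\S+)\s+(\S+):(\S+)\s+(?:\{([^}]*)\}|(\S+?));?\s*$", rule.strip())
    if not m:
        raise ValueError(f"not an allow rule: {rule!r}")
    perms = m.group(4).split() if m.group(4) is not None else [m.group(5)]
    return (m.group(1), m.group(2), m.group(3)), frozenset(perms)


def uncovered_denials(groups, policy_rules):
    """Return {key: perms} for denials the given allow rules do not already cover."""
    allowed = {}
    for rule in policy_rules:
        key, perms = parse_allow_rule(rule)
        allowed[key] = allowed.get(key, frozenset()) | perms
    remaining = {key: perms - allowed.get(key, frozenset()) for key, perms in groups.items()}
    return {key: perms for key, perms in remaining.items() if perms}


# Constructed sample: line 1 is the AVC record from this bug; the SYSCALL line is
# shortened and the second AVC (getattr on the same sysfs symlink) is hypothetical.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1429018126.571:4871): avc:  denied  { read } for  pid=14833 comm="sanlock" name="253:36" dev="sysfs" ino=24553 scontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1429018126.571:4871): arch=x86_64 syscall=open success=no exit=EACCES comm=sanlock exe=/usr/sbin/sanlock
type=AVC msg=audit(1429018130.000:4880): avc:  denied  { getattr } for  pid=14833 comm="sanlock" name="253:36" dev="sysfs" ino=24553 scontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file
"""

# The rule audit2allow reported as already present in selinux-policy-3.13.1-33.el7 (comment 16).
FIXED_POLICY_RULES = ["allow sanlock_t sysfs_t:lnk_file read;"]

if __name__ == "__main__":
    groups = group_denials(parse_avc_records(SAMPLE_AUDIT))
    for key, perms in groups.items():
        print("observed:", render_allow_rule(key, perms))
    for key, perms in uncovered_denials(groups, FIXED_POLICY_RULES).items():
        print("not yet allowed:", render_allow_rule(key, perms))
```

Run against the real denial alone, `uncovered_denials` comes back empty, which is the situation comment 16 describes: the AVC was recorded under selinux-policy-3.12.1-153.el7.3, and the rule is already in the fixed build, so the answer is an upgrade rather than a local module. Only the permissions left over after that subtraction are candidates for a custom module, and those are worth reading as a rule per type pair before loading them, rather than feeding the whole audit log through `audit2allow -M`.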
Comment 20 errata-xmlrpc 2015-11-19 10:31:39 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2300.html