Bug 1215632

Summary: [SELinux] [RHGS] Update the labelling for all the executable hooks under /var/lib/glusterd/hooks/ on RHEL-6.7

Product: Red Hat Enterprise Linux 6
Reporter: Prasanth <pprakash>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: high
Docs Contact:
Priority: unspecified
Version: 6.6
CC: annair, asengupt, asrivast, dwalsh, jherrman, lvrabec, mgrepl, mmalik, nlevinki, nsathyan, plautrba, pprakash, pvrabec, rcyriac, rhs-bugs, sbhaloth, sgraf, ssekidde, tlavigne, vagarwal
Target Milestone: pre-dev-freeze
Target Release: 6.6
Hardware: Unspecified
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Previously, SELinux was unintentionally preventing the Bash shell from executing various hook scripts in the /var/lib/glusterd/hooks/ directory. SELinux policy rules have been adjusted to allow for correct handling of various gluster-related services, such as smb, nmb, or ctdb. As a result, the affected hook scripts can now be executed properly.
Story Points: ---
Clone Of:
Clones: 1232692
Environment:
Last Closed: 2015-07-22 07:13:48 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1212796, 1215637, 1216941, 1232692

Description Prasanth 2015-04-27 11:09:12 UTC
Description of problem:

SELinux is preventing /bin/bash from execute access on the file /usr/sbin/smbd.

See AVC messages from /var/log/audit/audit.log below:

######
type=AVC msg=audit(1429776701.631:1186): avc:  denied  { execute } for  pid=9815 comm="S30samba-stop.s" name="smbd" dev=dm-0 ino=152897 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:smbd_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1429776701.631:1186): arch=c000003e syscall=21 success=yes exit=0 a0=fe9ae0 a1=1 a2=0 a3=f items=0 ppid=9814 pid=9815 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="S30samba-stop.s" exe="/bin/bash" subj=unconfined_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1429776701.633:1187): avc:  denied  { execute_no_trans } for  pid=9815 comm="S30samba-stop.s" path="/usr/sbin/smbd" dev=dm-0 ino=152897 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:smbd_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1429776701.633:1187): arch=c000003e syscall=59 success=yes exit=0 a0=fe9ae0 a1=fe85f0 a2=fe8160 a3=18 items=0 ppid=9814 pid=9815 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="smbd" exe="/usr/sbin/smbd" subj=unconfined_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1429776701.947:1188): avc:  denied  { create } for  pid=9837 comm="sed" name="sedwkoNGp" scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:samba_etc_t:s0 tclass=file
type=SYSCALL msg=audit(1429776701.947:1188): arch=c000003e syscall=2 success=yes exit=4 a0=1714730 a1=c2 a2=180 a3=0 items=0 ppid=9812 pid=9837 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="sed" exe="/bin/sed" subj=unconfined_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1429776701.954:1189): avc:  denied  { signal } for  pid=9812 comm="S30samba-stop.s" scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=unconfined_u:system_r:smbd_t:s0 tclass=process
######

#####
Apr 23 13:41:43 dhcp42-72 setroubleshoot: SELinux is preventing /bin/bash from execute access on the file /usr/sbin/smbd. For complete SELinux messages. run sealert -l 38fa77cc-b191-46a7-834e-f944ffa62fb8
Apr 23 13:41:43 dhcp42-72 setroubleshoot: SELinux is preventing /usr/sbin/smbd from execute_no_trans access on the file /usr/sbin/smbd. For complete SELinux messages. run sealert -l d25244eb-84eb-45c8-ad61-081e42a1dcda
#####


Version-Release number of selected component (if applicable):
#####
glusterfs-fuse-3.7dev-0.1009.git8b987be.el6.x86_64
glusterfs-cli-3.7dev-0.1009.git8b987be.el6.x86_64
glusterfs-3.7dev-0.1009.git8b987be.el6.x86_64
glusterfs-server-3.7dev-0.1009.git8b987be.el6.x86_64
glusterfs-libs-3.7dev-0.1009.git8b987be.el6.x86_64
glusterfs-api-3.7dev-0.1009.git8b987be.el6.x86_64
samba-vfs-glusterfs-4.1.17-4.el6rhs.x86_64
#####

How reproducible: Always


Steps to Reproduce:
1. Install the RHEL6 glusterfs 3.7 nightly builds from http://download.gluster.org/pub/gluster/glusterfs/nightly/glusterfs-3.7/epel-6-x86_64/
2. Create a volume and start it
3. Check for the AVC's in /var/log/audit/audit.log

Actual results: Above mentioned AVC is seen in the logs.


Expected results: If you believe that bash should be allowed execute access on the smbd file by default, please consider fixing it.

Comment 1 Miroslav Grepl 2015-05-19 12:28:02 UTC
Could you tell us more about

type=AVC msg=audit(1429776701.947:1188): avc:  denied  { create } for  pid=9837 comm="sed" name="sedwkoNGp" scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:samba_etc_t:s0 tclass=file

Comment 2 Prasanth 2015-06-16 12:53:38 UTC
(In reply to Miroslav Grepl from comment #1)
> Could you tell us more about
> 
> type=AVC msg=audit(1429776701.947:1188): avc:  denied  { create } for 
> pid=9837 comm="sed" name="sedwkoNGp"
> scontext=unconfined_u:system_r:glusterd_t:s0
> tcontext=system_u:object_r:samba_etc_
> t:s0 tclass=file

I'm not seeing the above AVC anymore in the latest selinux-policy build, but could see the following:

####
[root@dhcp43-33 audit]# rpm -qa |grep selinux
libselinux-2.0.94-5.8.el6.x86_64
libselinux-utils-2.0.94-5.8.el6.x86_64
libselinux-python-2.0.94-5.8.el6.x86_64
selinux-policy-3.7.19-276.el6.noarch
selinux-policy-targeted-3.7.19-276.el6.noarch


[root@dhcp43-33 audit]# grep "AVC" audit.log
type=AVC msg=audit(1434458009.234:5445): avc:  denied  { execute } for  pid=19031 comm="glusterd" name="S57glusterfind-delete-post.py" dev=vda3 ino=398089 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:glusterd_var_lib_t:s0 tclass=file
type=AVC msg=audit(1434458016.776:5446): avc:  denied  { getattr } for  pid=19092 comm="S29CTDBsetup.sh" path="/var/log/audit" dev=vda3 ino=396601 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:auditd_log_t:s0 tclass=dir
type=AVC msg=audit(1434458016.793:5447): avc:  denied  { getattr } for  pid=19100 comm="S30samba-start." path="/var/log/audit" dev=vda3 ino=396601 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:auditd_log_t:s0 tclass=dir
####

-----
[root@dhcp43-33 audit]# cat audit.log |audit2allow

#============= glusterd_t ==============
allow glusterd_t auditd_log_t:dir getattr;
allow glusterd_t glusterd_var_lib_t:file execute;
-----

Do you know if this is also part of the fixes that are going to land in the next build or is it something new?

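The denials quoted in the description and in comment 2 fall into two classes that call for different fixes. Executing /usr/sbin/smbd (smbd_exec_t) from glusterd_t is a policy gap: the file is labelled correctly and the policy has to decide whether glusterd may run it. Executing S57glusterfind-delete-post.py while it carries glusterd_var_lib_t is a labelling problem: the `allow glusterd_t glusterd_var_lib_t:file execute;` rule that audit2allow prints would let glusterd execute anything under its state directory, including files an admin or an attacker wrote there. The following is an added example, not code from the bug or from selinux-policy, that parses AVC records (the sample is constructed from the records on this page), reproduces the audit2allow grouping, and flags the denials that are better fixed with a file-context entry:

```python
"""Group AVC denials the way audit2allow does, then separate the ones that
point at a labelling problem from the ones that need a policy decision.
Added example for this bug thread; it is not glusterd or selinux-policy code."""
import re
from collections import defaultdict

# Constructed sample: the AVC records quoted in the description and in
# comment 2, re-joined onto single lines, plus one abbreviated SYSCALL
# record to show that non-AVC lines are ignored.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1429776701.631:1186): avc:  denied  { execute } for  pid=9815 comm="S30samba-stop.s" name="smbd" dev=dm-0 ino=152897 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:smbd_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1429776701.631:1186): arch=c000003e syscall=21 success=yes exit=0 comm="S30samba-stop.s" exe="/bin/bash" subj=unconfined_u:system_r:glusterd_t:s0
type=AVC msg=audit(1429776701.633:1187): avc:  denied  { execute_no_trans } for  pid=9815 comm="S30samba-stop.s" path="/usr/sbin/smbd" dev=dm-0 ino=152897 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:smbd_exec_t:s0 tclass=file
type=AVC msg=audit(1429776701.954:1189): avc:  denied  { signal } for  pid=9812 comm="S30samba-stop.s" scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=unconfined_u:system_r:smbd_t:s0 tclass=process
type=AVC msg=audit(1434458009.234:5445): avc:  denied  { execute } for  pid=19031 comm="glusterd" name="S57glusterfind-delete-post.py" dev=vda3 ino=398089 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:glusterd_var_lib_t:s0 tclass=file
type=AVC msg=audit(1434458016.776:5446): avc:  denied  { getattr } for  pid=19092 comm="S29CTDBsetup.sh" path="/var/log/audit" dev=vda3 ino=396601 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:auditd_log_t:s0 tclass=dir
"""

AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?"
    r"scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)"
)
TARGET_RE = re.compile(r'\b(?:name|path)="([^"]+)"')


def type_of(context):
    """user:role:type:level -> type"""
    return context.split(":")[2]


def parse_avcs(text):
    """Return one dict per AVC record; other record types are skipped."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        target = TARGET_RE.search(line)
        records.append({
            "perms": set(m.group("perms").split()),
            "stype": type_of(m.group("scontext")),
            "ttype": type_of(m.group("tcontext")),
            "tclass": m.group("tclass"),
            "target": target.group(1) if target else None,
        })
    return records


def summarise(records):
    """One allow rule per (source type, target type, class), as audit2allow prints it."""
    grouped = defaultdict(set)
    for r in records:
        grouped[(r["stype"], r["ttype"], r["tclass"])] |= r["perms"]
    rules = []
    for (s, t, c), perms in sorted(grouped.items()):
        p = " ".join(sorted(perms))
        rules.append(f"allow {s} {t}:{c} {p};" if len(perms) == 1 else f"allow {s} {t}:{c} {{ {p} }};")
    return rules


def classify(record):
    """'relabel' when a file is being executed but carries a data type
    (neither bin_t nor an *_exec_t entrypoint): the file is mislabelled, and
    the allow rule audit2allow prints would let the domain execute anything
    under that type. Everything else is 'policy' and needs a human decision."""
    if record["tclass"] == "file" and record["perms"] & {"execute", "execute_no_trans"}:
        t = record["ttype"]
        if t != "bin_t" and not t.endswith("_exec_t"):
            return "relabel"
    return "policy"


def relabel_candidates(records):
    """Files whose denial is better fixed with a file-context entry than an allow rule."""
    return sorted({(r["target"], r["ttype"]) for r in records if classify(r) == "relabel"})


if __name__ == "__main__":
    recs = parse_avcs(SAMPLE_AUDIT_LOG)
    print("\n".join(summarise(recs)))
    print("relabel instead of allow:", relabel_candidates(recs))
```

Two things to keep in mind when reading the "policy" class: an `execute_no_trans` denial on an `*_exec_t` entrypoint (the smbd case here) means the caller is trying to run the daemon inside its own domain, and the usual fix is a domain transition rather than the literal `execute_no_trans` rule audit2allow would emit; and the `getattr` on auditd_log_t from the hook scripts is the kind of noise that is better dontaudit'ed than allowed.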
Comment 3 Miroslav Grepl 2015-06-17 07:35:16 UTC
type=AVC msg=audit(1434458009.234:5445): avc:  denied  { execute } for  pid=19031 comm="glusterd" name="S57glusterfind-delete-post.py" dev=vda3 ino=398089 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:glusterd_var_lib_t:s0 tclass=file


This is a new issue. So we have other executables in /var/lib/gluster. What are you getting in permissive mode?

Comment 4 Prasanth 2015-06-17 08:02:21 UTC
In Permissive mode, I'm seeing the following after create/start/delete of a gluster volume:

#########
[root@dhcp43-33 audit]# getenforce 
Permissive

type=AVC msg=audit(1434526391.609:6307): avc:  denied  { getattr } for  pid=23170 comm="S29CTDBsetup.sh" path="/var/log/audit" dev=vda3 ino=396601 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:auditd_log_t:s0 tclass=dir
type=AVC msg=audit(1434526436.236:6308): avc:  denied  { getattr } for  pid=23250 comm="S29CTDB-teardow" path="/var/log/audit" dev=vda3 ino=396601 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:auditd_log_t:s0 tclass=dir
type=AVC msg=audit(1434526442.032:6309): avc:  denied  { execute } for  pid=23298 comm="glusterd" name="S57glusterfind-delete-post.py" dev=vda3 ino=398089 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:glusterd_var_lib_t:s0 tclass=file
type=AVC msg=audit(1434526442.032:6309): avc:  denied  { execute_no_trans } for  pid=23298 comm="glusterd" path="/var/lib/glusterd/hooks/1/delete/post/S57glusterfind-delete-post.py" dev=vda3 ino=398089 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:glusterd_var_lib_t:s0 tclass=file
#########


Yes, we have some other new executables in /var/lib/glusterd/hooks. See below:

#############
[root@dhcp43-33 1]# pwd
/var/lib/glusterd/hooks/1	

[root@dhcp43-33 1]# ls  -alZ ./*/*
./add-brick/post:
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 .
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 ..
-rwxr--r--. root root system_u:object_r:bin_t:s0       disabled-quota-root-xattr-heal.sh

./add-brick/pre:
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 .
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 ..
-rwxr--r--. root root system_u:object_r:bin_t:s0       S28Quota-enable-root-xattr-heal.sh

./copy-file/post:
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 .
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 ..

./copy-file/pre:
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 .
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 ..

./create/post:
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 .
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 ..

./create/pre:
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 .
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 ..

./delete/post:
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 .
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 ..
-rwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 S57glusterfind-delete-post.py
-rw-r--r--. root root system_u:object_r:glusterd_var_lib_t:s0 S57glusterfind-delete-post.pyc
-rw-r--r--. root root system_u:object_r:glusterd_var_lib_t:s0 S57glusterfind-delete-post.pyo

./delete/pre:
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 .
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 ..

./gsync-create/post:
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 .
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 ..

./gsync-create/pre:
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 .
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 ..

./remove-brick/post:
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 .
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 ..

./remove-brick/pre:
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 .
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 ..

./reset/post:
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 .
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 ..
-rwxr--r--. root root system_u:object_r:bin_t:s0       S31ganesha-reset.sh

./reset/pre:
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 .
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 ..

./set/post:
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 .
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 ..
-rwxr--r--. root root system_u:object_r:bin_t:s0       S30samba-set.sh
-rwxr--r--. root root system_u:object_r:bin_t:s0       S31ganesha-set.sh
-rwxr--r--. root root system_u:object_r:bin_t:s0       S32gluster_enable_shared_storage.sh

./set/pre:
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 .
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 ..

./start/post:
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 .
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 ..
-rwxr--r--. root root system_u:object_r:bin_t:s0       S29CTDBsetup.sh
-rwxr--r--. root root system_u:object_r:bin_t:s0       S30samba-start.sh

./start/pre:
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 .
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 ..

./stop/post:
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 .
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 ..

./stop/pre:
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 .
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 ..
-rwxr--r--. root root system_u:object_r:bin_t:s0       S29CTDB-teardown.sh
-rwxr--r--. root root system_u:object_r:bin_t:s0       S30samba-stop.sh
#############

Is it possible to fix everything under this directory "/var/lib/glusterd/hooks" for any existing and new executables so that we don't come across these AVCs again in the future?

Comment 5 Miroslav Grepl 2015-06-17 08:11:18 UTC
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index 835302a..0550ea4 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -396,6 +396,7 @@ ifdef(`distro_suse', `
 /var/qmail/rc                  --      gen_context(system_u:object_r:bin_t,s0)
 
 /var/lib/glusterd/hooks/.*/.*\.sh -- gen_context(system_u:object_r:bin_t,s0)
+/var/lib/glusterd/hooks/.*/.*\.py -- gen_context(system_u:object_r:bin_t,s0)
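
Review bot: the new `.py` entry, like the `.sh` entry above it, keys on the file suffix and on `--` (regular files only), so a hook an administrator adds without one of those suffixes, or installs as a symlink, keeps glusterd_var_lib_t and will raise the same `execute` denial that S57glusterfind-delete-post.py did; comment 8 below says admins do add their own scripts here, so that case stays open after this patch. Leaving the `.pyc`/`.pyo` siblings from the comment 4 listing on glusterd_var_lib_t is right, since they are never executed directly and bytecode should not carry an executable type. Because this is a file-contexts change only, files already on disk keep their old label until they are relabelled (for example `restorecon -R /var/lib/glusterd/hooks`); that step is worth stating in the errata notes.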

Comment 6 Miroslav Grepl 2015-06-17 08:12:47 UTC
It could be enough. The point is that a writable file can be located there, and some more general labeling like

/var/lib/glusterd/hooks(/.*)? -- gen_context(system_u:object_r:bin_t,s0)

could be wrong. But if you tell us that only executables shipped by cluster will be located there, I will add this general labeling.

Comment 7 Prasanth 2015-06-17 08:28:44 UTC
(In reply to Miroslav Grepl from comment #6)
> It could be enough. The point is there can be located a file which is
> writable and some more general labeling like
> 
> /var/lib/glusterd/hooks(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
> 
> could be wrong. But if you tell us there will be located only executables
> shipped by cluster I will add this general labeling.

AFAIK, by default, this directory contains only the executables that are shipped by the gluster packages. But I believe it's designed in such a way that any admin can add executables later to this location as well, based on their requirement. But I would like to get it confirmed here by the concerned devel member so that you can add the appropriate labelling. 

Avra, could you please check Comment 6 and provide your comments?

Comment 8 Avra Sengupta 2015-06-17 08:39:51 UTC
/var/lib/glusterd/hooks contains hook scripts, which are scripts shipped along with gluster. These scripts can be modified by the admin, and the admin can add new scripts in this location as well.

I hope this information is enough to add the appropriate labelling. Please let me know if any other info is needed.

Comment 9 Miroslav Grepl 2015-06-17 09:02:22 UTC
The point is whether

/var/lib/glusterd/hooks/.*/.*\.sh -- gen_context(system_u:object_r:bin_t,s0)
/var/lib/glusterd/hooks/.*/.*\.py -- gen_context(system_u:object_r:bin_t,s0)

is enough, or whether we want to add

/var/lib/glusterd/hooks(/.*)? gen_context(system_u:object_r:bin_t,s0)

to be sure we cover all executables here.

Comment 10 Avra Sengupta 2015-06-17 09:32:06 UTC
Currently we have only bash scripts in /var/lib/glusterd/hooks/. So right now we should stick to only 

/var/lib/glusterd/hooks/.*/.*\.sh -- gen_context(system_u:object_r:bin_t,s0)

and not give the farm away by allowing everything.

Comment 11 Prasanth 2015-06-17 09:40:29 UTC
(In reply to Avra Sengupta from comment #10)
> Currently we have only bash scripts in /var/lib/glusterd/hooks/. So right
> now we should stick to only 
> 
> /var/lib/glusterd/hooks/.*/.*\.sh -- gen_context(system_u:object_r:bin_t,s0)
> 
> and not give the farm away by allowing everything.

Avra, I don't think this is true anymore as I do see a python script included in the hooks directory. See below:

########
[root@dhcp43-33 1]# pwd
/var/lib/glusterd/hooks/1	

./delete/post:
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 .
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 ..
-rwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 S57glusterfind-delete-post.py
-rw-r--r--. root root system_u:object_r:glusterd_var_lib_t:s0 S57glusterfind-delete-post.pyc
-rw-r--r--. root root system_u:object_r:glusterd_var_lib_t:s0 S57glusterfind-delete-post.pyo
########

Could you please check and confirm?

Comment 12 Avra Sengupta 2015-06-17 09:42:15 UTC
Sorry my bad. We can have the following in that case

/var/lib/glusterd/hooks/.*/.*\.sh -- gen_context(system_u:object_r:bin_t,s0)
/var/lib/glusterd/hooks/.*/.*\.py -- gen_context(system_u:object_r:bin_t,s0)

Comment 15 errata-xmlrpc 2015-07-22 07:13:48 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-1375.html