Bug 1215632
| Field | Value |
|---|---|
| Summary | [SELinux] [RHGS] Update the labelling for all the executable hooks under /var/lib/glusterd/hooks/ on RHEL-6.7 |
| Product | Red Hat Enterprise Linux 6 |
| Reporter | Prasanth <pprakash> |
| Component | selinux-policy |
| Assignee | Miroslav Grepl <mgrepl> |
| Status | CLOSED ERRATA |
| QA Contact | Milos Malik <mmalik> |
| Severity | high |
| Docs Contact | |
| Priority | unspecified |
| Version | 6.6 |
| CC | annair, asengupt, asrivast, dwalsh, jherrman, lvrabec, mgrepl, mmalik, nlevinki, nsathyan, plautrba, pprakash, pvrabec, rcyriac, rhs-bugs, sbhaloth, sgraf, ssekidde, tlavigne, vagarwal |
| Target Milestone | pre-dev-freeze |
| Target Release | 6.6 |
| Hardware | Unspecified |
| OS | Linux |
| Whiteboard | |
| Fixed In Version | |
| Doc Type | Bug Fix |
| Doc Text | Previously, SELinux was unintentionally preventing the Bash shell from executing various hook scripts in the /var/lib/glusterd/hooks/ directory. SELinux policy rules have been adjusted to allow for correct handling of various gluster-related services, such as smb, nmb, or ctdb. As a result, the affected hook scripts can now be executed properly. |
| Story Points | --- |
| Clone Of | |
| Clones | 1232692 (view as bug list) |
| Environment | |
| Last Closed | 2015-07-22 07:13:48 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | |
| Bug Blocks | 1212796, 1215637, 1216941, 1232692 |
Description
Prasanth
2015-04-27 11:09:12 UTC
Could you tell us more about

```
type=AVC msg=audit(1429776701.947:1188): avc: denied { create } for pid=9837 comm="sed" name="sedwkoNGp" scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:samba_etc_t:s0 tclass=file
```

---

(In reply to Miroslav Grepl from comment #1)
> Could you tell us more about
>
> type=AVC msg=audit(1429776701.947:1188): avc: denied { create } for
> pid=9837 comm="sed" name="sedwkoNGp"
> scontext=unconfined_u:system_r:glusterd_t:s0
> tcontext=system_u:object_r:samba_etc_
> t:s0 tclass=file

I'm not seeing the above AVC anymore in the latest selinux-policy build, but could see the following:

```
[root@dhcp43-33 audit]# rpm -qa |grep selinux
libselinux-2.0.94-5.8.el6.x86_64
libselinux-utils-2.0.94-5.8.el6.x86_64
libselinux-python-2.0.94-5.8.el6.x86_64
selinux-policy-3.7.19-276.el6.noarch
selinux-policy-targeted-3.7.19-276.el6.noarch

[root@dhcp43-33 audit]# grep "AVC" audit.log
type=AVC msg=audit(1434458009.234:5445): avc: denied { execute } for pid=19031 comm="glusterd" name="S57glusterfind-delete-post.py" dev=vda3 ino=398089 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:glusterd_var_lib_t:s0 tclass=file
type=AVC msg=audit(1434458016.776:5446): avc: denied { getattr } for pid=19092 comm="S29CTDBsetup.sh" path="/var/log/audit" dev=vda3 ino=396601 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:auditd_log_t:s0 tclass=dir
type=AVC msg=audit(1434458016.793:5447): avc: denied { getattr } for pid=19100 comm="S30samba-start." path="/var/log/audit" dev=vda3 ino=396601 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:auditd_log_t:s0 tclass=dir
```

```
[root@dhcp43-33 audit]# cat audit.log |audit2allow

#============= glusterd_t ==============
allow glusterd_t auditd_log_t:dir getattr;
allow glusterd_t glusterd_var_lib_t:file execute;
```

Do you know if this is also part of the fixes that are going to land in the next build or is it something new?
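The AVC records and the audit2allow output in the comment above are the input to the following added Python example (my code, not code from this bug or from the selinux-policy project). It parses audit.log AVC lines into audit2allow-style allow rules, and separately lists the hook files that were denied `execute` while still labelled `glusterd_var_lib_t`, which is the case where the right fix is a relabel to `bin_t` through a file-context entry rather than the `allow glusterd_t glusterd_var_lib_t:file execute` rule audit2allow prints. The sample log excerpt is constructed from the lines quoted in the bug; the function names and the `HOOKS_DIR`/`HOOK_TYPE` constants are my own.

```python
import re
from collections import defaultdict

# Constructed audit.log excerpt: the three AVC records mirror the ones quoted in
# this bug (execute denials on a hook script, getattr denials on /var/log/audit);
# the SYSCALL record is there to show that non-AVC lines are skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1434458009.234:5445): avc: denied { execute } for pid=19031 comm="glusterd" name="S57glusterfind-delete-post.py" dev=vda3 ino=398089 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:glusterd_var_lib_t:s0 tclass=file
type=AVC msg=audit(1434458016.776:5446): avc: denied { getattr } for pid=19092 comm="S29CTDBsetup.sh" path="/var/log/audit" dev=vda3 ino=396601 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:auditd_log_t:s0 tclass=dir
type=AVC msg=audit(1434526442.032:6309): avc: denied { execute_no_trans } for pid=23298 comm="glusterd" path="/var/lib/glusterd/hooks/1/delete/post/S57glusterfind-delete-post.py" dev=vda3 ino=398089 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:glusterd_var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1434526442.032:6309): arch=c000003e syscall=59 success=yes exit=0
"""

# Tolerates both the single-spaced form quoted in the bug and auditd's
# double-spaced "avc:  denied  { ... }" form.
AVC_RE = re.compile(
    r"^type=AVC\b.*?\bavc:\s+(?P<result>denied|granted)\s+"
    r"\{\s*(?P<perms>[^}]*?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+)"
    r".*?\btcontext=(?P<tcontext>\S+)"
    r".*?\btclass=(?P<tclass>\S+)"
)
TARGET_RE = re.compile(r'\b(?:path|name)="([^"]*)"')
COMM_RE = re.compile(r'\bcomm="([^"]*)"')

HOOKS_DIR = "/var/lib/glusterd/hooks/"   # assumed location of the hook tree
HOOK_TYPE = "glusterd_var_lib_t"         # label the hooks carried when denied


def type_of(context):
    """The third colon-separated field of a security context is its type."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one AVC record into a dict, or return None for any other record."""
    m = AVC_RE.match(line)
    if m is None:
        return None
    target = TARGET_RE.search(line)
    comm = COMM_RE.search(line)
    return {
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "source_type": type_of(m.group("scontext")),
        "target_type": type_of(m.group("tcontext")),
        "tclass": m.group("tclass"),
        "target": target.group(1) if target else None,
        "comm": comm.group(1) if comm else None,
    }


def parse_audit_log(text):
    return [r for r in map(parse_avc, text.splitlines()) if r is not None]


def allow_rules(records):
    """Collapse denials into audit2allow-style rules, one per (source, target, class)."""
    perms = defaultdict(set)
    for r in records:
        if r["result"] == "denied":
            perms[(r["source_type"], r["target_type"], r["tclass"])].update(r["perms"])
    rules = []
    for (src, tgt, cls), ps in sorted(perms.items()):
        ps = sorted(ps)
        body = ps[0] if len(ps) == 1 else "{ " + " ".join(ps) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules


def mislabelled_hooks(records):
    """Hook files denied execute while still labelled HOOK_TYPE.

    These want a relabel (a bin_t file-context entry plus restorecon), not the
    'allow glusterd_t glusterd_var_lib_t:file execute' rule audit2allow prints,
    which would let glusterd run anything under its state directory.
    """
    found = set()
    for r in records:
        if r["result"] != "denied" or r["tclass"] != "file":
            continue
        if r["target_type"] != HOOK_TYPE or not r["target"]:
            continue
        if not {"execute", "execute_no_trans"} & set(r["perms"]):
            continue
        # name= gives a bare file name, path= a full path; keep both forms.
        if "/" not in r["target"] or r["target"].startswith(HOOKS_DIR):
            found.add(r["target"])
    return sorted(found)


if __name__ == "__main__":
    recs = parse_audit_log(SAMPLE_AUDIT_LOG)
    print("\n".join(allow_rules(recs)))
    print("relabel candidates:", mislabelled_hooks(recs))
```

Run against a real `/var/log/audit/audit.log` the two outputs answer different questions: `allow_rules` reproduces what audit2allow would propose, and `mislabelled_hooks` singles out the denials that are a labelling problem, so that the policy change stays a file-context entry instead of a blanket allow on `glusterd_var_lib_t`.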
```
type=AVC msg=audit(1434458009.234:5445): avc: denied { execute } for pid=19031 comm="glusterd" name="S57glusterfind-delete-post.py" dev=vda3 ino=398089 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:glusterd_var_lib_t:s0 tclass=file
```

This is a new issue. So we have other executables in /var/lib/gluster. What are you getting in permissive mode?

---

In Permissive mode, I'm seeing the following after create/start/delete of a gluster volume:

```
[root@dhcp43-33 audit]# getenforce
Permissive

type=AVC msg=audit(1434526391.609:6307): avc: denied { getattr } for pid=23170 comm="S29CTDBsetup.sh" path="/var/log/audit" dev=vda3 ino=396601 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:auditd_log_t:s0 tclass=dir
type=AVC msg=audit(1434526436.236:6308): avc: denied { getattr } for pid=23250 comm="S29CTDB-teardow" path="/var/log/audit" dev=vda3 ino=396601 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:auditd_log_t:s0 tclass=dir
type=AVC msg=audit(1434526442.032:6309): avc: denied { execute } for pid=23298 comm="glusterd" name="S57glusterfind-delete-post.py" dev=vda3 ino=398089 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:glusterd_var_lib_t:s0 tclass=file
type=AVC msg=audit(1434526442.032:6309): avc: denied { execute_no_trans } for pid=23298 comm="glusterd" path="/var/lib/glusterd/hooks/1/delete/post/S57glusterfind-delete-post.py" dev=vda3 ino=398089 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:glusterd_var_lib_t:s0 tclass=file
```

---

Yes, we have some other new executables in /var/lib/glusterd/hooks. See below:

```
[root@dhcp43-33 1]# pwd
/var/lib/glusterd/hooks/1
[root@dhcp43-33 1]# ls -alZ ./*/*
./add-brick/post:
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 .
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 ..
-rwxr--r--. root root system_u:object_r:bin_t:s0       disabled-quota-root-xattr-heal.sh

./add-brick/pre:
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 .
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 ..
-rwxr--r--. root root system_u:object_r:bin_t:s0       S28Quota-enable-root-xattr-heal.sh

./copy-file/post:
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 .
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 ..

./copy-file/pre:
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 .
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 ..

./create/post:
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 .
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 ..

./create/pre:
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 .
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 ..

./delete/post:
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 .
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 ..
-rwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 S57glusterfind-delete-post.py
-rw-r--r--. root root system_u:object_r:glusterd_var_lib_t:s0 S57glusterfind-delete-post.pyc
-rw-r--r--. root root system_u:object_r:glusterd_var_lib_t:s0 S57glusterfind-delete-post.pyo

./delete/pre:
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 .
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 ..

./gsync-create/post:
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 .
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 ..

./gsync-create/pre:
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 .
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 ..

./remove-brick/post:
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 .
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 ..

./remove-brick/pre:
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 .
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 ..

./reset/post:
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 .
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 ..
-rwxr--r--. root root system_u:object_r:bin_t:s0       S31ganesha-reset.sh

./reset/pre:
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 .
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 ..

./set/post:
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 .
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 ..
-rwxr--r--. root root system_u:object_r:bin_t:s0       S30samba-set.sh
-rwxr--r--. root root system_u:object_r:bin_t:s0       S31ganesha-set.sh
-rwxr--r--. root root system_u:object_r:bin_t:s0       S32gluster_enable_shared_storage.sh

./set/pre:
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 .
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 ..

./start/post:
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 .
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 ..
-rwxr--r--. root root system_u:object_r:bin_t:s0       S29CTDBsetup.sh
-rwxr--r--. root root system_u:object_r:bin_t:s0       S30samba-start.sh

./start/pre:
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 .
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 ..

./stop/post:
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 .
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 ..

./stop/pre:
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 .
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 ..
-rwxr--r--. root root system_u:object_r:bin_t:s0       S29CTDB-teardown.sh
-rwxr--r--. root root system_u:object_r:bin_t:s0       S30samba-stop.sh
```

Is it possible to fix everything under this directory "/var/lib/glusterd/hooks" for any existing and new executables so that we don't come across these AVCs again in future?

---
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc index 835302a..0550ea4 100644 --- a/policy/modules/kernel/corecommands.fc +++ b/policy/modules/kernel/corecommands.fc 
@@ -396,6 +396,7 @@ ifdef(`distro_suse', ` /var/qmail/rc -- gen_context(system_u:object_r:bin_t,s0) /var/lib/glusterd/hooks/.*/.*\.sh -- gen_context(system_u:object_r:bin_t,s0) +/var/lib/glusterd/hooks/.*/.*\.py -- gen_context(system_u:object_r:bin_t,s0)

It could be enough. The point is a writable file could be located there, so some more general labeling like

```
/var/lib/glusterd/hooks(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
```

could be wrong. But if you tell us only executables shipped by cluster will be located there, I will add this general labeling.

---

(In reply to Miroslav Grepl from comment #6)
> It could be enough. The point is there can be located a file which is
> writable and some more general labeling like
>
> /var/lib/glusterd/hooks(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
>
> could be wrong. But if you tell us there will be located only executables
> shipped by cluster I will add this general labeling.

AFAIK, by default, this directory contains only the executables that are shipped by the gluster packages. But I believe it's designed in such a way that any admin can add executables later to this location as well, based on their requirement. But I would like to get it confirmed here by the concerned devel member so that you can add the appropriate labelling.

Avra, could you please check Comment 6 and provide your comments?

---

/var/lib/glusterd/hooks contains hook scripts, which are scripts shipped along with gluster. These scripts can be modified by the admin, and the admin can add new scripts in this location as well. I hope this information is enough to add the appropriate labelling. Please let me know if any other info is needed.

---

The point is whether

```
/var/lib/glusterd/hooks/.*/.*\.sh -- gen_context(system_u:object_r:bin_t,s0)
/var/lib/glusterd/hooks/.*/.*\.py -- gen_context(system_u:object_r:bin_t,s0)
```

or we want to add

```
/var/lib/glusterd/hooks(/.*)? gen_context(system_u:object_r:bin_t,s0)
```

to be sure we cover all executables here.

---
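Review bot: the added `/var/lib/glusterd/hooks/.*/.*\.py -- gen_context(system_u:object_r:bin_t,s0)` entry only covers the one file seen in the AVC (`S57glusterfind-delete-post.py`); the thread establishes that admins may add their own hooks here, so any hook whose name does not end in `.sh` or `.py` will keep `glusterd_var_lib_t` and hit the same `execute` / `execute_no_trans` denial again. Either document that hooks under `/var/lib/glusterd/hooks` must carry one of those suffixes to be executable under SELinux, or make the scope decision (suffix list versus the broader `hooks(/.*)?` entry) explicit in the commit message so the trade-off discussed in comment 6 is recorded. The `--` qualifier on both entries is right: it keeps the `pre`/`post` directories and the `.pyc`/`.pyo` byte-code files, which are never executed directly, out of `bin_t`.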
Currently we have only bash scripts in /var/lib/glusterd/hooks/. So right now we should stick to only

```
/var/lib/glusterd/hooks/.*/.*\.sh -- gen_context(system_u:object_r:bin_t,s0)
```

and not give the farm away by allowing everything.

---

(In reply to Avra Sengupta from comment #10)
> Currently we have only bash scripts in /var/lib/glusterd/hooks/. So right
> now we should stick to only
>
> /var/lib/glusterd/hooks/.*/.*\.sh -- gen_context(system_u:object_r:bin_t,s0)
>
> and not give the farm away by allowing everything.

Avra, I don't think this is true anymore as I do see a python script included in the hooks directory. See below:

```
[root@dhcp43-33 1]# pwd
/var/lib/glusterd/hooks/1

./delete/post:
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 .
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 ..
-rwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 S57glusterfind-delete-post.py
-rw-r--r--. root root system_u:object_r:glusterd_var_lib_t:s0 S57glusterfind-delete-post.pyc
-rw-r--r--. root root system_u:object_r:glusterd_var_lib_t:s0 S57glusterfind-delete-post.pyo
```

Could you please check and confirm?

---

Sorry, my bad. We can have the following in that case:

```
/var/lib/glusterd/hooks/.*/.*\.sh -- gen_context(system_u:object_r:bin_t,s0)
/var/lib/glusterd/hooks/.*/.*\.py -- gen_context(system_u:object_r:bin_t,s0)
```

---

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-1375.html
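The exchange from comment 6 onwards turns on which file-context regex to ship: the narrow `.sh`/`.py` entries or the broad `hooks(/.*)?` entry that Avra describes as giving the farm away. As an added example (my code, not part of this bug or of the selinux-policy project), the following Python models the file_contexts lookup and labels a constructed listing, taken from the `ls -alZ` output above plus one hypothetical admin-added hook with no suffix, under both rule sets, then reports which files end up `bin_t` and therefore executable by a domain allowed to run `bin_t`. The `/var/lib/glusterd(/.*)?` entry giving the tree its default `glusterd_var_lib_t` label is an assumption made for the example; the last-match-wins ordering mirrors how file_contexts is consulted once the policy build has sorted the entries general-first.

```python
import re

# Constructed listing derived from the `ls -alZ` output quoted in this bug as
# (path, is_regular_file), plus one hypothetical admin-added hook with no suffix.
HOOK_TREE = [
    ("/var/lib/glusterd/hooks/1/start/post", False),
    ("/var/lib/glusterd/hooks/1/start/post/S29CTDBsetup.sh", True),
    ("/var/lib/glusterd/hooks/1/start/post/S30samba-start.sh", True),
    ("/var/lib/glusterd/hooks/1/set/post/S30samba-set.sh", True),
    ("/var/lib/glusterd/hooks/1/delete/post/S57glusterfind-delete-post.py", True),
    ("/var/lib/glusterd/hooks/1/delete/post/S57glusterfind-delete-post.pyc", True),
    ("/var/lib/glusterd/hooks/1/delete/post/S57glusterfind-delete-post.pyo", True),
    ("/var/lib/glusterd/hooks/1/create/post/S99local-notify", True),  # hypothetical
]

# File-context entries as (regex, file-type qualifier, type). "--" restricts an
# entry to regular files, None matches any file type. The first entry in each
# list stands in for the default label of the glusterd state tree and is an
# assumption made for this example. Entries are listed general-first because
# the lookup below takes the last matching entry, as file_contexts does once
# the policy build has sorted it.
NARROW_FC = [
    (r"/var/lib/glusterd(/.*)?", None, "glusterd_var_lib_t"),
    (r"/var/lib/glusterd/hooks/.*/.*\.sh", "--", "bin_t"),   # existing entry
    (r"/var/lib/glusterd/hooks/.*/.*\.py", "--", "bin_t"),   # entry added by the patch
]
BROAD_FC = [
    (r"/var/lib/glusterd(/.*)?", None, "glusterd_var_lib_t"),
    (r"/var/lib/glusterd/hooks(/.*)?", "--", "bin_t"),        # alternative from comment 6
]


def fc_label(path, is_file, fc_entries):
    """Label a path the way matchpathcon would: anchored regex, last match wins."""
    label = None
    for regex, qualifier, seltype in fc_entries:
        if qualifier == "--" and not is_file:
            continue
        if re.fullmatch(regex, path):
            label = seltype
    return label


def label_tree(fc_entries, tree=HOOK_TREE):
    """Map every path in the listing to the type it would receive."""
    return {path: fc_label(path, is_file, fc_entries) for path, is_file in tree}


def executable_surface(fc_entries, tree=HOOK_TREE):
    """Paths that end up bin_t, i.e. that a confined domain allowed to run
    bin_t may execute. The difference between the two rule sets is exactly
    the set of non-script files an admin could drop into the hooks tree."""
    return sorted(p for p, t in label_tree(fc_entries, tree).items() if t == "bin_t")


if __name__ == "__main__":
    for name, fc in (("narrow", NARROW_FC), ("broad", BROAD_FC)):
        print(f"{name}:")
        for p in executable_surface(fc):
            print("  bin_t", p)
```

Under the narrow entries only the four scripts become `bin_t`; the `.pyc`/`.pyo` files, the directories and the suffix-less admin hook keep `glusterd_var_lib_t`. Under the broad entry every regular file in the tree, including anything an admin writes there, becomes `bin_t`, which is the concern comments 6 and 10 raise. Swapping `HOOK_TREE` for the output of `find /var/lib/glusterd/hooks -printf '%p %y\n'` on a real host turns this into a quick check of what a proposed entry would actually relabel before running `restorecon`.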