Bug 1215637
| Summary: | [SELinux] [RHGS-3.1] AVC's of all the executable hooks under /var/lib/glusterd/hooks/ on RHEL-6.7 | ||
|---|---|---|---|
| Product: | [Red Hat Storage] Red Hat Gluster Storage | Reporter: | Prasanth <pprakash> |
| Component: | glusterfs | Assignee: | Anand Nekkunti <anekkunt> |
| Status: | CLOSED ERRATA | QA Contact: | surabhi <sbhaloth> |
| Severity: | urgent | Docs Contact: | |
| Priority: | urgent | ||
| Version: | rhgs-3.1 | CC: | annair, ashah, asrivast, nlevinki, nsathyan, pprakash, rcyriac, rjoseph, sbhaloth, sgraf, ssampat, vagarwal, vbellur |
| Target Milestone: | --- | ||
| Target Release: | RHGS 3.1.0 | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | SELinux | ||
| Fixed In Version: | selinux-policy-3.7.19-278.el6 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2015-07-29 04:42:10 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1215632 | ||
| Bug Blocks: | 1202842, 1212796 | ||
This problem is related to samba not glusterd , samba needs selinux permission to execute commands in /bin/. Selinix rules need to modify for that.
While disabling cluster.enable-shared-storage, saw logs messages
========================================================
un 16 14:41:40 darkknightrises setroubleshoot: SELinux is preventing /usr/bin/python from execute access on the file /var/lib/glusterd/hooks/1/delete/post/S57glusterfind-delete-post.py. For complete SELinux messages. run sealert -l 013c2865-34ab-4e95-a530-cb114d895ce4
Version-Release number of selected component (if applicable):
[root@darkknightrises ~]# rpm -qa | grep glusterfs
glusterfs-3.7.1-3.el6rhs.x86_64
glusterfs-cli-3.7.1-3.el6rhs.x86_64
glusterfs-libs-3.7.1-3.el6rhs.x86_64
glusterfs-client-xlators-3.7.1-3.el6rhs.x86_64
glusterfs-fuse-3.7.1-3.el6rhs.x86_64
glusterfs-server-3.7.1-3.el6rhs.x86_64
glusterfs-debuginfo-3.7.1-3.el6rhs.x86_64
samba-vfs-glusterfs-4.1.17-4.el6rhs.x86_64
glusterfs-api-3.7.1-3.el6rhs.x86_64
glusterfs-geo-replication-3.7.1-3.el6rhs.x86_64
Selinux Version:
===============================
[root@darkknightrises ~]# rpm -qa |grep selinux
selinux-policy-targeted-3.7.19-276.el6.noarch
libselinux-2.0.94-5.8.el6.x86_64
libselinux-utils-2.0.94-5.8.el6.x86_64
selinux-policy-3.7.19-276.el6.noarch
libselinux-python-2.0.94-5.8.el6.x86_64
How reproducible:
Steps to Reproduce:
1. Create 2*2 distribute-replicate volume
2. gluster vol set all audit.logcluster.enable-shared-storage enable
3. gluster vol set all audit.logcluster.enable-shared-storage disable
Actual results:
ss on the file /var/lib/glusterd/hooks/1/delete/post/S57glusterfind-delete-post.py. For complete SELinux messages. run sealert -l 013c2865-34ab-4e95-a530-cb114d895ce4
Jun 16 14:41:40 darkknightrises setroubleshoot: SELinux is preventing /usr/bin/python from execute access on the file /var/lib/glusterd/hooks/1/delete/post/S57glusterfind-delete-post.py. For complete SELinux messages. run sealert -l 013c2865-34ab-4e95-a530-cb114d895ce4
===================================================
[root@darkknightrises ~]# sealert -l 013c2865-34ab-4e95-a530-cb114d895ce4
SELinux is preventing /usr/bin/python from execute access on the file /var/lib/glusterd/hooks/1/delete/post/S57glusterfind-delete-post.py.
***** Plugin leaks (86.2 confidence) suggests ******************************
If you want to ignore python trying to execute access the S57glusterfind-delete-post.py file, because you believe it should not need this access.
Then you should report this as a bug.
You can generate a local policy module to dontaudit this access.
Do
# grep /usr/bin/python /var/log/audit/audit.log | audit2allow -D -M mypol
# semodule -i mypol.pp
***** Plugin catchall (14.7 confidence) suggests ***************************
If you believe that python should be allowed execute access on the S57glusterfind-delete-post.py file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep S57glusterfind- /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context unconfined_u:system_r:glusterd_t:s0
Target Context system_u:object_r:glusterd_var_lib_t:s0
Target Objects /var/lib/glusterd/hooks/1/delete/post
/S57glusterfind-delete-post.py [ file ]
Source S57glusterfind-
Source Path /usr/bin/python
Port <Unknown>
Host darkknightrises
Source RPM Packages python-2.6.6-64.el6.x86_64
Target RPM Packages glusterfs-server-3.7.1-3.el6rhs.x86_64
Policy RPM selinux-policy-3.7.19-276.el6.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name darkknightrises
Platform Linux darkknightrises 2.6.32-565.el6.x86_64 #1 SMP
Tue Jun 2 14:53:05 EDT 2015 x86_64 x86_64
Alert Count 1
First Seen Tue 16 Jun 2015 02:41:35 PM IST
Last Seen Tue 16 Jun 2015 02:41:35 PM IST
Local ID 013c2865-34ab-4e95-a530-cb114d895ce4
Raw Audit Messages
type=AVC msg=audit(1434445895.917:8072): avc: denied { execute } for pid=16463 comm="glusterd" name="S57glusterfind-delete-post.py" dev=dm-0 ino=1573216 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:glusterd_var_lib_t:s0 tclass=file
type=AVC msg=audit(1434445895.917:8072): avc: denied { execute_no_trans } for pid=16463 comm="glusterd" path="/var/lib/glusterd/hooks/1/delete/post/S57glusterfind-delete-post.py" dev=dm-0 ino=1573216 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:glusterd_var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1434445895.917:8072): arch=x86_64 syscall=execve success=yes exit=0 a0=7fb628008d90 a1=7fb628008b40 a2=7fb645e9b060 a3=8 items=0 ppid=13437 pid=16463 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1029 comm=S57glusterfind- exe=/usr/bin/python subj=unconfined_u:system_r:glusterd_t:s0 key=(null)
Hash: S57glusterfind-,glusterd_t,glusterd_var_lib_t,file,execute
audit2allow
#============= glusterd_t ==============
allow glusterd_t glusterd_var_lib_t:file { execute execute_no_trans };
audit2allow -R
#============= glusterd_t ==============
allow glusterd_t glusterd_var_lib_t:file { execute execute_no_trans };
======================================================
Audit logs:
======================================
type=SYSCALL msg=audit(1434437797.854:7177): arch=c000003e syscall=42 success=no exit=-115 a0=27 a1=7fd9a89ff0a8 a2=10 a3=0 items=0 ppid=14611 pid=15129 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1029 comm="smbd" exe="/usr/sbin/smbd" subj=unconfined_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1434437798.038:7178): avc: denied { name_bind } for pid=15140 comm="smbd" src=990 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=system_u:object_r:ftp_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1434437798.038:7178): arch=c000003e syscall=49 success=no exit=-98 a0=38 a1=7fd9b10ec150 a2=10 a3=4a items=0 ppid=14611 pid=15140 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1029 comm="smbd" exe="/usr/sbin/smbd" subj=unconfined_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1434437798.044:7179): avc: denied { name_bind } for pid=15141 comm="smbd" src=995 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=system_u:object_r:pop_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1434437798.044:7179): arch=c000003e syscall=49 success=no exit=-98 a0=39 a1=7fd9b115c640 a2=10 a3=4a items=0 ppid=14611 pid=15141 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1029 comm="smbd" exe="/usr/sbin/smbd" subj=unconfined_u:system_r:smbd_t:s0 key=(null)
=====================================
type=AVC msg=audit(1434448984.506:7950): avc: denied { execute } for pid=12278 comm="glusterd" name="S57glusterfind-delete-post.py" dev=dm-2 ino=17433095 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:glusterd_var_lib_t:s0 tclass=file
*** Bug 1232217 has been marked as a duplicate of this bug. *** <snip>
time->Tue Apr 28 11:35:30 2015
type=SYSCALL msg=audit(1430220930.760:245): arch=c000003e syscall=59 success=no exit=-8 a0=7f25d0008cb0 a1=7f25d0008a60 a2=c5ef10 a3=8 items=0 ppid=29524 pid=4082 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="glusterd" exe="/usr/sbin/glusterfsd" subj=unconfined_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1430220930.760:245): avc: denied { execute_no_trans } for pid=4082 comm="glusterd" path="/var/lib/glusterd/hooks/1/reset/post/S31ganesha-reset.sh" dev=dm-0 ino=522737 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:glusterd_var_lib_t:s0 tclass=file
type=AVC msg=audit(1430220930.760:245): avc: denied { execute } for pid=4082 comm="glusterd" name="S31ganesha-reset.sh" dev=dm-0 ino=522737 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:glusterd_var_lib_t:s0 tclass=file
----
time->Tue Apr 28 11:35:30 2015
type=SYSCALL msg=audit(1430220930.779:246): arch=c000003e syscall=0 success=yes exit=155 a0=5 a1=3db06118c0 a2=3ff a3=0 items=0 ppid=4082 pid=4084 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ps" exe="/bin/ps" subj=unconfined_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1430220930.779:246): avc: denied { sys_ptrace } for pid=4084 comm="ps" capability=19 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=unconfined_u:system_r:glusterd_t:s0 tclass=capability
Fail: AVC messages found.
Checking for errors...
Using stronger AVC checks.
Define empty RHTS_OPTION_STRONGER_AVC parameter if this causes any problems.
Running 'cat /mnt/testarea/tmp.rhts-db-submit-result.ZrfFAZ | /sbin/ausearch -m AVC -m SELINUX_ERR'
Fail: AVC messages found.
Running 'cat %s | /sbin/ausearch -m USER_AVC >/mnt/testarea/tmp.rhts-db-submit-result.z5f4z9 2>&1'
Info: No AVC messages found.
/bin/grep 'avc: ' /mnt/testarea/dmesg.log | /bin/grep --invert-match TESTOUT.log
No AVC messages found in dmesg
Running '/usr/sbin/sestatus'
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 24
Policy from config file: targeted
Running 'rpm -q selinux-policy || true'
selinux-policy-3.7.19-260.el6.noarch
</snip>
*** Bug 1217198 has been marked as a duplicate of this bug. *** With SELinux policy selinux-policy-3.7.19-279.el6.noarch, there are no AVC's seen related to SMB/CTDB hook scripts on RHEL6.7. Marking the BZ to verified. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHSA-2015-1495.html |
Description of problem: SELinux is preventing /bin/bash from using the signal access on a process See AVC messages from /var/log/audit/audit.log below: ###### type=AVC msg=audit(1429776701.631:1186): avc: denied { execute } for pid=9815 comm="S30samba-stop.s" name="smbd" dev=dm-0 ino=152897 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:smbd_exec_t:s0 tclass=file type=SYSCALL msg=audit(1429776701.631:1186): arch=c000003e syscall=21 success=yes exit=0 a0=fe9ae0 a1=1 a2=0 a3=f items=0 ppid=9814 pid=9815 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="S30samba-stop.s" exe="/bin/bash" subj=unconfined_u:system_r:glusterd_t:s0 key=(null) type=AVC msg=audit(1429776701.633:1187): avc: denied { execute_no_trans } for pid=9815 comm="S30samba-stop.s" path="/usr/sbin/smbd" dev=dm-0 ino=152897 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:smbd_exec_t:s0 tclass=file type=AVC msg=audit(1429776701.954:1189): avc: denied { signal } for pid=9812 comm="S30samba-stop.s" scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=unconfined_u:system_r:smbd_t:s0 tclass=process type=SYSCALL msg=audit(1429776701.954:1189): arch=c000003e syscall=62 success=yes exit=0 a0=c7c a1=1 a2=0 a3=c7c items=0 ppid=3810 pid=9812 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="S30samba-stop.s" exe="/bin/bash" subj=unconfined_u:system_r:glusterd_t:s0 key=(null) ###### Version-Release number of selected component (if applicable): ##### glusterfs-fuse-3.7dev-0.1009.git8b987be.el6.x86_64 glusterfs-cli-3.7dev-0.1009.git8b987be.el6.x86_64 glusterfs-3.7dev-0.1009.git8b987be.el6.x86_64 glusterfs-server-3.7dev-0.1009.git8b987be.el6.x86_64 glusterfs-libs-3.7dev-0.1009.git8b987be.el6.x86_64 glusterfs-api-3.7dev-0.1009.git8b987be.el6.x86_64 samba-vfs-glusterfs-4.1.17-4.el6rhs.x86_64 ##### How reproducible: Always Steps to Reproduce: 1. Install the RHEL6 glusterfs 3.7 nightly builds from http://download.gluster.org/pub/gluster/glusterfs/nightly/glusterfs-3.7/epel-6-x86_64/ 2. Create a volume and start it 3. Check for the AVC's in /var/log/audit/audit.log . Actual results: Above mentioned AVC is seen in the logs. Expected results: If you believe that bash should be allowed signal access on processes labeled smbd_t by default, please consider fixing it. Document URL: Section Number and Name: Describe the issue: Suggestions for improvement: Additional information: Description of problem: Version-Release number of selected component (if applicable): How reproducible: Steps to Reproduce: 1. 2. 3. Actual results: Expected results: Additional info: