Bug 1218902
Summary: | [SELinux] [SMB]: RHEL7.1- SELinux policy for all AVC's on Samba and CTDB | | |
---|---|---|---|
Product: | [Red Hat Storage] Red Hat Gluster Storage | Reporter: | surabhi <sbhaloth> |
Component: | samba | Assignee: | Jose A. Rivera <jarrpa> |
Status: | CLOSED ERRATA | QA Contact: | surabhi <sbhaloth> |
Severity: | urgent | Docs Contact: | |
Priority: | urgent | | |
Version: | rhgs-3.1 | CC: | nlevinki, pprakash, rjoseph, vagarwal |
Target Milestone: | --- | | |
Target Release: | RHGS 3.1.0 | | |
Hardware: | Unspecified | | |
OS: | Unspecified | | |
Whiteboard: | SELinux | | |
Fixed In Version: | selinux-policy-3.13.1-23.el7_1.12 | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2015-07-29 04:42:32 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | | | |
Bug Blocks: | 1202842, 1212796 | | |
Description
surabhi
2015-05-06 07:32:11 UTC
On a ctdb setup on RHEL7.1, I still see the following AVCs.

type=SYSCALL msg=audit(06/25/2015 06:19:22.207:22288) : arch=x86_64 syscall=kill success=no exit=-13(Permission denied) a0=0x3e08 a1=SIG0 a2=0x0 a3=0x0 items=0 ppid=1 pid=15386 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ctdbd exe=/usr/sbin/ctdbd subj=system_u:system_r:ctdbd_t:s0 key=(null)
type=AVC msg=audit(06/25/2015 06:19:22.207:22288) : avc: denied { signull } for pid=15386 comm=ctdbd scontext=system_u:system_r:ctdbd_t:s0 tcontext=system_u:system_r:smbd_t:s0 tclass=process
----
type=SYSCALL msg=audit(06/25/2015 06:19:32.566:22290) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x7fff1c104608 a1=0x7fff1c1049c8 a2=0x7fff1c104a18 a3=0x7fff1c104440 items=0 ppid=16753 pid=16754 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=iptables exe=/usr/sbin/xtables-multi subj=system_u:system_r:iptables_t:s0 key=(null)
type=AVC msg=audit(06/25/2015 06:19:32.566:22290) : avc: denied { read } for pid=16754 comm=iptables path=/var/lib/ctdb/iptables-ctdb.flock dev="dm-0" ino=67681652 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file

With the policy build selinux-policy-3.13.1-23.el7_1.10.noarch selinux-policy-targeted-3.13.1-23.el7_1.10.noarch I still see AVCs in the logs.

type=AVC msg=audit(07/20/2015 03:29:05.507:1188) : avc: denied { block_suspend } for pid=16066 comm=smbd capability=block_suspend scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:system_r:smbd_t:s0 tclass=capability2
type=AVC msg=audit(07/20/2015 03:29:05.512:1189) : avc: denied { net_admin } for pid=16066 comm=smbd capability=net_admin scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:system_r:smbd_t:s0 tclass=capability

The fixes are in the build selinux-policy-3.13.1-33.el7 of RHEL7.2, which needs to be backported to RHEL7.1.z.
Moving the bz to assigned until we get a new selinux policy build for RHEL7.1.z.

After updating to selinux policy selinux-policy-3.13.1-23.el7_1.12, performing ctdb setup, ctdb failover cases and AD integration, all works fine and there are no AVCs seen on the RHEL7-based RHGS ISO. Moving the BZ to verified.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-1495.html
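The four denials quoted in the report (ctdbd_t signalling smbd_t, iptables_t reading the ctdb lock file, and smbd_t needing the block_suspend and net_admin capabilities) each reduce to a (source type, target type, class, permissions) tuple, and verifying that a policy build such as selinux-policy-3.13.1-23.el7_1.12 actually covers them means querying the installed policy for exactly those tuples. The script below is an added example, not code from the bug report, from Red Hat, or from the selinux-policy package: it parses audit records into those tuples, merges repeats, and emits for each one a setools `sesearch` query to run against the installed policy plus the equivalent TE allow rule for reading the denial in policy terms. The sample records are the AVC lines quoted above, reformatted to one record per line (the SYSCALL record is trimmed to its leading fields); the `sesearch -A -s -t -c -p` flag syntax is assumed to match the setools version on the host.

```python
"""Parse SELinux AVC denial records and derive the policy check for each.

Added example for this bug report; not code from the report or from the
selinux-policy package. SAMPLE_AUDIT_LINES is constructed from the records
quoted in the report, one audit record per line (SYSCALL record trimmed).
"""
import re
from typing import Dict, List, NamedTuple, Optional, Set, Tuple


class AvcDenial(NamedTuple):
    perms: Tuple[str, ...]  # denied permissions, e.g. ("signull",)
    source: str             # source domain type, e.g. "ctdbd_t"
    target: str             # target type, e.g. "smbd_t" or "ctdbd_var_lib_t"
    tclass: str             # object class, e.g. "process", "file", "capability2"


# Constructed sample input: the records quoted in the report, one per line.
SAMPLE_AUDIT_LINES: List[str] = [
    "type=SYSCALL msg=audit(06/25/2015 06:19:22.207:22288) : arch=x86_64 "
    "syscall=kill success=no exit=-13(Permission denied) comm=ctdbd "
    "exe=/usr/sbin/ctdbd subj=system_u:system_r:ctdbd_t:s0 key=(null)",
    "type=AVC msg=audit(06/25/2015 06:19:22.207:22288) : avc: denied { signull } "
    "for pid=15386 comm=ctdbd scontext=system_u:system_r:ctdbd_t:s0 "
    "tcontext=system_u:system_r:smbd_t:s0 tclass=process",
    "type=AVC msg=audit(06/25/2015 06:19:32.566:22290) : avc: denied { read } "
    "for pid=16754 comm=iptables path=/var/lib/ctdb/iptables-ctdb.flock "
    'dev="dm-0" ino=67681652 scontext=system_u:system_r:iptables_t:s0 '
    "tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file",
    "type=AVC msg=audit(07/20/2015 03:29:05.507:1188) : avc: denied { block_suspend } "
    "for pid=16066 comm=smbd capability=block_suspend "
    "scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:system_r:smbd_t:s0 "
    "tclass=capability2",
    "type=AVC msg=audit(07/20/2015 03:29:05.512:1189) : avc: denied { net_admin } "
    "for pid=16066 comm=smbd capability=net_admin "
    "scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:system_r:smbd_t:s0 "
    "tclass=capability",
]

# "avc: denied { perm perm } for key=value key=value ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)")
# key=value pairs; values may be double-quoted (dev="dm-0") or bare
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def _type_of(context: str) -> str:
    """user:role:type[:level] -> type (index 2 holds the type even with MLS ranges)."""
    return context.split(":")[2]


def parse_avc(line: str) -> Optional[AvcDenial]:
    """Return the denial tuple for an AVC record, or None for any other record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields: Dict[str, str] = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    if not all(k in fields for k in ("scontext", "tcontext", "tclass")):
        return None  # malformed record: refuse rather than guess
    return AvcDenial(
        perms=tuple(m.group("perms").split()),
        source=_type_of(fields["scontext"]),
        target=_type_of(fields["tcontext"]),
        tclass=fields["tclass"],
    )


def summarize(lines: List[str]) -> List[AvcDenial]:
    """Collapse records into one entry per (source, target, class), merging permissions."""
    merged: Dict[Tuple[str, str, str], Set[str]] = {}
    for line in lines:
        d = parse_avc(line)
        if d is not None:
            merged.setdefault((d.source, d.target, d.tclass), set()).update(d.perms)
    return [AvcDenial(tuple(sorted(p)), s, t, c) for (s, t, c), p in sorted(merged.items())]


def sesearch_cmd(d: AvcDenial) -> str:
    """setools query listing allow rules that cover this denial in the installed policy.

    An empty result means the installed policy build still does not allow it."""
    return f"sesearch -A -s {d.source} -t {d.target} -c {d.tclass} -p {','.join(d.perms)}"


def allow_rule(d: AvcDenial) -> str:
    """Equivalent TE allow rule; capability checks are against the domain itself (self)."""
    target = "self" if d.source == d.target else d.target
    return f"allow {d.source} {target}:{d.tclass} {{ {' '.join(d.perms)} }};"


if __name__ == "__main__":
    for denial in summarize(SAMPLE_AUDIT_LINES):
        print(allow_rule(denial))
        print("  check: " + sesearch_cmd(denial))
```

Feed it `ausearch -m AVC -ts today` output (one record per line) and run each printed `sesearch` line on the updated host: a non-empty result for every tuple is the same evidence the verifier relied on when moving the bug to VERIFIED. The printed allow rules are for reading the denials, not for dropping into a local module; rules such as `allow smbd_t self:capability { net_admin };` widen the Samba domain, so the fix belongs in the vendor policy build named in the bug rather than in a blanket local allow.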