Bug 1219317
| Field | Value |
|---|---|
| Summary | Update SELinux policies for Samba and CTDB in RHEL 6.6 |
| Product | Red Hat Enterprise Linux 6 |
| Reporter | Jose A. Rivera <jarrpa> |
| Component | selinux-policy |
| Assignee | Miroslav Grepl <mgrepl> |
| Status | CLOSED ERRATA |
| QA Contact | Milos Malik <mmalik> |
| Severity | urgent |
| Priority | unspecified |
| Version | 6.6 |
| CC | dwalsh, jarrpa, lvrabec, mgrepl, mmalik, plautrba, pvrabec, sbhaloth, sgraf, ssekidde, tlavigne |
| Target Milestone | rc |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Fixed In Version | selinux-policy-3.7.19-268.el6 |
| Doc Type | Bug Fix |
| Last Closed | 2015-07-22 07:14:03 UTC |
| Type | Bug |
| Bug Blocks | 1208420 |
From Milos:

I don't know what the purpose of the files in the /etc/ctdb/events.d/ directory is, but I believe they should be labeled bin_t, because they are shell scripts and they are executed by ctdb_event_helper. Now they are labeled etc_t, which implies that they contain some kind of configuration, which is not true. If they were labeled bin_t, there would be fewer AVCs.

Permanent labeling for files in /etc/ctdb/events.d/ can be enabled via the following commands:

```
# semanage fcontext -a -f '' -t bin_t '/etc/ctdb/events.d/.*'
# restorecon -Rv /etc/ctdb
```

Permanent labeling for files in /etc/ctdb/events.d/ can be disabled via the following commands:

```
# semanage fcontext -d -f '' -t bin_t '/etc/ctdb/events.d/.*'
# restorecon -Rv /etc/ctdb
```

You can list the local file context customizations via the following command:

```
# semanage fcontext -l -C
SELinux fcontext          type        Context
/etc/ctdb/events.d/.*     all files   system_u:object_r:bin_t:s0
/var/log/core(/.*)?       all files   system_u:object_r:virt_cache_t:s0
#
```

There is a special policy module loaded on both machines. This policy module contains additional policy rules, which were missing in the default policy and which caused the AVCs. You can find it via the following command:

```
# semodule -l | grep mypolicy
mypolicy	1.0
#
```

In the /root directory you can find the mypolicy.te file (source code of the policy module) and the mypolicy.pp file (compiled code of the policy module). If you want to remove the policy module, run:

```
semodule -r mypolicy
```

If you want to insert the policy module again, run:

```
semodule -i mypolicy.pp
```

Based on the AVCs which remained, it seems that the smb service wants to load the ipv6 kernel module. Therefore I recommend enabling the domain_kernel_load_modules boolean. You can permanently enable it via:

```
# setsebool -P domain_kernel_load_modules on
```

or disable it via:

```
# setsebool -P domain_kernel_load_modules off
```

Can we get the AVCs needed for mypol.te?

Created attachment 1025052 [details]
AVCs from first machine
Created attachment 1025053 [details]
AVCs from second machine
Tried on RHEL6.7 with the following versions:

- glusterfs: glusterfs-3.7.0beta2-0.2.gitc1cd4fa.el6.x86_64
- Samba: samba-4.1.17-5.el6.x86_64
- SELinux: selinux-policy-3.7.19-267.el6.noarch

The smb service starts without logging any AVC.

After starting the smb service, trying to mount the gluster volume over cifs gives the following AVCs:
```
type=AVC msg=audit(1431930264.825:77): avc: denied { write } for pid=6245 comm="glusterd" name="glusterd.socket" dev=dm-0 ino=784323 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1431930264.826:78): avc: denied { unlink } for pid=6245 comm="glusterd" name="glusterd.socket" dev=dm-0 ino=784323 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1431930277.984:79): avc: denied { execute } for pid=6334 comm="glusterd" name="S29CTDBsetup.sh" dev=dm-0 ino=784303 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:glusterd_var_lib_t:s0 tclass=file
type=AVC msg=audit(1431930277.984:79): avc: denied { execute_no_trans } for pid=6334 comm="glusterd" path="/var/lib/glusterd/hooks/1/start/post/S29CTDBsetup.sh" dev=dm-0 ino=784303 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:glusterd_var_lib_t:s0 tclass=file
type=AVC msg=audit(1431930277.989:80): avc: denied { execute } for pid=6335 comm="S29CTDBsetup.sh" name="hostname" dev=dm-0 ino=130329 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file
type=AVC msg=audit(1431930277.989:81): avc: denied { execute_no_trans } for pid=6335 comm="S29CTDBsetup.sh" path="/bin/hostname" dev=dm-0 ino=130329 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file
type=AVC msg=audit(1431930278.019:82): avc: denied { execute } for pid=6353 comm="S30samba-start." name="smbd" dev=dm-0 ino=925890 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:smbd_exec_t:s0 tclass=file
type=AVC msg=audit(1431930278.019:83): avc: denied { execute_no_trans } for pid=6353 comm="S30samba-start." path="/usr/sbin/smbd" dev=dm-0 ino=925890 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:smbd_exec_t:s0 tclass=file
type=AVC msg=audit(1431930278.187:84): avc: denied { signal } for pid=6338 comm="S30samba-start." scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=unconfined_u:system_r:smbd_t:s0 tclass=process
type=AVC msg=audit(1431930685.513:97): avc: denied { search } for pid=6458 comm="smbd" name="glusterfs" dev=dm-0 ino=269456 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=system_u:object_r:glusterd_conf_t:s0 tclass=dir
type=AVC msg=audit(1431930685.514:98): avc: denied { search } for pid=6458 comm="smbd" name="glusterfs" dev=dm-0 ino=269456 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=system_u:object_r:glusterd_conf_t:s0 tclass=dir
type=AVC msg=audit(1431930685.532:99): avc: denied { search } for pid=6458 comm="smbd" scontext=unconfined_u:system_r:smbd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir
type=AVC msg=audit(1431930685.533:100): avc: denied { name_bind } for pid=6458 comm="smbd" src=1023 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1431930685.534:101): avc: denied { name_connect } for pid=6458 comm="smbd" dest=24007 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=system_u:object_r:gluster_port_t:s0 tclass=tcp_socket
```
Have created another BZ, https://bugzilla.redhat.com/show_bug.cgi?id=1221929, for the mount issue. Will provide the logs in that BZ.
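To make an AVC dump like the one above easier to review, here is an added Python helper (not part of this bug, the policy packages or audit2allow) that re-joins records broken across lines when pasted, as the first two records in this report are, and groups the denials by source type, target type and object class into the allow-rule shape audit2allow would propose for review. The embedded sample records are copied from the denials quoted in this bug.

```python
import re
from collections import defaultdict
# Sample copied from the denials quoted in this bug; the first record is broken
# across two lines the way the pasted audit output in the report is.
SAMPLE_AVCS = """\
type=AVC msg=audit(1431930264.825:77): avc: denied { write } for pid=6245 comm="glusterd" name="glusterd.socket" dev=dm-0 ino=784323 scontext=uncon
fined_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1431930277.989:80): avc: denied { execute } for pid=6335 comm="S29CTDBsetup.sh" name="hostname" dev=dm-0 ino=130329 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file
type=AVC msg=audit(1431930277.989:81): avc: denied { execute_no_trans } for pid=6335 comm="S29CTDBsetup.sh" path="/bin/hostname" dev=dm-0 ino=130329 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file
type=AVC msg=audit(1431930685.534:101): avc: denied { name_connect } for pid=6458 comm="smbd" dest=24007 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=system_u:object_r:gluster_port_t:s0 tclass=tcp_socket
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def join_wrapped(text):
    """Re-join records split across lines: a line not starting with 'type='
    is the tail of the previous record (no separator, the break was mid-field)."""
    records = []
    for line in text.splitlines():
        if line.startswith("type=") or not records:
            records.append(line)
        else:
            records[-1] += line
    return records

def parse_avc(record):
    """Return (source type, target type, class, permissions) or None."""
    m = AVC_RE.search(record)
    if not m:
        return None
    stype = m.group("scontext").split(":")[2]   # user:role:type:level -> type
    ttype = m.group("tcontext").split(":")[2]
    return stype, ttype, m.group("tclass"), m.group("perms").split()

def summarize(text):
    """Group denials by (source type, target type, class) -> set of permissions."""
    rules = defaultdict(set)
    for parsed in filter(None, map(parse_avc, join_wrapped(text))):
        stype, ttype, tclass, perms = parsed
        rules[(stype, ttype, tclass)].update(perms)
    return dict(rules)

def allow_rules(rules):
    """Render each group as the allow rule audit2allow would propose, for review."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(rules.items())]
```

The rendered rules are a review aid only; whether a denial should become an allow rule, a boolean, or a relabel (as Milos suggests for /etc/ctdb/events.d/) is a policy decision.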
```
commit a30bb467a268e913e44c43a20d486a9e6ebba126
Author: Miroslav Grepl <mgrepl>
Date:   Tue May 19 12:50:03 2015 +0200

    Add new boolean samba_load_libgfapi to allow smbd load libgfapi from gluster. Allow smbd to read gluster config files by default.

commit 1636395b6882038083bd85f0799ee5d6bc7bf371
Author: Miroslav Grepl <mgrepl>
Date:   Tue May 19 12:35:05 2015 +0200

    Allow gluster to transition to smbd. It is needed for smbd+gluster configuration.

commit 8f46f8bab5be1ea8df4055e7728a715e14fab257
Author: Miroslav Grepl <mgrepl>
Date:   Tue May 19 12:51:54 2015 +0200

    Allow glusterd to have sys_ptrace capability. Needed by gluster+samba configuration.
```
Could you please test it with https://brewweb.devel.redhat.com/taskinfo?taskID=9198180

With the latest build provided today by Miroslav, https://brewweb.devel.redhat.com/buildinfo?buildID=437561, none of the AVCs are seen for gluster-samba. Verified with both enforcing mode and permissive mode. This has been verified on RHEL6.7. Need a backport for RHEL6.6, and a fix is required for RHEL7.1 as well.

Updated BZ https://bugzilla.redhat.com/show_bug.cgi?id=1221929

Clearing the needinfo flag. ;)

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-1375.html
Created attachment 1022875 [details]
Samba/CTDB SELinux policies

RHS is a layered product on top of RHEL that provides more advanced versions of Samba and CTDB (4.1.14 and 2.5.4, respectively, in the latest release). The SELinux policies should be extended to cover the needs of these versions (in addition to the current RHEL6.6 versions).

I've put together a preliminary set of policies that I believe begin to accomplish this. I took the samba and ctdb policies from RHEL7.1, commented out/renamed things that don't exist in RHEL6.6, and applied it. Samba/CTDB services ran without noticeable problems, though there were still several AVCs. I asked Milos (mmalik) for a hand in reviewing these policies, and he suggested a number of additions to the policies and configurations. I'm not sure how to include all those in RPM packaging. I'll be including his message as a reply to this BZ.

Please find the proposed policies attached as *.te and *.pp files in a tgz. They are named as follows:

- samba - Backport of RHEL7 policy
- ctdbd - Backport of RHEL7 policy (named ctdb in RHEL7)
- mypol - stray AVC I noticed, possibly RHEL7 bug?
- mypolicy - Changes/additions suggested by mmalik