Bug 1231377

Summary: new sanlock config file
Product: Red Hat Enterprise Linux 7
Component: selinux-policy
Version: 7.1
Status: CLOSED ERRATA
Severity: unspecified
Priority: unspecified
Reporter: David Teigland <teigland>
Assignee: Lukas Vrabec <lvrabec>
QA Contact: Milos Malik <mmalik>
CC: lvrabec, mgrepl, mmalik, plautrba, pvrabec, ssekidde, teigland
Target Milestone: rc
Hardware: All
OS: Linux
Fixed In Version: selinux-policy-3.13.1-39.el7
Doc Type: Bug Fix
Last Closed: 2015-11-19 10:36:57 UTC
Type: Bug

Description David Teigland 2015-06-12 21:16:49 UTC
Description of problem:

In 7.2 a config file is being added for the sanlock daemon,
/etc/sanlock/sanlock.conf

The sanlock rpm will install a sample config file.

In the past, I think that new files like this have required an update to the selinux policy for sanlock.

Comment 1 Miroslav Grepl 2015-07-16 08:09:26 UTC
What does

rpm -qf /etc/sanlock

Comment 2 Milos Malik 2015-07-16 08:16:53 UTC
# rpm -qf /etc/sanlock/
sanlock-3.2.4-1.el7.x86_64
# rpm -qf /etc/sanlock/sanlock.conf 
sanlock-3.2.4-1.el7.x86_64
#

Comment 3 Miroslav Grepl 2015-08-05 07:40:09 UTC
Is this config file writable by the sanlock daemon? If not, we don't need to add labeling.

Comment 4 David Teigland 2015-08-05 14:25:36 UTC
The spec file has:

install -D -m 0644 src/sanlock.conf \
        $RPM_BUILD_ROOT/etc/sanlock/sanlock.conf

which results in:

ls -l /etc/sanlock/sanlock.conf 
-rw-r--r--. 1 root root 648 Jun 19 12:48 /etc/sanlock/sanlock.conf

which looks standard for other files in /etc.

The sanlock daemon creates a root helper process, and then changes its uid/gid to sanlock/sanlock.

So, while running as root sanlock could write sanlock.conf, but after changing to uid sanlock, I suppose it couldn't.  I hope that answers the question.

Comment 5 Miroslav Grepl 2015-08-06 15:43:53 UTC
It does not matter from the SELinux point of view if we talk about the root or sanlock user. sanlock will have sanlock_t and will write its own config files.
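
One way to check whether the sanlock_t domain is actually being denied access to the config file, which is the question Comments 3 to 5 turn on, is to collect the AVC denials for that domain from the audit log. This is an added example, not part of the bug thread or of sanlock or selinux-policy; the log lines are constructed, and the etc_t target label is an assumption (the default type for files under /etc).

```python
import re
from collections import defaultdict

# Constructed audit.log lines (not taken from the bug report). The etc_t target
# type is an assumption: it is the default label for files under /etc.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1438789536.101:411): avc:  denied  { write } for  pid=2210 comm="sanlock" name="sanlock.conf" dev="dm-0" ino=3411 scontext=system_u:system_r:sanlock_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1438789536.101:411): arch=c000003e syscall=2 success=no exit=-13 comm="sanlock"
type=AVC msg=audit(1438789536.205:412): avc:  denied  { setattr } for  pid=2210 comm="sanlock" name="sanlock.conf" dev="dm-0" ino=3411 scontext=system_u:system_r:sanlock_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1438789540.009:413): avc:  denied  { getattr } for  pid=900 comm="httpd" path="/srv/x" dev="dm-0" ino=77 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def selinux_type(context):
    # Context is user:role:type:level; the level may contain ':' so cap the split.
    return context.split(":", 3)[2]


def denials_for_domain(log_text, domain):
    """Return {(target_type, tclass, object): set(perms)} for AVC denials
    whose source domain is `domain`. The uid of the process plays no part."""
    found = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL records and other non-denial lines
        perms = m.group(1).split()
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
        if selinux_type(fields["scontext"]) != domain:
            continue
        obj = fields.get("path") or fields.get("name", "?")
        key = (selinux_type(fields["tcontext"]), fields["tclass"], obj)
        found[key] |= set(perms)
    return dict(found)


if __name__ == "__main__":
    hits = denials_for_domain(SAMPLE_AUDIT_LOG, "sanlock_t")
    for (ttype, tclass, obj), perms in hits.items():
        print(f"sanlock_t -> {ttype}:{tclass} {{ {' '.join(sorted(perms))} }} on {obj}")
```

An empty result for sanlock_t on a system where the daemon has exercised the config file means no labeling or policy change is needed for it.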

Comment 9 errata-xmlrpc 2015-11-19 10:36:57 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2300.html