Bug 1234847

Summary: [SELinux] crond complains Unauthorized SELinux context=... when reading files labeled cifs_t, nfs_t, fusefs_t - RHEL-7.2
Product: Red Hat Enterprise Linux 7 Reporter: Milos Malik <mmalik>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: urgent Docs Contact:
Priority: high    
Version: 7.1CC: jherrman, jkurik, ksrot, lvrabec, mgrepl, mmalik, plautrba, pprakash, pvrabec, ssekidde
Target Milestone: rcKeywords: ZStream
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.13.1-30.el7 Doc Type: Bug Fix
Doc Text:
Prior to this update, the crond service was not able to read files placed on the NFS, CIFS, and FUSE file systems. This update introduces the cron_system_cronjob_use_shares Boolean, which enables crond to use these file systems. As a result, the described problem no longer occurs.
 Story Points: ---
Clone Of:
: 1238978 (view as bug list) Environment:
Last Closed: 2015-11-19 10:37:45 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1212796, 1231647, 1238978, 1239269, 1239270    
Attachments:
Description Flags
Audit log for comment 13 none

Description Milos Malik 2015-06-23 11:32:54 UTC 
Description of problem:
 * not sure if the problem is in selinux-policy or in crond
 * but there are no AVCs, USER_AVCs or SELINUX_ERRs logged

Version-Release number of selected component (if applicable):
cronie-1.4.11-13.el7.x86_64
cronie-anacron-1.4.11-13.el7.x86_64
crontabs-1.11-6.20121102git.el7.noarch
selinux-policy-3.13.1-29.el7.noarch
selinux-policy-devel-3.13.1-29.el7.noarch
selinux-policy-doc-3.13.1-29.el7.noarch
selinux-policy-minimum-3.13.1-29.el7.noarch
selinux-policy-mls-3.13.1-29.el7.noarch
selinux-policy-sandbox-3.13.1-29.el7.noarch
selinux-policy-targeted-3.13.1-29.el7.noarch

How reproducible:
always

Steps to Reproduce:
# chcon -t fusefs_t /etc/cron.d/sysstat
# service crond restart
Redirecting to /bin/systemctl restart  crond.service
# grep context /var/log/cron
Jun 23 13:29:48 rhel71 crond[7235]: ((null)) Unauthorized SELinux context=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 file_context=system_u:object_r:fusefs_t:s0 (/etc/cron.d/sysstat)
#

Actual results:
 * crond is unable to read a file placed on NFS, CIFS or FUSE filesystem

Expected results:
 * crond is able to read a file placed on NFS, CIFS or FUSE filesystem

Additional info (seen in /var/log/cron on different machines):
Jun 22 18:04:04 rhsqe-vm05 crond[32188]: ((null)) Unauthorized SELinux context=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 file_context=system_u:object_r:fusefs_t:s0 (/etc/cron.d/glusterfs_snap_cron_tasks.orig)

Jun 23 12:21:57 rhel71 crond[2176]: ((null)) Unauthorized SELinux context=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 file_context=system_u:object_r:nfs_t:s0 (/etc/cron.d/sysstat)

Jun 23 13:23:16 rhel71 crond[5101]: ((null)) Unauthorized SELinux context=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 file_context=system_u:object_r:cifs_t:s0 (/etc/cron.d/sysstat)
Comment 1 Miroslav Grepl 2015-06-23 12:10:22 UTC 
Ok this is a problem. What scenario are you testing here?

crond has a SELinux functionality to check if a job can run within a correct cronjob SELinux type. It is done using entrypoint permission. But we have fuse_t instead of system_cron_spool_t here.

allow system_cronjob_t system_cron_spool_t : file entrypoint;

If you add this rule for fuse_t it should work.
Comment 2 Milos Malik 2015-06-23 13:03:01 UTC 
# sesearch -s system_cronjob_t -t system_cron_spool_t -c file -p entrypoint -A -C
Found 1 semantic av rules:
   allow system_cronjob_t system_cron_spool_t : file { ioctl read write create getattr setattr lock append unlink link rename entrypoint open } ; 
#

You meant to add following rule, which is not present in current policy:

allow system_cronjob_t fusefs_t:file entrypoint;
Comment 4 Miroslav Grepl 2015-06-25 12:13:04 UTC 
This is not something what we want to allow by default. This is a custom setup and I am thinking either about a boolean or about a local policy shipped by Gluster.
Comment 5 Prasanth 2015-06-29 10:30:55 UTC 
(In reply to Miroslav Grepl from comment #4)
> This is not something what we want to allow by default. This is a custom
> setup and I am thinking either about a boolean or about a local policy
> shipped by Gluster.

Hi Miroslav,

If you have the above mentioned boolean or a local policy ready for testing, could you please share it in Bug 1231647 so that QE can test and confirm back?
Comment 6 Miroslav Grepl 2015-06-29 10:35:49 UTC 
Could you test it with the following local policy module

# cat mygluster.te
policy_module(mygluster, 1.0)

require{
 type gluster_t;
 type nfs_t;
 type cifs_t;
 type fusefs_t;
}

allow gluster_t nfs_t:file entrypoint;
allow gluster_t cifs_t:file entrypoint;
allow gluster_t fusefs_t:file entrypoint;

# make -f /usr/share/selinux/devel/Makefile mygluster.pp
# semodule -i mygluster.pp
Comment 7 Miroslav Grepl 2015-06-29 10:39:07 UTC 
Oops, I apologize. There it should be

# cat mygluster.te
policy_module(mygluster, 1.0)

require{
 type system_cronjob_t;
 type nfs_t;
 type cifs_t;
 type fusefs_t;
}

allow system_cronjob_t nfs_t:file entrypoint;
allow system_cronjob_t cifs_t:file entrypoint;
allow system_cronjob_t fusefs_t:file entrypoint;
Comment 8 senaik 2015-07-01 11:49:16 UTC 
Followed steps as mentioned in Comment 7 and scheduler was able to create snapshots.

 snap_scheduler.py list
JOB_NAME         SCHEDULE         OPERATION        VOLUME NAME      
--------------------------------------------------------------------
A1               */5 * * * *      Snapshot Create  vol0             


[root@rhsqe-vm06 ~]# tail -f /var/log/glusterfs/gcron.log 
[2015-07-01 12:45:19,802 gcron.py:100 doJob] INFO Job Scheduled-A1-vol0 succeeded
[2015-07-01 12:50:01,968 gcron.py:178 main] DEBUG locking_file = /var/run/gluster/shared_storage/snaps/lock_files/A1
[2015-07-01 12:50:01,969 gcron.py:179 main] DEBUG volname = vol0
[2015-07-01 12:50:01,969 gcron.py:180 main] DEBUG jobname = A1
[2015-07-01 12:50:01,981 gcron.py:96 doJob] DEBUG /var/run/gluster/shared_storage/snaps/lock_files/A1 last modified at Wed Jul  1 12:45:19 2015
[2015-07-01 12:50:01,981 gcron.py:98 doJob] DEBUG Processing job Scheduled-A1-vol0
[2015-07-01 12:50:01,982 gcron.py:68 takeSnap] DEBUG Running command 'gluster snapshot create Scheduled-A1-vol0 vol0'
[2015-07-01 12:50:20,747 gcron.py:75 takeSnap] DEBUG Command 'gluster snapshot create Scheduled-A1-vol0 vol0' returned '0'
[2015-07-01 12:50:20,747 gcron.py:83 takeSnap] INFO Snapshot of vol0 successful
[2015-07-01 12:50:20,747 gcron.py:100 doJob] INFO Job Scheduled-A1-vol0 succeeded


gluster snapshot list |wc -l 
254


getenforce
Enforcing

rpm -qa |grep selinux
libselinux-debuginfo-2.2.2-6.el7.x86_64
selinux-policy-targeted-3.13.1-29.el7.noarch
libselinux-utils-2.2.2-6.el7.x86_64
libselinux-python-2.2.2-6.el7.x86_64
selinux-policy-devel-3.13.1-29.el7.noarch
libselinux-2.2.2-6.el7.x86_64
selinux-policy-3.13.1-29.el7.noarch

I tried this on a 2 node cluster and found that only one node was picking uo the job , need to look into this further
Comment 11 senaik 2015-07-03 12:40:01 UTC 
Tried the latest policy update. With that the file /etc/cron.d/glusterfs_snap_cron_tasks is being picked up by crond. However because /etc/cron.d/gcron_update_task is created by renaming it from a tmp file created in /tmp/crontab it has a different file context which prevents it from being picked up by crond.

In order to resolve this, we need to create /etc/cron.d/gcron_update_task by renaming it from a tmp file created in /var/run/gluster/shared_storage/snaps/tmp_file.


But even with the above change I don't see crond reloading /etc/cron.d/glusterfs_snap_cron_tasks whenever the modified time of the file changes. Am not sure is this is a crond bug for rhel 7.1 or not, but it seems not to reload a file even though the file's last modified time is changed.
Comment 13 senaik 2015-07-13 12:18:57 UTC 
Installed the latest Selinux policy build, Scheduler still fails to create snapshots with SELinux in 'Enforcing' mode 

Jul 13 17:21:02 rhsqe-vm05 crond[9994]: ((null)) Unauthorized SELinux context=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 file_context=system_u:object_r:fusefs_t:s0 (/etc/cron.d/glusterfs_snap_cron_tasks)
Jul 13 17:21:02 rhsqe-vm05 crond[9994]: (root) FAILED (loading cron table)
Jul 13 17:21:02 rhsqe-vm05 CROND[10504]: (root) CMD (PATH=$PATH:/usr/local/sbin:/usr/sbin gcron.py --update)
Jul 13 17:22:01 rhsqe-vm05 CROND[10509]: (root) CMD (PATH=$PATH:/usr/local/sbin:/usr/sbin gcron.py --update)
Jul 13 17:23:01 rhsqe-vm05 CROND[10514]: (root) CMD (PATH=$PATH:/usr/local/sbin:/usr/sbin gcron.py --update)

rpm -qa |grep selinux
libselinux-utils-2.2.2-6.el7.x86_64
libselinux-python-2.2.2-6.el7.x86_64
selinux-policy-devel-3.13.1-31.el7.noarch
libselinux-2.2.2-6.el7.x86_64
selinux-policy-3.13.1-31.el7.noarch
selinux-policy-targeted-3.13.1-31.el7.noarch

Set SELinux to 'Permissive' and Scheduler creates snapshots successfully. 

Moving the bug back to 'Assigned'
Comment 14 senaik 2015-07-13 12:28:46 UTC 
Created attachment 1051390 [details]
Audit log for comment 13
Comment 15 Milos Malik 2015-07-13 13:11:33 UTC 
Does it work when you enable the cron_system_cronjob_use_shares boolean?
Comment 18 senaik 2015-07-15 09:21:07 UTC 
I have enabled the boolean as mentioned and Scheduler is able to create snapshots 

getsebool -a |grep cron_system_cronjob_use_shares
cron_system_cronjob_use_shares --> on

rpm -qa |grep selinux
libselinux-2.2.2-6.el7.x86_64
libselinux-python-2.2.2-6.el7.x86_64
selinux-policy-targeted-3.13.1-32.el7.noarch
libselinux-utils-2.2.2-6.el7.x86_64
selinux-policy-3.13.1-32.el7.noarch

snap_scheduler.py list
JOB_NAME         SCHEDULE         OPERATION        VOLUME NAME      
--------------------------------------------------------------------
RHEL7_JOB1       */5 * * * *      Snapshot Create  volume0     

gluster snapshot list 
Scheduled-RHEL7_JOB1-volume0_GMT-2015.07.15-07.45.01
Scheduled-RHEL7_JOB1-volume0_GMT-2015.07.15-07.50.01
Scheduled-RHEL7_JOB1-volume0_GMT-2015.07.15-07.55.01
Scheduled-RHEL7_JOB1-volume0_GMT-2015.07.15-08.00.01
Scheduled-RHEL7_JOB1-volume0_GMT-2015.07.15-08.05.01
Scheduled-RHEL7_JOB1-volume0_GMT-2015.07.15-08.10.01
Scheduled-RHEL7_JOB1-volume0_GMT-2015.07.15-08.15.01


[2015-07-15 14:50:01,627 gcron.py:96 doJob] DEBUG /var/run/gluster/shared_storage/snaps/lock_files/RHEL7_JOB1 last modified at Wed Jul 15 14:45:05 2015
[2015-07-15 14:50:01,628 gcron.py:98 doJob] DEBUG Processing job Scheduled-RHEL7_JOB1-volume0
[2015-07-15 14:50:01,628 gcron.py:68 takeSnap] DEBUG Running command 'gluster snapshot create Scheduled-RHEL7_JOB1-volume0 volume0'
[2015-07-15 14:50:05,869 gcron.py:75 takeSnap] DEBUG Command 'gluster snapshot create Scheduled-RHEL7_JOB1-volume0 volume0' returned '0'
[2015-07-15 14:50:05,870 gcron.py:83 takeSnap] INFO Snapshot of volume0 successful
[2015-07-15 14:50:05,871 gcron.py:100 doJob] INFO Job Scheduled-RHEL7_JOB1-volume0 succeeded
Comment 19 senaik 2015-07-15 09:22:12 UTC 
cleared need info while adding comment18, adding it back
Comment 23 errata-xmlrpc 2015-11-19 10:37:45 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2300.html