Bug 1235637

Summary: [SELinux] SMB: SELinux policy to be set for /usr/sbin/ctdbd_wrapper - RHEL-7.2
Product: Red Hat Enterprise Linux 7
Reporter: Prasanth <pprakash>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED CANTFIX
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: urgent
Docs Contact:
Priority: unspecified
Version: 7.1
CC: jkurik, lvrabec, mgrepl, mmalik, nlevinki, plautrba, pprakash, pvrabec, rhs-smb, sbhaloth, ssekidde
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 1235613
Environment:
Last Closed: 2015-07-03 07:38:23 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1235613
Bug Blocks: 1212796

Description Prasanth 2015-06-25 11:56:07 UTC
+++ This bug was initially created as a clone of Bug #1235613 +++

Description of problem:
**************************************
CTDB nodes not coming to healthy state after starting ctdb service.
SELinux is set to enforcing.

type=AVC msg=audit(06/25/2015 02:45:46.844:2625) : avc:  denied  { write } for  pid=22921 comm=net name=ctdbd.socket dev=dm-0 ino=1443389 scontext=unconfined_u:system_r:samba_net_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file 

If we check the context of the socket file:
srwx------. root root unconfined_u:object_r:var_run_t:s0 /var/run/ctdb/ctdbd.socket

After running restorecon -R -v /var/run/ctdb/ctdbd.socket we again get the correct context.

After analysis and debugging by the development team it looks like the ctdb context has to be set on /usr/sbin/ctdbd_wrapper, because this is what creates the /var/run/ctdb directory and the context is then applied to the contents of this directory.
When we tried setting the context for /usr/sbin/ctdbd_wrapper, removing /var/run/ctdb and then starting the ctdb service, it worked fine.

So we need the same attributes to be set for /usr/sbin/ctdbd_wrapper as is done for /usr/sbin/ctdbd.

Version-Release number of selected component (if applicable):
rpm -qa | grep ctdb
ctdb2.5-2.5.5-2.el6rhs.x86_64


How reproducible:
Always

Steps to Reproduce:
1. Install RHEL6.7, the latest gluster rpms, and the latest samba and ctdb rpms
2. Do the ctdb setup
3. Start the ctdb service

Actual results:
CTDB fails to start smb service and remains in UNHEALTHY state.

Expected results:
CTDB should be able to start smb service and should come to HEALTHY state.


Additional info:

--- Additional comment from Red Hat Bugzilla Rules Engine on 2015-06-25 06:23:02 EDT ---

This bug is automatically being proposed for Red Hat Gluster Storage 3.1.0 by setting the release flag 'rhgs-3.1.0' to '?'.

If this bug should be proposed for a different release, please manually change the proposed release flag.

--- Additional comment from surabhi on 2015-06-25 06:45:16 EDT ---

Comment 1 Milos Malik 2015-06-25 12:29:20 UTC
It would be better if the /var/run/ctdb directory were part of the ctdb RPM package. The directory would be labeled correctly during the package installation. The ctdbd.socket file in the /var/run/ctdb directory would inherit its label from the directory, which is the default behavior.
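
As an added example (not code from the bug report, ctdb, or selinux-policy), a small Python triage helper that parses the AVC record quoted in the description and applies the reasoning from the description and Comment 1: a target carrying the generic var_run_t type points at a mislabeled object (fixed by restorecon, or by having the package own the directory so it is labeled at install time), not at a missing policy rule. Treating var_run_t as the only "generic" type is an assumption of this example.

```python
import re

# Constructed sample: the AVC record quoted in the bug report, in the
# enriched format printed by `ausearch -i`.
SAMPLE_AVC = (
    "type=AVC msg=audit(06/25/2015 02:45:46.844:2625) : avc:  denied  { write } "
    "for  pid=22921 comm=net name=ctdbd.socket dev=dm-0 ino=1443389 "
    "scontext=unconfined_u:system_r:samba_net_t:s0 "
    "tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file"
)

# Assumption: a denial whose target has the generic var_run_t type means the
# object was created by a process with no file transition rule and is simply
# mislabeled, rather than the policy lacking an allow rule.
GENERIC_RUN_TYPES = {"var_run_t"}

_AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$"
)


def parse_avc(line):
    """Parse one AVC audit record into a dict; None if the line is not an AVC record."""
    m = _AVC_RE.search(line)
    if not m:
        return None
    # the remainder is a sequence of key=value tokens
    fields = dict(re.findall(r"(\w+)=(\S+)", m.group("fields")))
    rec = {
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        "name": fields.get("name"),
        "tclass": fields.get("tclass"),
    }
    # a context is user:role:type:level; the type is what the policy keys on
    rec["source_type"] = fields["scontext"].split(":")[2]
    rec["target_type"] = fields["tcontext"].split(":")[2]
    return rec


def triage(rec):
    """Classify a parsed denial as a labeling problem or a policy gap."""
    if rec["target_type"] in GENERIC_RUN_TYPES:
        return "mislabeled: restorecon the object or ship its parent directory in the package"
    return "policy: target has its intended type, an allow rule or transition is missing"
```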

Comment 3 Miroslav Grepl 2015-07-03 07:38:23 UTC
This is not a selinux-policy bug.