Bug 1238066
| Summary: | libStorageMgmt: SELinux is preventing MegaRAID plugin | |||
|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Gris Ge <fge> | |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> | |
| Status: | CLOSED ERRATA | QA Contact: | Marek Haicman <mhaicman> | |
| Severity: | low | Docs Contact: | ||
| Priority: | low | |||
| Version: | 7.2 | CC: | bgoncalv, fge, lvrabec, mgrepl, mhaicman, mmalik, plautrba, pvrabec, riehecky, ssekidde, tasleson | |
| Target Milestone: | rc | |||
| Target Release: | --- | |||
| Hardware: | x86_64 | |||
| OS: | Linux | |||
| Whiteboard: | ||||
| Fixed In Version: | selinux-policy-3.13.1-94.el7 | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 1331750 | Environment: | ||
| Last Closed: | 2016-11-04 02:19:29 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 1331750 | |||
|
Description
Gris Ge
2015-07-01 06:42:15 UTC
I will postpone the log posting until you guys decide to include SELinux policy for third party binary tools.

Comment
Could you attach SELinux messages? Thank you.

Comment
```
[root@storageqe-07 ~]# grep storcli /var/log/audit/audit.log
type=AVC msg=audit(1452664291.807:87): avc: denied { create } for pid=2524 comm="storcli64" name="megaraid_sas_ioctl_node" scontext=system_u:system_r:lsmd_plugin_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1452664291.807:87): arch=c000003e syscall=133 success=no exit=-13 a0=9e6c7a a1=2100 a2=f800 a3=29cef90 items=0 ppid=2523 pid=2524 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="storcli64" exe="/opt/MegaRAID/storcli/storcli64" subj=system_u:system_r:lsmd_plugin_t:s0 key=(null)
type=AVC msg=audit(1452664291.817:88): avc: denied { create } for pid=2525 comm="storcli64" name="megaraid_sas_ioctl_node" scontext=system_u:system_r:lsmd_plugin_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1452664291.817:88): arch=c000003e syscall=133 success=no exit=-13 a0=9e6c7a a1=2100 a2=f800 a3=2bf2350 items=0 ppid=2523 pid=2525 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="storcli64" exe="/opt/MegaRAID/storcli/storcli64" subj=system_u:system_r:lsmd_plugin_t:s0 key=(null)
type=AVC msg=audit(1452664444.087:115): avc: denied { create } for pid=2575 comm="storcli64" name="megaraid_sas_ioctl_node" scontext=system_u:system_r:lsmd_plugin_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1452664444.087:115): arch=c000003e syscall=133 success=yes exit=0 a0=9e6c7a a1=2100 a2=f800 a3=1146f90 items=0 ppid=2574 pid=2575 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="storcli64" exe="/opt/MegaRAID/storcli/storcli64" subj=system_u:system_r:lsmd_plugin_t:s0 key=(null)
type=AVC msg=audit(1452664444.087:116): avc: denied { read } for pid=2575 comm="storcli64" name="megaraid_sas_ioctl_node" dev="devtmpfs" ino=20068 scontext=system_u:system_r:lsmd_plugin_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1452664444.087:116): avc: denied { open } for pid=2575 comm="storcli64" path="/dev/megaraid_sas_ioctl_node" dev="devtmpfs" ino=20068 scontext=system_u:system_r:lsmd_plugin_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1452664444.087:116): arch=c000003e syscall=2 success=yes exit=5 a0=9e6c7a a1=0 a2=f800 a3=1146f90 items=0 ppid=2574 pid=2575 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="storcli64" exe="/opt/MegaRAID/storcli/storcli64" subj=system_u:system_r:lsmd_plugin_t:s0 key=(null)
type=AVC msg=audit(1452664444.087:117): avc: denied { ioctl } for pid=2575 comm="storcli64" path="/dev/megaraid_sas_ioctl_node" dev="devtmpfs" ino=20068 scontext=system_u:system_r:lsmd_plugin_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1452664444.087:117): arch=c000003e syscall=16 success=yes exit=0 a0=5 a1=c1944d01 a2=11495f0 a3=1149604 items=0 ppid=2574 pid=2575 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="storcli64" exe="/opt/MegaRAID/storcli/storcli64" subj=system_u:system_r:lsmd_plugin_t:s0 key=(null)
type=AVC msg=audit(1452664444.098:118): avc: denied { getattr } for pid=2576 comm="storcli64" path="/dev/megaraid_sas_ioctl_node" dev="devtmpfs" ino=20068 scontext=system_u:system_r:lsmd_plugin_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1452664444.098:118): arch=c000003e syscall=4 success=yes exit=0 a0=9e6c7a a1=7ffc21c07100 a2=7ffc21c07100 a3=2329350 items=0 ppid=2574 pid=2576 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="storcli64" exe="/opt/MegaRAID/storcli/storcli64" subj=system_u:system_r:lsmd_plugin_t:s0 key=(null)

[root@storageqe-07 ~]# cat mypol.te
module mypol 1.0;

require {
	type lsmd_plugin_t;
	type device_t;
	class chr_file { read create open ioctl getattr };
}

#============= lsmd_plugin_t ==============
allow lsmd_plugin_t device_t:chr_file { read create open ioctl getattr };
```
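The audit2allow module above would grant lsmd_plugin_t access to every character device still labelled device_t, which is why the eventual fix used a named file transition to fixed_disk_device_t instead. As an added example (not from this bug or the libstoragemgmt project), the Python script below groups AVC denials the way audit2allow does and flags any resulting rule whose target is a generic catch-all type; SAMPLE_AUDIT is constructed in the shape of the records attached above, and GENERIC_TYPES is an assumed list.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the AVC records attached to this bug
# (the real log also carries SYSCALL records, which the parser must skip).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1452664291.807:87): avc: denied { create } for pid=2524 comm="storcli64" name="megaraid_sas_ioctl_node" scontext=system_u:system_r:lsmd_plugin_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1452664291.807:87): arch=c000003e syscall=133 success=no exit=-13 comm="storcli64" exe="/opt/MegaRAID/storcli/storcli64" subj=system_u:system_r:lsmd_plugin_t:s0 key=(null)
type=AVC msg=audit(1452664444.087:116): avc: denied { read } for pid=2575 comm="storcli64" name="megaraid_sas_ioctl_node" dev="devtmpfs" ino=20068 scontext=system_u:system_r:lsmd_plugin_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1452664444.087:116): avc: denied { open } for pid=2575 comm="storcli64" path="/dev/megaraid_sas_ioctl_node" dev="devtmpfs" ino=20068 scontext=system_u:system_r:lsmd_plugin_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
"""

AVC_RE = re.compile(
    r"type=AVC .*?avc: +denied +\{ (?P<perms>[^}]+)\} .*?"
    r"scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)"
)

# Assumed list of catch-all object types: allowing a domain access to one of
# these covers every object carrying that label, not just the node it needs.
GENERIC_TYPES = {"device_t", "file_t", "unlabeled_t", "default_t"}


def type_of(context):
    """Extract the type field from a user:role:type:level security context."""
    return context.split(":")[2]


def summarize_avc(text):
    """Group denied permissions by (source type, target type, object class)."""
    needed = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:  # SYSCALL and other record types do not match
            key = (type_of(m["scon"]), type_of(m["tcon"]), m["tclass"])
            needed[key].update(m["perms"].split())
    return {k: sorted(v) for k, v in needed.items()}


def review(summary):
    """Render each group as the allow rule audit2allow would emit, plus advice."""
    out = []
    for (src, tgt, cls), perms in summary.items():
        rule = f"allow {src} {tgt}:{cls} {{ {' '.join(perms)} }};"
        if tgt in GENERIC_TYPES:
            advice = (f"{tgt} is a generic type: label the object, or add a "
                      f"filetrans rule to a specific type, rather than allow {tgt}")
        else:
            advice = "ok"
        out.append((rule, advice))
    return out


if __name__ == "__main__":
    for rule, advice in review(summarize_avc(SAMPLE_AUDIT)):
        print(rule, "#", advice)
```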
Comment #6 (Miroslav Grepl)
Is this a default plugin?

storage_dev_filetrans_named_fixed_disk(lsmd_plugin_t)

will fix it. We probably want to think to make lsmd_plugin_t as untrusted - unconfined_domain.

Comment
I'm going to add rule storage_dev_filetrans_named_fixed_disk(lsmd_plugin_t) to the policy. If I find more troubles around these plugins, I'll make this domain unconfined.

Comment
This bug was accidentally moved from POST to MODIFIED via an error in automation, please see mmccune with any questions.

Comment #10 (Gris Ge)
(In reply to Miroslav Grepl from comment #6)
> Is this a default plugin?
>
> storage_dev_filetrans_named_fixed_disk(lsmd_plugin_t)
>
> will fix it. We probably want to think to make lsmd_plugin_t as untrusted -
> unconfined_domain.

There is no default plugin for libstoragemgmt.
But since we ship this plugin along with others, maybe we should make sure SELinux does not stop users from using this plugin.

Comment
(In reply to Gris Ge from comment #10)
> (In reply to Miroslav Grepl from comment #6)
> > Is this a default plugin?
> >
> > storage_dev_filetrans_named_fixed_disk(lsmd_plugin_t)
> >
> > will fix it. We probably want to think to make lsmd_plugin_t as untrusted -
> > unconfined_domain.
>
> There is no default plugin for libstoragemgmt.
> But since we ship this plugin along with others, maybe we should make sure
> SELinux does not stop user from using this plugin.

Do we have more SELinux problems with libstoragemgmt plugins? We need to find a balance between security and usability, so making libstoragemgmt an unconfined domain is the last step here.

Comment
libstoragemgmt plugins:

* libstoragemgmt-hpsa-plugin
  Invokes the 'hpssacli' HP binary tool with root privilege. Check bug #1238079 for detail.
* libstoragemgmt-megaraid-plugin
  Invokes 'storcli' or 'perccli' from the LSI/Dell binary tool with root privilege. Current bug.
* libstoragemgmt-netapp-plugin
  Runs as non-privileged user -- libstoragemgmt, accesses the http/https service of the NetApp array.
* libstoragemgmt-nstor-plugin
  Runs as non-privileged user -- libstoragemgmt, accesses port 2000 or 8457 of the Nexenta array.
* libstoragemgmt-smis-plugin
  Runs as non-privileged user -- libstoragemgmt, accesses port 5988 or 5989 of the SMI-S provider.
* libstoragemgmt-targetd-plugin
  Runs as non-privileged user -- libstoragemgmt, accesses port 18700 of the remote targetd daemon.
* Built-in plugins -- simc and sim, packaged in libstoragemgmt and libstoragemgmt-python
  Run as non-privileged user -- libstoragemgmt, read and write the local file /tmp//lsm_sim_data.

We might have more SELinux issues as the libstoragemgmt library might invoke the SG_IO ioctl against /dev/sdX. Will report a new bug and update here if found. Besides that, I believe we are all good now on SELinux issues if this bug is fixed.

Comment
Functional testing confirmed the fix in the version selinux-policy-3.13.1-94.el7.noarch

Sanity check passing too.

```
:: [ INFO ] :: selinux-policy-3.13.1-97.el7.noarch
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: bz#1238066
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ PASS ] :: Result of matchpathcon /dev/megaraid_sas_ioctl_node should contain fixed_disk_device_t (Assert: expected 0, got 0)
:: [ INFO ] :: checking rule 'type_transition lsmd_plugin_t device_t : chr_file fixed_disk_device_t megaraid_sas_ioctl_node'
:: [ PASS ] :: check permission 'fixed_disk_device_t' is present (Assert: '0' should equal '0')
:: [ INFO ] :: checking rule 'allow lsmd_plugin_t ldconfig_exec_t:file { execute_no_trans getattr }'
:: [ PASS ] :: check permission 'execute_no_trans' is present (Assert: '0' should equal '0')
:: [ PASS ] :: check permission 'getattr' is present (Assert: '0' should equal '0')
:: [ INFO ] :: checking rule 'allow lsmd_plugin_t fixed_disk_device_t:chr_file create'
:: [ PASS ] :: check permission 'create' is present (Assert: '0' should equal '0')
:: [ LOG ] :: Duration: 1s
:: [ LOG ] :: Assertions: 5 good, 0 bad
:: [ PASS ] :: RESULT: bz#1238066
```

Comment
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2283.html