Bug 1238079
| Field | Value |
|---|---|
| Summary | libStorageMgmt: SELinux is preventing HP SmartArray plugin |
| Product | Red Hat Enterprise Linux 7 |
| Reporter | Gris Ge <fge> |
| Component | selinux-policy |
| Assignee | Lukas Vrabec <lvrabec> |
| Status | CLOSED ERRATA |
| QA Contact | Milos Malik <mmalik> |
| Severity | low |
| Priority | low |
| Version | 7.2 |
| CC | bgoncalv, fge, lvrabec, mgrepl, mmalik, plautrba, pvrabec, ssekidde, tasleson |
| Target Milestone | rc |
| Target Release | --- |
| Hardware | x86_64 |
| OS | Linux |
| Fixed In Version | selinux-policy-3.13.1-50.el7 |
| Doc Type | Bug Fix |
| Last Closed | 2015-11-19 10:38:34 UTC |
| Type | Bug |
Description
Gris Ge
2015-07-01 07:19:23 UTC
Could you attach AVC messages?

Created attachment 1052690 [details]
LibStorageMgmt hpsa plugin selinux AVC logs.
Since we have 12 AVC reports, I created a tarball.
Let me know if you prefer the copy & paste way.

Lukas, could you check these AVCs and see if we can add fixes to 7.2?

Yes, we can add these rules to 7.2.

Hi,
There is one rule:
allow lsmd_plugin_t fixed_disk_device_t:blk_file { read write open };
fixed_disk_device_t is the label on these files:
$ sudo semanage fcontext -l | grep fixed_disk_device_t
/dev/(raw/)?rawctl character device system_u:object_r:fixed_disk_device_t:s0
/dev/[shmxv]d[^/]* block device system_u:object_r:fixed_disk_device_t:s0
/dev/\.tmp-block-.* character device system_u:object_r:fixed_disk_device_t:s0
/dev/ataraid/.* block device system_u:object_r:fixed_disk_device_t:s0
/dev/bcache[0-9]+ block device system_u:object_r:fixed_disk_device_t:s0
/dev/cciss/[^/]* block device system_u:object_r:fixed_disk_device_t:s0
/dev/dasd[^/]* block device system_u:object_r:fixed_disk_device_t:s0
/dev/dasd[^/]* character device system_u:object_r:fixed_disk_device_t:s0
/dev/device-mapper character device system_u:object_r:fixed_disk_device_t:s0
/dev/dm-[0-9]+ block device system_u:object_r:fixed_disk_device_t:s0
/dev/drbd[^/]* block device system_u:object_r:fixed_disk_device_t:s0
/dev/etherd/.+ block device system_u:object_r:fixed_disk_device_t:s0
/dev/flash[^/]* block device system_u:object_r:fixed_disk_device_t:s0
/dev/i2o/hd[^/]* block device system_u:object_r:fixed_disk_device_t:s0
/dev/ida/[^/]* block device system_u:object_r:fixed_disk_device_t:s0
/dev/initrd block device system_u:object_r:fixed_disk_device_t:s0
/dev/jsfd block device system_u:object_r:fixed_disk_device_t:s0
/dev/jsflash character device system_u:object_r:fixed_disk_device_t:s0
/dev/loop.* block device system_u:object_r:fixed_disk_device_t:s0
/dev/lvm character device system_u:object_r:fixed_disk_device_t:s0
/dev/mapper/.* block device system_u:object_r:fixed_disk_device_t:s0
/dev/md/.* block device system_u:object_r:fixed_disk_device_t:s0
/dev/megadev.* character device system_u:object_r:fixed_disk_device_t:s0
/dev/megaraid_sas_ioctl_node character device system_u:object_r:fixed_disk_device_t:s0
/dev/mtd.* block device system_u:object_r:fixed_disk_device_t:s0
/dev/nb[^/]+ block device system_u:object_r:fixed_disk_device_t:s0
/dev/ps3d.* block device system_u:object_r:fixed_disk_device_t:s0
/dev/ram.* block device system_u:object_r:fixed_disk_device_t:s0
/dev/raw/raw[0-9]+ character device system_u:object_r:fixed_disk_device_t:s0
/dev/rd.* block device system_u:object_r:fixed_disk_device_t:s0
/dev/root block device system_u:object_r:fixed_disk_device_t:s0
/dev/scramdisk/.* block device system_u:object_r:fixed_disk_device_t:s0
/dev/tw[a-z][^/]* character device system_u:object_r:fixed_disk_device_t:s0
/dev/ubd[^/]* block device system_u:object_r:fixed_disk_device_t:s0
/dev/vd[^/]* block device system_u:object_r:fixed_disk_device_t:s0
/dev/xvd[^/]* block device system_u:object_r:fixed_disk_device_t:s0
/lib/udev/devices/loop.* block device system_u:object_r:fixed_disk_device_t:s0
/usr/lib/udev/devices/loop.* block device system_u:object_r:fixed_disk_device_t:s0
Is it really necessary to write to these devices?

commit abac06ff2d2c21a6a92dbf60e1c2e19ed2cf796d
Author: Lukas Vrabec <lvrabec>
Date: Wed Aug 5 12:27:18 2015 +0200

Allow lsm_plugin_t to rw raw_fixed_disk.
Resolves:#1238079

commit cba244bf08396e23ec7e56c8c63f7654cf77c20b
Author: Lukas Vrabec <lvrabec>
Date: Wed Aug 5 11:13:56 2015 +0200

Allow lsm_plugin_t to read sysfs, read hwdata, rw to scsi_generic_device
Resolves: #1238079
Hi Lukas,
Based on the code of the HP open-source tool (cciss_vol_status, not the binary tool
hpssacli we use here), they need write access to /dev/sgX (char device)
and /dev/sdX (block device) in order to issue the query IOCTL.
The manpage of 'hpsa(4)' mentions this:
============
Supported ioctl() operations
CCISS_PASSTHRU, CCISS_BIG_PASSTHRU
Allows "BMIC" and "CISS" commands to be passed through to the Smart Array.
These are used extensively by the HP Array Configuration Utility, SNMP
storage agents, etc. See cciss_vol_status at ⟨http://cciss.sf.net⟩ for
some examples.
============
Hi Lukas,

Instead of giving lsmd_plugin_t (all lsm plugins) this wide permission, is there any way to limit this permission only to /usr/lib/python2.7/site-packages/lsm/plugin/hpsa/hpsa.py?

Thank you.

(In reply to Gris Ge from comment #9)
> Hi Lukas,
>
> In stead of giving lsmd_plugin_t (all lsm plugin) for this wide
> permission, is there anyway to limit this permission only for:
> /usr/lib/python2.7/site-packages/lsm/plugin/hpsa/hpsa.py
> ?
>
> Thank you.

Yes, but I don't see it as a big security advantage. Basically we treat all these plugins under lsmd_plugin_t. So I am fine with the fixes in -39.el7.

Hi Milos Malik,
Still got warnings on selinux-policy-targeted-3.13.1-47.el7.noarch.
But 'sealert' failed (existing bug?) to provide detailed information:
====
[root@hp-dl360pgen8-08 ~]# grep 'sealert -l ' /var/log/messages |perl -ne 'print "$1\n" if /(sealert -l.+)$/'|sort -u
sealert -l 8666433b-b792-4f7e-a40a-10c53fb01940
sealert -l e44c22f1-19c6-45fd-a6f6-f7b166525ab1
[root@hp-dl360pgen8-08 ~]# sealert -l 8666433b-b792-4f7e-a40a-10c53fb01940
failed to connect to server: No such file or directory
[root@hp-dl360pgen8-08 ~]# sealert -l e44c22f1-19c6-45fd-a6f6-f7b166525ab1
failed to connect to server: No such file or directory
====
/var/log/audit/audit.log contains:
====
type=AVC msg=audit(1442214534.788:6114): avc: denied { sys_admin } for pid=21374 comm="hpssacli" capability=21 scontext=system_u:system_r:lsmd_plugin_t:s0 tcontext=system_u:system_r:lsmd_plugin_t:s0 tclass=capability
type=SYSCALL msg=audit(1442214534.788:6114): arch=c000003e syscall=2 success=yes exit=5 a0=7f5728047708 a1=2 a2=7f57309f23f8 a3=3 items=0 ppid=21351 pid=21374 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="hpssacli" exe="/opt/hp/hpssacli/bld/hpssacli" subj=system_u:system_r:lsmd_plugin_t:s0 key=(null)
type=AVC msg=audit(1442214641.159:6116): avc: denied { getattr } for pid=21704 comm="hpssacli" name="/" dev="sysfs" ino=1 scontext=system_u:system_r:lsmd_plugin_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=filesystem
type=SYSCALL msg=audit(1442214641.159:6116): arch=c000003e syscall=137 success=yes exit=0 a0=7f3538013a48 a1=7f353fb1bd30 a2=fffffffffff473b8 a3=7f353fb1bb60 items=0 ppid=21702 pid=21704 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="hpssacli" exe="/opt/hp/hpssacli/bld/hpssacli" subj=system_u:system_r:lsmd_plugin_t:s0 key=(null)
====
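The AVC records above are what Lukas turned into allow rules. As an added example (not code from this bug or from selinux-policy), the script below parses such records the way audit2allow does, merges them into the smallest set of allow rules, and flags the two grants a policy reviewer should question: CAP_SYS_ADMIN, and write on a device label that covers many device nodes (the concern Gris raises about giving all of lsmd_plugin_t the permission). The sample log embeds the two AVC lines from this comment plus one constructed blk_file denial matching the rule quoted earlier in the bug.

```python
import re
from collections import defaultdict

# Constructed sample: the two AVC records from the bug (SYSCALL records
# omitted) plus one constructed blk_file denial for fixed_disk_device_t.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1442214534.788:6114): avc: denied { sys_admin } for pid=21374 comm="hpssacli" capability=21 scontext=system_u:system_r:lsmd_plugin_t:s0 tcontext=system_u:system_r:lsmd_plugin_t:s0 tclass=capability
type=AVC msg=audit(1442214641.159:6116): avc: denied { getattr } for pid=21704 comm="hpssacli" name="/" dev="sysfs" ino=1 scontext=system_u:system_r:lsmd_plugin_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=filesystem
type=AVC msg=audit(1442214700.000:6120): avc: denied { read write open } for pid=21800 comm="hpssacli" name="sda" dev="devtmpfs" scontext=system_u:system_r:lsmd_plugin_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
"""

AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)')

def type_of(context):
    """Return the type field of a user:role:type:level context string."""
    return context.split(':')[2]

def parse_denials(log_text):
    """Extract (source_type, target_type, tclass, perms) from AVC denied records."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other record types carry no permission info
        denials.append((type_of(m['scon']), type_of(m['tcon']),
                        m['tclass'], frozenset(m['perms'].split())))
    return denials

def allow_rules(denials):
    """Merge denials into minimal allow rules (the audit2allow approach)."""
    merged = defaultdict(set)
    for stype, ttype, tclass, perms in denials:
        target = 'self' if stype == ttype else ttype  # same domain -> self
        merged[(stype, target, tclass)] |= perms
    rules = []
    for (stype, target, tclass), perms in sorted(merged.items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'
        rules.append(f'allow {stype} {target}:{tclass} {perm_str};')
    return rules

def review_rules(denials):
    """Flag grants a policy reviewer should question before adding them."""
    findings = []
    for stype, ttype, tclass, perms in denials:
        if tclass == 'capability' and 'sys_admin' in perms:
            findings.append(f'{stype}: CAP_SYS_ADMIN is near-root; find the ioctl that needs it')
        if tclass in ('blk_file', 'chr_file') and 'write' in perms:
            findings.append(f'{stype}: write on {ttype} covers every device node with that label')
    return findings
```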
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2015-2300.html