Bug 1247114
| Summary: | SELinux is preventing /usr/bin/lsmd from using the setuid capability | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Bruno Goncalves <bgoncalv> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 7.2 | CC: | bgoncalv, fge, lvrabec, mgrepl, mmalik, plautrba, pvrabec, ssekidde |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | selinux-policy-3.13.1-39.el7 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2015-11-19 10:42:18 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
It works well with selinux-policy-3.13.1-33.el7.noarch
# getenforce
Enforcing
# service libstoragemgmt status
Redirecting to /bin/systemctl status libstoragemgmt.service
● libstoragemgmt.service - libstoragemgmt plug-in server daemon
Loaded: loaded (/usr/lib/systemd/system/libstoragemgmt.service; enabled; vendor preset: enabled)
Active: active (running) since Mon 2015-07-27 07:32:41 EDT; 4s ago
Main PID: 5043 (lsmd)
CGroup: /system.slice/libstoragemgmt.service
└─5043 /usr/bin/lsmd -d
Jul 27 07:32:41 lenovo-rd230-03.lab.bos.redhat.com systemd[1]: Started libstoragemgmt plug-in server daemon.
Jul 27 07:32:41 lenovo-rd230-03.lab.bos.redhat.com systemd[1]: Starting libstoragemgmt plug-in server daemon...
You can find following lines in /usr/lib/systemd/system/libstoragemgmt.service:
[Service]
ExecStart=/usr/bin/lsmd -d
ExecReload=/bin/kill -HUP $MAINPID
StandardError=syslog
User=root
I changed "User=root" to "User=libstoragemgmt" and the AVC stopped appearing.
# rpm -q --scripts libstoragemgmt | grep -C2 useradd
getent group libstoragemgmt >/dev/null || groupadd -r libstoragemgmt
getent passwd libstoragemgmt >/dev/null || \
useradd -r -g libstoragemgmt -d /var/run/lsm -s /sbin/nologin \
-c "daemon account for libstoragemgmt" libstoragemgmt
postinstall scriptlet (using /bin/sh):
#
The lsmd process starts successfully via systemctl and it runs as:
# ps -efZ | grep lsmd
system_u:system_r:lsmd_t:s0 libstor+ 27766 1 0 14:18 ? 00:00:00 /usr/bin/lsmd -d
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 28093 4462 0 14:24 pts/0 00:00:00 grep --color=auto lsmd
#
There seems to be a dedicated user/group for running the daemon.
Gris, Could you check what is the right user to run lsmd? Hi Milos Malik,
The lsmd is running as root by default[1], unless plugin require root
privilege[2], the plugin will run in libstoragemgmt/libstoragemgmt
user/group.
So, please allow lsmd running as root in order to support
libstoragemgmt-plugin-hpsa and libstoragemgmt-plugin-megaraid.
Let me know if you need more detail.
[1] The 'lsmd.conf' is controlling it. Check manpage lsmd.conf(5) for detail.
[2] libstoragemgmt-plugin-hpsa and libstoragemgmt-plugin-megaraid require root
privilege to run local command as root user. They will indicate that
in their plugin configuration file. Other plugins will still running as
unprivileged user.
Removing 'Regression' tag as this is caused by an expected change
in libstoragemgmt 1.2(rebase in RHEL 7.2):
Since libstoragemgmt version 1.2, we need root privileged to support
hardware RAID support:
libstoragemgmt-plugin-hpsa and libstoragemgmt-plugin-megaraid
We still run other plugins as unprivileged user.
User could force lsmd and all plugins to run as unprivileged user
via /etc/lsm/lsmd.conf, please check manpage lsmd.conf(5) for detail.
commit fd65f7ea8eda195598e555819dc4e931ed6420c1
Author: Miroslav Grepl <mgrepl>
Date: Fri Aug 7 12:00:59 2015 +0200
Allow lsmd also setuid capability. Some commands need to executed under root privs. Other commands are executed under unprivileged user.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2015-2300.html |
Description of problem: SElinux is preventing libstoragemgmt service (lsmd) to start. Version-Release number of selected component (if applicable): selinux-policy-3.13.1-34.el7.noarch libstoragemgmt-1.2.3-3.el7.x86_64 How reproducible: 100% Steps to Reproduce: 1.# service libstoragemgmt start Redirecting to /bin/systemctl start libstoragemgmt.service 2.# service libstoragemgmt status Redirecting to /bin/systemctl status libstoragemgmt.service ● libstoragemgmt.service - libstoragemgmt plug-in server daemon Loaded: loaded (/usr/lib/systemd/system/libstoragemgmt.service; enabled; vendor preset: enabled) Active: failed (Result: exit-code) since Mon 2015-07-27 07:26:43 EDT; 18s ago Process: 4298 ExecStart=/usr/bin/lsmd -d (code=exited, status=1/FAILURE) Main PID: 4298 (code=exited, status=1/FAILURE) Jul 27 07:26:43 lenovo-rd230-03.lab.bos.redhat.com systemd[1]: Started libstoragemgmt plug-in server daemon. Jul 27 07:26:43 lenovo-rd230-03.lab.bos.redhat.com systemd[1]: Starting libstoragemgmt plug-in server daemon... Jul 27 07:26:43 lenovo-rd230-03.lab.bos.redhat.com lsmd[4298]: Unexpected error on setuid(errno 1) Jul 27 07:26:43 lenovo-rd230-03.lab.bos.redhat.com systemd[1]: libstoragemgmt.service: main process exited, code=exited, status=1/FAILURE Jul 27 07:26:43 lenovo-rd230-03.lab.bos.redhat.com systemd[1]: Unit libstoragemgmt.service entered failed state. Jul 27 07:26:43 lenovo-rd230-03.lab.bos.redhat.com systemd[1]: libstoragemgmt.service failed. Actual results: # grep lsmd /var/log/audit/audit.log type=AVC msg=audit(1437996046.691:83): avc: denied { setuid } for pid=1751 comm="lsmd" capability=7 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:system_r:lsmd_t:s0 tclass=capability type=SYSCALL msg=audit(1437996046.691:83): arch=c000003e syscall=105 success=no exit=-1 a0=3e1 a1=7f3e8a4c6274 a2=0 a3=7ffd64cd9690 items=0 ppid=1 pid=1751 auid=4294967295 uid=0 gid=991 euid=0 suid=0 fsuid=0 egid=991 sgid=991 fsgid=991 tty=(none) ses=4294967295 comm="lsmd" exe="/usr/bin/lsmd" subj=system_u:system_r:lsmd_t:s0 key=(null)