Bug 1247114
Summary: | SELinux is preventing /usr/bin/lsmd from using the setuid capability | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Bruno Goncalves <bgoncalv> |
Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | 7.2 | CC: | bgoncalv, fge, lvrabec, mgrepl, mmalik, plautrba, pvrabec, ssekidde |
Target Milestone: | rc | ||
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | selinux-policy-3.13.1-39.el7 | Doc Type: | Bug Fix |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2015-11-19 10:42:18 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Bruno Goncalves
2015-07-27 11:30:25 UTC
It works well with selinux-policy-3.13.1-33.el7.noarch # getenforce Enforcing # service libstoragemgmt status Redirecting to /bin/systemctl status libstoragemgmt.service ● libstoragemgmt.service - libstoragemgmt plug-in server daemon Loaded: loaded (/usr/lib/systemd/system/libstoragemgmt.service; enabled; vendor preset: enabled) Active: active (running) since Mon 2015-07-27 07:32:41 EDT; 4s ago Main PID: 5043 (lsmd) CGroup: /system.slice/libstoragemgmt.service └─5043 /usr/bin/lsmd -d Jul 27 07:32:41 lenovo-rd230-03.lab.bos.redhat.com systemd[1]: Started libstoragemgmt plug-in server daemon. Jul 27 07:32:41 lenovo-rd230-03.lab.bos.redhat.com systemd[1]: Starting libstoragemgmt plug-in server daemon... You can find following lines in /usr/lib/systemd/system/libstoragemgmt.service: [Service] ExecStart=/usr/bin/lsmd -d ExecReload=/bin/kill -HUP $MAINPID StandardError=syslog User=root I changed "User=root" to "User=libstoragemgmt" and the AVC stopped appearing. # rpm -q --scripts libstoragemgmt | grep -C2 useradd getent group libstoragemgmt >/dev/null || groupadd -r libstoragemgmt getent passwd libstoragemgmt >/dev/null || \ useradd -r -g libstoragemgmt -d /var/run/lsm -s /sbin/nologin \ -c "daemon account for libstoragemgmt" libstoragemgmt postinstall scriptlet (using /bin/sh): # The lsmd process starts successfully via systemctl and it runs as: # ps -efZ | grep lsmd system_u:system_r:lsmd_t:s0 libstor+ 27766 1 0 14:18 ? 00:00:00 /usr/bin/lsmd -d unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 28093 4462 0 14:24 pts/0 00:00:00 grep --color=auto lsmd # There seems to be a dedicated user/group for running the daemon. Gris, Could you check what is the right user to run lsmd? Hi Milos Malik, The lsmd is running as root by default[1], unless plugin require root privilege[2], the plugin will run in libstoragemgmt/libstoragemgmt user/group. So, please allow lsmd running as root in order to support libstoragemgmt-plugin-hpsa and libstoragemgmt-plugin-megaraid. Let me know if you need more detail. [1] The 'lsmd.conf' is controlling it. Check manpage lsmd.conf(5) for detail. [2] libstoragemgmt-plugin-hpsa and libstoragemgmt-plugin-megaraid require root privilege to run local command as root user. They will indicate that in their plugin configuration file. Other plugins will still running as unprivileged user. Removing 'Regression' tag as this is caused by an expected change in libstoragemgmt 1.2(rebase in RHEL 7.2): Since libstoragemgmt version 1.2, we need root privileged to support hardware RAID support: libstoragemgmt-plugin-hpsa and libstoragemgmt-plugin-megaraid We still run other plugins as unprivileged user. User could force lsmd and all plugins to run as unprivileged user via /etc/lsm/lsmd.conf, please check manpage lsmd.conf(5) for detail. commit fd65f7ea8eda195598e555819dc4e931ed6420c1 Author: Miroslav Grepl <mgrepl> Date: Fri Aug 7 12:00:59 2015 +0200 Allow lsmd also setuid capability. Some commands need to executed under root privs. Other commands are executed under unprivileged user. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2015-2300.html |