Bug 1247522
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | [SELinux]: seeing avc denied for comm=mailx in rhel7.1 | | |
| Product | [Red Hat Storage] Red Hat Gluster Storage | Reporter | Apeksha <akhakhar> |
| Component | nfs-ganesha | Assignee | Kaleb KEITHLEY <kkeithle> |
| Status | CLOSED WONTFIX | QA Contact | Manisha Saini <msaini> |
| Severity | urgent | Docs Contact | |
| Priority | unspecified | | |
| Version | rhgs-3.1 | CC | atumball, kkeithle, mmalik, ndevos, pprakash, rhs-bugs, sankarshan, skoduri, storage-qa-internal |
| Target Milestone | --- | Keywords | ZStream |
| Target Release | --- | | |
| Hardware | x86_64 | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | Bug Fix |
| Doc Text | | Story Points | --- |
| Clone Of | | | |
| | 1309317 (view as bug list) | Environment | |
| Last Closed | 2018-04-16 17:59:38 UTC | Type | Bug |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | | | |
| Bug Blocks | 1309317, 1312009 | | |
Description
Apeksha
2015-07-28 08:45:32 UTC
I guess we know the cause of the issue - During nfs-ganesha setup/teardown, AVC reported:

```
type=SYSCALL msg=audit(07/28/2015 08:35:30.716:5169) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=0x20e10f0 a1=O_WRONLY|O_CREAT|O_APPEND a2=0666 a3=0x7ffd11cae1e0 items=0 ppid=6737 pid=6738 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=mailx exe=/usr/bin/mailx subj=system_u:system_r:sendmail_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(07/28/2015 08:35:30.716:5169) : avc: denied { write } for pid=6738 comm=mailx name=Python-2015-07-28-02:34:54-15814 dev="dm-1" ino=2264 scontext=system_u:system_r:sendmail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:abrt_var_cache_t:s0 tclass=dir
```

in '/var/log/messages':

```
Jul 28 08:35:30 dhcp37-44 systemd: SELinux policy denies access.
Jul 28 08:35:30 dhcp37-44 python: detected unhandled Python exception in '/usr/sbin/pcs'
Jul 28 08:35:30 dhcp37-44 abrt-server: Duplicate: core backtrace
Jul 28 08:35:30 dhcp37-44 abrt-server: DUP_OF_DIR: /var/spool/abrt/Python-2015-07-28-02:34:54-15814
Jul 28 08:35:30 dhcp37-44 abrt-server: Deleting problem directory Python-2015-07-28-08:35:30-6708 (dup of Python-2015-07-28-02:34:54-15814)
Jul 28 08:35:30 dhcp37-44 abrt-server: Email address of sender was not specified. Would you like to do so now? If not, 'user@localhost' is to be used [y/N]
Jul 28 08:35:30 dhcp37-44 abrt-server: Email address of receiver was not specified. Would you like to do so now? If not, 'root@localhost' is to be used [y/N]
Jul 28 08:35:30 dhcp37-44 abrt-server: Sending an email...
Jul 28 08:35:30 dhcp37-44 abrt-server: /usr/sbin/sendmail: No such file or directory
Jul 28 08:35:30 dhcp37-44 abrt-server: . . . message not sent.
Jul 28 08:35:30 dhcp37-44 abrt-server: Error running '/bin/mailx'
```

```
[root@nfs3 ganesha]# cat /var/spool/abrt/Python-2015-07-28-02:34:54-15814/backtrace
utils.py:2135:serviceStatus:IndexError: list index out of range
Traceback (most recent call last):
  File "/usr/sbin/pcs", line 153, in <module>
    main(sys.argv[1:])
  File "/usr/sbin/pcs", line 145, in main
    status.status_cmd(argv)
  File "/usr/lib/python2.7/site-packages/pcs/status.py", line 13, in status_cmd
    full_status()
  File "/usr/lib/python2.7/site-packages/pcs/status.py", line 63, in full_status
    utils.serviceStatus(" ")
  File "/usr/lib/python2.7/site-packages/pcs/utils.py", line 2135, in serviceStatus
    print prefix + daemons[i] + ": " + status[i] + "/" + enabled[i]
IndexError: list index out of range

Local variables in innermost frame:
status: ['active', 'active', 'active', '']
i: 2
enabled: ['Failed to issue method call: Access denied', '']
ret: 1
prefix: ' '
daemons: ['corosync', 'pacemaker', 'pcsd']
out: 'Failed to issue
```

In '/usr/lib/python2.7/site-packages/pcs/utils.py':

```python
def serviceStatus(prefix):
    if is_systemctl():
        print "Daemon Status:"
        daemons = ["corosync", "pacemaker", "pcsd"]
        out, ret = run(["systemctl", "is-active"] + daemons)
        status = out.split("\n")
        out, ret = run(["systemctl", "is-enabled"] + daemons)
        enabled = out.split("\n")
        for i in range(len(daemons)):
            print prefix + daemons[i] + ": " + status[i] + "/" + enabled[i]
```

'ganesha-ha.script' runs 'pcs status' during setup/teardown of the cluster, which in turn is using a python module to check the status of the 'corosync', 'pacemaker' and 'pcsd' services. And it looks like the selinux policy on the 'glusterd' service which invokes this script is blocking one of those systemd commands. And since the variable 'enabled' is not populated, accessing that variable resulted in an exception. While trying to send a mail about this crash, 'abrt-server' received a SELinux denial to access the 'mailx' service. That means there are two denials by selinux seen here.
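The IndexError above is a failure-handling bug in pcs that the SELinux denial merely exposes: `systemctl` output is split on newlines and indexed by position, so when the `is-enabled` query is refused as a whole and comes back as a single error line, `enabled[2]` does not exist. The following is an added example, not pcs's own code nor any fix shipped by Red Hat: a Python 3 reconstruction of the original loop beside a version that maps unit names to state lines and degrades to "unknown" when the query failed. The inputs are constructed from the local variables in the backtrace; `run_systemctl` is a hypothetical live wrapper that the offline replay does not call.

```python
"""Hardened replacement for the positional split in pcs's serviceStatus()."""
import subprocess

DAEMONS = ["corosync", "pacemaker", "pcsd"]

# Constructed inputs copied from the local variables in the backtrace above:
# `systemctl is-active` answered per unit, `systemctl is-enabled` was refused
# as a whole and printed one error line instead of three states.
STATUS_OK_OUT = "active\nactive\nactive\n"
ENABLED_DENIED_OUT = "Failed to issue method call: Access denied\n"


def buggy_report(prefix, status_out, enabled_out):
    """Original pcs logic, reconstructed from the traceback: split on newline and
    index by position, so a one-line error message leaves enabled[] too short."""
    status = status_out.split("\n")
    enabled = enabled_out.split("\n")
    lines = []
    for i in range(len(DAEMONS)):
        lines.append(prefix + DAEMONS[i] + ": " + status[i] + "/" + enabled[i])
    return lines


def parse_unit_states(out, daemons):
    """Map each daemon to its state line.

    When the query ran, systemctl prints exactly one line per unit (even if some
    units are inactive/disabled and the exit code is non-zero). Any other line
    count is treated as a failed query and reported for every unit, instead of
    indexing past the end of the list."""
    lines = [l for l in out.split("\n") if l.strip()]
    if len(lines) == len(daemons):
        return dict(zip(daemons, lines))
    err = lines[0] if lines else "no output from systemctl"
    return {d: "unknown (" + err + ")" for d in daemons}


def safe_report(prefix, status_out, enabled_out):
    """Same report as buggy_report, but never raises on a failed query."""
    status = parse_unit_states(status_out, DAEMONS)
    enabled = parse_unit_states(enabled_out, DAEMONS)
    return [prefix + d + ": " + status[d] + "/" + enabled[d] for d in DAEMONS]


def run_systemctl(verb, daemons=DAEMONS):
    """Hypothetical live query wrapper (assumption, not pcs's run()). stderr is
    merged because systemctl prints 'Access denied' there, which is where the
    error line in the captured `out` variable came from."""
    p = subprocess.run(["systemctl", verb] + daemons,
                       stdout=subprocess.PIPE, stderr=subprocess.STDOUT,
                       universal_newlines=True)
    return p.stdout


if __name__ == "__main__":
    # Replay the captured failure offline: the old loop crashes, the new one reports.
    try:
        buggy_report(" ", STATUS_OK_OUT, ENABLED_DENIED_OUT)
    except IndexError as e:
        print("original logic:", repr(e))
    for line in safe_report(" ", STATUS_OK_OUT, ENABLED_DENIED_OUT):
        print(line)
```

With the captured inputs the reconstruction raises at `i == 2` exactly as the backtrace shows, while the keyed version prints `corosync: active/unknown (Failed to issue method call: Access denied)` for each daemon, so a denied D-Bus call shows up as a visible status instead of an abrt crash report and a mail attempt.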
Can someone explain why "Jul 28 08:35:30 dhcp37-44 systemd: SELinux policy denies access." hasn't reported any AVCs, whereas invoking 'mailx' has? Also note that there are no functionality issues seen with these denials yet, though reporting a crash in messages may seem not right.

The following message usually means that a USER_AVC appeared:

```
systemd: SELinux policy denies access
```

Could you attach AVCs and USER_AVCs too?

```
# ausearch -m avc -m user_avc -i -ts today
type=USER_AVC msg=audit(07/29/2015 01:38:34.355:13684) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=unset uid=root gid=root path=system scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=system exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
----
type=SYSCALL msg=audit(07/29/2015 01:38:34.733:13685) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=0x25f80f0 a1=O_WRONLY|O_CREAT|O_APPEND a2=0666 a3=0x7ffcaff02460 items=0 ppid=11798 pid=11799 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=mailx exe=/usr/bin/mailx subj=system_u:system_r:sendmail_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(07/29/2015 01:38:34.733:13685) : avc: denied { write } for pid=11799 comm=mailx name=Python-2015-07-28-02:34:54-15814 dev="dm-1" ino=2264 scontext=system_u:system_r:sendmail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:abrt_var_cache_t:s0 tclass=dir
```

I hit the same crash on my setup while setting up the nfs-ganesha cluster. Note that I have done setup/teardown of the nfs-ganesha cluster multiple times on this setup.

```
[root@dhcp46-59 ~]# cat /var/spool/abrt/Python-2016-02-08-15\:33\:55-28283/backtrace
utils.py:1962:serviceStatus:IndexError: list index out of range
Traceback (most recent call last):
  File "/usr/sbin/pcs", line 219, in <module>
    main(sys.argv[1:])
  File "/usr/sbin/pcs", line 159, in main
    cmd_map[command](argv)
  File "/usr/lib/python2.7/site-packages/pcs/status.py", line 16, in status_cmd
    full_status()
  File "/usr/lib/python2.7/site-packages/pcs/status.py", line 64, in full_status
    utils.serviceStatus(" ")
  File "/usr/lib/python2.7/site-packages/pcs/utils.py", line 1962, in serviceStatus
    print prefix + daemons[i] + ": " + status[i] + "/" + enabled[i]
IndexError: list index out of range

Local variables in innermost frame:
status: ['active', 'active', 'active', '']
i: 2
enabled: ['Failed to get unit file state for corosync.service: Access denied', '']
ret: 1
prefix: ' '
daemons: ['corosync', 'pacemaker', 'pcsd']
out: 'Failed to get unit file state for corosync.service: Access denied\n'
```

After disabling selinux, setup worked.

avc error:

```
type=AVC msg=audit(1455729058.666:101139): avc: denied { write } for pid=27026 comm="mailx" name="Python-2016-02-08-15:33:55-28283" dev="dm-0" ino=35040612 scontext=system_u:system_r:sendmail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:abrt_var_cache_t:s0 tclass=dir
```
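The two denials in this bug land in the audit log in different record types: the pcs failure is enforced by systemd acting as a userspace object manager (glusterd_t asking for `status` on the `system` class), so it is logged as USER_AVC and `/var/log/messages` only shows "SELinux policy denies access", while the mailx failure is a kernel file-access check logged as a plain AVC. `ausearch -m avc` alone skips the USER_AVC records, which is why the comment above asks for `-m user_avc` as well. The following is an added example, not part of the bug report or of any Red Hat tool: a Python 3 parser that reads both record kinds from a constructed sample copied from the records above (SYSCALL line abridged), extracts the fields a type-enforcement rule names, and derives the allow rule each denial asks for in the syntax audit2allow uses. Deriving the rule is triage, not a recommendation; whether to grant it is a policy decision, and this bug was closed WONTFIX.

```python
"""Parse kernel AVC and userspace USER_AVC denials and derive the rule each one asks for."""
import re

# Constructed sample, copied from the ausearch output and the raw AVC in the
# comments above (SYSCALL line abridged). `ausearch -m avc` alone would not
# list the USER_AVC record; it needs `-m user_avc` too.
SAMPLE_AUDIT = """\
type=USER_AVC msg=audit(07/29/2015 01:38:34.355:13684) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=unset uid=root gid=root path=system scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=system exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
----
type=SYSCALL msg=audit(07/29/2015 01:38:34.733:13685) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) comm=mailx exe=/usr/bin/mailx subj=system_u:system_r:sendmail_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(07/29/2015 01:38:34.733:13685) : avc: denied { write } for pid=11799 comm=mailx name=Python-2015-07-28-02:34:54-15814 dev="dm-1" ino=2264 scontext=system_u:system_r:sendmail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:abrt_var_cache_t:s0 tclass=dir
type=AVC msg=audit(1455729058.666:101139): avc: denied { write } for pid=27026 comm="mailx" name="Python-2016-02-08-15:33:55-28283" dev="dm-0" ino=35040612 scontext=system_u:system_r:sendmail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:abrt_var_cache_t:s0 tclass=dir
"""

_TYPE_RE = re.compile(r"^type=(\w+)")
_AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$")
_KV_RE = re.compile(r"(\w+)=(\"[^\"]*\"|'[^']*'|\S+)")


def _type_of(context):
    """user:role:type:level -> type (the component a TE rule names)."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def parse_avc_record(line):
    """Return a dict for an AVC or USER_AVC denial line, else None.

    USER_AVC records (denials enforced by a userspace object manager such as
    systemd) nest the avc text inside msg='...', so the closing quote is
    stripped before the key=value fields are read."""
    tm = _TYPE_RE.match(line)
    if not tm or tm.group(1) not in ("AVC", "USER_AVC"):
        return None
    am = _AVC_RE.search(line)
    if not am:
        return None
    rest = am.group("rest").rstrip("'")
    fields = {k: v.strip("\"'") for k, v in _KV_RE.findall(rest)}
    return {
        "record": tm.group(1),
        "userspace": tm.group(1) == "USER_AVC",
        "perms": am.group("perms").split(),
        "comm": fields.get("comm") or fields.get("exe"),
        "source_type": _type_of(fields["scontext"]),
        "target_type": _type_of(fields["tcontext"]),
        "tclass": fields["tclass"],
        "target": fields.get("name") or fields.get("path"),
    }


def parse_audit(text):
    """All denial records in an ausearch/audit.log dump, in order."""
    records = []
    for line in text.splitlines():
        rec = parse_avc_record(line)
        if rec:
            records.append(rec)
    return records


def allow_rule(rec):
    """The TE rule that would satisfy this denial, in audit2allow's syntax.
    Deriving it is triage; granting it is a separate policy decision."""
    perms = rec["perms"]
    perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return "allow %s %s:%s %s;" % (rec["source_type"], rec["target_type"],
                                   rec["tclass"], perm_str)


def distinct_rules(records):
    """Unique rules in first-seen order; repeated setup/teardown runs log the
    same denial many times."""
    seen, rules = set(), []
    for rec in records:
        rule = allow_rule(rec)
        if rule not in seen:
            seen.add(rule)
            rules.append(rule)
    return rules


if __name__ == "__main__":
    recs = parse_audit(SAMPLE_AUDIT)
    for rec in recs:
        kind = "USER_AVC (userspace)" if rec["userspace"] else "AVC (kernel)"
        print("%-20s %s -> %s:%s %s  [%s]" % (kind, rec["source_type"], rec["target_type"],
                                             rec["tclass"], " ".join(rec["perms"]), rec["comm"]))
    print("\n".join(distinct_rules(recs)))
```

Run against the sample, the parser reduces three denial records to two distinct rules, `allow glusterd_t init_t:system status;` and `allow sendmail_t abrt_var_cache_t:dir write;`, and the `userspace` flag on the first one is the direct answer to the question of why that denial produced no kernel AVC in the log.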