Bug 1255020

Summary: watchdog.d and python script
Product: Red Hat Enterprise Linux 7
Reporter: Marek Grac <mgrac>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: unspecified
Priority: unspecified
Version: 7.1
CC: lvrabec, mgrac, mgrepl, mmalik, plautrba, pvrabec, ssekidde
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: selinux-policy-3.13.1-50.el7
Doc Type: Bug Fix
Clone Of:
: 1293384
Last Closed: 2015-11-19 10:43:55 UTC
Type: Bug
Bug Blocks: 1293384, 1607798
Attachments:
SELinux module (flags: none)
symlink.te (flags: none)
AVC (flags: none)

Description Marek Grac 2015-08-19 12:48:20 UTC
fence_scsi_check.pl (.pl for historical reasons, it is python in 7.1) should be symlinked/copied to /etc/watchdog.d/. If binary is copied there it works as expected but python script is not working.

Steps to reproduce:

1. yum install watchdog fence-agents-scsi
2. ln -s /usr/share/cluster/fence_scsi_check.pl /etc/watchdog.d
or 'cp' instead of 'ln -s'
3. systemctl start watchdog

The machine should not be rebooted immediately.

Comment 1 Marek Grac 2015-08-19 12:49:32 UTC
Created attachment 1064823 [details]
SELinux module

Comment 2 Marek Grac 2015-08-19 12:49:56 UTC
Created attachment 1064824 [details]
symlink.te

Comment 3 Marek Grac 2015-08-19 12:50:57 UTC
Operations that have to be allowed are in the attachment.

Comment 5 Miroslav Grepl 2015-08-19 13:02:19 UTC
Well AVCs would be much better. I believe it should be running under watchdog script domain.

If you just add

allow watchdog_t watchdog_unconfined_exec_t:lnk_file read;

how does it look?

Comment 6 Marek Grac 2015-08-19 14:32:18 UTC
allow watchdog_t watchdog_unconfined_exec_t:lnk_file read;

ends with rebooted machine and there are no AVC there - very likely because of reboot.

Comment 7 Marek Grac 2015-08-19 14:32:44 UTC
Created attachment 1064898 [details]
AVC

obtained AVCs
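To show how denial lines like the attached AVCs map onto the allow rule Miroslav proposes in comment 5, here is an added example that is not part of this bug report. It parses constructed AVC records (the attachment itself is not reproduced here; the sample lines only reuse the types the thread names, watchdog_t, watchdog_unconfined_exec_t and bin_t) and emits a minimal .te fragment, the same job audit2allow does properly.

```python
import re
from collections import defaultdict

# Constructed sample denials, not the bug's attachment: the shape a watchdog_t
# process produces when it follows the symlink into a bin_t-labelled script.
SAMPLE_AVCS = """
type=AVC msg=audit(1440000000.001:101): avc:  denied  { read } for  pid=1234 comm="watchdog" name="fence_scsi_check.pl" dev="dm-0" ino=1 scontext=system_u:system_r:watchdog_t:s0 tcontext=system_u:object_r:watchdog_unconfined_exec_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1440000000.002:102): avc:  denied  { execute } for  pid=1234 comm="watchdog" name="fence_scsi_check.pl" dev="dm-0" ino=2 scontext=system_u:system_r:watchdog_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0
type=AVC msg=audit(1440000000.003:103): avc:  denied  { read open } for  pid=1234 comm="watchdog" name="fence_scsi_check.pl" dev="dm-0" ino=2 scontext=system_u:system_r:watchdog_t:s0 tclass=file scontext=system_u:system_r:watchdog_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0
"""

# A context is user:role:type[:level]; the third field is the type we need.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\}.*?'
    r'scontext=[^:\s]+:[^:\s]+:(?P<stype>\w+).*?'
    r'tcontext=[^:\s]+:[^:\s]+:(?P<ttype>\w+).*?'
    r'tclass=(?P<tclass>\w+)'
)


def parse_avcs(text):
    """Collect denied permissions keyed by (source type, target type, class)."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            key = (m.group('stype'), m.group('ttype'), m.group('tclass'))
            rules[key].update(m.group('perms').split())
    return rules


def to_te(rules):
    """Render the collected denials as a .te fragment with its require block."""
    types = sorted({t for s, tt, _ in rules for t in (s, tt)})
    lines = ["require {"] + [f"\ttype {t};" for t in types] + ["}", ""]
    for (s, t, cls), perms in sorted(rules.items()):
        lines.append(f"allow {s} {t}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(lines)


if __name__ == "__main__":
    print(to_te(parse_avcs(SAMPLE_AVCS)))
```

Rules generated this way grant watchdog_t direct access to bin_t content; the local policy in comment 11 instead relabels the script and adds a domain transition, which is the narrower fix.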

Comment 8 Miroslav Grepl 2015-08-21 07:56:11 UTC
Ok so the point is we have fence_scsi_check.pl symlink which points to /usr/share/cluster/fence_scsi_check.pl which is labeled as bin_t and all accesses are now needed for watchdog_t.

Do we need it for 7.2?

Comment 9 Marek Grac 2015-08-21 12:03:02 UTC
yes, 7.2 will be great. 

It is possible that we will also request 7.1.z, but it will depend on how much GSS likes the workaround with semanage.

Comment 10 Miroslav Grepl 2015-08-24 16:05:07 UTC
Marek,
what does

rpm -qf /usr/share/cluster/fence_scsi_check.pl

? 

Is this script also used by other apps? The point is we could just change labeling from bin_t to watchdog_unconfined_exec_t and it would work. 

If it is not possible, we could talk about a new boolean to have rules coming from random scripts under watchdog_t.

Comment 11 Lukas Vrabec 2015-08-24 23:55:29 UTC
Mirek,

Hi Marek!

Could you reproduce it with this local policy? 

At first use:
# chcon -t fenced_exec_t /usr/share/cluster/fence_scsi_check.pl

# cat mymodule.te 
policy_module(mymodule 1.0);

require {
	type watchdog_unconfined_exec_t;
	type watchdog_t;
	type fenced_t;
}

#============= watchdog_t ==============
allow watchdog_t watchdog_unconfined_exec_t:lnk_file read;
allow fenced_t watchdog_unconfined_exec_t:lnk_file read;

corecmd_exec_bin(fenced_t)
corecmd_exec_bin(watchdog_t)

optional_policy(`
	libs_exec_ldconfig(fenced_t)
')

optional_policy(`
	rhcs_domtrans_fenced(watchdog_t)
')

# make -f /usr/share/selinux/devel/Makefile mymodule.pp
# semodule -i mymodule.pp

I tried it with both options (cp and ln) and I'm without AVCs.

Comment 13 Marek Grac 2015-08-26 16:27:46 UTC
(In reply to Miroslav Grepl from comment #10)
> Marek,
> what does
> 
> rpm -qf /usr/share/cluster/fence_scsi_check.pl
> 
> ? 

fence-agents-common-4.0.11-23.el7.x86_64
fence-agents-scsi-4.0.11-23.el7.x86_64

> Is this script also used by other apps? The point is we could just change
> labeling from bin_t to watchdog_unconfined_exec_t and it would work. 

No, it makes minimal sense to use this script in other applications as it is written directly as a watchdog script. There will be at least one other script that will be in 7.3 (already in 6.7) which will be used in a similar way. But there should not be dozens of them.


> If it is not possible, we could talk about a new boolean to have rules
> coming from random scripts under watchdog_t.

Comment 14 Marek Grac 2015-08-26 16:31:42 UTC
@Lukas:

policy is working for me.

Comment 18 Lukas Vrabec 2015-08-27 15:00:00 UTC
commit 4ae305b3e8945dccbdb510127ee1fbb6bf05292e
Author: Lukas Vrabec <lvrabec@redhat.com>
Date:   Thu Aug 27 16:50:16 2015 +0200

    Allow watchdog execute fenced python script.
    Resolves: #1255020

commit 1cd2c2f5b47b90666c97e97d97a7c9e6fc02c4cf
Author: Lukas Vrabec <lvrabec@redhat.com>
Date:   Thu Aug 27 16:46:24 2015 +0200

    Added interface watchdog_unconfined_exec_read_lnk_files()

Comment 28 errata-xmlrpc 2015-11-19 10:43:55 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2300.html