Bug 1255020

| Field | Value |
|---|---|
| Summary | watchdog.d and python script |
| Product | Red Hat Enterprise Linux 7 |
| Reporter | Marek Grac <mgrac> |
| Component | selinux-policy |
| Assignee | Lukas Vrabec <lvrabec> |
| Status | CLOSED ERRATA |
| QA Contact | Milos Malik <mmalik> |
| Severity | unspecified |
| Priority | unspecified |
| Version | 7.1 |
| CC | lvrabec, mgrepl, mgrac, mmalik, plautrba, pvrabec, ssekidde |
| Target Milestone | rc |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Fixed In Version | selinux-policy-3.13.1-50.el7 |
| Doc Type | Bug Fix |
| Story Points | --- |
| Cloned to | 1293384 (view as bug list) |
| Last Closed | 2015-11-19 10:43:55 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
| Bug Blocks | 1293384, 1607798 |
Description
Marek Grac
2015-08-19 12:48:20 UTC

Created attachment 1064823 [details]
SELinux module

Created attachment 1064824 [details]
symlink.te

Operations that have to be allowed are in the attachment.

Well, AVCs would be much better. I believe it should be running under the watchdog script domain. If you just add

    allow watchdog_t watchdog_unconfined_exec_t:lnk_file read;

how does it look?

allow watchdog_t watchdog_unconfined_exec_t:lnk_file read; ends with a rebooted machine and there are no AVCs there - very likely because of the reboot.

Created attachment 1064898 [details]
AVC

Obtained AVCs.

Ok, so the point is we have the fence_scsi_check.pl symlink which points to /usr/share/cluster/fence_scsi_check.pl, which is labeled as bin_t, and all accesses are now needed for watchdog_t. Do we need it for 7.2?

Yes, 7.2 will be great. It is possible that we will also request 7.1.z, but it will depend on how much GSS likes the workaround with semanage.

Marek, what does

    rpm -qf /usr/share/cluster/fence_scsi_check.pl

return? Is this script also used by other apps? The point is we could just change the labeling from bin_t to watchdog_unconfined_exec_t and it would work. If it is not possible, we could talk about a new boolean to have rules coming from random scripts under watchdog_t.

Mirek

Hi Marek! Could you reproduce it with this local policy? First use:

    # chcon -t fenced_exec_t /usr/share/cluster/fence_scsi_check.pl
    # cat mymodule.te
    policy_module(mymodule, 1.0)

    require {
        type watchdog_unconfined_exec_t;
        type watchdog_t;
        type fenced_t;
    }

    #============= watchdog_t ==============
    # Let watchdog_t and fenced_t follow the /etc/watchdog.d symlink.
    allow watchdog_t watchdog_unconfined_exec_t:lnk_file read;
    allow fenced_t watchdog_unconfined_exec_t:lnk_file read;
    # The symlink target under /usr/share/cluster is labeled bin_t.
    corecmd_exec_bin(fenced_t)
    corecmd_exec_bin(watchdog_t)

    optional_policy(`
        libs_exec_ldconfig(fenced_t)
    ')

    optional_policy(`
        # Transition watchdog_t to fenced_t when it executes fenced_exec_t.
        rhcs_domtrans_fenced(watchdog_t)
    ')

    # make -f /usr/share/selinux/devel/Makefile mymodule.pp
    # semodule -i mymodule.pp

I tried it with both options (cp and ln) and I'm without AVCs.

(In reply to Miroslav Grepl from comment #10)
> Marek,
> what does
>
> rpm -qf /usr/share/cluster/fence_scsi_check.pl
>
> ?

fence-agents-common-4.0.11-23.el7.x86_64
fence-agents-scsi-4.0.11-23.el7.x86_64

> Is this script also used by other apps? The point is we could just change
> labeling from bin_t to watchdog_unconfined_exec_t and it would work.

No, it makes minimal sense to use this script in another application, as it is written directly as a watchdog script. There will be at least one other script that will be in 7.3 (already in 6.7) which will be used in a similar way. But there should not be dozens of them.

> If it is not possible, we could talk about a new boolean to have rules
> coming from random scripts under watchdog_t.

@Lukas: the policy is working for me.

commit 4ae305b3e8945dccbdb510127ee1fbb6bf05292e
Author: Lukas Vrabec <lvrabec>
Date:   Thu Aug 27 16:50:16 2015 +0200

    Allow watchdog execute fenced python script.
    Resolves: #1255020

commit 1cd2c2f5b47b90666c97e97d97a7c9e6fc02c4cf
Author: Lukas Vrabec <lvrabec>
Date:   Thu Aug 27 16:46:24 2015 +0200

    Added interface watchdog_unconfined_exec_read_lnk_files()

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2300.html
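The discussion above turns on reading the attached AVC denials and turning them into allow rules (the lnk_file read on the watchdog.d symlink, then the execute of the bin_t-labelled target). As an added illustration, not part of this bug report or of audit2allow, here is a small parser for the AVC record format that does that aggregation; the audit lines are constructed samples modelled on the denials described here, not the attached file.

```python
import re
from collections import defaultdict

# Constructed sample audit records (not the attachment from this bug): the
# watchdog domain following the /etc/watchdog.d symlink, then executing the
# bin_t-labelled target. The SYSCALL record shows non-AVC lines are skipped.
SAMPLE_AVC_LINES = """\
type=AVC msg=audit(1439988500.101:201): avc:  denied  { read } for  pid=901 comm="watchdog" name="fence_scsi_check.pl" dev="dm-0" ino=4242 scontext=system_u:system_r:watchdog_t:s0 tcontext=system_u:object_r:watchdog_unconfined_exec_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1439988500.102:202): avc:  denied  { execute } for  pid=901 comm="watchdog" name="fence_scsi_check.pl" dev="dm-0" ino=4243 scontext=system_u:system_r:watchdog_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0
type=AVC msg=audit(1439988500.103:203): avc:  denied  { execute_no_trans } for  pid=901 comm="watchdog" name="fence_scsi_check.pl" dev="dm-0" ino=4243 scontext=system_u:system_r:watchdog_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1439988500.103:203): arch=c000003e syscall=59 success=no exit=-13
"""

# Pull the permission set, the source and target *types* (third field of the
# context, after user and role) and the object class out of one AVC record.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\}.*?"
    r"scontext=\w+:\w+:(?P<stype>\w+):\S+\s+"
    r"tcontext=\w+:\w+:(?P<ttype>\w+):\S+\s+"
    r"tclass=(?P<tclass>\w+)"
)


def parse_avc(text):
    """Return {(stype, ttype, tclass): set(perms)} for every AVC denial in text."""
    denials = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, CWD, PATH and similar records carry no denial
        key = (m["stype"], m["ttype"], m["tclass"])
        denials[key].update(m["perms"].split())
    return denials


def allow_rules(denials):
    """Render one TE allow rule per (source, target, class) with sorted permissions."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(denials.items()):
        rules.append(f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return rules


if __name__ == "__main__":
    for rule in allow_rules(parse_avc(SAMPLE_AVC_LINES)):
        print(rule)
```

The raw bin_t rule this produces is the kind of broad grant the maintainers avoided above by relabelling the target to fenced_exec_t and using interfaces such as rhcs_domtrans_fenced() instead.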