Bug 1260682

Summary: avc running pacemaker tests (iptables, xtables)
Product: Red Hat Enterprise Linux 7 Reporter: michal novacek <mnovacek>
Component: selinux-policyAssignee: Lukas Vrabec <lvrabec>
Status: CLOSED DUPLICATE QA Contact: Milos Malik <mmalik>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.2CC: lvrabec, mgrepl, mmalik, plautrba, pvrabec, ssekidde, todoleza
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-09-10 15:17:33 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description michal novacek 2015-09-07 12:48:38 UTC 
Description of problem:
This probably has nothing to do with cluster but happens with our regular
cluster testing suites. 

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-47.el7.noarch

How reproducible: always

Actual results:
[root@virt-063 ~]# grep /run/xtables.lock /var/log/audit/audit.log
----> using /usr/tests/resource-STSRHTS28437.xml
type=AVC msg=audit(1441622449.862:782): avc:  denied  { open } for  pid=1591 comm="iptables" path="/run/xtables.lock" dev="tmpfs" ino=33335 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1441622449.862:783): avc:  denied  { lock } for  pid=1591 comm="iptables" path="/run/xtables.lock" dev="tmpfs" ino=33335 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1441622492.315:807): avc:  denied  { open } for  pid=1836 comm="iptables" path="/run/xtables.lock" dev="tmpfs" ino=33335 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1441622492.315:808): avc:  denied  { lock } for  pid=1836 comm="iptables" path="/run/xtables.lock" dev="tmpfs" ino=33335 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1441622550.980:845): avc:  denied  { open } for  pid=2063 comm="iptables" path="/run/xtables.lock" dev="tmpfs" ino=33335 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1441622550.980:846): avc:  denied  { lock } for  pid=2063 comm="iptables" path="/run/xtables.lock" dev="tmpfs" ino=33335 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
---

Expected results: no avc (rules added to default policy)

Additional info:

I'm running all iptables commands with '-w' which is probably the reason for the denials.

Creating allow rule from these denials solves the problem.

[root@virt-063 ~]# grep /run/xtables.lock | audit2allow -a
#============= iptables_t ==============
allow iptables_t var_run_t:file { read lock open };

[root@virt-063 ~]# grep /run/xtables.lock | audit2allow -a -M xtables
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i xtables.pp

[root@virt-063 ~]# semodule -i xtables.pp
Comment 2 Milos Malik 2015-09-07 13:17:47 UTC 
The xtables.lock file is mislabeled. We need to find out, which process created it. restorecon -v /run/xtables.lock is able to correct the label.
Comment 3 Milos Malik 2015-09-07 13:43:23 UTC 
Here is the reproducer:

# service NetworkManager stop
Redirecting to /bin/systemctl stop  NetworkManager.service
# service firewalld stop
Redirecting to /bin/systemctl stop  firewalld.service
# rm -f /run/xtables.lock 
# service iptables start
Redirecting to /bin/systemctl start  iptables.service
# ls -Z /run/xtables.lock 
ls: cannot access /run/xtables.lock: No such file or directory
# service ip6tables start
Redirecting to /bin/systemctl start  ip6tables.service
# ls -Z /run/xtables.lock 
ls: cannot access /run/xtables.lock: No such file or directory
# service firewalld start
Redirecting to /bin/systemctl start  firewalld.service
# ls -Z /run/xtables.lock 
-rw-------. root root system_u:object_r:var_run_t:s0   /run/xtables.lock
# 

A special policy module, which contains an auditallow rule, revealed which process created the xtables.lock file:
----
type=PATH msg=audit(09/07/2015 15:26:51.078:3156) : item=1 name=/run/xtables.lock inode=417551 dev=00:12 mode=file,600 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_run_t:s0 objtype=CREATE 
type=PATH msg=audit(09/07/2015 15:26:51.078:3156) : item=0 name=/run/ inode=6608 dev=00:12 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_run_t:s0 objtype=PARENT 
type=CWD msg=audit(09/07/2015 15:26:51.078:3156) :  cwd=/ 
type=SYSCALL msg=audit(09/07/2015 15:26:51.078:3156) : arch=x86_64 syscall=open success=yes exit=3 a0=0x4129fb a1=O_RDONLY|O_CREAT a2=0600 a3=0x7ffd7eccf3c0 items=2 ppid=10827 pid=10849 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ip6tables exe=/usr/sbin/xtables-multi subj=system_u:system_r:unconfined_service_t:s0 key=(null) 
type=AVC msg=audit(09/07/2015 15:26:51.078:3156) : avc:  granted  { create } for  pid=10849 comm=ip6tables name=xtables.lock scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file 
----
Comment 4 Miroslav Grepl 2015-09-08 18:21:47 UTC 
Which service does it causes and is running as unconfined_service_t?
Comment 5 Milos Malik 2015-09-09 09:34:27 UTC 
I don't know. Here is another reproducer of the issue:

 * https://bugzilla.redhat.com/show_bug.cgi?id=1243403#c17
Comment 6 Miroslav Grepl 2015-09-10 15:17:33 UTC 

*** This bug has been marked as a duplicate of bug 1243403 ***