Bug 1290514
| Summary: | (RHEL7) CTDB: SELinux: ctdb disablescript fails to execute because of SELinux avc's | |||
|---|---|---|---|---|
| Product: | [Red Hat Storage] Red Hat Gluster Storage | Reporter: | surabhi <sbhaloth> | |
| Component: | samba | Assignee: | rhs-smb <rhs-smb> | |
| Status: | CLOSED ERRATA | QA Contact: | surabhi <sbhaloth> | |
| Severity: | high | Docs Contact: | ||
| Priority: | unspecified | |||
| Version: | rhgs-3.1 | CC: | amukherj, madam, mmalik, nlevinki, rcyriac, sankarshan | |
| Target Milestone: | --- | Keywords: | ZStream | |
| Target Release: | RHGS 3.2.0 | |||
| Hardware: | Unspecified | |||
| OS: | Unspecified | |||
| Whiteboard: | ||||
| Fixed In Version: | selinux-policy-3.13.1-66.el7 | Doc Type: | Known Issue | |
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 1292781 1293788 (view as bug list) | Environment: | ||
| Last Closed: | 2017-03-23 05:19:37 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | 1293788 | |||
| Bug Blocks: | 1268895, 1351522 | |||
Verified on RHEl7 setup , now disable of ctdb scripts doesn't fail and is successfully executed. There are no AVC's seen on the system. Marking the BZ verified. selinux-policy-3.13.1-102.el7_3.7.noarch selinux-policy-targeted-3.13.1-102.el7_3.7.noarch samba-4.4.6-4.el7rhgs.x86_64 Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHSA-2017-0495.html |
Description of problem: While verifying the Ad integration documentation , executing following command fails on RHGS-samba server with CTDB. #onnode all ctdb disablescript 49.winbind # onnode all ctdb disablescript 50.samba ctdb disablescript 50.samba ../ctdb/client/ctdb_client.c:4677 ctdb_control for disablescript failed Unable to disable script 50.samba on node 0 log errors: 2015/12/10 16:04:28.425075 [22625]: Could not chmod /etc/ctdb/events.d/50.samba. Failed to disable script. 2015/12/10 17:19:10.749665 [16940]: Could not chmod /etc/ctdb/events.d/49.winbind. Failed to disable script. 2015/12/10 17:19:16.867862 [16940]: 49.winbind: ERROR: wbinfo -p returned error 2015/12/10 17:19:32.074212 [16940]: 49.winbind: ERROR: wbinfo -p returned error 2015/12/10 17:19:47.289260 [16940]: 49.winbind: ERROR: wbinfo -p returned error Also when trying to add follwoing to ctdb config file to have ctdb manage winbind: When CTDB_MANAGES_WINBIND=yes,the 49.winbind event script shows following AVC's: type=AVC msg=audit(1449749209.744:88166): avc: denied { getattr } for pid=11930 comm="49.winbind" path="/usr/bin/smbcontrol" dev="dm-0" ino=34684358 scontext=system_u:system_r:ctdbd_t:s0 tcontext=system_u:object_r:smbcontrol_exec_t:s0 tclass=file Running "ctdb disablescript 49.winbind" and "ctdb enablescript 49.winbind" type=AVC msg=audit(1449748690.806:87790): avc: denied { setattr } for pid=16940 comm="ctdbd" name="49.winbind" dev="dm-0" ino=100891958 scontext=system_u:system_r:ctdbd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file Version-Release number of selected component (if applicable): ctdb-4.2.4-6.el7rhgs.x86_64 samba-4.2.4-6.el7rhgs.x86_64 glusterfs-3.7.5-8.el7rhgs.x86_64 selinux-policy-targeted-3.13.1-60.el7.noarch selinux-policy-3.13.1-60.el7.noarch How reproducible: when running # onnode all ctdb disablescript 49.winbind # onnode all ctdb disablescript 50.samba Steps to Reproduce: 1. Follow the Samba AD integration doc and run ctdb disablescript 49.winbind or ctdb disablescript 50.samba command and it fails to execute because of SELinux issues. 2. 3. Actual results: The command mentioned in AD-integration doc which disables winbind or samba script (so that CTDB doesn't go to unhealthy state when ctdb manages samba and winbind) fails with AVC errors. Expected results: The command should run successfully without throwing AVC's. More details coming up shortly. Additional info: