Bug 1291194

Summary: (RHEL7) SELinux prevents ctdb from running commands to disable event scripts
Product: [Red Hat Storage] Red Hat Gluster Storage
Reporter: surabhi <sbhaloth>
Component: samba
Assignee: Anoop C S <anoopcs>
Status: CLOSED CURRENTRELEASE
QA Contact: storage-qa-internal <storage-qa-internal>
Severity: high
Docs Contact:
Priority: unspecified
Version: rhgs-3.3
CC: anoopcs, gdeschner, madam, nlevinki, vdas
Target Milestone: ---
Keywords: Reopened, ZStream
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: selinux-policy-3.13.1-199.el7
Doc Type: Known Issue
Doc Text:
Current SELinux policy prevents ctdb's 49.winbind event script from executing smbcontrol. This can create inconsistent state in winbind, because when a public IP address is moved away from a node, winbind fails to drop connections made through that IP address.
Story Points: ---
Clone Of:
: 1292783 1293784 1572584
Environment:
Last Closed: 2018-11-06 10:26:00 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1572584
Bug Blocks: 1268895, 1293784

Description surabhi 2015-12-14 09:28:03 UTC
Description of problem:
*************************************************

1. When disablescript 49.winbind is executed and the winbind service is stopped, with CTDB_MANAGES_WINBIND=yes
2. When disablescript 50.samba is executed and the smb service is stopped, with CTDB_MANAGES_SAMBA=yes

the AVCs are seen, which show that ctdbd tries to execute smbcontrol, and in the ctdb logs there are permission errors.

The following AVCs are seen, followed by the messages in the ctdb logs:
*****************************************************************

type=AVC msg=audit(1450103321.941:71909): avc:  denied  { sigchld } for  pid=11716 comm="49.winbind" scontext=system_u:system_r:smbcontrol_t:s0 tcontext=system_u:system_r:ctdbd_t:s0 tclass=process
type=AVC msg=audit(1450103321.941:71910): avc:  denied  { sigchld } for  pid=11225 comm="49.winbind" scontext=system_u:system_r:smbcontrol_t:s0 tcontext=system_u:system:

This is the log from ctdb, which shows the ctdb scriptstatus:

*****************************************************************
2015/12/14 19:58:59.021033 [22865]: Event script '49.winbind takeip eth0 10.70.47.175 22' timed out after 29.9s, count: 0, pid: 11715
2015/12/14 19:58:59.021071 [22865]: Ignoring hung script for eth0 10.70.47.175 22 call 5
2015/12/14 19:58:59.115333 [22865]: Hung-script: ===== Start of hung script debug for PID="11715", event="takeip" =====
2015/12/14 19:58:59.115365 [22865]: Hung-script: pstree -p -a 11715:
2015/12/14 19:58:59.134471 [22865]: Hung-script: /proc/1: Permission denied
2015/12/14 19:58:59.134658 [22865]: Hung-script: 
2015/12/14 19:58:59.182444 [22865]: Hung-script: ---- ctdb scriptstatus takeip: ----
2015/12/14 19:58:59.199553 [22865]: Hung-script: 11 scripts were executed last takeip cycle
2015/12/14 19:58:59.199662 [22865]: Hung-script: 00.ctdb              Status:OK    Duration:0.017 Mon Dec 14 19:58:29 2015
2015/12/14 19:58:59.199703 [22865]: Hung-script: 01.reclock           Status:OK    Duration:0.011 Mon Dec 14 19:58:29 2015
2015/12/14 19:58:59.199735 [22865]: Hung-script: 10.interface         Status:OK    Duration:0.026 Mon Dec 14 19:58:29 2015
2015/12/14 19:58:59.199766 [22865]: Hung-script: 11.natgw             Status:OK    Duration:0.012 Mon Dec 14 19:58:29 2015
2015/12/14 19:58:59.199796 [22865]: Hung-script: 11.routing           Status:OK    Duration:0.011 Mon Dec 14 19:58:29 2015
2015/12/14 19:58:59.199826 [22865]: Hung-script: 13.per_ip_routing    Status:OK    Duration:0.011 Mon Dec 14 19:58:29 2015
2015/12/14 19:58:59.199855 [22865]: Hung-script: 20.multipathd        Status:OK    Duration:0.010 Mon Dec 14 19:58:29 2015
2015/12/14 19:58:59.199884 [22865]: Hung-script: 31.clamd             Status:OK    Duration:0.015 Mon Dec 14 19:58:29 2015
2015/12/14 19:58:59.199909 [22865]: Hung-script: 40.fs_use            Status:DISABLED    
2015/12/14 19:58:59.199939 [22865]: Hung-script: 40.vsftpd            Status:OK    Duration:0.013 Mon Dec 14 19:58:29 2015
2015/12/14 19:58:59.199968 [22865]: Hung-script: 41.httpd             Status:OK    Duration:0.011 Mon Dec 14 19:58:29 2015
2015/12/14 19:58:59.200000 [22865]: Hung-script: 49.winbind           Status:TIMEDOUT    Mon Dec 14 19:58:29 2015
2015/12/14 19:58:59.200022 [22865]: Hung-script:    OUTPUT:
2015/12/14 19:58:59.204283 [22865]: Hung-script: ===== End of hung script debug for PID="11715", event="takeip" =====


Version-Release number of selected component (if applicable):
ctdb-4.2.4-6.el7rhgs.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Explained in the description

Actual results:
AVCs are seen when ctdb disablescript 49.winbind is executed and the winbind service is stopped; it tries to execute smbcontrol, which throws AVCs.

Expected results:
There should not be any AVCs seen.

Additional info:
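
The AVC records above can be matched mechanically, so that a fresh denial on a node can be checked against this known issue (source type smbcontrol_t, target type ctdbd_t, class process, permission sigchld) rather than lumped together with unrelated denials. The script below is an added example and is not part of this bug report or of the ctdb, samba or selinux-policy code. The first sample line is the report's own first AVC; the other sample lines, the function names and the field parser are constructed for illustration.

```python
import re
from typing import Dict, List, Optional, Tuple

# "avc:  denied  { sigchld }" -> result and the space-separated permission set.
AVC_RESULT_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}")
# key=value pairs of an audit record; values are either quoted or a bare token.
AVC_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample input. The first line is taken from the report; the
# remaining lines are made up to show a non-AVC record, a second hit for the
# 50.samba event script, and an unrelated denial that must be filtered out.
SAMPLE_AUDIT_LINES = [
    'type=AVC msg=audit(1450103321.941:71909): avc:  denied  { sigchld } for  pid=11716 comm="49.winbind" scontext=system_u:system_r:smbcontrol_t:s0 tcontext=system_u:system_r:ctdbd_t:s0 tclass=process',
    'type=SYSCALL msg=audit(1450103321.941:71909): arch=c000003e syscall=62 success=no exit=-13',
    'type=AVC msg=audit(1450103322.102:71911): avc:  denied  { sigchld } for  pid=11230 comm="50.samba" scontext=system_u:system_r:smbcontrol_t:s0 tcontext=system_u:system_r:ctdbd_t:s0 tclass=process',
    'type=AVC msg=audit(1450103330.500:71920): avc:  denied  { read } for  pid=2201 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file',
]


def parse_avc(line: str) -> Optional[Dict[str, object]]:
    """Parse one audit AVC record into a dict; return None for any other record type."""
    if not line.startswith("type=AVC"):
        return None
    result = AVC_RESULT_RE.search(line)
    if result is None:
        return None
    rec: Dict[str, object] = {
        "result": result.group(1),
        "perms": result.group(2).split(),
    }
    for key, value in AVC_FIELD_RE.findall(line):
        rec[key] = value.strip('"')
    return rec


def context_type(ctx: str) -> str:
    """Return the type component of an SELinux context (user:role:type:level)."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def is_ctdb_smbcontrol_denial(rec: Dict[str, object]) -> bool:
    """True when the record is the denial described in this bug:
    an smbcontrol_t process signalling its ctdbd_t parent (sigchld) is denied."""
    return (
        rec.get("result") == "denied"
        and context_type(str(rec.get("scontext", ""))) == "smbcontrol_t"
        and context_type(str(rec.get("tcontext", ""))) == "ctdbd_t"
        and rec.get("tclass") == "process"
        and "sigchld" in rec.get("perms", [])
    )


def ctdb_smbcontrol_denials(lines: List[str]) -> List[Dict[str, object]]:
    """Return only the records that match the known ctdb/smbcontrol denial."""
    hits = []
    for line in lines:
        rec = parse_avc(line)
        if rec is not None and is_ctdb_smbcontrol_denial(rec):
            hits.append(rec)
    return hits


def summarize_denials(lines: List[str]) -> Dict[Tuple[str, str, str, str], int]:
    """Count denials by (source type, target type, class, permission); this is the
    shape a policy review works from, one entry per distinct rule that would be needed."""
    counts: Dict[Tuple[str, str, str, str], int] = {}
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        for perm in rec["perms"]:
            key = (
                context_type(str(rec["scontext"])),
                context_type(str(rec["tcontext"])),
                str(rec["tclass"]),
                perm,
            )
            counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for hit in ctdb_smbcontrol_denials(SAMPLE_AUDIT_LINES):
        print("known ctdb/smbcontrol denial: pid=%s comm=%s" % (hit["pid"], hit["comm"]))
    for key, count in sorted(summarize_denials(SAMPLE_AUDIT_LINES).items()):
        print("%-14s -> %-14s %-8s %-8s x%d" % (key + (count,)))
```

On a real node the input would be the AVC lines from `ausearch -m AVC` (or /var/log/audit/audit.log) instead of the constructed list; the summary table tells you whether every remaining denial is this one known issue or whether something else is also being blocked.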

Comment 2 Michael Adam 2015-12-21 20:28:18 UTC
We really should have some fix or workaround for this.

Ultimately this needs to be fixed in RHEL selinux policy, as far as I can tell, but this is broken in RHGS installs using CTDB_MANAGES_WINBIND for CTDB.

Comment 3 Michael Adam 2015-12-22 12:03:12 UTC
The new AD documentation guide documents the use of CTDB_MANAGES_WINBIND=yes, and this was a possibility before. This bug will prevent this setup from fully working. It is important to

1. get it fixed in RHEL
2. if possible get a workaround (in the form of a local policy?) in the samba RPM.

Comment 5 Michael Adam 2016-02-01 22:52:05 UTC
"prevents smbcontrol from using ctdb's 49.winbind event script" is wrong.

Correct is:

"prevents ctdb's 49.winbind event script from executing smbcontrol"

Comment 7 Michael Adam 2016-02-03 12:00:30 UTC
Thanks, the text is good now!

Comment 12 Amar Tumballi 2018-04-19 04:17:13 UTC
Closed the samba bugs in bulk when PM_Score was less than 0. As the team was working on a few of them, reopening all of them.