Bug 1349798
| Field | Value |
|---|---|
| Summary | Denial AVC's related to dbus daemon is seen in audit.logs |
| Product | Red Hat Enterprise Linux 7 |
| Reporter | Shashank Raj <sraj> |
| Component | selinux-policy |
| Assignee | Lukas Vrabec <lvrabec> |
| Status | CLOSED ERRATA |
| QA Contact | Milos Malik <mmalik> |
| Severity | high |
| Docs Contact | Mirek Jahoda <mjahoda> |
| Priority | high |
| Version | 7.2 |
| CC | aloganat, bkunal, jthottan, kkeithle, lvrabec, mgrepl, mmalik, mzywusko, ndevos, plautrba, pprakash, pvrabec, rcyriac, rhs-bugs, sbhaloth, skoduri, ssekidde, storage-qa-internal |
| Target Milestone | rc |
| Keywords | ZStream |
| Target Release | --- |
| Hardware | x86_64 |
| OS | Linux |
| Fixed In Version | selinux-policy-3.13.1-107.el7 |
| Doc Type | Bug Fix |
| Story Points | --- |
| Clone Of | 1349796 |
|  | 1393494 (view as bug list) |
| Last Closed | 2017-08-01 15:12:40 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
| Bug Blocks | 1393494 |

Doc Text:

Cause:
Configuring ganesha (2.3.1-8).

Consequence:
SELinux denials appeared in audit.log. These AVCs block communication between the cluster_t domain and the fprintd_t domain via dbus.

Fix:
Allow communication between cluster_t and fprintd_t via dbus in the SELinux security policy.

Result:
The cluster_t and fprintd_t domains can communicate via dbus and there are no denials in audit.log.
Comment 4
Shashank Raj
2016-09-30 11:22:39 UTC
I tried setting up ganesha on RHGS ISO based on RHEL7.3 and encountered the following AVCs:

    type=USER_AVC msg=audit(1478610842.335:9956): pid=700 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.955 spid=27072 tpid=26238 scontext=system_u:system_r:fprintd_t:s0 tcontext=system_u:system_r:cluster_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

and the pcs cluster auth fails with the following error:

    failed: [10.70.47.161] (item=10.70.46.128) => {"changed": true, "cmd": "pcs cluster auth -u hacluster -p hacluster 10.70.46.128", "delta": "0:00:55.672225", "end": "2016-11-08 08:44:01.921278", "failed": true, "item": "10.70.46.128", "rc": 1, "start": "2016-11-08 08:43:06.249053", "stderr": "Error: Unable to communicate with 10.70.46.128", "stdout": "", "stdout_lines": [], "warnings": []}

This needs to be fixed sooner as nfs-ganesha setup will fail on 7.3 based RHGS ISO. Please suggest the workaround or local policy for this issue.

    # cat bz1349798.te
    policy_module(bz1349798,1.0)

    require {
        type fprintd_t;
        type cluster_t;
        class dbus { send_msg };
    }

    allow fprintd_t cluster_t : dbus { send_msg };
    allow cluster_t fprintd_t : dbus { send_msg };

    # make -f /usr/share/selinux/devel/Makefile
    Compiling targeted bz1349798 module
    /usr/bin/checkmodule: loading policy configuration from tmp/bz1349798.tmp
    /usr/bin/checkmodule: policy configuration loaded
    /usr/bin/checkmodule: writing binary representation (version 17) to tmp/bz1349798.mod
    Creating targeted bz1349798.pp policy package
    rm tmp/bz1349798.mod tmp/bz1349798.mod.fc
    # semodule -i bz1349798.pp
    #

Verified above policy and it works fine. The hacluster error is not seen and there are no AVCs.

Milos, do you have any insights on why these AVCs are seen with only ISO but not with layered install of RHGS server on RHEL7?
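The local-policy workaround above is what `audit2allow` would produce from the denied record, plus the reverse direction that the reporter added by hand. As an added illustration (not code from the bug report or from the selinux-policy project), the following script parses AVC denial records, collapses them to one rule per (source type, target type, class), and renders a `.te` module of the same shape as `bz1349798.te`. It assumes the `USER_AVC` line quoted in the comment as input, adds a constructed kernel-style `AVC` line to show the same parser covers both record flavours, and uses names (`parse_avc`, `build_te`, `te_from_audit`) that are invented for this example.

```python
import re

# Constructed sample input: the USER_AVC record quoted in this bug report, re-wrapped
# here for readability, plus a constructed kernel-style AVC line (not from the report)
# to show that the same parser handles both record flavours.
USER_AVC_LINE = (
    "type=USER_AVC msg=audit(1478610842.335:9956): pid=700 uid=81 auid=4294967295 "
    "ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 "
    "msg='avc: denied { send_msg } for msgtype=method_return dest=:1.955 spid=27072 "
    "tpid=26238 scontext=system_u:system_r:fprintd_t:s0 "
    "tcontext=system_u:system_r:cluster_t:s0 tclass=dbus exe=\"/usr/bin/dbus-daemon\" "
    "sauid=81 hostname=? addr=? terminal=?'"
)
KERNEL_AVC_LINE = (  # constructed sample, not taken from the bug report
    "type=AVC msg=audit(1478610900.100:9999): avc:  denied  { read open } for pid=26238 "
    "comm=\"pcsd\" name=\"example.log\" dev=\"dm-0\" ino=1234 "
    "scontext=system_u:system_r:cluster_t:s0 tcontext=system_u:object_r:var_log_t:s0 "
    "tclass=file permissive=0"
)

# Matches the common core of kernel AVC and USER_AVC denial records:
# "avc: denied { perms } ... scontext=... tcontext=... tclass=..."
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+).*?tcontext=(?P<tcontext>\S+).*?tclass=(?P<tclass>\S+)"
)


def _type_of(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one audit line; return a denial dict, or None if it is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "perms": m.group("perms").split(),
        "source": _type_of(m.group("scontext")),
        "target": _type_of(m.group("tcontext")),
        "tclass": m.group("tclass"),
    }


def merge_denials(denials):
    """Collapse denials to one (source, target, class) -> set(perms) entry each."""
    merged = {}
    for d in denials:
        key = (d["source"], d["target"], d["tclass"])
        merged.setdefault(key, set()).update(d["perms"])
    return merged


def build_te(module, version, denials):
    """Render a .te module that allows exactly the observed denials (audit2allow style)."""
    merged = merge_denials(denials)
    types = sorted({s for s, _, _ in merged} | {t for _, t, _ in merged})
    class_perms = {}
    for (_, _, cls), perms in merged.items():
        class_perms.setdefault(cls, set()).update(perms)
    lines = [f"policy_module({module}, {version})", "", "require {"]
    lines += [f"    type {t};" for t in types]
    lines += [f"    class {c} {{ {' '.join(sorted(p))} }};"
              for c, p in sorted(class_perms.items())]
    lines += ["}", ""]
    lines += [f"allow {s} {t} : {c} {{ {' '.join(sorted(p))} }};"
              for (s, t, c), p in sorted(merged.items())]
    return "\n".join(lines) + "\n"


def te_from_audit(module, version, audit_lines):
    """Parse every line, skip anything that is not a denial, and render the module."""
    denials = [d for d in map(parse_avc, audit_lines) if d]
    return build_te(module, version, denials)


if __name__ == "__main__":
    print(te_from_audit("bz1349798", "1.0",
                        [USER_AVC_LINE, KERNEL_AVC_LINE, "type=SYSCALL unrelated line"]))
```

Note that the single record in the report only shows the `method_return` leg (fprintd_t sending to cluster_t), so a generator like this emits just `allow fprintd_t cluster_t : dbus { send_msg };`; the reporter's module also allows the request leg from cluster_t to fprintd_t, which is the rule you would expect to need as soon as the reply is permitted and the next call is audited. Rules derived this way should be reviewed against the real policy before loading them, since they grant exactly what was denied and nothing narrower.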
The D-Bus communication which was denied involves two processes (not counting the system D-Bus server). One of them is running under cluster_t and the second as fprintd_t. The fact that we don't see the SELinux denials could be caused by:

* fprintd package was not installed or there was no process running under fprintd_t context
* there was no process running under cluster_t
* audit daemon (which collects SELinux denials) was not running

With the last comment (C#11) it seems that it is possible to see the issue even with layered install if we meet the above criteria. Maybe QE team should test layered install with the above scenario (C#11) as well. This will help us in documenting the issue properly till the time the issue gets fixed in RHEL.

I obviously meant the above comment for Gluster team.

https://bugzilla.redhat.com/show_bug.cgi?id=1349796 is verified on RHGS with latest selinux build: selinux-policy-3.13.1-102.el7_3.6

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1861