Bug 1349798

Summary: Denial AVC's related to dbus daemon is seen in audit.logs
Product: Red Hat Enterprise Linux 7
Reporter: Shashank Raj <sraj>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: high
Docs Contact: Mirek Jahoda <mjahoda>
Priority: high
Version: 7.2
CC: aloganat, bkunal, jthottan, kkeithle, lvrabec, mgrepl, mmalik, mzywusko, ndevos, plautrba, pprakash, pvrabec, rcyriac, rhs-bugs, sbhaloth, skoduri, ssekidde, storage-qa-internal
Target Milestone: rc
Keywords: ZStream
Target Release: ---
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version: selinux-policy-3.13.1-107.el7
Doc Type: Bug Fix
Doc Text:
Cause: Configuring ganesha (2.3.1-8). Consequence: SELinux denials appeared in audit.log. These AVCs block communication between the cluster_t domain and the fprintd_t domain via dbus. Fix: Allow communication between cluster_t and fprintd_t via dbus in the SELinux policy. Result: The cluster_t and fprintd_t domains can communicate via dbus and there are no denials in audit.log.
Story Points: ---
Clone Of: 1349796
Clones: 1393494
Environment:
Last Closed: 2017-08-01 15:12:40 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1393494

Comment 4 Shashank Raj 2016-09-30 11:22:39 UTC
This issue is seen with RHEL 7 in recent testing because of which pcs cluster authentication sometimes fails and results in failure of setting up nfs-ganesha cluster.

Mostly seen while we install RHGS using ISO.

We will be needing a fix for this in RHEL 7 next update

Comment 6 surabhi 2016-11-08 18:42:40 UTC
I tried setting up ganesha on RHGS ISO based on RHEL7.3 and encountered following avc's:

type=USER_AVC msg=audit(1478610842.335:9956): pid=700 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.955 spid=27072 tpid=26238 scontext=system_u:system_r:fprintd_t:s0 tcontext=system_u:system_r:cluster_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'


and the pcs cluster auth fails with following error

:failed: [10.70.47.161] (item=10.70.46.128) => {"changed": true, "cmd": "pcs cluster auth -u hacluster -p hacluster 10.70.46.128", "delta": "0:00:55.672225", "end": "2016-11-08 08:44:01.921278", "failed": true, "item": "10.70.46.128", "rc": 1, "start": "2016-11-08 08:43:06.249053", "stderr": "Error: Unable to communicate with 10.70.46.128", "stdout": "", "stdout_lines": [], "warnings": []}

This needs to be fixed sooner as nfs-ganesha setup will fail on 7.3 based RHGS ISO.

Comment 7 surabhi 2016-11-09 08:15:41 UTC
Please suggest the workaround or local policy for this issue.

Comment 8 Milos Malik 2016-11-09 09:20:01 UTC
# cat bz1349798.te 
policy_module(bz1349798,1.0)

require {
  type fprintd_t;
  type cluster_t;
  class dbus { send_msg };
}

allow fprintd_t cluster_t : dbus { send_msg };
allow cluster_t fprintd_t : dbus { send_msg };

# make -f /usr/share/selinux/devel/Makefile 
Compiling targeted bz1349798 module
/usr/bin/checkmodule:  loading policy configuration from tmp/bz1349798.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 17) to tmp/bz1349798.mod
Creating targeted bz1349798.pp policy package
rm tmp/bz1349798.mod tmp/bz1349798.mod.fc
# semodule -i bz1349798.pp
#

Comment 9 surabhi 2016-11-09 09:49:55 UTC
Verified above policy and it works fine. The hacluster error is not seen and there are no AVC's.

Comment 10 Soumya Koduri 2016-11-09 10:12:53 UTC
Milos,
Do you have any insights on why these AVCs are seen with only ISO but not with layered install of RHGS server on RHEL7?

Comment 11 Milos Malik 2016-11-09 10:59:54 UTC
The D-Bus communication, which was denied, involves two processes (not counting the system D-Bus server). One of them is running under cluster_t and the second one under fprintd_t. The fact that we don't see the SELinux denials could be caused by:
* fprintd package was not installed or there was no process running under fprintd_t context
* there was no process running under cluster_t
* audit daemon (which collects SELinux denials) was not running
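The local module in comment 8 was written by hand from the USER_AVC line in comment 6. As an added example (not code from this bug report or from Red Hat), the script below derives the same kind of module from audit lines: it keeps only denials of class `dbus`, reduces the source and target contexts to their type fields, de-duplicates the (source, target, permission) triples, and renders a `.te` file in the layout comment 8 uses. Restricting to the `dbus` class is deliberate: a blanket `audit2allow` run over the whole log would also turn unrelated denials (such as file access) into allow rules, which is more than this bug needs. Unlike comment 8, which allows both directions up front, this script only emits rules for directions actually observed, so both directions appear only because both appear in the input. The sample log reuses the denial quoted in comment 6 and adds two constructed lines (a reverse-direction dbus denial and a non-dbus AVC that must be ignored); the function names and the regular expression are my own and are not an SELinux or audit API.

```python
import re
from collections import OrderedDict

# Constructed sample audit.log excerpt for this example.
# Line 1 is the denial quoted in comment 6 of this bug.
# Line 2 is a constructed denial in the opposite direction (cluster_t -> fprintd_t).
# Line 3 is a constructed non-dbus denial that the generator must not turn into a rule.
SAMPLE_AUDIT_LOG = """\
type=USER_AVC msg=audit(1478610842.335:9956): pid=700 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.955 spid=27072 tpid=26238 scontext=system_u:system_r:fprintd_t:s0 tcontext=system_u:system_r:cluster_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1478610842.300:9955): pid=700 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call dest=org.freedesktop.fprintd spid=26238 tpid=27072 scontext=system_u:system_r:cluster_t:s0 tcontext=system_u:system_r:fprintd_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=AVC msg=audit(1478610842.400:9957): avc:  denied  { read } for  pid=1234 comm="example" name="example" scontext=system_u:system_r:cluster_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
"""

# Matches the "avc: denied { perms } ... scontext=... tcontext=... tclass=..." part
# that both kernel AVC records and D-Bus USER_AVC records share.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Return the type field of a user:role:type:level security context."""
    return ctx.split(":")[2]


def parse_dbus_denials(log_text):
    """Return a de-duplicated, order-preserving list of
    (source_type, target_type, permission) for denials of class dbus only."""
    seen = OrderedDict()
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or m.group("tclass") != "dbus":
            continue  # not a denial, or not a D-Bus denial: out of scope
        src = context_type(m.group("scontext"))
        dst = context_type(m.group("tcontext"))
        for perm in m.group("perms").split():
            seen[(src, dst, perm)] = None
    return list(seen)


def render_te_module(name, version, rules):
    """Render a .te policy source in the layout used by comment 8."""
    types = sorted({t for rule in rules for t in rule[:2]})
    perms = sorted({rule[2] for rule in rules})
    lines = ["policy_module(%s,%s)" % (name, version), "", "require {"]
    lines += ["  type %s;" % t for t in types]
    lines.append("  class dbus { %s };" % " ".join(perms))
    lines += ["}", ""]
    lines += ["allow %s %s : dbus { %s };" % (src, dst, perm) for src, dst, perm in rules]
    return "\n".join(lines) + "\n"


def build_module_from_log(log_text, name="bz1349798", version="1.0"):
    """Convenience wrapper: audit text in, .te source out."""
    return render_te_module(name, version, parse_dbus_denials(log_text))


if __name__ == "__main__":
    # Write the output to bz1349798.te, then build and install it as in comment 8.
    print(build_module_from_log(SAMPLE_AUDIT_LOG), end="")
```

Running the script against a real audit.log (for example `grep -F 'tclass=dbus' /var/log/audit/audit.log | python3 gen_dbus_te.py`, after changing it to read stdin) gives a `.te` file to feed into `make -f /usr/share/selinux/devel/Makefile` and `semodule -i`, exactly the steps in comment 8. The module is a stop-gap: once selinux-policy-3.13.1-107.el7 (the fixed version recorded on this bug) is installed, the local module should be removed again with `semodule -r` so that no site-specific allow rules outlive the upstream fix.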

Comment 12 Bipin Kunal 2016-11-09 11:34:20 UTC
With the last comment (C#11), it seems that it is possible to see the issue even with a layered install if we meet the above criteria.

Maybe the QE team should test a layered install with the above scenario (C#11) as well.

This will help us in documenting issue properly till the time issue gets fixed in RHEL.

Comment 13 Bipin Kunal 2016-11-09 11:37:14 UTC
I obviously meant above comment for Gluster team.

Comment 19 surabhi 2016-11-18 09:21:11 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=1349796 is verified on RHGS with latest selinux build.

selinux-policy-3.13.1-102.el7_3.6

Comment 22 errata-xmlrpc 2017-08-01 15:12:40 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1861