Bug 1472171

Summary: SELinux doesn't allow CTDB to set system resource limits
Product: [Red Hat Storage] Red Hat Gluster Storage
Reporter: Anoop C S <anoopcs>
Component: ctdb
Assignee: Anoop C S <anoopcs>
Status: CLOSED CURRENTRELEASE
QA Contact: Vivek Das <vdas>
Severity: medium
Docs Contact:
Priority: unspecified
Version: rhgs-3.3
CC: amukherj, gdeschner, rhinduja, rhs-smb, sheggodu
Target Milestone: ---
Target Release: RHGS 3.4.0
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version: selinux-policy-3.13.1-174.el7
Doc Type: Bug Fix
Doc Text:
Cause: Under 'Enforcing' mode the SELinux policy doesn't allow CTDB to change the resource limit for the maximum number of open files via the configuration parameter CTDB_MAX_OPEN_FILES. Consequence: With a higher number of client connections to the Samba-CTDB cluster, CTDB fails to operate with a "too many open files" warning, as the resource limit cannot be changed. Fix: Updated the SELinux policy to allow CTDB to change the resource limit based on its configuration parameters. Result: CTDB's resource limit for the maximum number of open files can be changed with an increasing number of clients.
Story Points: ---
Clone Of:
: 1491235
Environment:
Last Closed: 2018-09-06 04:18:01 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1491235
Bug Blocks: 1503134

Description Anoop C S 2017-07-18 08:27:52 UTC
Description of problem:
By default CTDB provides the standard way for defining a configuration parameter named CTDB_MAX_OPEN_FILES (see man ctdbd.conf(5)) which, when set to a particular value, will re-configure the resource limit for the maximum number of open files. But in an environment where SELinux is set to 'Enforcing', the following AVC denials are seen in the audit logs and thereby the corresponding limits fail to change:

type=AVC msg=audit(1500360590.186:345): avc:  denied  { sys_resource } for  pid=6031 comm="ctdbd_wrapper" capability=24  scontext=system_u:system_r:ctdbd_t:s0 tcontext=system_u:system_r:ctdbd_t:s0 tclass=capability
type=SYSCALL msg=audit(1500360590.186:345): arch=c000003e syscall=160 success=no exit=-1 a0=7 a1=7fff4bd7c780 a2=2 a3=7f8781c0dee0 items=0 ppid=1 pid=6031 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ctdbd_wrapper" exe="/usr/bin/bash" subj=system_u:system_r:ctdbd_t:s0 key=(null)

type=AVC msg=audit(1500363357.648:1214): avc:  denied  { sys_resource } for  pid=28137 comm="ctdbd_wrapper" capability=24  scontext=system_u:system_r:ctdbd_t:s0 tcontext=system_u:system_r:ctdbd_t:s0 tclass=capability
type=AVC msg=audit(1500363357.648:1214): avc:  denied  { setrlimit } for  pid=28137 comm="ctdbd_wrapper" scontext=system_u:system_r:ctdbd_t:s0 tcontext=system_u:system_r:ctdbd_t:s0 tclass=process
type=SYSCALL msg=audit(1500363357.648:1214): arch=c000003e syscall=160 success=yes exit=0 a0=7 a1=7fffd21a2c10 a2=2 a3=7f8ef21d7ee0 items=0 ppid=1 pid=28137 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ctdbd_wrapper" exe="/usr/bin/bash" subj=system_u:system_r:ctdbd_t:s0 key=(null)
Version-Release number of selected component (if applicable):
# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 7.4 Beta (Maipo)
# cat /etc/redhat-storage-release 
Red Hat Gluster Storage Server 3.3.0
# rpm -qa | grep selinux-policy
selinux-policy-targeted-3.13.1-102.el7_3.16.noarch
selinux-policy-3.13.1-102.el7_3.16.noarch
# rpm -qa | grep ctdb
ctdb-tests-4.6.3-3.el7rhgs.x86_64
ctdb-4.6.3-3.el7rhgs.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Have a RHGS Samba-CTDB setup.
2. Make sure that SELinux is set to 'Enforcing'.
# getenforce
Enforcing
3. Add the following to /etc/sysconfig/ctdb.
CTDB_MAX_OPEN_FILES=16384
4. Start/Re-start ctdb service.
5. Check the resource limit.
# cat /proc/`pgrep ctdbd`/limits | grep "open files"
Max open files            1024                 4096                 files
6. Check audit logs for AVC on sys_resource
7. Change SELinux mode from 'Enforcing' to 'Permissive'.
#setenforce 0
8. Restart ctdb service.
9. Check resource limit.
# cat /proc/`pgrep ctdbd`/limits | grep "open files"
Max open files            16384                16384                files
10. Check for AVCs in audit logs.

Actual results:
AVC denials are seen and resource limits are not changed in 'Enforcing' mode.

Expected results:
No AVCs must be present in audit logs and resource limits should be changed.

Additional info:
# sesearch --allow | grep "allow ctdbd_t ctdbd_t : capability "
   allow ctdbd_t ctdbd_t : capability { chown net_bind_service net_admin net_raw ipc_lock sys_nice } ; 
# sesearch --allow | grep "allow ctdbd_t ctdbd_t : process "
   allow ctdbd_t ctdbd_t : process { fork sigchld sigkill sigstop signull signal getsched setsched setpgid getcap } ;
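The two denials above (capability sys_resource, since syscall 160 on x86_64 is setrlimit and raising the hard limit needs CAP_SYS_RESOURCE, plus process setrlimit) are exactly what the sesearch output shows as missing. The script below is an added example, not part of this bug or of the selinux-policy fix: it parses AVC records like the ones quoted in the description, compares them with the permissions sesearch reports as already granted, and prints the TE allow rules still needed, in the spirit of what audit2allow would produce. The audit lines and the allowed-permission table are constructed from the text of this bug.

```python
import re

# Constructed sample: the AVC records quoted in the bug description
# (one record per line; the SYSCALL record is ignored by the parser).
AUDIT_LINES = [
    'type=AVC msg=audit(1500360590.186:345): avc:  denied  { sys_resource } for  pid=6031 comm="ctdbd_wrapper" capability=24  scontext=system_u:system_r:ctdbd_t:s0 tcontext=system_u:system_r:ctdbd_t:s0 tclass=capability',
    'type=AVC msg=audit(1500363357.648:1214): avc:  denied  { setrlimit } for  pid=28137 comm="ctdbd_wrapper" scontext=system_u:system_r:ctdbd_t:s0 tcontext=system_u:system_r:ctdbd_t:s0 tclass=process',
    'type=SYSCALL msg=audit(1500363357.648:1214): arch=c000003e syscall=160 success=yes exit=0',
]

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
)

def domain(ctx):
    # user:role:type:level -> type (e.g. system_u:system_r:ctdbd_t:s0 -> ctdbd_t)
    return ctx.split(':')[2]

def parse_avc(lines):
    """Return (source_type, target_type, tclass, perm) for every denied permission."""
    found = []
    for line in lines:
        m = AVC_RE.search(line)
        if not m:
            continue
        for perm in m.group('perms').split():
            found.append((domain(m.group('scon')), domain(m.group('tcon')), m.group('tclass'), perm))
    return found

def missing_rules(denials, allowed):
    """allowed maps (stype, ttype, tclass) -> set of permissions the loaded policy
    already grants (as listed by sesearch). Returns the TE allow rules that would
    still be needed to cover the denials, deduplicated and in a stable order."""
    needed = {}
    for stype, ttype, tclass, perm in denials:
        if perm in allowed.get((stype, ttype, tclass), set()):
            continue
        needed.setdefault((stype, ttype, tclass), set()).add(perm)
    rules = []
    for (stype, ttype, tclass), perms in sorted(needed.items()):
        target = 'self' if stype == ttype else ttype
        rules.append('allow %s %s:%s { %s };' % (stype, target, tclass, ' '.join(sorted(perms))))
    return rules

# Constructed from the sesearch output in "Additional info" above.
SESEARCH_ALLOWED = {
    ('ctdbd_t', 'ctdbd_t', 'capability'): {'chown', 'net_bind_service', 'net_admin', 'net_raw', 'ipc_lock', 'sys_nice'},
    ('ctdbd_t', 'ctdbd_t', 'process'): {'fork', 'sigchld', 'sigkill', 'sigstop', 'signull', 'signal', 'getsched', 'setsched', 'setpgid', 'getcap'},
}

if __name__ == '__main__':
    for rule in missing_rules(parse_avc(AUDIT_LINES), SESEARCH_ALLOWED):
        print(rule)  # prints the two allow rules for self:capability and self:process
```

Running it against the quoted records yields `allow ctdbd_t self:capability { sys_resource };` and `allow ctdbd_t self:process { setrlimit };`; once a policy that already grants both is used as the `allowed` table, the list is empty, which is the check to repeat after installing the fixed selinux-policy package.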

Comment 5 Vivek Das 2018-03-13 13:24:51 UTC
Followed the steps to reproduce

1. Have a RHGS Samba-CTDB setup.
2. Make sure that SELinux is set to 'Enforcing'.
# getenforce
Enforcing
3. Add the following to /etc/sysconfig/ctdb.
CTDB_MAX_OPEN_FILES=16384
4. Start/Re-start ctdb service.
5. Check the resource limit.
# cat /proc/`pgrep ctdbd`/limits | grep "open files"
Max open files            1024                 4096                 files
6. Check audit logs for AVC on sys_resource

No AVCs are present in audit logs and resource limits are updated.

cat /proc/`pgrep ctdbd`/limits | grep "open files"
Max open files            16384                16384                files

Version
selinux-policy-targeted-3.13.1-189.el7.noarch
samba-4.7.5-101.el7rhgs.x86_64