Bug 1514121

Summary: SELinux: apache can't bind port 10080
Product: [Red Hat Storage] Red Hat Gluster Storage Reporter: Martin Bukatovic <mbukatov>
Component: web-admin-tendrl-selinuxAssignee: Nishanth Thomas <nthomas>
Status: CLOSED ERRATA QA Contact: Martin Bukatovic <mbukatov>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: rhgs-3.3CC: mkudlej, rcyriac, rhs-bugs, sanandpa, sankarshan, sds-qe-bugs
Target Milestone: ---Keywords: Security, SELinux, ZStream
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: tendrl-selinux-1.5.4-1.el7rhgs.noarch Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-12-18 04:37:04 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1514098    

Description Martin Bukatovic 2017-11-16 16:55:12 UTC 
Description of problem
======================

There is avc denial for apache trying to bind port 10080 (aka amanda port)
on Tendrl Server machine (the machine where RHGS WA is running).

Version-Release
===============

# rpm -qa | grep selinux | sort
carbon-selinux-1.5.3-2.el7rhgs.noarch
libselinux-2.5-11.el7.x86_64
libselinux-python-2.5-11.el7.x86_64
libselinux-utils-2.5-11.el7.x86_64
selinux-policy-3.13.1-166.el7_4.5.noarch
selinux-policy-targeted-3.13.1-166.el7_4.5.noarch
tendrl-grafana-selinux-1.5.3-2.el7rhgs.noarch
tendrl-selinux-1.5.3-2.el7rhgs.noarch

How reproducible
================

100 %

Steps to Reproduce
==================

1. Prepare machines with GlusterFS cluster, including some volume.
2. Install RHGS WA via tendrl-ansible there
   (this means that we are going to run in permissive mode system wide)
3. Log into the server machine, and check for avc error messages via:
   ausearch -m avc

Actual results
==============

In audit logs, there is the following SELinux denial:

```
# ausearch -m avc
----
time->Wed Nov 15 12:14:17 2017
type=PROCTITLE msg=audit(1510766057.727:3657): proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44
type=SYSCALL msg=audit(1510766057.727:3657): arch=c000003e syscall=49 success=yes exit=0 a0=6 a1=55825d6d83a8 a2=1c a3=7ffedd5fa00c items=0 ppid=1 pid=19190 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1510766057.727:3657): avc:  denied  { name_bind } for  pid=19190 comm="httpd" src=10080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:amanda_port_t:s0 tclass=tcp_socket
```

This means that SELinux would prevent apache from listening on port 10080
(aka amanda port).

Expected results
================

There is no avc SELinux denial in audit logs.

Additional info
===============

See the upstream issue for more details:

https://github.com/Tendrl/tendrl-selinux/issues/1
Comment 2 Martin Bukatovic 2017-11-16 16:56:28 UTC 
Updating Version/Release section:

# rpm -qa | grep tendrl | sort 
tendrl-ansible-1.5.4-1.el7rhgs.noarch
tendrl-api-1.5.4-2.el7rhgs.noarch
tendrl-api-httpd-1.5.4-2.el7rhgs.noarch
tendrl-commons-1.5.4-2.el7rhgs.noarch
tendrl-grafana-plugins-1.5.4-3.el7rhgs.noarch
tendrl-grafana-selinux-1.5.3-2.el7rhgs.noarch
tendrl-monitoring-integration-1.5.4-3.el7rhgs.noarch
tendrl-node-agent-1.5.4-2.el7rhgs.noarch
tendrl-notifier-1.5.4-2.el7rhgs.noarch
tendrl-selinux-1.5.3-2.el7rhgs.noarch
tendrl-ui-1.5.4-2.el7rhgs.noarch
Comment 3 Martin Bukatovic 2017-11-20 08:42:35 UTC 
Moving this BZ into SELinux component.
Comment 5 Martin Bukatovic 2017-12-05 09:49:49 UTC 
Status update: there are many avc denials on both server and storage machines.

I need to investigate deeper and see which ones are actually a problem for us
(some of those, eg. from permissive domains, are expected).

Checking with tendrl-selinux-1.5.4-1.el7rhgs.noarch

[root@mbukatov-usm1-server ~] # ausearch -m avc | grep ^time | wc -l
799

[root@mbukatov-usm1-gl1 ~]# ausearch -m avc | grep ^time | wc -l
756
Comment 6 Martin Bukatovic 2017-12-05 09:52:22 UTC 
(In reply to Martin Bukatovic from comment #5)
> Status update: there are many avc denials on both server and storage
> machines.
> 
> I need to investigate deeper and see which ones are actually a problem for us
> (some of those, eg. from permissive domains, are expected).
> 
> Checking with tendrl-selinux-1.5.4-1.el7rhgs.noarch
> 
> [root@mbukatov-usm1-server ~] # ausearch -m avc | grep ^time | wc -l
> 799
> 
> [root@mbukatov-usm1-gl1 ~]# ausearch -m avc | grep ^time | wc -l
> 756

Ignore this comment, that should have been posted into tracker BZ instead.
Comment 7 Martin Bukatovic 2017-12-05 10:01:11 UTC 
Checking with: tendrl-selinux-1.5.4-1.el7rhgs.noarch

```
# rpm -qa | grep selinux | sort
carbon-selinux-1.5.4-1.el7rhgs.noarch
libselinux-2.5-11.el7.x86_64
libselinux-python-2.5-11.el7.x86_64
libselinux-utils-2.5-11.el7.x86_64
selinux-policy-3.13.1-166.el7_4.7.noarch
selinux-policy-targeted-3.13.1-166.el7_4.7.noarch
tendrl-grafana-selinux-1.5.4-1.el7rhgs.noarch
tendrl-selinux-1.5.4-1.el7rhgs.noarch
```

On RHGS WA server machine, there is no problem for apache to bind port 10080.

```
# ausearch -m avc | grep 'denied  { name_bind } for'
type=AVC msg=audit(1512465255.780:2961): avc:  denied  { name_bind } for  pid=14794 comm="puma" src=9292 scontext=system_u:system_r:tendrl_t:s0 tcontext=system_u:object_r:glance_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1512465450.079:4104): avc:  denied  { name_bind } for  pid=17214 comm="tendrl-monitori" src=8789 scontext=system_u:system_r:tendrl_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1512465463.058:4522): avc:  denied  { name_bind } for  pid=17816 comm="puma" src=9292 scontext=system_u:system_r:tendrl_t:s0 tcontext=system_u:object_r:glance_port_t:s0 tclass=tcp_socket
# lsof -i -nP | grep 10080
grafana-s 18069    grafana    4u  IPv4 170132      0t0  TCP 10.37.169.90:51460->10.37.169.90:10080 (ESTABLISHED)
httpd     31946       root    6u  IPv6 163029      0t0  TCP *:10080 (LISTEN)
httpd     31947     apache    6u  IPv6 163029      0t0  TCP *:10080 (LISTEN)
httpd     31948     apache    6u  IPv6 163029      0t0  TCP *:10080 (LISTEN)
httpd     31949     apache    6u  IPv6 163029      0t0  TCP *:10080 (LISTEN)
httpd     31950     apache    6u  IPv6 163029      0t0  TCP *:10080 (LISTEN)
httpd     31951     apache    6u  IPv6 163029      0t0  TCP *:10080 (LISTEN)
httpd     31978     apache    6u  IPv6 163029      0t0  TCP *:10080 (LISTEN)
httpd     31982     apache    6u  IPv6 163029      0t0  TCP *:10080 (LISTEN)
httpd     31983     apache    6u  IPv6 163029      0t0  TCP *:10080 (LISTEN)
```

I have installed RHGS WA and imported the cluster without any problems.
Comment 9 errata-xmlrpc 2017-12-18 04:37:04 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:3478