Bug 1589257

Summary: SELinux map denials for dlm_controld
Product: Red Hat Enterprise Linux 7
Component: selinux-policy
Version: 7.6
Hardware: All
OS: Linux
Status: CLOSED ERRATA
Severity: unspecified
Priority: unspecified
Target Milestone: beta
Reporter: Nate Straz <nstraz>
Assignee: Lukas Vrabec <lvrabec>
QA Contact: Milos Malik <mmalik>
CC: cluster-qe, cmarthal, gfs2-maint, lvrabec, mgrepl, mmalik, nstraz, plautrba, ssekidde
Fixed In Version: selinux-policy-3.13.1-207.el7
Last Closed: 2018-10-30 10:05:18 UTC
Type: Bug
Bug Depends On: 1460322, 1592244

Description Nate Straz 2018-06-08 14:20:59 UTC
Description of problem:

The new map permission is preventing dlm_controld from working.

time->Fri Jun  8 08:25:47 2018
type=PROCTITLE msg=audit(1528464347.834:1820): proctitle=646C6D5F636F6E74726F6C64002D730030
type=SYSCALL msg=audit(1528464347.834:1820): arch=c000003e syscall=62 success=yes exit=0 a0=1988 a1=0 a2=31bdcd43 a3=7f33d9eaac8c items=0 ppid=1 pid=6837 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dlm_controld" exe="/usr/sbin/dlm_controld" subj=system_u:system_r:dlm_controld_t:s0 key=(null)
type=AVC msg=audit(1528464347.834:1820): avc:  denied  { signull } for  pid=6837 comm="dlm_controld" scontext=system_u:system_r:dlm_controld_t:s0 tcontext=system_u:system_r:cluster_t:s0 tclass=process permissive=1
----
time->Fri Jun  8 08:28:13 2018
type=PROCTITLE msg=audit(1528464493.898:2011): proctitle=646C6D5F636F6E74726F6C64002D730030
type=SYSCALL msg=audit(1528464493.898:2011): arch=c000003e syscall=9 success=yes exit=140103362539520 a0=0 a1=203c a2=3 a3=1 items=0 ppid=1 pid=3313 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dlm_controld" exe="/usr/sbin/dlm_controld" subj=system_u:system_r:dlm_controld_t:s0 key=(null)
type=AVC msg=audit(1528464493.898:2011): avc:  denied  { map } for  pid=3313 comm="dlm_controld" path="/dev/shm/qb-cfg-request-2950-3313-26-header" dev="tmpfs" ino=184402 scontext=system_u:system_r:dlm_controld_t:s0 tcontext=system_u:object_r:cluster_tmpfs_t:s0 tclass=file permissive=1

#============= dlm_controld_t ==============
allow dlm_controld_t cluster_t:process signull;
allow dlm_controld_t cluster_tmpfs_t:file map;


Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-202.el7.noarch

How reproducible:
Easily

Steps to Reproduce:
1. Try to start dlm or clvmd in a cluster

Comment 1 Milos Malik 2018-06-08 14:48:36 UTC
Which repository do I need to successfully install /usr/sbin/dlm_controld ?

Comment 2 Nate Straz 2018-06-08 15:27:50 UTC
The dlm package is in the ResilientStorage add-on.

Comment 4 Lukas Vrabec 2018-06-28 07:52:05 UTC
*** Bug 1595961 has been marked as a duplicate of this bug. ***

Comment 5 Corey Marthaler 2018-06-28 14:56:36 UTC
If bug 1595961 is a dup of this one, then it's not fixed yet since I'm running 3.13.1-204.el7

type=SYSCALL msg=audit(1530137630.720:4282): arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=203c a2=3 a3=1 items=0 ppid=55019 pid=55048 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dlm_controld" exe="/usr/sbin/dlm_controld" subj=system_u:system_r:dlm_controld_t:s0 key=(null)
type=PROCTITLE msg=audit(1530137630.720:4282): proctitle=646C6D5F636F6E74726F6C64002D7330002D44

type=AVC msg=audit(1530138242.266:4283): avc:  denied  { map } for  pid=56401 comm="dlm_controld" path="/dev/shm/qb-cfg-request-40924-56401-25-header" dev="tmpfs" ino=474115 scontext=system_u:system_r:dlm_controld_t:s0 tcontext=system_u:object_r:cluster_tmpfs_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1530138242.266:4283): arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=203c a2=3 a3=1 items=0 ppid=1 pid=56401 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dlm_controld" exe="/usr/sbin/dlm_controld" subj=system_u:system_r:dlm_controld_t:s0 key=(null)


[root@harding-02 audit]# ausearch -m AVC -ts yesterday | audit2allow

#============= dlm_controld_t ==============
allow dlm_controld_t cluster_tmpfs_t:file map;



[root@harding-02 audit]# rpm -qi selinux-policy
Name        : selinux-policy
Version     : 3.13.1
Release     : 204.el7
Architecture: noarch
Install Date: Tue 26 Jun 2018 10:46:53 AM CDT
Group       : System Environment/Base
Size        : 6478
License     : GPLv2+
Signature   : RSA/SHA256, Thu 14 Jun 2018 01:58:39 PM CDT, Key ID 199e2f91fd431d51
Source RPM  : selinux-policy-3.13.1-204.el7.src.rpm
Build Date  : Thu 14 Jun 2018 11:52:43 AM CDT
Build Host  : arm64-011.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : http://oss.tresys.com/repos/refpolicy/
Summary     : SELinux policy configuration
Description :
SELinux Reference Policy - modular.
Based off of reference policy: Checked out revision  2.20091117
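
Added example, not part of the original report or of the selinux-policy project: Python that parses the AVC records quoted in the description and in comment 5, rebuilds the allow rules audit2allow printed, marks which denials were actually enforced (permissive=0), and decodes the hex PROCTITLE argv. The function and variable names are hypothetical; the sample records are copied from the excerpts above.

```python
import re

# Sample records copied from the audit excerpts in this report (description and comment 5).
SAMPLE = '''\
type=AVC msg=audit(1528464347.834:1820): avc:  denied  { signull } for  pid=6837 comm="dlm_controld" scontext=system_u:system_r:dlm_controld_t:s0 tcontext=system_u:system_r:cluster_t:s0 tclass=process permissive=1
type=AVC msg=audit(1528464493.898:2011): avc:  denied  { map } for  pid=3313 comm="dlm_controld" path="/dev/shm/qb-cfg-request-2950-3313-26-header" dev="tmpfs" ino=184402 scontext=system_u:system_r:dlm_controld_t:s0 tcontext=system_u:object_r:cluster_tmpfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1530138242.266:4283): avc:  denied  { map } for  pid=56401 comm="dlm_controld" path="/dev/shm/qb-cfg-request-40924-56401-25-header" dev="tmpfs" ino=474115 scontext=system_u:system_r:dlm_controld_t:s0 tcontext=system_u:object_r:cluster_tmpfs_t:s0 tclass=file permissive=0
'''
PROCTITLE_HEX = "646C6D5F636F6E74726F6C64002D730030"  # PROCTITLE value from the description

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+"
    r"\{ (?P<perms>[^}]+) \}.*?scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) "
    r"tclass=(?P<tclass>\S+) permissive=(?P<permissive>[01])"
)

def selinux_type(context):
    """Return the type field of a user:role:type:level security context."""
    return context.split(":")[2]

def parse_avc(log):
    """One dict per denial: source type, target type, class, perms, and enforcement."""
    denials = []
    for m in AVC_RE.finditer(log):
        denials.append({
            "serial": int(m["serial"]),
            "rule": (selinux_type(m["scon"]), selinux_type(m["tcon"]), m["tclass"]),
            "perms": m["perms"].split(),
            "blocked": m["permissive"] == "0",  # permissive=1 is logged but not enforced
        })
    return denials

def allow_rules(denials):
    """Merge denials into allow statements in the form audit2allow prints."""
    merged = {}
    for d in denials:
        merged.setdefault(d["rule"], set()).update(d["perms"])
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return rules

def decode_proctitle(hex_value):
    """Decode a hex-encoded PROCTITLE value into argv (NUL-separated); hex form only."""
    return bytes.fromhex(hex_value).decode("utf-8", "replace").split("\x00")

if __name__ == "__main__":
    print(allow_rules(parse_avc(SAMPLE)), decode_proctitle(PROCTITLE_HEX))
```

In the excerpts, the permissive=1 denials sit beside SYSCALL records with success=yes, while the permissive=0 denial in comment 5 sits beside mmap (syscall=9 on x86_64) failing with exit=-13.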

Comment 7 Corey Marthaler 2018-07-02 20:30:45 UTC
Fix verified in selinux-policy-3.13.1-207.el7.

Comment 9 errata-xmlrpc 2018-10-30 10:05:18 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3111