Bug 1671129

Summary: sbd daemon is not allowed to write/append to the /proc/sysrq-trigger
Product: Red Hat Enterprise Linux 8
Reporter: Miroslav Lisik <mlisik>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: medium
Priority: medium
Version: 8.0
CC: jerry.hoemann, lvrabec, mmalik, plautrba, ssekidde, zpytela
Target Milestone: rc
Target Release: 8.1
Hardware: Unspecified
OS: Linux
Doc Type: If docs needed, set a value
Last Closed: 2019-11-05 22:10:04 UTC
Type: Bug
Bug Depends On: 1673107, 1682526
Bug Blocks: 1671132

Description Miroslav Lisik 2019-01-30 20:13:31 UTC
Description of problem:

Sbd daemon is not allowed to write/append to the /proc/sysrq-trigger for reboot/off/panic action.

Version-Release number of selected component (if applicable):
# rpm -qa selinux-policy*
selinux-policy-targeted-3.14.1-51.el8.noarch
selinux-policy-3.14.1-51.el8.noarch

How reproducible:
always

Steps to Reproduce:

1. install sbd package

# yum -y -q install sbd

2. create loop device:

# dd if=/dev/zero of=part-00 bs=1M count=400
# losetup /dev/loop0 part-00

3. create sbd header on the loop device:

# sbd -d /dev/loop0 create
Initializing device /dev/loop0
Creating version 2.1 header on device 4 (uuid: db84b618-fb0b-4631-b6bc-54f3664d00a1)
Initializing 255 slots on device 4
Device /dev/loop0 is initialized.


4. prepare sbd configuration file

# cat > /etc/sysconfig/sbd <<EOF
# enable debug mode, which does panic instead of reboot
SBD_OPTS="-Z"
SBD_DELAY_START=no
SBD_DEVICE="/dev/loop0"
SBD_PACEMAKER=yes
SBD_STARTMODE=always
SBD_WATCHDOG_DEV=/dev/null
SBD_WATCHDOG_TIMEOUT=5
EOF

5. Modify sbd.service file to enable starting the service manually:

# sed -i "s/^RefuseManualStart=.*$/RefuseManualStart=false/" /usr/lib/systemd/system/sbd.service
# sed -i "s/^RefuseManualStop=.*$/RefuseManualStop=false/" /usr/lib/systemd/system/sbd.service
# systemctl daemon-reload

6. Start the sbd service:

# systemctl start sbd
# systemctl show sbd -p ActiveState
ActiveState=active

7. Write 'reset' message to the slot on the sbd device (use sbd's list command to get the slot name).

# sbd -d /dev/loop0 message $(sbd -d /dev/loop0 list | awk '{print $2}') reset

Broadcast message from systemd-journald.lab.eng.brq.redhat.com (Wed 2019-01-30 20:39:16 CET):

sbd[17401]:    emerg: do_exit: Rebooting system: crashdump


8. check the avc messages

# getenforce
Enforcing
# ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i
----
type=PROCTITLE msg=audit(01/30/2019 20:39:16.015:1576) : proctitle=sbd: inquisitor 
type=SYSCALL msg=audit(01/30/2019 20:39:16.015:1576) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x5652549be7ad a2=O_WRONLY|O_CREAT|O_APPEND a3=0x1b6 items=0 ppid=1 pid=17401 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sbd exe=/usr/sbin/sbd subj=system_u:system_r:sbd_t:s0 key=(null) 
type=AVC msg=audit(01/30/2019 20:39:16.015:1576) : avc:  denied  { append } for  pid=17401 comm=sbd name=sysrq-trigger dev="proc" ino=4026532092 scontext=system_u:system_r:sbd_t:s0 tcontext=system_u:object_r:sysctl_t:s0 tclass=file permissive=0


Actual results:

sbd daemon is not allowed to write/append to the /proc/sysrq-trigger

Expected results:

sbd daemon is allowed to write/append to the /proc/sysrq-trigger

----------------
Additional info:

The same issue was in bz1455631 where append/sys_boot were denied.

A 'sys_boot' issue was solved by

allow sbd_t sbd_t : capability { sys_boot }

but

allow sbd_t proc_t : dir { write }

did not help to allow append to /proc/sysrq-trigger which has different context.

# ls -lZ /proc/sysrq-trigger 
--w-------. 1 root root system_u:object_r:sysctl_t:s0 0 Jan 24 09:52 /proc/sysrq-trigger
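
The denial above names sysctl_t as the target type, which is why a rule on proc_t dirs could not cover it. As an added example (not part of the bug report or of the selinux-policy package), the following Python script reads an AVC record into the allow rule it asks for and renders a local policy module skeleton from it; the module name sbd_sysrq_local and the sample record are constructed for this example.

```python
import re

# Constructed sample: the AVC record reported for sbd (same fields as in the
# bug description, re-typed here so the example runs offline).
SAMPLE_AVC = (
    "type=AVC msg=audit(01/30/2019 20:39:16.015:1576) : avc:  denied  { append } "
    'for  pid=17401 comm=sbd name=sysrq-trigger dev="proc" ino=4026532092 '
    "scontext=system_u:system_r:sbd_t:s0 tcontext=system_u:object_r:sysctl_t:s0 "
    "tclass=file permissive=0"
)

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scontext>\S+).*?tcontext=(?P<tcontext>\S+).*?tclass=(?P<tclass>\S+)"
)

def parse_avc(record):
    """Return (source type, target type, object class, permissions) for one denial."""
    m = AVC_RE.search(record)
    if m is None:
        raise ValueError("not an AVC denial record")
    # A context is user:role:type:level; the type is always the third field, even
    # when the MLS level itself contains further colons (e.g. s0-s0:c0.c1023).
    stype = m.group("scontext").split(":")[2]
    ttype = m.group("tcontext").split(":")[2]
    return stype, ttype, m.group("tclass"), sorted(m.group("perms").split())

def allow_rule(record):
    """The allow rule that exactly covers one denial (here: sbd_t on a sysctl_t file)."""
    stype, ttype, tclass, perms = parse_avc(record)
    return f"allow {stype} {ttype}:{tclass} {{ {' '.join(perms)} }};"

def local_policy_module(records, name="sbd_sysrq_local"):
    """Render a minimal .te source whose require block and rules cover every denial."""
    types, classes, rules = set(), {}, set()
    for rec in records:
        stype, ttype, tclass, perms = parse_avc(rec)
        types.update((stype, ttype))
        classes.setdefault(tclass, set()).update(perms)
        rules.add(allow_rule(rec))
    lines = [f"module {name} 1.0;", "", "require {"]
    lines += [f"    type {t};" for t in sorted(types)]
    lines += [f"    class {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    lines += ["}", ""] + sorted(rules)
    return "\n".join(lines) + "\n"
```

This is the same derivation audit2allow performs on the record; the generated .te can be built with checkmodule -M -m and semodule_package and loaded with semodule -i as an interim workaround until the fixed selinux-policy package is installed.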

Comment 10 errata-xmlrpc 2019-11-05 22:10:04 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:3547