Bug 1715134
| Summary: | sbd is unable to set rt-priority if CPUAccounting is enabled | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Klaus Wenninger <kwenning> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 8.0 | CC: | cfeist, cluster-maint, cluster-qe, lvrabec, mlisik, mmalik, plautrba, sbradley, ssekidde, zpytela |
| Target Milestone: | rc | Keywords: | AutoVerified |
| Target Release: | 8.1 | Flags: | pm-rhel:
mirror+
|
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | selinux-policy-3.14.3-12.el8 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | 1713021 | Environment: | |
| Last Closed: | 2019-11-05 22:11:44 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1713021 | ||
| Bug Blocks: | 1713023, 1715136 | ||
Klaus, based on https://bugzilla.redhat.com/show_bug.cgi?id=1713021#c3 it seems this permission is required as well - is it correct? allow sbd_t cgroup_t:dir write; Zdenek, Good question! Iirc I've quite intensively tested selinux-policy-3.14.3-8.el8 on my rhel-8.0.0-setup and didn't find any issues (everything working well and no denials logged). Would writing to existent files require that property? Klaus Klaus, The permission reported in Milos's AVC was "writing to a directory", i. e. creating a new file. Maybe reboot is required to test the scenario completely? (In reply to Zdenek Pytela from comment #18) > Klaus, > > The permission reported in Milos's AVC was "writing to a directory", i. e. > creating a new file. Maybe reboot is required to test the scenario > completely? Hmm .. mystery only writing line is f = fopen("/sys/fs/cgroup/cpu/tasks", "w"); and that one is present regardless of if cpu-accounting is on or off. All others are mode = "rt". Klaus, So is the latest AVC required to make sbd work smoothly on RHEL8? Thanks, Lukas. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:3547 |
I've done some logging in permissive-mode (enforcing would bail out after the first attempt and omit the rest). But I'm not sure if I really see the traces of all the actions that I had expected to trigger. Whenever it is 'system.slice' this can of course be any slice that was configured in the unit-file. time->Fri May 31 16:35:46 2019 type=USER_AVC msg=audit(1559313346.290:437): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received setenforce notice (enforcing=0) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?' ---- time->Fri May 31 16:35:46 2019 type=PROCTITLE msg=audit(1559313346.302:438): proctitle=2F7573722F7362696E2F736264002D76002D70002F7661722F72756E2F7362642E706964007761746368 type=SYSCALL msg=audit(1559313346.302:438): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=555abc530b20 a2=0 a3=0 items=0 ppid=3571 pid=3573 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sbd" exe="/usr/sbin/sbd" subj=system_u:system_r:sbd_t:s0 key=(null) type=AVC msg=audit(1559313346.302:438): avc: denied { open } for pid=3573 comm="sbd" path="/sys/fs/cgroup/cpu,cpuacct/cpu.rt_runtime_us" dev="cgroup" ino=12 scontext=system_u:system_r:sbd_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=file permissive=1 type=AVC msg=audit(1559313346.302:438): avc: denied { read } for pid=3573 comm="sbd" name="cpu.rt_runtime_us" dev="cgroup" ino=12 scontext=system_u:system_r:sbd_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=file permissive=1 type=AVC msg=audit(1559313346.302:438): avc: denied { read } for pid=3573 comm="sbd" name="cpu" dev="tmpfs" ino=88 scontext=system_u:system_r:sbd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file permissive=1 type=AVC msg=audit(1559313346.302:438): avc: denied { search } for pid=3573 comm="sbd" name="/" dev="tmpfs" ino=59 scontext=system_u:system_r:sbd_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=1 ---- time->Fri May 31 16:35:46 2019 type=PROCTITLE msg=audit(1559313346.303:439): proctitle=2F7573722F7362696E2F736264002D76002D70002F7661722F72756E2F7362642E706964007761746368 type=SYSCALL msg=audit(1559313346.303:439): arch=c000003e syscall=5 success=yes exit=0 a0=4 a1=7fff73944230 a2=7fff73944230 a3=0 items=0 ppid=3571 pid=3573 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sbd" exe="/usr/sbin/sbd" subj=system_u:system_r:sbd_t:s0 key=(null) type=AVC msg=audit(1559313346.303:439): avc: denied { getattr } for pid=3573 comm="sbd" path="/sys/fs/cgroup/cpu,cpuacct/system.slice/cpu.rt_runtime_us" dev="cgroup" ino=31 scontext=system_u:system_r:sbd_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=file permissive=1 ---- time->Fri May 31 16:35:46 2019 type=PROCTITLE msg=audit(1559313346.303:440): proctitle=2F7573722F7362696E2F736264002D76002D70002F7661722F72756E2F7362642E706964007761746368 type=SYSCALL msg=audit(1559313346.303:440): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=555abc5310a4 a2=241 a3=1b6 items=0 ppid=3571 pid=3573 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sbd" exe="/usr/sbin/sbd" subj=system_u:system_r:sbd_t:s0 key=(null) type=AVC msg=audit(1559313346.303:440): avc: denied { write } for pid=3573 comm="sbd" name="tasks" dev="cgroup" ino=5 scontext=system_u:system_r:sbd_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=file permissive=1