Bug 1724266

Summary: selinux-policy for sbd needs to be updated because of changes in pacemaker
Product: Red Hat Enterprise Linux 7
Reporter: Miroslav Lisik <mlisik>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED INSUFFICIENT_DATA
QA Contact: Milos Malik <mmalik>
Severity: urgent
Priority: urgent
Version: 7.7
CC: cfeist, jpokorny, kgaillot, kwenning, lvrabec, mmalik, plautrba, ssekidde, vmojzis, zpytela
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2019-07-01 19:36:11 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1723498, 1733905
Bug Blocks:

Description Miroslav Lisik 2019-06-26 15:34:49 UTC
Description of problem:
Recent security fixes for pacemaker introduce changes in library functions
which lead to AVC denials for sbd. sbd does not work properly in SELinux enforcing mode.


Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.13.1-251.el7.noarch
selinux-policy-devel-3.13.1-251.el7.noarch
selinux-policy-3.13.1-251.el7.noarch


How reproducible:
always


Steps to Reproduce:

1. Set up a 3-node cluster with sbd watchdog-only fencing (a watchdog device is needed on the cluster nodes):

On all cluster nodes:

[root@tardis-01 ~]# yum -y -q install pcs sbd
[root@tardis-01 ~]# echo password | passwd hacluster --stdin
Changing password for user hacluster.
passwd: all authentication tokens updated successfully.
[root@tardis-01 ~]# systemctl enable pcsd
[root@tardis-01 ~]# systemctl start pcsd

On one node:

[root@tardis-01 ~]# pcs cluster auth -u hacluster -p password tardis-0{1..3}
...
[root@tardis-01 ~]# pcs cluster setup --name HACluster tardis-0{1..3}
...
[root@tardis-01 ~]# pcs stonith sbd enable
...

2. Gather AVCs by starting and stopping cluster:

[root@tardis-01 ~]# > /var/log/audit/audit.log
[root@tardis-01 ~]# pcs cluster start --all --wait && sleep 10 && pcs cluster stop --all
...

Actual results:

ENFORCING MODE:

A lot of these:

[root@tardis-01 ~]# ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i -ts recent
<snip>
----
type=PROCTITLE msg=audit(06/26/2019 16:58:30.364:4704) : proctitle=sbd: watcher: Pacemaker 
type=SYSCALL msg=audit(06/26/2019 16:58:30.364:4704) : arch=x86_64 syscall=open success=no exit=EACCES(Permission denied) a0=0x7f9c81630552 a1=O_RDONLY|O_CLOEXEC a2=0x1b6 a3=0x24 items=0 ppid=16840 pid=16843 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sbd exe=/usr/sbin/sbd subj=system_u:system_r:sbd_t:s0 key=(null) 
type=AVC msg=audit(06/26/2019 16:58:30.364:4704) : avc:  denied  { read } for  pid=16843 comm=sbd name=passwd dev="dm-0" ino=68117403 scontext=system_u:system_r:sbd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=0 
----
type=PROCTITLE msg=audit(06/26/2019 16:58:31.369:4705) : proctitle=sbd: watcher: Pacemaker 
type=SYSCALL msg=audit(06/26/2019 16:58:31.369:4705) : arch=x86_64 syscall=open success=no exit=EACCES(Permission denied) a0=0x7f9c81630552 a1=O_RDONLY|O_CLOEXEC a2=0x1b6 a3=0x24 items=0 ppid=16840 pid=16843 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sbd exe=/usr/sbin/sbd subj=system_u:system_r:sbd_t:s0 key=(null) 
type=AVC msg=audit(06/26/2019 16:58:31.369:4705) : avc:  denied  { read } for  pid=16843 comm=sbd name=passwd dev="dm-0" ino=68117403 scontext=system_u:system_r:sbd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=0 
----
type=PROCTITLE msg=audit(06/26/2019 16:58:32.376:4706) : proctitle=sbd: watcher: Pacemaker 
type=SYSCALL msg=audit(06/26/2019 16:58:32.376:4706) : arch=x86_64 syscall=open success=no exit=EACCES(Permission denied) a0=0x7f9c81630552 a1=O_RDONLY|O_CLOEXEC a2=0x1b6 a3=0x24 items=0 ppid=16840 pid=16843 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sbd exe=/usr/sbin/sbd subj=system_u:system_r:sbd_t:s0 key=(null) 
type=AVC msg=audit(06/26/2019 16:58:32.376:4706) : avc:  denied  { read } for  pid=16843 comm=sbd name=passwd dev="dm-0" ino=68117403 scontext=system_u:system_r:sbd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=0 
----
type=PROCTITLE msg=audit(06/26/2019 16:58:33.382:4707) : proctitle=sbd: watcher: Pacemaker 
type=SYSCALL msg=audit(06/26/2019 16:58:33.382:4707) : arch=x86_64 syscall=open success=no exit=EACCES(Permission denied) a0=0x7f9c81630552 a1=O_RDONLY|O_CLOEXEC a2=0x1b6 a3=0x24 items=0 ppid=16840 pid=16843 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sbd exe=/usr/sbin/sbd subj=system_u:system_r:sbd_t:s0 key=(null) 
type=AVC msg=audit(06/26/2019 16:58:33.382:4707) : avc:  denied  { read } for  pid=16843 comm=sbd name=passwd dev="dm-0" ino=68117403 scontext=system_u:system_r:sbd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=0


PERMISSIVE MODE:

[root@tardis-01 ~]# setenforce 0
[root@tardis-01 ~]# semodule -DB
[root@tardis-01 ~]# > /var/log/audit/audit.log
[root@tardis-01 ~]# pcs cluster start --all --wait && sleep 10 && pcs cluster stop --all
...
[root@tardis-01 ~]# ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i -ts recent
----
type=PROCTITLE msg=audit(06/26/2019 17:00:54.748:4725) : proctitle=sbd: watcher: Pacemaker 
type=SYSCALL msg=audit(06/26/2019 17:00:54.748:4725) : arch=x86_64 syscall=open success=yes exit=6 a0=0x7fd90efc8552 a1=O_RDONLY|O_CLOEXEC a2=0x1b6 a3=0x24 items=0 ppid=17145 pid=17147 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sbd exe=/usr/sbin/sbd subj=system_u:system_r:sbd_t:s0 key=(null) 
type=AVC msg=audit(06/26/2019 17:00:54.748:4725) : avc:  denied  { open } for  pid=17147 comm=sbd path=/etc/passwd dev="dm-0" ino=68117403 scontext=system_u:system_r:sbd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1 
type=AVC msg=audit(06/26/2019 17:00:54.748:4725) : avc:  denied  { read } for  pid=17147 comm=sbd name=passwd dev="dm-0" ino=68117403 scontext=system_u:system_r:sbd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1 
----
type=PROCTITLE msg=audit(06/26/2019 17:00:54.748:4726) : proctitle=sbd: watcher: Pacemaker 
type=SYSCALL msg=audit(06/26/2019 17:00:54.748:4726) : arch=x86_64 syscall=fstat success=yes exit=0 a0=0x6 a1=0x7ffc61713490 a2=0x7ffc61713490 a3=0x0 items=0 ppid=17145 pid=17147 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sbd exe=/usr/sbin/sbd subj=system_u:system_r:sbd_t:s0 key=(null) 
type=AVC msg=audit(06/26/2019 17:00:54.748:4726) : avc:  denied  { getattr } for  pid=17147 comm=sbd path=/etc/passwd dev="dm-0" ino=68117403 scontext=system_u:system_r:sbd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1 
----
type=PROCTITLE msg=audit(06/26/2019 17:01:17.242:4734) : proctitle=/sbin/dhclient -d -q -sf /usr/libexec/nm-dhcp-helper -pf /var/run/dhclient-enp4s0f1.pid -lf /var/lib/NetworkManager/dhclient-aec 
type=SYSCALL msg=audit(06/26/2019 17:01:17.242:4734) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x55731780cbc2 a1=0x5573178ce3d0 a2=0x557317803d70 a3=0x7ffea756fa20 items=0 ppid=1540 pid=17328 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=dhclient exe=/usr/sbin/dhclient subj=system_u:system_r:dhcpc_t:s0 key=(null) 
type=AVC msg=audit(06/26/2019 17:01:17.242:4734) : avc:  denied  { noatsecure } for  pid=17328 comm=dhclient scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:dhcpc_t:s0 tclass=process permissive=1 
type=AVC msg=audit(06/26/2019 17:01:17.242:4734) : avc:  denied  { siginh } for  pid=17328 comm=dhclient scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:dhcpc_t:s0 tclass=process permissive=1 
type=AVC msg=audit(06/26/2019 17:01:17.242:4734) : avc:  denied  { rlimitinh } for  pid=17328 comm=dhclient scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:dhcpc_t:s0 tclass=process permissive=1 
----
type=PROCTITLE msg=audit(06/26/2019 17:01:32.274:4735) : proctitle=sbd: watcher: Pacemaker 
type=SYSCALL msg=audit(06/26/2019 17:01:32.274:4735) : arch=x86_64 syscall=kill success=yes exit=0 a0=0x431b a1=SIG0 a2=0x105563c5 a3=0x7ffc617131e0 items=0 ppid=17145 pid=17147 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sbd exe=/usr/sbin/sbd subj=system_u:system_r:sbd_t:s0 key=(null) 
type=AVC msg=audit(06/26/2019 17:01:32.274:4735) : avc:  denied  { signull } for  pid=17147 comm=sbd scontext=system_u:system_r:sbd_t:s0 tcontext=system_u:system_r:cluster_t:s0 tclass=process permissive=1


Expected results:

No AVC denials for sbd

Additional info:

Sbd does not take any action after quorum loss/network-split.
pacemaker z-stream version: pacemaker-1.1.19-8.el7_6.5
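The two captures above differ in an instructive way: in enforcing mode the open() of /etc/passwd fails at the first check, so only `read` is ever logged, while the permissive run (with dontaudit rules disabled by `semodule -DB`) exposes the full set `read open getattr` plus the `signull` check against cluster_t. The script below is an added example, not code from the reporter or from the selinux-policy package: it parses AVC lines in `ausearch -i` format, aggregates them into audit2allow-style `allow` rules for one source domain, and splits the denied permissions by mode to make that under-reporting visible. The sample input is constructed from the records printed in this report (one NetworkManager record is kept to show filtering); the rule text it emits is what the captured denials imply, not a fix that shipped for this bug.

```python
import re
from collections import defaultdict

# Constructed sample input: AVC records in `ausearch -i` format, copied from the
# enforcing-mode and permissive-mode captures in this bug report, plus one of the
# unrelated NetworkManager records from the same capture (kept to show filtering).
SAMPLE_AVCS = """\
type=AVC msg=audit(06/26/2019 16:58:30.364:4704) : avc:  denied  { read } for  pid=16843 comm=sbd name=passwd dev="dm-0" ino=68117403 scontext=system_u:system_r:sbd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(06/26/2019 17:00:54.748:4725) : avc:  denied  { open } for  pid=17147 comm=sbd path=/etc/passwd dev="dm-0" ino=68117403 scontext=system_u:system_r:sbd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1
type=AVC msg=audit(06/26/2019 17:00:54.748:4725) : avc:  denied  { read } for  pid=17147 comm=sbd name=passwd dev="dm-0" ino=68117403 scontext=system_u:system_r:sbd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1
type=AVC msg=audit(06/26/2019 17:00:54.748:4726) : avc:  denied  { getattr } for  pid=17147 comm=sbd path=/etc/passwd dev="dm-0" ino=68117403 scontext=system_u:system_r:sbd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1
type=AVC msg=audit(06/26/2019 17:01:17.242:4734) : avc:  denied  { noatsecure } for  pid=17328 comm=dhclient scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:dhcpc_t:s0 tclass=process permissive=1
type=AVC msg=audit(06/26/2019 17:01:32.274:4735) : avc:  denied  { signull } for  pid=17147 comm=sbd scontext=system_u:system_r:sbd_t:s0 tcontext=system_u:system_r:cluster_t:s0 tclass=process permissive=1
"""

# Matches the part of an `ausearch -i` AVC line that a policy writer needs:
# permission set, source/target contexts, object class and the permissive flag.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s.*?"
    r"\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?"
)


def _type_of(context):
    """user:role:type[:level] -> type, e.g. system_u:system_r:sbd_t:s0 -> sbd_t."""
    return context.split(":")[2]


def parse_avcs(text):
    """Parse AVC denial lines into dicts; SYSCALL/PROCTITLE and other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        records.append({
            "perms": frozenset(m.group("perms").split()),
            "source": _type_of(m.group("scontext")),
            "target": _type_of(m.group("tcontext")),
            "tclass": m.group("tclass"),
            "permissive": m.group("permissive") == "1",
        })
    return records


def allow_rules(records, source_type=None):
    """Aggregate denials into audit2allow-style allow rules, optionally for one source domain.

    Permissions for the same (source, target, class) triple are merged so that the
    separate read/open/getattr records collapse into a single rule.
    """
    wanted = defaultdict(set)
    for r in records:
        if source_type is not None and r["source"] != source_type:
            continue
        wanted[(r["source"], r["target"], r["tclass"])] |= r["perms"]
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(wanted.items())
    ]


def perms_by_mode(records, source_type, target_type, tclass):
    """Split the denied permissions of one (source, target, class) triple by SELinux mode.

    Enforcing mode stops the syscall at the first failed check, so the enforcing set
    is normally a strict subset of what a permissive run with dontaudit disabled shows.
    """
    modes = {"enforcing": set(), "permissive": set()}
    for r in records:
        if (r["source"], r["target"], r["tclass"]) == (source_type, target_type, tclass):
            modes["permissive" if r["permissive"] else "enforcing"] |= r["perms"]
    return modes


if __name__ == "__main__":
    recs = parse_avcs(SAMPLE_AVCS)
    for rule in allow_rules(recs, "sbd_t"):
        print(rule)
    print(perms_by_mode(recs, "sbd_t", "passwd_file_t", "file"))
```

Run against the report's records, `allow_rules(recs, "sbd_t")` yields one rule for passwd_file_t:file with `getattr open read` and one for cluster_t:process with `signull`, and `perms_by_mode` shows `{"read"}` for enforcing versus `{"getattr", "open", "read"}` for permissive. That gap is why the reporter switched to permissive mode and ran `semodule -DB` before capturing. The raw `allow` lines are a diagnostic, the same output `audit2allow -a` would give; in the shipped policy the passwd access would normally be granted through the existing `auth_read_passwd()` interface rather than a bare rule, and the exact set granted is a decision for the policy maintainer.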