Bug 1817432

Summary: Make "secure" temp files (by not saving them in /tmp)
Product: Red Hat Enterprise Linux 8
Reporter: Oyvind Albrigtsen <oalbrigt>
Component: resource-agents
Assignee: Oyvind Albrigtsen <oalbrigt>
Status: CLOSED WORKSFORME
QA Contact: cluster-qe <cluster-qe>
Severity: unspecified
Priority: unspecified
Version: 8.2
CC: agk, cfeist, cluster-maint, fdinitto, mjuricek, phagara
Target Milestone: rc
Target Release: 8.3
Hardware: Unspecified
OS: Unspecified
Fixed In Version: resource-agents-4.1.1-46.el8
Doc Type: If docs needed, set a value
Clones: 1817439
Last Closed: 2020-07-28 07:13:33 UTC
Type: Bug
Bug Blocks: 1817439

Description Oyvind Albrigtsen 2020-03-26 10:57:51 UTC
Description of problem:
To avoid tmp race conditions, and possibly users or other software changing tmp files in /tmp this patch creates the patches in /run/resource-agents (defined by $HA_RSCTMP during ./configure).

Version-Release number of selected component (if applicable):


How reproducible:
100%

Steps to Reproduce:
1. Setup ClusterMon
2. Check that it's using /run/resource-agents location instead of /tmp for temp files
3.

Actual results:


Expected results:


Additional info:
https://github.com/ClusterLabs/resource-agents/pull/1467

Comment 1 Patrik Hagara 2020-03-26 12:12:30 UTC
The /var/run/resource-agents directory does not need the sticky bit set (no other dir under /var/run has it). This can be fixed in the resource-agents spec file.

The /var/run/resource-agents directory tree should get the "cluster_var_run_t" selinux label instead of default "var_run_t". A new BZ should be filed against selinux-policy.

Additionally, I think the selinux rules for cluster_var_run_t should be trimmed a bit, since as of now they inherit permissions from the var_run_t label, which is quite a handful (and these are only the "allowed to write to file" rules):

> [root@virt-123 ~]# sesearch -t cluster_var_run_t -c file -p write --allow
> allow abrt_dump_oops_t non_security_file_type:file { append create getattr ioctl link lock map open read rename setattr unlink write };
> allow chronyc_t non_security_file_type:file { append getattr ioctl lock open read write };
> allow cluster_t cluster_var_run_t:file { append create getattr ioctl link lock open read rename setattr unlink write };
> allow daemon cluster_var_run_t:file { append create getattr ioctl link lock open read rename setattr unlink write }; [ daemons_enable_cluster_mode ]:True
> allow files_unconfined_type file_type:file { append audit_access create execute execute_no_trans getattr ioctl link lock map mounton open quotaon read relabelfrom relabelto rename setattr swapon unlink write };
> allow ftpd_t non_security_file_type:file { append create getattr ioctl link lock open read rename setattr unlink write }; [ ftpd_full_access ]:True
> allow glusterd_t non_security_file_type:file { append create getattr ioctl link lock open read rename setattr unlink write }; [ gluster_export_all_rw ]:True
> allow kernel_t non_security_file_type:file { append create getattr ioctl link lock open read rename setattr unlink write }; [ nfs_export_all_rw ]:True
> allow mount_t non_security_file_type:file { read write }; [ mount_anyfile ]:True
> allow nmbd_t non_security_file_type:file { append create getattr ioctl link lock open read rename setattr unlink write }; [ samba_export_all_rw ]:True
> allow pegasus_openlmi_logicalfile_t non_security_file_type:file { append create getattr ioctl link lock open read rename setattr unlink write };
> allow postgresql_t cluster_var_run_t:file { append create getattr ioctl link lock open read rename setattr unlink write };
> allow puppetagent_t non_security_file_type:file { append create getattr ioctl link lock open read rename setattr unlink write }; [ puppetagent_manage_all_files ]:True
> allow rpm_script_t file_type:file { append create getattr ioctl link lock open read relabelfrom relabelto rename setattr unlink write };
> allow rpm_t file_type:file { append create getattr ioctl link lock open read relabelfrom relabelto rename setattr unlink write };
> allow rsync_t non_auth_file_type:file { append create getattr ioctl link lock open read rename setattr unlink write }; [ rsync_full_access ]:True
> allow smbd_t non_security_file_type:file { append create getattr ioctl link lock open read rename setattr unlink write }; [ samba_export_all_rw ]:True
> allow sysadm_t non_security_file_type:file { append create getattr ioctl link lock open read relabelfrom relabelto rename setattr unlink write };
> allow system_dbusd_t non_security_file_type:file { read write };
> allow systemd_tmpfiles_t non_auth_file_type:file { append create getattr ioctl link lock open read relabelfrom relabelto rename setattr unlink write };

However, I'm not a selinux expert -- maybe this is fine.
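The two points raised in this bug (the description moves agent temp files out of /tmp into a dedicated runtime directory; comment 1 says that directory needs no sticky bit and should carry the cluster_var_run_t label) can be checked from a shell. The script below is an added example and is not code from the resource-agents project or from the linked pull request. It assumes the runtime directory is passed as an argument (the patch uses $HA_RSCTMP, /run/resource-agents), that the expected SELinux type is supplied through an EXPECTED_LABEL variable introduced here for the example, and that GNU coreutils stat is available; the scratch directory and context strings used in the comments are constructed.

```shell
#!/bin/sh
# Added example (not resource-agents code). Audits a runtime temp directory the
# way this bug wants it: root-owned, not world-writable, no sticky bit, and on
# SELinux hosts labelled cluster_var_run_t; then creates a temp file in it with
# mktemp instead of using /tmp.

# Expected SELinux type of the directory; an assumption made for this example.
EXPECTED_LABEL=${EXPECTED_LABEL:-cluster_var_run_t}

# check_runtime_dir DIR
# Returns 0 when DIR is a plain directory (not a symlink), owned by root or the
# caller, not world-writable and without the sticky bit; otherwise prints the
# reason to stderr and returns 1.
check_runtime_dir() {
    dir=$1
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        echo "$dir: not a plain directory" >&2; return 1
    fi
    mode=$(stat -c %a "$dir")    # octal mode without leading zeros, e.g. 755 or 1777
    owner=$(stat -c %u "$dir")   # numeric owner uid
    if [ "$owner" != 0 ] && [ "$owner" != "$(id -u)" ]; then
        echo "$dir: owned by uid $owner, not root or the caller" >&2; return 1
    fi
    # Last octal digit is the "other" permission set; 2, 3, 6 and 7 include write.
    # A world-writable directory such as /tmp is where temp-file races happen.
    case $mode in
        *[2367]) echo "$dir: world-writable (mode $mode)" >&2; return 1 ;;
    esac
    # A four-digit mode whose first digit is odd has the sticky bit (01000) set.
    # Comment 1: nothing under /var/run needs it, so flag it.
    case $mode in
        1???|3???|5???|7???) echo "$dir: sticky bit set (mode $mode)" >&2; return 1 ;;
    esac
    return 0
}

# selinux_type_of CONTEXT
# Prints the type field of a context string such as
# system_u:object_r:cluster_var_run_t:s0 (constructed example) -> cluster_var_run_t
selinux_type_of() {
    printf '%s\n' "$1" | cut -d: -f3
}

# check_label DIR
# Compares DIR's SELinux type with EXPECTED_LABEL. Returns 0 when SELinux is not
# enabled on this host (nothing to check), 1 on a mismatch.
check_label() {
    dir=$1
    [ -e /sys/fs/selinux/enforce ] || return 0
    ctx=$(stat -c %C "$dir" 2>/dev/null) || return 0
    type=$(selinux_type_of "$ctx")
    if [ "$type" != "$EXPECTED_LABEL" ]; then
        echo "$dir: labelled $type, expected $EXPECTED_LABEL" >&2; return 1
    fi
    return 0
}

# secure_tmpfile PREFIX DIR
# Creates a fresh 0600 temp file under DIR and prints its path, but only after
# DIR passes both checks. mktemp opens with O_CREAT|O_EXCL, so a pre-existing
# file or symlink at the chosen name makes the call fail rather than being
# followed, which is the race the description wants to avoid.
secure_tmpfile() {
    prefix=$1; dir=$2
    check_runtime_dir "$dir" && check_label "$dir" || return 1
    mktemp "$dir/$prefix.XXXXXX"
}
```

On a cluster node the audit from comment 1 is `check_runtime_dir /run/resource-agents && check_label /run/resource-agents`; an agent would then call `secure_tmpfile ClusterMon /run/resource-agents` in place of `mktemp /tmp/...`.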

Comment 2 Patrik Hagara 2020-03-26 12:19:34 UTC
qa_ack+, reproducer in description (issues from comment#1 to be dealt with separately in other BZs)