Bug 189584

Summary: Not able to create new namespaces with selinux set to enforced on RHEL 4 U2
Product: Red Hat Enterprise Linux 4
Reporter: Ramesh Hegde <rameshh>
Component: selinux-policy-targeted
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED ERRATA
Severity: high
Priority: medium
Version: 4.0
CC: dwalsh, james.antill, jvdias
Hardware: i386
OS: Linux
Fixed In Version: RHBA-2006-0373
Doc Type: Bug Fix
Last Closed: 2006-08-10 21:21:16 UTC
Bug Blocks: 181409

Description Ramesh Hegde 2006-04-21 12:31:56 UTC
Description of problem:
The cimmof command fails to create a new namespace when run with selinux set to
enforced on RHEL 4 U2. However, the problem can also be resolved by starting
cimserver using the command "cimserver" instead of starting it
using "/etc/init.d/tog-pegasus start".



Version-Release number of selected component (if applicable):
tog-pegasus-2.4.1

How reproducible:


Steps to Reproduce:
1. Make sure selinux is in the enforced mode (cat /etc/selinux/config and check
that SELINUX=enforcing is set). If not set, set it and reboot the system.

2. Start the cimserver using the command "/etc/init.d/tog-pegasus restart".

3. Compile any sample MOF file with a new namespace. Ex:
cimmof -nroot/testnamespace Sample.mof

Actual results:
The above compilation will fail with the following error:
 Error: CIM_ERR_FAILED: A general error occurred that is not covered by a more specific error code: "cannot create directory: /var/lib/Pegasus/repository/root#testnamespace"
Failed to set DefaultNamespacePath.


Expected results:

Should compile without any errors and should 
create /var/lib/Pegasus/repository/root#testnamespace directory.

Additional info:
Note that the problem occurs only if the selinux is in the enforced mode.

Comment 2 James Antill 2006-04-27 13:52:23 UTC
Fixed in errata: 1.17.30-2.133

Comment 3 Jason Vas Dias 2006-05-02 22:27:00 UTC
Unfortunately, this bug is not quite fixed yet.
Now that upstream OpenPegasus has fixed their upstream bug 4968,
allowing CMPI Providers to run with 'forceProviderProcesses=true', the
HP testing of the proposed RHEL-4 tog-pegasus release has turned up some
more AVCs when running with 'forceProviderProcesses=true' and accessing
CMPI providers:

1. cimserver and cimprovagt need to be able to do 'chown'.
'
   allow pegasus_t self:capability chown;
'
   When pegasus LocalAuthentication is being used for clients connecting over
   the /var/run/tog-pegasus/cimxml.socket UNIX socket, cimserver will create
   a /var/lib/Pegasus/cache/localauth/user-${cookie} file and "chown" that file
   to the uid of the requesting user, giving it mode 0400; then the
   requesting user process must read the contents of that file and report
   them back to the cimserver to gain access.

2. cimserver cannot talk to cimprovagt CMPI Providers, which can attempt to
   connect back to the server using the /var/run/tog-pegasus/cimxml.socket
   UNIX socket:
'
   allow pegasus_t self:unix_stream_socket connectto; 
'
   avc:  denied  { connectto } for pid=xxxx comm="cimprovagt" name="cimxml.socket" context=root:system_r:pegasus_t tcontext=root:system_r:pegasus_t tclass=unix_stream_socket

   cimprovagt must be able to connectto, read, and write the
   /var/run/tog-pegasus/cimxml.socket.

3. When running cimprovagt for the sblim-cmpi-base providers, cimprovagt
   may need to talk to other processes on FIFO pipes:
'
   allow pegasus_t unconfined_t:fifo_file read;
'

Please can we try to get this extra policy into RHEL-4-U4, as HP's pegasus
testing depends on it - thanks, Jason.
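
As an added illustration, not code from this bug or from the tog-pegasus project: a small Python script in the spirit of audit2allow that parses AVC denial lines like the one quoted in this comment (tolerating the older "context=" spelling next to "scontext="), merges them per source type, target type and object class, and prints the resulting allow rules. The sample audit lines are constructed; the first is the cimprovagt denial quoted above joined onto one line, the others are made up to exercise the grouping and the 'self' shorthand.

```python
import re
from collections import defaultdict

# Constructed sample audit lines (not real captures). Line 1 is the denial
# quoted in this bug; lines 2-4 are made up to match the other two rules.
SAMPLE_AVCS = """\
avc:  denied  { connectto } for pid=xxxx comm="cimprovagt" name="cimxml.socket" context=root:system_r:pegasus_t tcontext=root:system_r:pegasus_t tclass=unix_stream_socket
avc:  denied  { read write } for pid=1234 comm="cimprovagt" name="cimxml.socket" scontext=root:system_r:pegasus_t tcontext=root:system_r:pegasus_t tclass=unix_stream_socket
avc:  denied  { chown } for pid=1200 comm="cimserver" capability=0 scontext=root:system_r:pegasus_t tcontext=root:system_r:pegasus_t tclass=capability
avc:  denied  { read } for pid=1300 comm="cimprovagt" path="pipe:[4567]" scontext=root:system_r:pegasus_t tcontext=root:system_r:unconfined_t tclass=fifo_file
"""

# Older kernels logged the source context as "context=", newer ones as
# "scontext="; the \b keeps "context" from matching inside "tcontext".
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'\bs?context=(?P<scon>\S+).*?'
    r'\btcontext=(?P<tcon>\S+).*?'
    r'\btclass=(?P<tclass>\S+)'
)

def type_of(context):
    """user:role:type[:level] -> type (the part policy rules refer to)."""
    return context.split(':')[2]

def parse_avcs(text):
    """Yield (source_type, target_type, tclass, perms) for each denial line."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial line; ignore it
        yield (type_of(m['scon']), type_of(m['tcon']),
               m['tclass'], set(m['perms'].split()))

def allow_rules(text):
    """Merge denials per (source, target, class) into sorted allow rules."""
    merged = defaultdict(set)
    for src, tgt, cls, perms in parse_avcs(text):
        merged[(src, tgt, cls)] |= perms
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        target = 'self' if src == tgt else tgt      # policy shorthand
        plist = ' '.join(sorted(perms))
        if len(perms) > 1:
            plist = '{ %s }' % plist
        rules.append('allow %s %s:%s %s;' % (src, target, cls, plist))
    return rules

if __name__ == '__main__':
    print('\n'.join(allow_rules(SAMPLE_AVCS)))
```

Running it on the constructed lines reproduces the three rules listed in this comment; as with audit2allow, each generated rule should still be reviewed before it goes into a policy module.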

Comment 4 Jason Vas Dias 2006-05-02 22:32:24 UTC
Another issue HP raised is that when cimserver is not run from the initscript,
it runs in 'root:system_r:unconfined_t' context; only when run from the
initscript does it run in context root:system_r:pegasus_t.
This can lead to inconsistent behavior and user confusion, as many pegasus
users are used to starting the cimserver manually with the 'cimserver' command.
Please can we make cimserver transition into pegasus_t when run from the command
line - thanks, Jason.



Comment 5 Daniel Walsh 2006-05-03 19:57:30 UTC
The problem with running the scripts in userspace is that you end up needing to
output to the terminal, which is not allowed in the default policy (I believe).

Also, if you do something like cimserver > ~/pegasus.out

it will fail because pegasus is not allowed to write to users' homedirs. This
confusion is why we don't transition from unconfined to pegasus_t, only from
initrc_t. Httpd, bind, ntpd ... all work the same.



Comment 13 Red Hat Bugzilla 2006-08-10 21:21:24 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2006-0373.html