Bug 1937111

Summary: Add cluster_exec_t default context for /usr/lib/pcs/pcs_snmp_agent
Product: Red Hat Enterprise Linux 8
Reporter: Reid Wahl <nwahl>
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: medium
Priority: medium
Version: 8.3
CC: cfeist, cluster-maint, idevat, kmalyjur, lvrabec, mlisik, mmalik, mpospisi, omular, plautrba, rmetrich, ssekidde, tojeline
Target Milestone: rc
Keywords: AutoVerified, Triaged
Target Release: 8.5
Flags: pm-rhel: mirror+
Hardware: All
OS: Linux
Fixed In Version: selinux-policy-3.14.3-75.el8
Doc Type: Bug Fix
Doc Text:
Cause: The /usr/lib/pcs/pcs_snmp_agent file has the default lib_t type, which is incorrect.
Consequence: The pcs_snmp_agent process doesn't have permission to write to the /var/log/pcsd directory. As a result, the pcs_snmp_agent service fails to start.
Fix: The /usr/lib/pcs/pcs_snmp_agent file now has the cluster_exec_t type.
Result: The pcs_snmp_agent service starts correctly and is able to write to its logs.
Story Points: ---
Clones: 2029316
Last Closed: 2021-11-09 19:42:58 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Reid Wahl 2021-03-09 21:03:06 UTC
Description of problem:

The pcs_snmp_agent service fails to start because /usr/lib/pcs/pcs_snmp_agent has the wrong context. It has lib_t when (AFAICT) it should have cluster_exec_t. Since it lacks cluster_exec_t, the pcs_snmp_agent process starts with context init_t, and it doesn't have permission to write to /var/log/pcsd.


Mar 09 12:30:27 fastvm-rhel-8-0-23 systemd[1]: Started SNMP agent for pacemaker cluster.
-- Subject: Unit pcs_snmp_agent.service has finished start-up
-- Defined-By: systemd
-- Support: https://access.redhat.com/support
-- 
-- Unit pcs_snmp_agent.service has finished starting up.
-- 
-- The start-up result is done.
Mar 09 12:30:28 fastvm-rhel-8-0-23 pcs_snmp_agent[82292]: Traceback (most recent call last):
Mar 09 12:30:28 fastvm-rhel-8-0-23 pcs_snmp_agent[82292]:   File "/usr/lib/pcs/pcs_snmp_agent", line 11, in <module>
Mar 09 12:30:28 fastvm-rhel-8-0-23 pcs_snmp_agent[82292]:     load_entry_point('pcs==0.10.6', 'console_scripts', 'pcs_snmp_agent')()
Mar 09 12:30:28 fastvm-rhel-8-0-23 pcs_snmp_agent[82292]:   File "/usr/lib/python3.6/site-packages/pcs/snmp/pcs_snmp_agent.py", line 79, in main
Mar 09 12:30:28 fastvm-rhel-8-0-23 pcs_snmp_agent[82292]:     setup_logging(is_debug())
Mar 09 12:30:28 fastvm-rhel-8-0-23 pcs_snmp_agent[82292]:   File "/usr/lib/python3.6/site-packages/pcs/snmp/pcs_snmp_agent.py", line 59, in setup_logging
Mar 09 12:30:28 fastvm-rhel-8-0-23 pcs_snmp_agent[82292]:     settings.LOG_FILE, encoding="utf8"
Mar 09 12:30:28 fastvm-rhel-8-0-23 pcs_snmp_agent[82292]:   File "/usr/lib64/python3.6/logging/handlers.py", line 437, in __init__
Mar 09 12:30:28 fastvm-rhel-8-0-23 pcs_snmp_agent[82292]:     logging.FileHandler.__init__(self, filename, mode, encoding, delay)
Mar 09 12:30:28 fastvm-rhel-8-0-23 pcs_snmp_agent[82292]:   File "/usr/lib64/python3.6/logging/__init__.py", line 1032, in __init__
Mar 09 12:30:28 fastvm-rhel-8-0-23 pcs_snmp_agent[82292]:     StreamHandler.__init__(self, self._open())
Mar 09 12:30:28 fastvm-rhel-8-0-23 pcs_snmp_agent[82292]:   File "/usr/lib64/python3.6/logging/__init__.py", line 1061, in _open
Mar 09 12:30:28 fastvm-rhel-8-0-23 pcs_snmp_agent[82292]:     return open(self.baseFilename, self.mode, encoding=self.encoding)
Mar 09 12:30:28 fastvm-rhel-8-0-23 pcs_snmp_agent[82292]: PermissionError: [Errno 13] Permission denied: '/var/log/pcsd/pcs_snmp_agent.log'
Mar 09 12:30:28 fastvm-rhel-8-0-23 systemd[1]: pcs_snmp_agent.service: Main process exited, code=exited, status=1/FAILURE
Mar 09 12:30:28 fastvm-rhel-8-0-23 systemd[1]: pcs_snmp_agent.service: Failed with result 'exit-code'.
-- Subject: Unit failed
-- Defined-By: systemd
-- Support: https://access.redhat.com/support
-- 
-- The unit pcs_snmp_agent.service has entered the 'failed' state with result 'exit-code'.


# ll -Zd /usr/lib/pcs/pcs_snmp_agent /usr/sbin/pcsd /var/log/pcsd
-rwxr-xr-x. 1 root root system_u:object_r:lib_t:s0             403 Aug 11  2020 /usr/lib/pcs/pcs_snmp_agent
-rwxr-xr-x. 1 root root system_u:object_r:cluster_exec_t:s0    383 Aug 11  2020 /usr/sbin/pcsd
drwx------. 2 root root system_u:object_r:cluster_var_log_t:s0 159 Mar  7 03:46 /var/log/pcsd


PCS is part of the RHEL High Availability product. I've CC'd the PCS developers for any additions or corrections that they might have for this request.

-----

Version-Release number of selected component (if applicable):

selinux-policy-targeted-3.14.3-54.el8

-----

How reproducible:

Always

-----

Steps to Reproduce:
1. Start pcs_snmp_agent.service with SELinux in Enforcing mode.

-----

Actual results:

The service fails with an error like the following:

Mar 09 12:30:28 fastvm-rhel-8-0-23 pcs_snmp_agent[82292]: PermissionError: [Errno 13] Permission denied: '/var/log/pcsd/pcs_snmp_agent.log'

-----

Expected results:

The service starts and writes to the /var/log/pcsd/pcs_snmp_agent.log file.
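The label mismatch visible in the `ll -Zd` listing above, checked programmatically. This is an added example, not code from the bug report, pcs or selinux-policy; it parses that listing (embedded here as constructed sample input) and assumes the reporter's expected types, i.e. that the agent should carry the same cluster_exec_t entrypoint type as pcsd so that systemd (init_t) transitions it into the cluster domain instead of running it in init_t.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample input: the `ll -Zd` listing quoted in the bug report.
LS_Z_OUTPUT = """\
-rwxr-xr-x. 1 root root system_u:object_r:lib_t:s0             403 Aug 11  2020 /usr/lib/pcs/pcs_snmp_agent
-rwxr-xr-x. 1 root root system_u:object_r:cluster_exec_t:s0    383 Aug 11  2020 /usr/sbin/pcsd
drwx------. 2 root root system_u:object_r:cluster_var_log_t:s0 159 Mar  7 03:46 /var/log/pcsd
"""

# Expected types (assumption following the report): a lib_t binary executed by
# init_t stays in init_t, which may not write to cluster_var_log_t; only a
# cluster_exec_t entrypoint triggers the transition into the cluster domain.
EXPECTED_TYPES = {
    "/usr/lib/pcs/pcs_snmp_agent": "cluster_exec_t",
    "/usr/sbin/pcsd": "cluster_exec_t",
    "/var/log/pcsd": "cluster_var_log_t",
}

# Fields: perms links user group context size month day time|year path
LINE_RE = re.compile(
    r"^\S+\s+\d+\s+\S+\s+\S+\s+(?P<ctx>\S+)\s+\d+\s+\S+\s+\d+\s+\S+\s+(?P<path>/\S+)$"
)


def parse_ls_z(listing: str) -> Dict[str, str]:
    """Map each path in `ls -lZ` output to the type field of its security context."""
    types: Dict[str, str] = {}
    for line in listing.splitlines():
        m = LINE_RE.match(line)
        if m:
            parts = m.group("ctx").split(":")  # user:role:type:level
            if len(parts) == 4:
                types[m.group("path")] = parts[2]
    return types


def find_mislabeled(actual: Dict[str, str], expected: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (path, actual_type, expected_type) for every path whose type is wrong or absent."""
    return [(p, actual.get(p, "<missing>"), t) for p, t in expected.items() if actual.get(p) != t]


def workaround_commands(path: str, expected_type: str) -> List[str]:
    """Local relabel (persistent fcontext rule, then apply it) until the fixed policy package is installed."""
    return [f"semanage fcontext -a -t {expected_type} '{path}'", f"restorecon -v '{path}'"]


if __name__ == "__main__":
    for path, actual, wanted in find_mislabeled(parse_ls_z(LS_Z_OUTPUT), EXPECTED_TYPES):
        print(f"{path}: {actual} (expected {wanted})")
        print("\n".join(workaround_commands(path, wanted)))
```

Once selinux-policy-3.14.3-75.el8 is installed, the package's own file-context rule supplies the label and the local semanage rule can be dropped with `semanage fcontext -d`.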

Comment 1 Reid Wahl 2021-03-10 00:40:10 UTC
It might make sense to also give cluster_exec_t context to /usr/lib/pcs/pcs_internal, although the current lib_t context hasn't caused any known problems for that file.

Comment 6 Zdenek Pytela 2021-07-28 15:33:52 UTC
I've submitted a Fedora PR to address the issue:
https://github.com/fedora-selinux/selinux-policy/pull/811

Comment 7 Zdenek Pytela 2021-07-28 20:15:36 UTC
Commit to backport:
commit f8bbececbc075ba7a6da112ab9f596bf7cd32ab7 (HEAD -> rawhide, upstream/rawhide)
Author: Zdenek Pytela <zpytela>
Date:   Wed Jul 28 17:32:26 2021 +0200

    Label /usr/lib/pcs/pcs_snmp_agent with cluster_exec_t

Comment 18 errata-xmlrpc 2021-11-09 19:42:58 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:4420