Bug 2061277

Hi,
thank you for the report. This is happening because of corosync calling corosync-cfgtool to instruct corosync reopen all log files. corosync-cfgtool is using unix socket for communication so corosync-cfgtool must have access to the socket.

The problem you see is because of enabled selinux and logrotate running using logrotate_t context which is not allowed to connect to corosync unix socket.

The setroubleshoot helps and shows solution:
setsebool -P daemons_enable_cluster_mode 1

When you enable this boolean logrotate will work.

Still investigating if this is new to RHEL 9 (logrotate using cfgtool -L is used for all corosync 3.x -> all of RHEL 8, so it shouldn't).

Ok so found out major differences between RHEL 8 and 9.

1. Because of old libqb without support for logfiles reopening corosync still uses "copytruncate" method
2. logrotate in RHEL 8 is not systemd one-time service (triggered by timer) but rather crond script so potential failures are not service failures

So right now I can see two possible solutions:
1. Add rule to selinux policy which would allow running cfgtool in logrotate context
2. Make corosync to use "copytruncate" logrotate again

So I will try to reassign to selinux team and see their opinion.

@selinux-policy maintainer(s):

would it be possible to add rule similar to generated by audit2allow to selinux policy?

```
module my-corosynccfgtoo 1.0;

require {
type logrotate_t;
type cluster_t;
class unix_stream_socket connectto;
}

#============= logrotate_t ==============

#!!!! This avc is allowed in the current policy
allow logrotate_t cluster_t:unix_stream_socket connectto;

```

If not possible, please reassign back to corosync (and I will change rpm to use copytruncate logrotate config file again).

# setsebool -P daemons_enable_cluster_mode on

Above-mentioned command can be used as workaround before the bug is fixed:

# rpm -qa selinux\*
selinux-policy-34.1.27-1.el9.noarch
selinux-policy-targeted-34.1.27-1.el9.noarch
# sesearch -s logrotate_t -t cluster_t -c unix_stream_socket -p connectto -A
allow daemon daemon:unix_stream_socket connectto; [ daemons_enable_cluster_mode ]:True
#

Hi,
I've gave quick test to the updated policy and sadly it doesn't fix the problem. libqb is also mmaping/reading/writing files in /dev/shm so complete policy needed is:

```
module my-corosynccfgtoo 1.0;

require {
  type logrotate_t;
  type cluster_t;
  type cluster_tmpfs_t;
  class unix_stream_socket connectto;
  class file { map open read write };
}

#============= logrotate_t ==============

allow logrotate_t cluster_t:unix_stream_socket connectto;
allow logrotate_t cluster_tmpfs_t:file { open read write };
allow logrotate_t cluster_tmpfs_t:file map;

```

(I think "map" line could be merged with "open read write" - this is result of test-fail-audit2allow cycle with enforcing policy enabled)

I already discussed the following issue with @zpytela :

# matchpathcon /usr/sbin/corosync-cfgtool 
/usr/sbin/corosync-cfgtool	system_u:object_r:bin_t:s0
# ls -lZ /usr/sbin/corosync-cfgtool 
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 24840 Nov 25 09:22 /usr/sbin/corosync-cfgtool
#

SELinux policy defines the transition, but the transition does not happen because of incorrect label on the corosync-cfgtool program.

*** Bug 2067501 has been marked as a duplicate of this bug. ***

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (new packages: selinux-policy), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:3918