Bug 2142745
| Summary: | ctdb is not starting correctly with selinux in enforcing mode | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 9 | Reporter: | michal novacek <mnovacek> |
| Component: | selinux-policy | Assignee: | Nikola Knazekova <nknazeko> |
| Status: | CLOSED INSUFFICIENT_DATA | QA Contact: | BaseOS QE Security Team <qe-baseos-security> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 9.1 | CC: | aboscatt, dkarpele, gdeschner, lvrabec, mmalik, pfilipen, zpytela |
| Target Milestone: | rc | Keywords: | Triaged |
| Target Release: | --- | Flags: | pfilipen: needinfo? (mnovacek); nknazeko: needinfo? (mnovacek) |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | No Doc Update |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2023-07-28 11:21:35 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description of problem:
ctdb daemon does not run correctly when selinux is enforcing.

Version-Release number of selected component (if applicable):
RHEL9.1

How reproducible:

Steps to Reproduce:
1. set selinux to permissive
2. watch ctdb and samba start correctly
3. set selinux to enforcing
4. watch ctdb not starting

Actual results:
ctdb not starting

Expected results:
ctdb starting

Additional info:

    [root@virt-531 ~]# ausearch -m AVC
    ----
    time->Tue Nov 15 07:52:34 2022
    type=PROCTITLE msg=audit(1668495154.958:3630): proctitle=2F7573722F6C6962657865632F637464622F637464625F6D757465785F66636E746C5F68656C706572002F6D6E742F676673322D637464622F637464622F637464622E6C6F636B
    type=SYSCALL msg=audit(1668495154.958:3630): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7ffebe8a8843 a2=42 a3=180 items=0 ppid=98651 pid=98669 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ctdb_mutex_fcnt" exe="/usr/libexec/ctdb/ctdb_mutex_fcntl_helper" subj=system_u:system_r:ctdbd_t:s0 key=(null)
    type=AVC msg=audit(1668495154.958:3630): avc: denied { search } for pid=98669 comm="ctdb_mutex_fcnt" name="/" dev="dm-2" ino=4656 scontext=system_u:system_r:ctdbd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=0

Hi colleagues, can you please check this issue? It seems there is a missing permission for pid=98669 comm="ctdb_mutex_fcnt" to access "/".

Thank you,
Pavel

If you still have the machine where the SELinux denial appeared, please find the mislabeled directory:

    # find / -inum 4656

If you don't have the machine, please try to reproduce the problem again and let us know. There should be no files/directories with the SELinux label unlabeled_t.

When the hexadecimal data are converted to human-readable form:

    type=PROCTITLE msg=audit(11/15/2022 07:52:34.958:3630) : proctitle=/usr/libexec/ctdb/ctdb_mutex_fcntl_helper /mnt/gfs2-ctdb/ctdb/ctdb.lock

Was the gfs2 volume properly mounted and labeled?

Forwarding the questions to Michal.
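The following is an added example and not part of the bug report or of any comment in it. It is a POSIX shell snippet that does by hand what the maintainer asked for above: decode the hex-encoded proctitle from the ausearch output, pull dev, ino and the target context out of the AVC record, and print a find command that locates the inode on the right filesystem. The two audit lines are the ones quoted in this report, embedded as a constructed sample so the script runs offline; the function names (decode_proctitle, avc_field, suggest_find) are my own.

```shell
#!/bin/sh
# Added example: decode an ausearch AVC record like the one in this bug.
# AVC_SAMPLE is a constructed copy of the two relevant lines from the report.
AVC_SAMPLE='type=PROCTITLE msg=audit(1668495154.958:3630): proctitle=2F7573722F6C6962657865632F637464622F637464625F6D757465785F66636E746C5F68656C706572002F6D6E742F676673322D637464622F637464622F637464622E6C6F636B
type=AVC msg=audit(1668495154.958:3630): avc: denied { search } for pid=98669 comm="ctdb_mutex_fcnt" name="/" dev="dm-2" ino=4656 scontext=system_u:system_r:ctdbd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=0'

# decode_proctitle <record-text>
# The kernel hex-encodes proctitle when argv contains non-printable bytes;
# the argv entries are separated by NUL (0x00), which we print as a space.
# Pure POSIX awk is used so no xxd/perl dependency is needed.
decode_proctitle() {
    printf '%s\n' "$1" \
      | sed -n 's/.*proctitle=\([0-9A-Fa-f]*\).*/\1/p' \
      | awk '{
            hex = "0123456789ABCDEF"; s = toupper($0); out = ""
            for (i = 1; i <= length(s); i += 2) {
                v = (index(hex, substr(s, i, 1)) - 1) * 16 \
                    + index(hex, substr(s, i + 1, 1)) - 1
                c = (v == 0) ? " " : sprintf("%c", v)
                out = out c
            }
            print out
        }'
}

# avc_field <record-text> <key>
# Print the value of key=... from the type=AVC line, with quotes stripped.
avc_field() {
    printf '%s\n' "$1" \
      | sed -n '/^type=AVC /p' \
      | tr -d '"' \
      | sed -n "s/.* $2=\([^ ]*\).*/\1/p"
}

# suggest_find <record-text>
# Inode numbers are only unique within one filesystem, so a bare
# "find / -inum N" can match unrelated files on other mounts. Resolve the
# device named in the AVC to its mount point first and keep find on it.
suggest_find() {
    dev=$(avc_field "$1" dev)
    ino=$(avc_field "$1" ino)
    printf 'mnt=$(findmnt -n -o TARGET /dev/%s) && find "$mnt" -xdev -inum %s -exec ls -dZ {} +\n' "$dev" "$ino"
}

# Stand-alone run: show the decoded command line, the offending context,
# and the command to locate the mislabeled directory.
decode_proctitle "$AVC_SAMPLE"
printf 'target context: %s\n' "$(avc_field "$AVC_SAMPLE" tcontext)"
suggest_find "$AVC_SAMPLE"
```

Once the directory is located, `ls -dZ` on it and on the gfs2 mount point shows whether the whole volume is unlabeled (which is what the "was the gfs2 volume properly mounted and labeled?" question is after) or only one directory is; `restorecon -Rv` on the directory relabels it according to policy.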