Bug 214674

Summary: openais attempts to write core file to /usr/sbin - prevented by SELinux
Product: Red Hat Enterprise Linux 5 Reporter: Len DiMaggio <ldimaggi>
Component: openais    Assignee: Steven Dake <sdake>
Status: CLOSED CURRENTRELEASE QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: 5.0    CC: cluster-maint, djansa, dwalsh, jlaska, kanderso, rkenna
Target Milestone: ---    Keywords: Reopened
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: 5.0.0 Doc Type: Bug Fix
Last Closed: 2006-11-28 21:34:26 UTC Type: ---

Description Len DiMaggio 2006-11-08 20:35:33 UTC
Description of problem:

The /etc/hosts syntax failure reported in this bz:
(https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=210050) resulted in the
Conga test failure reported in this bz:
(https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=213946)

Also see: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=214600

Part of the Conga test failure involved aisexec (openais-0.80.1-11.el5) crashing
- when aisexec tried to write a core file with SELinux=Enforcing, it failed. 

type=AVC msg=audit(1162589191.313:70): avc:  denied  { add_name } for  pid=2071
comm="aisexec" name="core.2071" scontext=system_u:system_r:ricci_modcluster_t:s0
tcontext=system_u:object_r:sbin_t:s0 tclass=dir

Version-Release number of selected component (if applicable):
openais-0.80.1-11.el5

How reproducible:
100%

Steps to Reproduce:
1. setenforce Enforcing

2. Recreate the syntax error in /etc/hosts described in:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=210050

3. Attempt to create a new cluster via Conga as described in:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=213946

Actual results:
aisexec crashes - tries to write core file to /usr/sbin

Expected results:
The core file should be written to the app's working directory - why is it
trying to write to /usr/sbin?

Additional info:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=210050
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=213946
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=214600
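The AVC record quoted above is the kind of line a defender wants to recognise automatically: a confined daemon being denied a write into a directory that holds system binaries. The following is an added example, not code from this report or from openais, that parses such records and flags that pattern (the sample line is a copy of the one in the description; the set of "binary directory" types is an assumption chosen for the illustration). The intended response is to fix the daemon's working directory, as this bug does, not to add an allow rule.

```python
import re

# Sample input: the AVC denial quoted in this report, copied here so the
# script runs offline (a constructed copy, not read from /var/log/audit).
SAMPLE_AVC = (
    'type=AVC msg=audit(1162589191.313:70): avc:  denied  { add_name } for  pid=2071 '
    'comm="aisexec" name="core.2071" scontext=system_u:system_r:ricci_modcluster_t:s0 '
    'tcontext=system_u:object_r:sbin_t:s0 tclass=dir'
)

# SELinux types of directories holding system binaries and libraries (assumed
# set for this example). A denied write into one of these is the pattern in
# this bug: the daemon's cwd was /usr/sbin, so the kernel tried to create
# core.<pid> there and policy refused the add_name permission on the directory.
BINARY_DIR_TYPES = {"bin_t", "sbin_t", "lib_t"}
WRITE_PERMS = {"add_name", "write", "create"}

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
_PERMS = re.compile(r"\{([^}]*)\}")


def _ctx_type(ctx):
    """Return the type field of a user:role:type[:level] security context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) > 2 else ""


def parse_avc(line):
    """Return the fields of an AVC denial as a dict, or None for other records."""
    if "avc:" not in line or "denied" not in line:
        return None
    fields = {k: v.strip('"') for k, v in _KV.findall(line)}
    m = _PERMS.search(line)
    fields["perms"] = m.group(1).split() if m else []
    fields["stype"] = _ctx_type(fields.get("scontext", ""))
    fields["ttype"] = _ctx_type(fields.get("tcontext", ""))
    return fields


def explain_denial(avc):
    """Describe a denied write into a binary directory; None if not that pattern."""
    if avc is None or avc.get("tclass") != "dir":
        return None
    if avc["ttype"] not in BINARY_DIR_TYPES or not WRITE_PERMS & set(avc["perms"]):
        return None
    what = "core dump" if avc.get("name", "").startswith("core") else "file"
    return (f'{avc.get("comm")} (pid {avc.get("pid")}, {avc["stype"]}) was denied '
            f'creating {what} "{avc.get("name")}" in a {avc["ttype"]} directory')


def scan(lines):
    """Run explain_denial over audit log lines and return the findings."""
    return [msg for msg in (explain_denial(parse_avc(l)) for l in lines) if msg]


if __name__ == "__main__":
    for finding in scan([SAMPLE_AVC]):
        print(finding)
```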

Comment 1 Steven Dake 2006-11-09 02:31:10 UTC
recommend beta blocker.  No cores = no way to debug any field failure.  Patch
available and merged upstream.

Comment 2 Kiersten (Kerri) Anderson 2006-11-09 02:34:34 UTC
Devel ACK - 

Comment 3 Daniel Walsh 2006-11-09 12:54:54 UTC
There is no way to fix this for SELinux.  I will not allow a binary file to
write to the /usr/sbin directory.  That breaks the concept of SELinux.  We are
trying to protect the system from binaries writing trojan software and defining
which directory an application is designed to write to.  Currently we are letting
binaries drop core files in /.  This is where daemons usually drop their cores.

Comment 4 Kiersten (Kerri) Anderson 2006-11-09 13:27:46 UTC
I am reopening this one.  It isn't against SELinux but against openais.  Openais
needs to change to not dump cores in /usr/sbin.  Patch is already available and
built.

Comment 5 Kiersten (Kerri) Anderson 2006-11-09 13:29:22 UTC
Marking it as MODIFIED since patch is already available for openais.

Comment 7 Steven Dake 2006-11-09 17:21:12 UTC
Dan,
The way I fixed this was to dump a core file in /var/run/openais instead.  I
assume this is acceptable by SELinux?

Regards
-steve