Bug 215517

Summary: ricci - Need SELinux policy change to handle modstorage accessing fstab and gfs.ko
Product: Red Hat Enterprise Linux 5
Reporter: Len DiMaggio <ldimaggi>
Component: conga
Assignee: Jim Parsons <jparsons>
Status: CLOSED CURRENTRELEASE
QA Contact: Corey Marthaler <cmarthal>
Severity: medium
Priority: medium
Version: 5.0
CC: cluster-maint, dwalsh, kanderso, kupcevic, rmccabe
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2007-03-28 19:40:40 UTC
Attachments: Audit log (flags: none)

Description Len DiMaggio 2006-11-14 14:52:02 UTC
Description of problem:
ricci - Need SELinux policy change to handle modstorage accessing fstab

Version-Release number of selected component (if applicable):
RHEL5-Server-20061102.2
ricci-0.8-23.el5
selinux-policy-2.4.3-11
selinux-policy-devel-2.4.3-11
selinux-policy-targeted-2.4.3-11

How reproducible:
100%

Steps to Reproduce:
1. Startup ricci service with SELinux=Enforcing or Permissive
2. At luci web app, access the disk storage of the node running ricci
3. Observe the following in the SELinux audit.log:

type=AVC msg=audit(1163515282.660:363): avc:  denied  { write } for  pid=10833
comm="ricci-modstorag" name="fstab" dev=dm-0 ino=3290184
scontext=system_u:system_r:ricci_modstorage_t:s0
tcontext=system_u:object_r:etc_t:s0 tclass=file

type=AVC msg=audit(1163515282.740:364): avc:  denied  { write } for  pid=10833
comm="ricci-modstorag" name="fstab" dev=dm-0 ino=3290184
scontext=system_u:system_r:ricci_modstorage_t:s0
tcontext=system_u:object_r:etc_t:s0 tclass=file

The audit.log file is attached to this bz.

Actual results:
The AVC messages written to the audit.log

Expected results:
No errors

Additional info:
See attachment.

Comment 1 Len DiMaggio 2006-11-14 14:52:04 UTC
Created attachment 141152 [details]
Audit log

Comment 2 Jim Parsons 2006-11-14 15:51:34 UTC
Sorry, Dan - we have another train wreck. modstorage wants to write to
/etc/fstab so that mount info can be persisted.

Comment 3 Len DiMaggio 2006-11-14 21:22:58 UTC
Package selinux-policy-2.4.3-13.noarch.rpm solves the above problem with /etc/fstab.

I just spotted a new one:

type=AVC msg=audit(1163538757.095:457): avc:  denied  { read } for  pid=9922
comm="modinfo" name="gfs.ko" dev=dm-0 ino=2543171
scontext=system_u:system_r:ricci_modstorage_t:s0
tcontext=system_u:object_r:modules_object_t:s0 tclass=file
type=AVC msg=audit(1163538757.099:458): avc:  denied  { getattr } for  pid=9922
comm="modinfo" name="gfs.ko" dev=dm-0 ino=2543171
scontext=system_u:system_r:ricci_modstorage_t:s0
tcontext=system_u:object_r:modules_object_t:s0 tclass=file
type=AVC_PATH msg=audit(1163538757.099:458): path="/lib/modules/2.6.18-1.2740.el5/extra/gfs/gfs.ko"

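The two sets of denials in this bug (write on fstab labelled etc_t in the description, read and getattr on gfs.ko labelled modules_object_t in the comment above) are the kind of records a policy maintainer triages before deciding what the policy change should be. The following Python is an added example, not part of this bug or of the ricci/conga or selinux-policy code: it parses AVC records, folds an AVC_PATH record into the denial that shares its serial number, and collapses the denials into audit2allow-style allow rules for review. The sample log embedded in it is constructed from the records quoted in this bug, joined onto single lines as they appear in a real audit.log.

```python
import re
from collections import defaultdict

# Constructed sample: the four AVC records quoted in this bug, plus the
# AVC_PATH record that shares serial 458 with the getattr denial.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1163515282.660:363): avc:  denied  { write } for  pid=10833 comm="ricci-modstorag" name="fstab" dev=dm-0 ino=3290184 scontext=system_u:system_r:ricci_modstorage_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1163515282.740:364): avc:  denied  { write } for  pid=10833 comm="ricci-modstorag" name="fstab" dev=dm-0 ino=3290184 scontext=system_u:system_r:ricci_modstorage_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1163538757.095:457): avc:  denied  { read } for  pid=9922 comm="modinfo" name="gfs.ko" dev=dm-0 ino=2543171 scontext=system_u:system_r:ricci_modstorage_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=file
type=AVC msg=audit(1163538757.099:458): avc:  denied  { getattr } for  pid=9922 comm="modinfo" name="gfs.ko" dev=dm-0 ino=2543171 scontext=system_u:system_r:ricci_modstorage_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=file
type=AVC_PATH msg=audit(1163538757.099:458): path="/lib/modules/2.6.18-1.2740.el5/extra/gfs/gfs.ko"
"""

# msg=audit(<timestamp>:<serial>) identifies one audit event; every record of
# that event (AVC, AVC_PATH, SYSCALL, ...) carries the same serial.
AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{ (?P<perms>[^}]+)\} for\s+(?P<rest>.*)$'
)
PATH_RE = re.compile(
    r'^type=AVC_PATH msg=audit\([\d.]+:(?P<serial>\d+)\):\s+path="(?P<path>[^"]*)"'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc_denials(text):
    """Return one dict per AVC denial, with any AVC_PATH of the same event folded in."""
    denials = []
    paths = {}
    for line in text.splitlines():
        m = AVC_RE.match(line)
        if m:
            fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
            denials.append({
                'serial': int(m.group('serial')),
                'perms': m.group('perms').split(),
                'comm': fields.get('comm'),
                'name': fields.get('name'),
                'scontext': fields['scontext'],
                'tcontext': fields['tcontext'],
                'tclass': fields['tclass'],
            })
            continue
        p = PATH_RE.match(line)
        if p:
            paths[int(p.group('serial'))] = p.group('path')
    for d in denials:
        # Path is only known when the kernel emitted an AVC_PATH record.
        d['path'] = paths.get(d['serial'])
    return denials


def type_of(context):
    """Extract the type field: system_u:system_r:ricci_modstorage_t:s0 -> ricci_modstorage_t."""
    return context.split(':')[2]


def summarize_rules(denials):
    """Collapse denials into audit2allow-style rules, one per (source, target, class)."""
    needed = defaultdict(set)
    for d in denials:
        key = (type_of(d['scontext']), type_of(d['tcontext']), d['tclass'])
        needed[key].update(d['perms'])
    rules = []
    for (src, tgt, cls), perms in sorted(needed.items()):
        perms = sorted(perms)
        perm_str = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
        rules.append(f'allow {src} {tgt}:{cls} {perm_str};')
    return rules


if __name__ == '__main__':
    denials = parse_avc_denials(SAMPLE_AUDIT_LOG)
    for d in denials:
        print(d['serial'], d['comm'], d['perms'], d['name'], d['path'])
    for rule in summarize_rules(denials):
        print(rule)
```

Run stand-alone it prints one line per denial followed by two candidate rules. They are a review aid, not the fix: `allow ricci_modstorage_t etc_t:file write;` would grant write access to every file labelled etc_t, so a policy maintainer would look for a narrower type or an existing interface in the policy sources rather than add that line verbatim, which is consistent with this bug being resolved by updated selinux-policy packages rather than a local module.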

Comment 4 Daniel Walsh 2006-11-15 13:16:06 UTC
Fixed in selinux-policy-2.4.4-1

Comment 5 Len DiMaggio 2006-11-15 18:21:11 UTC
Verified to be fixed in selinux-policy-2.4.4-1 - I'll close the bz when the
policy makes it into a build.

Comment 6 Len DiMaggio 2007-01-23 16:19:57 UTC
Verified fix with these packages:

modcluster-0.8-27.el5
selinux-policy-2.4.6-28.el5
selinux-policy-targeted-2.4.6-28.el5