Bug 614796

Summary: openais selinux settings for qpidd
Product: Red Hat Enterprise Linux 5 Reporter: ppecka <ppecka>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: medium Docs Contact:
Priority: low    
Version: 5.5CC: aconway, cluster-maint, edamato, jneedle, mgrepl, mmalik, sdake, syeghiay
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-2.4.6-280.el5 Doc Type: Bug Fix
Doc Text:
With SELinux running in the enforcing mode, an attempt to start the qpidd service when the aisexec was already running failed, and the following error message was written to the qpidd.log: Unexpected error: Timed out waiting for daemon (If store recovery is in progress, use longer wait time) This was caused by SELinux incorrectly denying qpidd the access to OpenAIS. This update corrects the SELinux policy, resolving this issue.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2011-01-13 21:49:57 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
configuration files none

Description ppecka 2010-07-15 09:57:02 UTC 
Created attachment 432014 [details]
configuration files

Description of problem:
SELinux denies QPID access to openais when launching first aisexec and then qpidd as service. 

cat qpidd.log
2010-07-15 05:26:47 info Registered replication exchange
2010-07-15 05:26:47 notice Initializing CPG
2010-07-15 05:27:07 critical Unexpected error: Timed out waiting for daemon (If store recovery is in progress, use longer wait time)




Version-Release number of selected component (if applicable):
rpm -qa | grep -P '(ais|qpid)' | sort -u
openais-0.80.6-16.el5_5.2
openais-devel-0.80.6-16.el5_5.2
python-qpid-0.7.946106-4.el5
qpid-cpp-client-0.7.946106-6.el5
qpid-cpp-client-devel-0.7.946106-6.el5
qpid-cpp-client-devel-docs-0.7.946106-6.el5
qpid-cpp-client-ssl-0.7.946106-6.el5
qpid-cpp-mrg-debuginfo-0.7.946106-6.el5
qpid-cpp-server-0.7.946106-6.el5
qpid-cpp-server-cluster-0.7.946106-6.el5
qpid-cpp-server-devel-0.7.946106-6.el5
qpid-cpp-server-ssl-0.7.946106-6.el5
qpid-cpp-server-store-0.7.946106-6.el5
qpid-cpp-server-xml-0.7.946106-6.el5
qpid-java-client-0.7.946106-5.el5
qpid-java-common-0.7.946106-5.el5
qpid-tests-0.7.946106-1.el5
qpid-tools-0.7.946106-6.el5


Steps to Reproduce:
[configure /etc/qpidd.conf && /etc/ais/openais.conf && /etc/sasl2/qpidd.conf]

service qpidd stop
kill -9 $(pidof qpidd)
>/tmp/qpidd.log;>/tmp/openais.log
rm -rf /var/lib/qpidd/cluster/ /var/lib/qpidd/_cluster* /var/lib/qpidd/rhm
service openais restart
logger qpidd
service qpidd start


Starting Qpid AMQP daemon: Timed out waiting for daemon (If store recovery is in progress, use longer wait time)
[FAILED]

#/var/log/messages
=snip
Jul 15 04:46:13 ibm-ls21-03 setroubleshoot: SELinux is preventing aisexec (aisexec_t) "ipc_owner" to <Unknown> (aisexec_t). For complete SELinux messages. run sealert -l 124f263e-8df8-4144-ad83-2dbc6cf5b6ee
=cut






# sealert -l 124f263e-8df8-4144-ad83-2dbc6cf5b6ee

Summary:

SELinux is preventing aisexec (aisexec_t) "ipc_owner" to <Unknown> (aisexec_t).

Detailed Description:

SELinux denied access requested by aisexec. It is not expected that this access
is required by aisexec and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                root:system_r:aisexec_t
Target Context                root:system_r:aisexec_t
Target Objects                None [ capability ]
Source                        aisexec
Source Path                   /usr/sbin/aisexec
Port                          <Unknown>
Host                          ibm-ls21-03.rhts.eng.bos.redhat.com
Source RPM Packages           openais-0.80.6-16.el5
Target RPM Packages           
Policy RPM                    selinux-policy-2.4.6-279.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     ibm-ls21-03.rhts.eng.bos.redhat.com
Platform                      Linux ibm-ls21-03.rhts.eng.bos.redhat.com
                              2.6.18-194.el5 #1 SMP Tue Mar 16 21:52:39 EDT 2010
                              x86_64 x86_64
Alert Count                   826
First Seen                    Mon Jul 12 11:14:48 2010
Last Seen                     Thu Jul 15 04:46:13 2010
Local ID                      124f263e-8df8-4144-ad83-2dbc6cf5b6ee
Line Numbers                  

Raw Audit Messages            

host=ibm-ls21-03.rhts.eng.bos.redhat.com type=AVC msg=audit(1279183573.736:9822): avc:  denied  { ipc_owner } for  pid=9264 comm="aisexec" capability=15 scontext=root:system_r:aisexec_t:s0 tcontext=root:system_r:aisexec_t:s0 tclass=capability

host=ibm-ls21-03.rhts.eng.bos.redhat.com type=SYSCALL msg=audit(1279183573.736:9822): arch=c000003e syscall=64 success=no exit=-13 a0=5c207a80 a1=3 a2=180 a3=100 items=0 ppid=1 pid=9264 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=492 comm="aisexec" exe="/usr/sbin/aisexec" subj=root:system_r:aisexec_t:s0 key=(null)


  
Actual results:
qpidd fails to join cluster

Expected results:
qpidd should join cluster when selinux mode is Enforcing
Comment 1 Daniel Walsh 2010-07-15 14:18:50 UTC 
Fixed in selinux-policy-2.4.6-280.el5

You guys will have to add this to your module.
Comment 2 Alan Conway 2010-07-15 20:52:37 UTC 
An updated qpidd.pp was sent to mcressmean to be included in the RPM. 
The source qpidd.te was checked in upstream:

http://svn.apache.org/viewvc/qpid/trunk/qpid/cpp/etc/selinux/qpidd.te?revision=964551&view=markup&sortby=date
Comment 6 Jeff Needle 2010-07-20 18:31:34 UTC 
The verification was pretty straightforward. qpidd service starts?  Things are fine.  Doesn't start?  Things are broken.
 
Install openais and qpid-cpp-server on a system in Enforcing mode

Configure the cluster and add clustery stuff to /etc/qpidd.conf:

cluster-mechanism=PLAIN
cluster-username=guest
cluster-password=guest
cluster-name=qpid-test-cluster

service openais start
service qpidd start

If the service starts, everything is likely (check for AVCs anyway).  If there is a timeout trying to communicate with openais and AVCs are getting generated, that's a failure.

Affects RHEL5 only (RHEL4 does not support cluster, RHEL6 has qpidd policy), and normally we catch this stuff early on in testing since if it's broken, the service doesn't start and AVCs are generated.
Comment 10 Miroslav Grepl 2010-10-13 08:43:30 UTC 
Milos, 
what process is running as initrc_t?

# ps -eZ | grep initrc
Comment 11 Milos Malik 2010-10-13 09:10:56 UTC 
Here is the culprit:

root:system_r:initrc_t:s0       24456 ?        00:00:00 qpidd
Comment 12 Miroslav Grepl 2010-10-13 12:15:46 UTC 
From the test machine, which Milos set up:

# rpm -qf /usr/share/selinux/packages/qpidd.pp 
qpidd-0.5.752581-42.el5

So the following

http://svn.apache.org/viewvc/qpid/trunk/qpid/cpp/etc/selinux/qpidd.te?revision=964551&view=markup&sortby=date

should be added to qpidd.te.

I am switching this bug back to Modified since 

msg=audit(1279183573.736:9822): avc:  denied  { ipc_owner } for  pid=9264
comm="aisexec" capability=15 scontext=root:system_r:aisexec_t:s0
tcontext=root:system_r:aisexec_t:s0 tclass=capability

is fixed in the policy.
Comment 15 Jaromir Hradilek 2011-01-05 16:17:26 UTC 
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
With SELinux running in the enforcing mode, an attempt to start the qpidd service when the aisexec was already running failed, and the following error message was written to the qpidd.log:

  Unexpected error: Timed out waiting for daemon (If store recovery is in progress, use longer wait time)

This was caused by SELinux incorrectly denying qpidd the access to OpenAIS. This update corrects the SELinux policy, resolving this issue.
Comment 17 errata-xmlrpc 2011-01-13 21:49:57 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0026.html