Bug 631564

Summary: remove boolean for corosync to remove potential for selinux avcs with enforcing mode
Product: Red Hat Enterprise Linux 6 Reporter: Corey Marthaler <cmarthal>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: urgent Docs Contact:
Priority: urgent    
Version: 6.0CC: cfeist, cluster-maint, ddumas, ebenes, jkortus, mgrepl, mkhusid, mmalik, sdake, syeghiay
Target Milestone: rcKeywords: Reopened, RHELNAK, ZStream
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.7.19-55.el6 Doc Type: Bug Fix
Doc Text:
Previously, the "allow_corosync_rw_tmpfs" boolean allowed third party applications to create, write and read generic tmpfs files. To prevent this, the boolean has been removed, and unless the unconfined policy is disabled, generic tmpfs files can now be managed using Corosync.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2011-05-19 11:54:53 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 629274    
Bug Blocks: 636488    
Attachments:
Description Flags
Audit log showing the AVCs none

Description Corey Marthaler 2010-09-07 21:28:26 UTC 
Description of problem:
Sep  7 15:54:56 taft-01 qarshd[5991]: Running cmdline: cman_tool version -r
Sep  7 15:54:57 taft-01 abrt[5994]: saved core dump of pid 4292 (/usr/sbin/corosync) to /var/spool/abrt/ccpp-1283892896-4292.new/coredump (65318912 bytes)
Sep  7 15:54:57 taft-01 abrtd: Directory 'ccpp-1283892896-4292' creation detected
Sep  7 15:54:57 taft-01 dlm_controld[4361]: cluster is down, exiting
Sep  7 15:54:57 taft-01 fenced[4347]: cluster is down, exiting
Sep  7 15:54:57 taft-01 fenced[4347]: daemon cpg_dispatch error 2
Sep  7 15:54:57 taft-01 fenced[4347]: cpg_dispatch error 2
Sep  7 15:54:57 taft-01 dlm_controld[4361]: daemon cpg_dispatch error 2
Sep  7 15:54:57 taft-01 gfs_controld[4381]: cluster is down, exiting
Sep  7 15:54:57 taft-01 abrtd: Crash is in database already (dup of /var/spool/abrt/ccpp-1283463461-2200)
Sep  7 15:54:57 taft-01 abrtd: Deleting crash ccpp-1283892896-4292 (dup of ccpp-1283463461-2200), sending dbus signal
Sep  7 15:54:58 taft-01 xinetd[1710]: EXIT: qarsh status=0 pid=5991 duration=2(sec)
Sep  7 15:55:01 taft-01 kernel: dlm: closing connection to node 4
Sep  7 15:55:01 taft-01 kernel: dlm: closing connection to node 3
Sep  7 15:55:01 taft-01 kernel: dlm: closing connection to node 2
Sep  7 15:55:01 taft-01 kernel: dlm: closing connection to node 1
Sep  7 15:55:01 taft-01 kernel: dlm: clvmd: no userland control daemon, stopping lockspace

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-54.el6.noarch
selinux-policy-targeted-3.7.19-54.el6.noarch
openais-1.1.1-6.el6.x86_64
Comment 1 Corey Marthaler 2010-09-08 16:28:03 UTC 
I attempted an fs relabel, but that failed (segfaulted) and hosed up my machines. I then reinstalled all 4 to the latest tree (RHEL6.0-20100901.0), once again updated the selinux policies, and was again able to recreate this problem. 

[root@taft-01 ~]# rpm -q corosync
corosync-1.2.3-20.el6.x86_64
Comment 2 Steven Dake 2010-09-08 16:35:01 UTC 
The core file from corosync looks like corosync is not allowed to open files via selinux.  There are AVCs in the audit log.  I have attached the audit log.
Comment 3 Steven Dake 2010-09-08 16:37:13 UTC 
Created attachment 446037 [details]
Audit log showing the AVCs
Comment 4 Daniel Walsh 2010-09-08 17:46:01 UTC 
Turn on the allow_corosync_rw_tmpfs boolean

# setsebool -P allow_corosync_rw_tmpfs 1
Comment 5 Steven Dake 2010-09-08 19:03:19 UTC 
Dan,

Question - is this something all deployments will have to do at install time?

Regards
-steve
Comment 6 Daniel Walsh 2010-09-08 19:12:56 UTC 
I don't know.  I don't setup clustering.  In reality the problem here is some random domain is creating a tmpfs_t that we don't know about.  This should not happen.  We can change the booleans default value to on, but this would only affect fresh install machines.
Comment 7 Corey Marthaler 2010-09-09 16:23:06 UTC 
I attempted the setsebool listed in comment #4, and now instead of coredumping, the cmd just hangs.

Sep  8 18:19:07 taft-01 qarshd[4331]: Running cmdline: cman_tool version -r
[HUNG over night]
Comment 8 Corey Marthaler 2010-09-09 16:51:02 UTC 
[root@taft-01 ~]# strace -p 4332
attach: ptrace(PTRACE_ATTACH, ...): Operation not permitted
Comment 9 Steven Dake 2010-09-09 17:02:37 UTC 
Loaded symbols for /lib64/ld-linux-x86-64.so.2
0x0000003bee4a666e in waitpid () from /lib64/libc.so.6
Missing separate debuginfos, use: debuginfo-install corosynclib-1.2.3-20.el6.x86_64 glibc-2.12-1.6.el6.x86_64 libxml2-2.7.6-1.el6.x86_64 zlib-1.2.3-25.el6.x86_64
(gdb) where
#0  0x0000003bee4a666e in waitpid () from /lib64/libc.so.6
#1  0x0000003bee43e6e9 in do_system () from /lib64/libc.so.6
#2  0x00000000004032e4 in version (comline=0x7fff53d97880)
    at /usr/src/debug/cluster-3.0.12/cman/cman_tool/main.c:799
#3  0x0000000000404b4f in main (argc=<value optimized out>, 
    argv=<value optimized out>, envp=0x7fff53d97b28)
    at /usr/src/debug/cluster-3.0.12/cman/cman_tool/main.c:1250
(gdb) up
#1  0x0000003bee43e6e9 in do_system () from /lib64/libc.so.6
(gdb) up
#2  0x00000000004032e4 in version (comline=0x7fff53d97880)
    at /usr/src/debug/cluster-3.0.12/cman/cman_tool/main.c:799
799			result = system("/usr/bin/ccs_sync");


Looks like cman_tool is blocked inside waitpid.  In this case, ccs_sync is not finishing, blocking the cman_tool from finishing.
Comment 10 Steven Dake 2010-09-09 17:46:14 UTC 
ricci is not compiled with debug symbols.  That needs to be fixed.  Here is the backtrace of ccs_sync blocking on ricci (libs?).  This causes cman_tool to block in waitpid, causing comment #7.

0x0000003bee4d41d0 in __read_nocancel () from /lib64/libc.so.6
Missing separate debuginfos, use: debuginfo-install glibc-2.12-1.6.el6.x86_64 libxml2-2.7.6-1.el6.x86_64 nspr-4.8.6-1.el6.x86_64 nss-3.12.7-2.el6.x86_64 nss-softokn-3.12.7-1.1.el6.x86_64 nss-softokn-freebl-3.12.7-1.1.el6.x86_64 nss-util-3.12.7-1.el6.x86_64 sqlite-3.6.20-1.el6.x86_64 zlib-1.2.3-25.el6.x86_64
(gdb) where
#0  0x0000003bee4d41d0 in __read_nocancel () from /lib64/libc.so.6
#1  0x0000003bee471538 in _IO_new_file_underflow () from /lib64/libc.so.6
#2  0x0000003bee4676b1 in getdelim () from /lib64/libc.so.6
#3  0x0000003bee4dce52 in getpass () from /lib64/libc.so.6
#4  0x000000000040345c in ricci_conn_handler_want_send_auth ()
#5  0x0000000000402056 in main ()
Comment 11 Steven Dake 2010-09-09 18:34:51 UTC 
btw getpass is deprecated and has been removed from any posix standards.

GETPASS(3)                 Linux Programmer’s Manual                GETPASS(3)

NAME
       getpass - get a password

SYNOPSIS
       #include <unistd.h>

       char *getpass( const char *prompt);

DESCRIPTION
       This function is obsolete.  Do not use it.
CONFORMING TO
       Present in SUSv2, but marked LEGACY.  Removed in POSIX.1-2001.
Comment 12 Corey Marthaler 2010-09-09 23:07:47 UTC 
it's not hung in comment #7, it's just waiting for the initial passwd (which i didn't see any output for in our auto scripts). the original issue appears to be fixed with setsebool.
Comment 13 Corey Marthaler 2010-09-09 23:09:48 UTC 
the setsebool required should probably be in tech notes somewhere.
Comment 15 Steven Dake 2010-09-10 22:55:43 UTC 
Corey,

Regarding comment #13, I believe our plan of action at this point is to remove the boolean entirely which will remove the selinux AVCs from components connecting to corosync.  Dan can handle bz from here and we should test the zero day errata he suggests with the full stack on a clean install.

Regards
-steve
Comment 16 RHEL Program Management 2010-09-10 22:57:55 UTC 
Thank you for your bug report. This issue was evaluated for inclusion
in the current release of Red Hat Enterprise Linux. Unfortunately, we
are unable to address this request in the current release. Because we
are in the final stage of Red Hat Enterprise Linux 6 development, only
significant, release-blocking issues involving serious regressions and
data corruption can be considered.

If you believe this issue meets the release blocking criteria as
defined and communicated to you by your Red Hat Support representative,
please ask your representative to file this issue as a blocker for the
current release. Otherwise, ask that it be evaluated for inclusion in
the next minor release of Red Hat Enterprise Linux.
Comment 17 Miroslav Grepl 2010-09-13 09:30:42 UTC 
Could it be a problem with qarshd? 

Corey, 
how did you start cman?

service cman start 

or

qarsh hostname service cman start
Comment 18 Daniel Walsh 2010-09-13 14:01:43 UTC 
Miroslav we want to remove the boolean because third party apps could create the tmpfs_t files.  I was thinking we could change it to be allowed unless the unoconfined policy was disabled.
Comment 19 Daniel Walsh 2010-09-13 14:07:38 UTC 
Not quite kosher but something like

optional_policy(`
	gen_require(`
		attribute unconfined_services;
	')	

	fs_manage_tmpfs_files(corosync_t)
	init_manage_script_status_files(corosync_t)
')

########################################
## <summary>
##	Manage init script
##	status files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`init_manage_script_status_files',`
	gen_require(`
		type initrc_state_t;
	')

	manage_files_pattern($1, initrc_state_t, initrc_state_t)
')
Comment 20 Miroslav Grepl 2010-09-13 14:25:17 UTC 
Ok, it will work.
Comment 24 Miroslav Grepl 2010-09-16 15:56:07 UTC 
Fixed in selinux-policy-3.7.19-55.el6.noarch.
Comment 25 Steven Dake 2010-09-16 17:05:19 UTC 
*** Bug 634557 has been marked as a duplicate of this bug. ***
Comment 28 Jaromir Hradilek 2010-10-14 12:08:45 UTC 
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Previously, the "allow_corosync_rw_tmpfs" boolean allowed third party applications to create, write and read generic tmpfs files. To prevent this, the boolean has been removed, and unless the unconfined policy is disabled, generic tmpfs files can now be managed using Corosync.
Comment 31 errata-xmlrpc 2011-05-19 11:54:53 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0526.html