Bug 678496

Summary: ipvsadm pulse and selinux don't play well
Product: Red Hat Enterprise Linux 5
Reporter: Stuart Auchterlonie <stuart.auchterlonie>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: medium
Priority: medium
Version: 5.6
CC: cluster-maint, dwalsh, mmalik, syeghiay
Target Milestone: rc
Hardware: x86_64
OS: Linux
Fixed In Version: selinux-policy-2.4.6-303.el5
Doc Type: Bug Fix
Last Closed: 2011-07-21 09:19:47 UTC

Attachments:
- selinux info for starting ipvsadm to sync data. (flags: none)
- selinux info for attempting to bring up a failover service (vsftpd) (flags: none)

Description Stuart Auchterlonie 2011-02-18 09:21:07 UTC
Description of problem:

There appears to be a lack of selinux policy relating
to pulse and ipvsadm in general.

Version-Release number of selected component (if applicable):

piranha-0.8.4-7.el5
ipvsadm-1.24-8.1
selinux-policy-targeted-2.4.6-300.el5

How reproducible:

Always.


Steps to Reproduce:

Scenario 1:
1. Configure a failover service as follows
   a. 2 servers
   b. vsftpd is the service to failover
   c. a virtual IP address for vsftpd to use.
2. attempt to start pulse


After making some local selinux policies with
audit2allow to get the service to start, it appears
that when vsftpd is started by pulse it inherits
the system_u:system_r:piranha_pulse_t context
and therefore violates existing ftpd policy.


Scenario 2:
Configure ipvsadm with the following in
/etc/sysconfig/ipvsadm

{{{
--start-daemon=backup --mcast-interface=eth1
--start-daemon=master --mcast-interface=eth1
}}}

When attempting to start ipvsadm repeated
selinux denials are seen.



Actual results:

observe repeated selinux denials.



Expected results:

Failover service should startup without selinux denials.

Additional info:
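
The symptom in Scenario 1 is a service process running in the wrong SELinux domain. The following check is an added example, not part of the bug report or of the piranha package: it scans output in the format of `ps -eZ` (context, PID, TTY, TIME, command) and reports processes of a given command that are not in the domain expected for it. It assumes `ftpd_t` is the expected domain for vsftpd under the targeted policy; the sample `ps` lines are constructed, not captured from the reporter's system.

```shell
#!/bin/sh
# Added example: find service processes running in an unexpected SELinux
# domain, e.g. vsftpd started by pulse and left in piranha_pulse_t.

# Constructed sample in `ps -eZ` layout: LABEL PID TTY TIME CMD.
# The vsftpd with PID 1240 inherited pulse's domain; PID 1300 is correct.
SAMPLE_PS='system_u:system_r:piranha_pulse_t:s0 1234 ?  00:00:00 pulse
system_u:system_r:piranha_pulse_t:s0 1240 ?  00:00:00 vsftpd
system_u:system_r:sshd_t:s0           900 ?  00:00:01 sshd
system_u:system_r:ftpd_t:s0          1300 ?  00:00:00 vsftpd'

# domain_of <ps_output> <command>
# Print the SELinux type (third field of the context) of every process
# whose command name matches, one per line.
domain_of() {
    printf '%s\n' "$1" | awk -v cmd="$2" '
        $NF == cmd { split($1, c, ":"); print c[3] }'
}

# misplaced <ps_output> <command> <expected_type>
# Print the PID of every <command> process whose domain is not
# <expected_type>; exit status 1 if any such process exists, else 0.
misplaced() {
    printf '%s\n' "$1" | awk -v cmd="$2" -v want="$3" '
        $NF == cmd {
            split($1, c, ":")
            if (c[3] != want) { print $2; bad = 1 }
        }
        END { exit (bad ? 1 : 0) }'
}

# On a live host the call would be: misplaced "$(ps -eZ)" vsftpd ftpd_t
```

A non-zero exit from `misplaced` is what you would see on the reporter's setup: the vsftpd that pulse spawned is confined by piranha_pulse_t rather than ftpd_t, so every access vsftpd makes is judged against the wrong policy.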

Comment 1 Miroslav Grepl 2011-03-04 13:53:05 UTC
Stuart,
could you please attach your local policies and also the AVC msgs related to this issue.

Thank you.

Comment 2 Stuart Auchterlonie 2011-03-11 11:06:33 UTC
Created attachment 483684 [details]
selinux info for starting ipvsadm to sync data.

This contains 3 sets of files.

ipvsadm.* - These relate to trying to start ipvsadm. The configuration is
in "Scenario 2" in the ticket.

pulse.* - These relate to pulse trying to start up and bring up the virtual IPs
of various services

nc.* - These relate to our use of nc in a custom health check script.
nc is used to connect to the port and see if something is listening.
This probably isn't required in the base package.

Comment 3 Stuart Auchterlonie 2011-03-11 11:13:00 UTC
Created attachment 483686 [details]
selinux info for attempting to bring up a failover service (vsftpd)

pulsefos.* - Files relating to attempting to start pulse with a fos configuration.

pulsepidof.* - Files relating to pulse's use of pidof

vsftpdpulse.* - Files relating to pulse attempting to start vsftpd.

vsftpd.* - Files relating to vsftpd running under the piranha_pulse_t
context when started from pulse.

The policies included are generated by audit2allow. As such they
include far more than I'm happy with, especially in pulsefos.*

Regards
Stuart

Comment 4 Miroslav Grepl 2011-03-11 12:52:20 UTC
Stuart,
many thanks.

It looks like pulse will end up with a policy similar to the one we have for rgmanager.

If I understand correctly, pulse can run various services to failover.

Comment 5 Stuart Auchterlonie 2011-03-11 14:09:36 UTC
Pulse can be used in two different modes.

LVS mode where it configures and maintains LVS mapping tables
based on the availability of the worker nodes.

FOS mode where it is used to failover a service between two nodes.

There is plenty of documentation on Red Hat's website :)

Regards
Stuart

Comment 6 Miroslav Grepl 2011-03-11 14:30:07 UTC
Yes, I have checked it.

Comment 7 Miroslav Grepl 2011-03-11 16:24:53 UTC
I added fixes to selinux-policy-2.4.6-303.el5 which is available on

http://people.redhat.com/dwalsh/SELinux/RHEL5/noarch/

Comment 10 errata-xmlrpc 2011-07-21 09:19:47 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-1069.html

Comment 11 errata-xmlrpc 2011-07-21 11:56:08 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-1069.html