Bug 720939

Summary: Various AVC denied for initrc_t:unix_stream_socket { read write }
Product: Red Hat Enterprise Linux 6
Reporter: Robert Scheck <redhat-bugzilla>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: medium
Docs Contact:
Priority: medium
Version: 6.1
CC: dwalsh, mmalik, robert.scheck
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: selinux-policy-3.7.19-105.el6
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 720949
Environment:
Last Closed: 2011-12-06 10:09:20 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 720949
Attachments:
Initial hearbeat policy (flags: none)

Description Robert Scheck 2011-07-13 10:01:59 UTC
Description of problem:
I'm a bit unsure whether this is a SELinux issue or a Heartbeat issue/bug:
Getting various AVC denied for initrc_t:unix_stream_socket { read write },
e.g.:

#============= logrotate_t ==============
allow logrotate_t initrc_t:unix_stream_socket { read write };

#============= logwatch_t ==============
allow logwatch_t initrc_t:unix_stream_socket { read write };

#============= prelink_cron_system_t ==============
allow prelink_cron_system_t initrc_t:unix_stream_socket { read write };

#============= system_mail_t ==============
allow system_mail_t initrc_t:unix_stream_socket { read write };

#============= webalizer_t ==============
allow webalizer_t initrc_t:unix_stream_socket { read write };

I have to mention that crond was started via heartbeat and everything above
results from a cronjob from what I can see. Heartbeat uses the regular cron
initscript as provided with the RPM package.

Here is some "ps auxZ" output for cron and initrc_t:

unconfined_u:system_r:crond_t:s0-s0:c0.c1023 root 3609 0.0  0.0 20340 1352 ?   Ss   Jul12   0:00 crond
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 13756 0.0  0.0 105304 924 pts/0 S+ 11:58   0:00 grep cron

system_u:system_r:initrc_t:s0   root      1647  0.0  0.0 108456  1736 ?        Ss   Jul12   0:00 /bin/bash /etc/rc.d/rc 3
system_u:system_r:initrc_t:s0   root      2509  0.0  0.0 108192  1468 ?        S    Jul12   0:00 /bin/bash /etc/rc3.d/S70drbd start
system_u:system_r:initrc_t:s0   root      2587  0.0  0.0   4312   924 ?        S    Jul12   0:02 /sbin/drbdadm wait-con-int
system_u:system_r:initrc_t:s0   root      2589  0.0  0.0   4104   636 ?        S    Jul12   0:00 /sbin/drbdsetup 0 wait-connect --degr-wfc-timeout=120
system_u:system_r:initrc_t:s0   root      2590  0.0  0.0   4104   636 ?        S    Jul12   0:00 /sbin/drbdsetup 1 wait-connect --degr-wfc-timeout=120
unconfined_u:system_r:initrc_t:s0 root    2886  0.0  0.0  52584  7584 ?        SLs  Jul12   0:26 heartbeat: master control process
unconfined_u:system_r:initrc_t:s0 root    2888  0.0  0.0  52000  7000 ?        SL   Jul12   0:01 heartbeat: FIFO reader        
unconfined_u:system_r:initrc_t:s0 root    2889  0.3  0.0  51996  6996 ?        SL   Jul12   3:46 heartbeat: write: ucast em2   
unconfined_u:system_r:initrc_t:s0 root    2890  0.0  0.0  51996  6996 ?        SL   Jul12   0:00 heartbeat: read: ucast em2    
unconfined_u:system_r:initrc_t:s0 root    2891  0.0  0.0  51996  6996 ?        SL   Jul12   0:04 heartbeat: write: ping 91.196.144.1
unconfined_u:system_r:initrc_t:s0 root    2892  0.0  0.0  51996  6996 ?        SL   Jul12   0:02 heartbeat: read: ping 91.196.144.1
unconfined_u:system_r:initrc_t:s0 498     2894  0.0  0.0  36272  1424 ?        S    Jul12   0:02 /usr/lib64/heartbeat/ipfail
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 13758 0.0  0.0 105304 924 pts/0 S+ 11:59   0:00 grep initrc_t

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-93.el6.noarch
selinux-policy-targeted-3.7.19-93.el6.noarch
heartbeat-3.0.4-1.el6.x86_64

Actual results:
Various AVC denied for initrc_t:unix_stream_socket { read write }.

Expected results:
No AVC denied for initrc_t:unix_stream_socket { read write }.

Additional info:
I know heartbeat is not part of RHEL; the package is from EPEL. And I cannot
exclude that this is a heartbeat issue. But it would help to know whether it
is a SELinux issue or not.

Comment 2 Miroslav Grepl 2011-07-13 10:27:42 UTC
These are leaked file descriptors.

Also, we have a drbd policy in Fedora, and it looks like we also need a policy for heartbeat.

Comment 3 Daniel Walsh 2011-07-13 12:52:08 UTC
Is heartbeat leaking or is it the cron job?

Comment 4 Robert Scheck 2011-07-13 12:55:35 UTC
I would assume this is heartbeat, because I think you would have gotten lots
of reports if either crond or e.g. logrotate/prelink/webalizer caused the
issue.

Comment 5 Robert Scheck 2011-07-14 10:43:08 UTC
I've cross-filed this issue as Service Request 506720.

Comment 6 Miroslav Grepl 2011-07-25 13:23:57 UTC
(In reply to comment #5)
> I've cross-filed this issue as Service Request 506720.

Ok. I will backport drbd policy from Fedora.

Comment 7 Miroslav Grepl 2011-07-27 13:30:35 UTC
Fixed in selinux-policy-3.7.19-105.el6

Comment 10 Robert Scheck 2011-08-06 14:06:45 UTC
Miroslav, could you let me know what the source code fix for this issue is?
Your colleagues keep asking for a sosreport which doesn't really make sense
for them, I think.

I'm also wondering why you backported the drbd policy from Fedora, because
drbd doesn't start/stop these services, but heartbeat does. Shouldn't there
be simply a "dontaudit" for the services with leaked file descriptors?

Comment 11 Miroslav Grepl 2011-08-08 12:59:57 UTC
They need to close file descriptors on exec.

fcntl(fd, F_SETFD, FD_CLOEXEC)

Yes, I added the drbd policy because the drbd daemon was running in the initrc_t domain. This means the daemon is not confined by SELinux. And we have this policy in Fedora.

A new heartbeat policy needs to be created.
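
As an added illustration (not code from this bug, from heartbeat or from the selinux-policy package) of the leak described in comment 11: a daemon that opens a unix stream socket and then fork+execs an initscript without FD_CLOEXEC hands that socket to every descendant, which is how crond's children in logrotate_t, logwatch_t and friends came to hold an initrc_t socket. The program below reproduces the leak with a socketpair and shows that fcntl(fd, F_SETFD, FD_CLOEXEC) stops it; /bin/sh stands in for the exec'd initscript, and all function names are the example's own.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* Return 1 if fd carries FD_CLOEXEC, 0 if not, -1 on error. */
int has_cloexec(int fd) {
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0) return -1;
    return (flags & FD_CLOEXEC) ? 1 : 0;
}

/* The fix named in comment 11: mark an already-open fd close-on-exec. */
int set_cloexec(int fd) {
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0) return -1;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* Daemon stand-in: open a unix stream socketpair, optionally mark it
 * close-on-exec, then fork+exec /bin/sh (playing the initscript/cron job) which
 * only inherits the fd. Returns 1 if sh could write into it (leak), else 0. */
int socket_leaks_across_exec(int fix_with_cloexec) {
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    if (fix_with_cloexec && (set_cloexec(sv[0]) < 0 || set_cloexec(sv[1]) < 0))
        return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char cmd[64];
        /* write to the inherited fd by number, as a leaked fd would be used */
        snprintf(cmd, sizeof cmd, "echo leaked 2>/dev/null >&%d", sv[1]);
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    close(sv[1]);                 /* parent keeps only the reading end */
    char buf[16];
    ssize_t n = read(sv[0], buf, sizeof buf);   /* 0 bytes = EOF: no writer */
    close(sv[0]);
    waitpid(pid, NULL, 0);
    return n > 0 ? 1 : 0;
}

int main(void) {
    printf("without FD_CLOEXEC: leak=%d\n", socket_leaks_across_exec(0));
    printf("with FD_CLOEXEC:    leak=%d\n", socket_leaks_across_exec(1));
    return 0;
}
```

Creating the socket with SOCK_CLOEXEC (or any fd with O_CLOEXEC) closes the same window without a separate fcntl call and avoids the race between open and fork in threaded daemons.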

Comment 12 Miroslav Grepl 2011-08-08 13:40:00 UTC
Robert,
could you add your output of

# ps -efZ |grep heartbeat

Comment 13 Robert Scheck 2011-08-08 13:45:07 UTC
# ps -efZ |grep heartbeat
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 3209 3177  0 15:43 pts/0 00:00:00 grep heartbeat
unconfined_u:system_r:initrc_t:s0 root    7052     1  0 Aug05 ?        00:02:23 heartbeat: master control process
unconfined_u:system_r:initrc_t:s0 root    7055  7052  0 Aug05 ?        00:00:05 heartbeat: FIFO reader
unconfined_u:system_r:initrc_t:s0 root    7056  7052  0 Aug05 ?        00:00:08 heartbeat: write: ucast em2
unconfined_u:system_r:initrc_t:s0 root    7057  7052  0 Aug05 ?        00:00:05 heartbeat: read: ucast em2
unconfined_u:system_r:initrc_t:s0 root    7058  7052  0 Aug05 ?        00:00:17 heartbeat: write: ping 91.196.144.1
unconfined_u:system_r:initrc_t:s0 root    7059  7052  0 Aug05 ?        00:00:16 heartbeat: read: ping 91.196.144.1
unconfined_u:system_r:initrc_t:s0 root    7060  7052  0 Aug05 ?        00:00:18 heartbeat: write: ping 172.16.32.5
unconfined_u:system_r:initrc_t:s0 root    7061  7052  0 Aug05 ?        00:00:17 heartbeat: read: ping 172.16.32.5
unconfined_u:system_r:initrc_t:s0 498     7065  7052  0 Aug05 ?        00:00:07 /usr/lib64/heartbeat/ipfail
#

Comment 14 Miroslav Grepl 2011-08-08 13:57:49 UTC
Created attachment 517225
Initial hearbeat policy

Here is the initial heartbeat policy.

tar xvf /tmp/heartbeat.tgz
cd /tmp/
sh heartbeat.sh

echo "-w /etc/shadow -p wa" >> /etc/audit/audit.rules
service auditd restart

service heartbeat restart

And start collecting AVCs.

Comment 16 errata-xmlrpc 2011-12-06 10:09:20 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1511.html