Bug 727160

Summary: SELinux is preventing /bin/bash from write access on the directory cluster.
Product: Red Hat Enterprise Linux 6 Reporter: Milos Malik <mmalik>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: medium Docs Contact:
Priority: medium    
Version: 6.1CC: cmarthal, dwalsh
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.7.19-106.el6 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-12-06 10:10:14 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Milos Malik 2011-08-01 13:03:45 UTC 
Description of problem:


Version-Release number of selected component (if applicable):
cman-3.0.12.1-7.el6.i686
selinux-policy-3.7.19-105.el6.noarch
selinux-policy-minimum-3.7.19-105.el6.noarch
selinux-policy-mls-3.7.19-105.el6.noarch
selinux-policy-targeted-3.7.19-105.el6.noarch

How reproducible:
always

Steps to Reproduce:
* run following automated test:
/CoreOS/selinux-policy/Regression/bz271561-corosync-and-similar
  
Actual results:
----
time->Mon Aug  1 14:54:24 2011
type=SYSCALL msg=audit(1312203264.437:19292): arch=40000003 syscall=5 success=no exit=-13 a0=952eab8 a1=8241 a2=1b6 a3=0 items=0 ppid=29898 pid=29900 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=8 comm="ccs_update_sche" exe="/bin/bash" subj=unconfined_u:system_r:corosync_t:s0 key=(null)
type=AVC msg=audit(1312203264.437:19292): avc:  denied  { write } for  pid=29900 comm="ccs_update_sche" name="cluster" dev=dm-0 ino=57629 scontext=unconfined_u:system_r:corosync_t:s0 tcontext=system_u:object_r:cluster_var_lib_t:s0 tclass=dir
----

Expected results:
* no AVCs
Comment 4 Miroslav Grepl 2011-08-02 06:43:24 UTC 
Fixed in selinux-policy-3.7.19-106.el6.noarch
Comment 6 Miroslav Grepl 2011-08-03 21:56:13 UTC 
*** Bug 727928 has been marked as a duplicate of this bug. ***
Comment 8 Corey Marthaler 2011-08-16 19:42:17 UTC 
This issue appears to have regressed in selinux-policy-3.7.19-107.el6.noarch.

[root@taft-01 ~]# rpm -q selinux-policy
selinux-policy-3.7.19-107.el6.noarch
[cmarthal@silver bin]$ qarsh root\@taft-01 cman_tool version -r
Unable to update relaxng schema: /usr/sbin/ccs_update_schema: line 375: /var/lib/cluster/rng_update.lock: Permission denied
cman_tool: Not reloading, generic error running ccs_config_validate
Try re-running with -d options


[root@taft-01 ~]# rpm -Uvh --force http://download.devel.redhat.com/brewroot///////////////////////packages/selinux-policy/3.7.19/106.el6/noarch/selinux-policy-3.7.19-106.el6.noarch.rpm http://download.devel.redhat.com/brewroot///////////////////////packages/selinux-policy/3.7.19/106.el6/noarch/selinux-policy-targeted-3.7.19-106.el6.noarch.rpm
Retrieving http://download.devel.redhat.com/brewroot///////////////////////packages/selinux-policy/3.7.19/106.el6/noarch/selinux-policy-3.7.19-106.el6.noarch.rpm
Retrieving http://download.devel.redhat.com/brewroot///////////////////////packages/selinux-policy/3.7.19/106.el6/noarch/selinux-policy-targeted-3.7.19-106.el6.noarch.rpm
Preparing...                ########################################### [100%]
   1:selinux-policy         ########################################### [ 50%]
   2:selinux-policy-targeted########################################### [100%]

[root@taft-01 ~]#  rpm -q selinux-policy
selinux-policy-3.7.19-106.el6.noarch
[cmarthal@silver bin]$ qarsh root\@taft-01 cman_tool version -r
[cmarthal@silver bin]$
Comment 9 Miroslav Grepl 2011-08-22 08:15:57 UTC 
What AVC are you getting with selinux-policy-3.7.19-107.el6.noarch?
Comment 11 errata-xmlrpc 2011-12-06 10:10:14 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1511.html