Bug 728025
Summary: postgresql heartbeat resource can't be run by matahari with selinux on
Product: [Retired] Matahari
Component: matahari
Status: CLOSED CURRENTRELEASE
Severity: unspecified
Priority: unspecified
Version: unspecified
Target Milestone: ---
Target Release: 0.6
Hardware: Unspecified
OS: Linux
Reporter: Angus Salkeld <asalkeld>
Assignee: Perry Myers <pmyers>
QA Contact: Dave Johnson <dajohnso>
CC: abeekhof, dwalsh, matahari-maint, mgrepl, sdake, whayutin
Doc Type: Bug Fix
Last Closed: 2012-01-04 16:22:56 UTC
Description
Angus Salkeld
2011-08-04 00:33:11 UTC
Adam, you're our resident selinux expert - could you take a look please?

Angus,

Could you see if the following gives you a better indication of the problem?

    cat /var/log/audit/audit.log | audit2allow -w

Thanks,
Adam

(In reply to comment #2)
> Angus,
>
> Could you see if the following gives you a better indication of the problem?
>
> cat /var/log/audit/audit.log | audit2allow -w
>
> Thanks,
> Adam

These below look the most obvious, but there are heaps so I will attach the file.

    type=AVC msg=audit(1312374486.979:175): avc: denied { open } for pid=1667 comm="pgsql" name="su" dev=dm-1 ino=130125 scontext=system_u:system_r:matahari_serviced_t:s0 tcontext=system_u:object_r:su_exec_t:s0 tclass=file
        Was caused by:
            Missing type enforcement (TE) allow rule.
            You can use audit2allow to generate a loadable module to allow this access.

    type=AVC msg=audit(1312374486.979:175): avc: denied { execute_no_trans } for pid=1667 comm="pgsql" path="/bin/su" dev=dm-1 ino=130125 scontext=system_u:system_r:matahari_serviced_t:s0 tcontext=system_u:object_r:su_exec_t:s0 tclass=file
        Was caused by:
            Missing type enforcement (TE) allow rule.
            You can use audit2allow to generate a loadable module to allow this access.

Created attachment 516801 [details]
audit2allow output

Dan,

It looks like the matahari service isn't being given enough access for all these operations reported in the audit2allow output? Seeing as how matahari-service would actually need basically unlimited execution power, I don't really know the best way to approach this issue.

Thanks,
Adam

The AVCs you are reporting are file_t, which means no labels are present. Usually this means you added a disk that does not have labels on it. Running restorecon on the disk will fix the labels.

The other AVCs in the bug report indicate that matahari_serviced is not transitioning domains to their proper context. If matahari_serviced is supposed to start and stop all services, we have to write that policy. Adding the following policy might fix that problem.

    # ==================== mymatahari.te ==========================================
    policy_module(mymatahari, 1.0)

    gen_require(`
        type matahari_serviced_t;
    ')

    init_spec_domtrans_script(matahari_serviced_t)
    #===============================================================================

    make -f /usr/share/selinux/devel/Makefile
    # semodule -i mymatahari.pp

Angus,

Will you test comment #6 and see if the problem persists? If so, make sure to get another audit2allow report.

Thanks,
Adam

Dan,

Not sure audit2allow is the right thing to do here. matahari-qmf-serviced could conceivably need to run any script in /etc/init.d, which in turn could need to run any binary on the system; it would be analogous to trying to come up with a policy for /sbin/init. Is there any way to run this daemon unconstrained? I can't think of any other path forward that makes sense.

    init_spec_domtrans_script(matahari_serviced_t)

will allow it to run any script within the init directory, but more important than running matahari-qmf-serviced as an unconfined domain is to make sure that all confined applications continue to be confined after matahari restarts them.

For example, if matahari-qmf-serviced were to restart apache, we want apache to be running as httpd_t, not matahari_serviced_t.

selinux-policy-3.10.0-18.fc16 will have the policy described above. I am adding it to RHEL6/F15/F14.

Angus,

Can you test the latest selinux-policy to see if the problem persists?

Thanks,
Adam

-18 appears broken just as -46 and -52 do.

This seems to be a duplicate of 749682.

Angus, can you retest with the selinux policy package that is listed in:
https://bugzilla.redhat.com/show_bug.cgi?id=749682#c9
as dwalsh thinks that this new selinux package should fix the issue.

Closing since Angus hasn't complained about this in nearly two months. Angus, please reopen if you're still having issues.
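The thread turns on telling three kinds of AVC denial apart: file_t targets (unlabeled files, fixed by restorecon), execute_no_trans on an *_exec_t binary from a confined domain (a missing domain transition, fixed by a domtrans rule such as init_spec_domtrans_script rather than blanket allows), and ordinary missing TE rules. The triage script below is an added example, not code from the bug or from the matahari project; it parses the two AVC records quoted above plus one constructed file_t sample and classifies each (source domain, target type, class) group accordingly.

```python
import re
from collections import defaultdict

# Two AVC records quoted in the bug report, plus a third, constructed line that
# shows the unlabeled (file_t) case Dan Walsh describes. Sample data only.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1312374486.979:175): avc: denied { open } for pid=1667 comm="pgsql" name="su" dev=dm-1 ino=130125 scontext=system_u:system_r:matahari_serviced_t:s0 tcontext=system_u:object_r:su_exec_t:s0 tclass=file
type=AVC msg=audit(1312374486.979:175): avc: denied { execute_no_trans } for pid=1667 comm="pgsql" path="/bin/su" dev=dm-1 ino=130125 scontext=system_u:system_r:matahari_serviced_t:s0 tcontext=system_u:object_r:su_exec_t:s0 tclass=file
type=AVC msg=audit(1312374500.001:176): avc: denied { read } for pid=1667 comm="pgsql" name="postgresql" dev=dm-1 ino=99999 scontext=system_u:system_r:matahari_serviced_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
"""

# Pull the permission set, source/target contexts and object class out of one
# "avc: denied" record. Audit records are one per line, so no DOTALL needed.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def parse_avcs(text):
    """Yield one dict per AVC denial: permissions, source domain, target type, class."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        yield {
            "perms": set(m.group("perms").split()),
            "sdomain": m.group("scontext").split(":")[2],  # user:role:TYPE:level
            "ttype": m.group("tcontext").split(":")[2],
            "tclass": m.group("tclass"),
        }

def triage(text):
    """Map (source domain, target type, class) -> (kind, sorted perms).
    kind is 'relabel' (file_t: run restorecon), 'transition' (confined domain
    executes an *_exec_t file with no domain transition: add a domtrans rule),
    or 'allow' (plain missing TE rule: audit2allow territory)."""
    groups = defaultdict(set)
    for avc in parse_avcs(text):
        groups[(avc["sdomain"], avc["ttype"], avc["tclass"])] |= avc["perms"]
    result = {}
    for (sdomain, ttype, tclass), perms in groups.items():
        if ttype == "file_t":
            kind = "relabel"
        elif tclass == "file" and ttype.endswith("_exec_t") and "execute_no_trans" in perms:
            kind = "transition"
        else:
            kind = "allow"
        result[(sdomain, ttype, tclass)] = (kind, sorted(perms))
    return result

if __name__ == "__main__":
    for key, (kind, perms) in triage(SAMPLE_AUDIT_LOG).items():
        print(f"{kind:10} {key[0]} -> {key[1]} ({key[2]}): {' '.join(perms)}")
```

Running it on the real audit.log (`triage(open('/var/log/audit/audit.log').read())`) separates the restorecon cases from the ones that actually need policy before anything is fed to audit2allow.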