Bug 733656

Summary: cluster-related denials in 6.2 policy
Product: Red Hat Enterprise Linux 6
Reporter: Jaroslav Kortus <jkortus>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED DUPLICATE
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium
Priority: medium
Version: 6.2
CC: dwalsh, mmalik
Target Milestone: rc
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2011-08-26 13:42:43 UTC

Description Jaroslav Kortus 2011-08-26 11:36:30 UTC
Description of problem:
The following denials are produced during service cman start (this list is after a fresh boot + autorelabel):
----
time->Fri Aug 26 06:27:07 2011
type=SYSCALL msg=audit(1314358027.402:46): arch=c000003e syscall=2 success=yes exit=3 a0=e055f0 a1=241 a2=1b6 a3=fffffffffffffff0 items=0 ppid=2470 pid=2472 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="ccs_update_sche" exe="/bin/bash" subj=unconfined_u:system_r:corosync_t:s0 key=(null)
type=AVC msg=audit(1314358027.402:46): avc:  denied  { write } for  pid=2472 comm="ccs_update_sche" name="rng_update.lock" dev=dm-0 ino=923460 scontext=unconfined_u:system_r:corosync_t:s0 tcontext=unconfined_u:object_r:cluster_var_lib_t:s0 tclass=file
type=AVC msg=audit(1314358027.402:46): avc:  denied  { create } for  pid=2472 comm="ccs_update_sche" name="rng_update.lock" scontext=unconfined_u:system_r:corosync_t:s0 tcontext=unconfined_u:object_r:cluster_var_lib_t:s0 tclass=file
type=AVC msg=audit(1314358027.402:46): avc:  denied  { add_name } for  pid=2472 comm="ccs_update_sche" name="rng_update.lock" scontext=unconfined_u:system_r:corosync_t:s0 tcontext=system_u:object_r:cluster_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1314358027.402:46): avc:  denied  { write } for  pid=2472 comm="ccs_update_sche" name="cluster" dev=dm-0 ino=923462 scontext=unconfined_u:system_r:corosync_t:s0 tcontext=system_u:object_r:cluster_var_lib_t:s0 tclass=dir
----
time->Fri Aug 26 06:27:07 2011
type=SYSCALL msg=audit(1314358027.425:47): arch=c000003e syscall=21 success=yes exit=0 a0=1002858 a1=1 a2=7fff1f62f280 a3=100 items=0 ppid=2475 pid=2476 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="find" exe="/bin/find" subj=unconfined_u:system_r:corosync_t:s0 key=(null)
type=AVC msg=audit(1314358027.425:47): avc:  denied  { execute } for  pid=2476 comm="find" name="SAPInstance" dev=dm-0 ino=923715 scontext=unconfined_u:system_r:corosync_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
----
time->Fri Aug 26 06:27:07 2011
type=SYSCALL msg=audit(1314358027.522:48): arch=c000003e syscall=4 success=yes exit=0 a0=7fff8623fdf9 a1=200b010 a2=200b010 a3=1b items=0 ppid=2472 pid=2490 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="ls" exe="/bin/ls" subj=unconfined_u:system_r:corosync_t:s0 key=(null)
type=AVC msg=audit(1314358027.522:48): avc:  denied  { getattr } for  pid=2490 comm="ls" path="/usr/sbin/fence_node" dev=dm-0 ino=397492 scontext=unconfined_u:system_r:corosync_t:s0 tcontext=system_u:object_r:fenced_exec_t:s0 tclass=file
----
time->Fri Aug 26 06:27:07 2011
type=SYSCALL msg=audit(1314358027.645:49): arch=c000003e syscall=2 success=yes exit=3 a0=e157a0 a1=90800 a2=0 a3=12 items=0 ppid=2470 pid=2472 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="ccs_update_sche" exe="/bin/bash" subj=unconfined_u:system_r:corosync_t:s0 key=(null)
type=AVC msg=audit(1314358027.645:49): avc:  denied  { read } for  pid=2472 comm="ccs_update_sche" name="cluster" dev=dm-0 ino=923462 scontext=unconfined_u:system_r:corosync_t:s0 tcontext=system_u:object_r:cluster_var_lib_t:s0 tclass=dir
----
time->Fri Aug 26 06:27:07 2011
type=SYSCALL msg=audit(1314358027.647:50): arch=c000003e syscall=2 success=yes exit=4 a0=181e3e0 a1=c1 a2=180 a3=6165726373662f72 items=0 ppid=2472 pid=2507 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="cp" exe="/bin/cp" subj=unconfined_u:system_r:corosync_t:s0 key=(null)
type=AVC msg=audit(1314358027.647:50): avc:  denied  { write } for  pid=2507 comm="cp" name="cluster.rng" dev=dm-0 ino=1848544 scontext=unconfined_u:system_r:corosync_t:s0 tcontext=system_u:object_r:cluster_var_lib_t:s0 tclass=file
type=AVC msg=audit(1314358027.647:50): avc:  denied  { create } for  pid=2507 comm="cp" name="cluster.rng" scontext=unconfined_u:system_r:corosync_t:s0 tcontext=system_u:object_r:cluster_var_lib_t:s0 tclass=file
----
time->Fri Aug 26 06:27:07 2011
type=SYSCALL msg=audit(1314358027.653:51): arch=c000003e syscall=280 success=yes exit=0 a0=4 a1=0 a2=7fffc86293b0 a3=0 items=0 ppid=2472 pid=2507 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="cp" exe="/bin/cp" subj=unconfined_u:system_r:corosync_t:s0 key=(null)
type=AVC msg=audit(1314358027.653:51): avc:  denied  { setattr } for  pid=2507 comm="cp" name="cluster.rng" dev=dm-0 ino=1848544 scontext=unconfined_u:system_r:corosync_t:s0 tcontext=system_u:object_r:cluster_var_lib_t:s0 tclass=file
----
time->Fri Aug 26 06:27:07 2011
type=SYSCALL msg=audit(1314358027.653:52): arch=c000003e syscall=190 success=yes exit=0 a0=4 a1=7fffc8629350 a2=181e460 a3=27 items=0 ppid=2472 pid=2507 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="cp" exe="/bin/cp" subj=unconfined_u:system_r:corosync_t:s0 key=(null)
type=AVC msg=audit(1314358027.653:52): avc:  denied  { relabelto } for  pid=2507 comm="cp" name="cluster.rng" dev=dm-0 ino=1848544 scontext=unconfined_u:system_r:corosync_t:s0 tcontext=system_u:object_r:cluster_var_lib_t:s0 tclass=file
type=AVC msg=audit(1314358027.653:52): avc:  denied  { relabelfrom } for  pid=2507 comm="cp" name="cluster.rng" dev=dm-0 ino=1848544 scontext=unconfined_u:system_r:corosync_t:s0 tcontext=system_u:object_r:cluster_var_lib_t:s0 tclass=file
----
time->Fri Aug 26 06:27:07 2011
type=SYSCALL msg=audit(1314358027.654:53): arch=c000003e syscall=280 success=yes exit=0 a0=4 a1=0 a2=7fffc8629280 a3=0 items=0 ppid=2472 pid=2507 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="cp" exe="/bin/cp" subj=unconfined_u:system_r:corosync_t:s0 key=(null)
type=AVC msg=audit(1314358027.654:53): avc:  denied  { setattr } for  pid=2507 comm="cp" name="rng_update.lock" dev=dm-0 ino=1848549 scontext=unconfined_u:system_r:corosync_t:s0 tcontext=unconfined_u:object_r:cluster_var_lib_t:s0 tclass=file

----
time->Fri Aug 26 06:27:07 2011
type=SYSCALL msg=audit(1314358027.654:54): arch=c000003e syscall=190 success=yes exit=0 a0=4 a1=7fffc8629220 a2=181e860 a3=2b items=0 ppid=2472 pid=2507 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="cp" exe="/bin/cp" subj=unconfined_u:system_r:corosync_t:s0 key=(null)
type=AVC msg=audit(1314358027.654:54): avc:  denied  { relabelto } for  pid=2507 comm="cp" name="rng_update.lock" dev=dm-0 ino=1848549 scontext=unconfined_u:system_r:corosync_t:s0 tcontext=unconfined_u:object_r:cluster_var_lib_t:s0 tclass=file
type=AVC msg=audit(1314358027.654:54): avc:  denied  { relabelfrom } for  pid=2507 comm="cp" name="rng_update.lock" dev=dm-0 ino=1848549 scontext=unconfined_u:system_r:corosync_t:s0 tcontext=unconfined_u:object_r:cluster_var_lib_t:s0 tclass=file
----
time->Fri Aug 26 06:27:07 2011
type=SYSCALL msg=audit(1314358027.655:55): arch=c000003e syscall=263 success=yes exit=0 a0=ffffffffffffff9c a1=19080f0 a2=0 a3=20 items=0 ppid=2472 pid=2508 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="rm" exe="/bin/rm" subj=unconfined_u:system_r:corosync_t:s0 key=(null)
type=AVC msg=audit(1314358027.655:55): avc:  denied  { unlink } for  pid=2508 comm="rm" name="fence_agents.rng.cache" dev=dm-0 ino=923459 scontext=unconfined_u:system_r:corosync_t:s0 tcontext=system_u:object_r:cluster_var_lib_t:s0 tclass=file
type=AVC msg=audit(1314358027.655:55): avc:  denied  { remove_name } for  pid=2508 comm="rm" name="fence_agents.rng.cache" dev=dm-0 ino=923459 scontext=unconfined_u:system_r:corosync_t:s0 tcontext=system_u:object_r:cluster_var_lib_t:s0 tclass=dir
----
time->Fri Aug 26 06:27:07 2011
type=SYSCALL msg=audit(1314358027.658:56): arch=c000003e syscall=263 success=yes exit=0 a0=ffffffffffffff9c a1=21590f0 a2=0 a3=20 items=0 ppid=2472 pid=2511 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="rm" exe="/bin/rm" subj=unconfined_u:system_r:corosync_t:s0 key=(null)
type=AVC msg=audit(1314358027.658:56): avc:  denied  { unlink } for  pid=2511 comm="rm" name="rng_update.lock" dev=dm-0 ino=923460 scontext=unconfined_u:system_r:corosync_t:s0 tcontext=unconfined_u:object_r:cluster_var_lib_t:s0 tclass=file
----
time->Fri Aug 26 06:27:12 2011
type=SYSCALL msg=audit(1314358032.154:57): arch=c000003e syscall=2 success=yes exit=14 a0=7ffffcde13f0 a1=2 a2=7ffffcde140f a3=ffffffe2 items=0 ppid=1 pid=2601 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="dlm_controld" exe="/usr/sbin/dlm_controld" subj=unconfined_u:system_r:dlm_controld_t:s0 key=(null)
type=AVC msg=audit(1314358032.154:57): avc:  denied  { read write } for  pid=2601 comm="dlm_controld" scontext=unconfined_u:system_r:dlm_controld_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
type=AVC msg=audit(1314358032.154:57): avc:  denied  { search } for  pid=2601 comm="dlm_controld" scontext=unconfined_u:system_r:dlm_controld_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-107.el6.noarch
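
Added example, not part of the original report or of selinux-policy: a small triage script for ausearch output like the listing above. It groups AVC denials by (source type, target type, class) and lists the audit events whose SYSCALL record shows success=yes despite a logged denial, as happens when the denial is not enforced. The function names `denials_by_rule` and `succeeded_despite_denial` are hypothetical, and the sample records are taken from the report with fields dropped.

```python
import re
from collections import defaultdict

# Constructed sample: records from the report above, shortened by dropping fields.
SAMPLE = """\
type=SYSCALL msg=audit(1314358027.402:46): arch=c000003e syscall=2 success=yes exit=3 comm="ccs_update_sche" exe="/bin/bash" subj=unconfined_u:system_r:corosync_t:s0
type=AVC msg=audit(1314358027.402:46): avc:  denied  { write } for  pid=2472 comm="ccs_update_sche" name="rng_update.lock" scontext=unconfined_u:system_r:corosync_t:s0 tcontext=unconfined_u:object_r:cluster_var_lib_t:s0 tclass=file
type=AVC msg=audit(1314358027.402:46): avc:  denied  { create } for  pid=2472 comm="ccs_update_sche" name="rng_update.lock" scontext=unconfined_u:system_r:corosync_t:s0 tcontext=unconfined_u:object_r:cluster_var_lib_t:s0 tclass=file
type=AVC msg=audit(1314358027.402:46): avc:  denied  { add_name } for  pid=2472 comm="ccs_update_sche" name="rng_update.lock" scontext=unconfined_u:system_r:corosync_t:s0 tcontext=system_u:object_r:cluster_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1314358032.154:57): arch=c000003e syscall=2 success=yes exit=14 comm="dlm_controld" exe="/usr/sbin/dlm_controld" subj=unconfined_u:system_r:dlm_controld_t:s0
type=AVC msg=audit(1314358032.154:57): avc:  denied  { read write } for  pid=2601 comm="dlm_controld" scontext=unconfined_u:system_r:dlm_controld_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
"""

# Record type and audit event id (timestamp:serial) at the start of each line.
REC_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+:\d+)\):")
# Permission set, source context, target context and object class of a denial.
AVC_RE = re.compile(r"avc:\s+denied\s+\{ ([^}]+) \}.*?"
                    r"scontext=(\S+) tcontext=(\S+) tclass=(\S+)")

def setype(context):
    """Extract the type from a user:role:type:level security context."""
    return context.split(":")[2]

def denials_by_rule(log_text):
    """Map (source type, target type, class) to the set of denied permissions."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        rec, avc = REC_RE.match(line), AVC_RE.search(line)
        if rec and rec.group(1) == "AVC" and avc:
            perms, scon, tcon, tclass = avc.groups()
            rules[(setype(scon), setype(tcon), tclass)].update(perms.split())
    return dict(rules)

def succeeded_despite_denial(log_text):
    """Event ids that carry an AVC denial and a SYSCALL with success=yes."""
    ok, denied = set(), set()
    for line in log_text.splitlines():
        rec = REC_RE.match(line)
        if not rec:
            continue
        if rec.group(1) == "SYSCALL" and " success=yes " in line:
            ok.add(rec.group(2))
        elif rec.group(1) == "AVC" and AVC_RE.search(line):
            denied.add(rec.group(2))
    return sorted(ok & denied)

if __name__ == "__main__":
    for (src, tgt, cls), perms in sorted(denials_by_rule(SAMPLE).items()):
        print(f"{src} -> {tgt}:{cls} denied {{ {' '.join(sorted(perms))} }}")
    print("not enforced:", succeeded_despite_denial(SAMPLE))
```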

Comment 2 Miroslav Grepl 2011-08-26 13:42:43 UTC

*** This bug has been marked as a duplicate of bug 733337 ***