Bug 738529

Summary: SELinux prevents sanlock work
Product: Red Hat Enterprise Linux 6 Reporter: Alex Jia <ajia>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: high Docs Contact:
Priority: high    
Version: 6.2CC: berrange, dwalsh, dyuan, mmalik, mzhan, rwu
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.7.19-112.el6 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-12-06 10:18:55 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Alex Jia 2011-09-15 05:48:55 UTC 
Description of problem:
virt-sanlock-cleanup command can be successfully executed, however, the sanlock daemon will release the lease due to selinux issue.

In fact, virt-sanlock-cleanup will call 'sanlock client command -r' command.


Version-Release number of selected component (if applicable):
# uname -r
2.6.32-193.el6.x86_64

# rpm -q libvirt
libvirt-0.9.4-11.el6.x86_64

# rpm -q libvirt-lock-sanlock
libvirt-lock-sanlock-0.9.4-11.el6.x86_64 (virt-sanlock-cleanup)

# rpm -q sanlock
sanlock-1.7-4.el6.x86_64

# rpm -q selinux-policy
selinux-policy-3.7.19-109.el6.noarch

How reproducible:
Always.

Steps to Reproduce:
1. please refer to Comment 7 from bug 735442(to generate lease file)
   # ll -aZ /var/lib/libvirt/sanlock
   drwx------. root root system_u:object_r:virt_var_lib_t:s0 .
   drwxr-xr-x. root root system_u:object_r:virt_var_lib_t:s0 ..
   -rw-------. root root unconfined_u:object_r:virt_var_lib_t:s0   9ba8f0215a51a6dc0aa077c427b749c8
   -rw-------. root root unconfined_u:object_r:virt_var_lib_t:s0 __LIBVIRT__DISKS__

2. run virt-sanlock-cleanup
3. grep AVC /var/log/audit/audit.log
  
Actual results:
# grep AVC /var/log/audit/audit.log |tail -4

type=AVC msg=audit(1316063927.519:48994): avc:  denied  { search } for  pid=25420 comm="sanlock" name="libvirt" dev=sda9 ino=3015123 scontext=unconfined_u:system_r:sanlock_t:s0 tcontext=system_u:object_r:virt_var_lib_t:s0 tclass=dir

type=AVC msg=audit(1316063927.519:48994): avc:  denied  { read write } for  pid=25420 comm="sanlock" name="9ba8f0215a51a6dc0aa077c427b749c8" dev=sda9 ino=131283 scontext=unconfined_u:system_r:sanlock_t:s0 tcontext=unconfined_u:object_r:virt_var_lib_t:s0 tclass=file

type=AVC msg=audit(1316063927.519:48994): avc:  denied  { open } for  pid=25420 comm="sanlock" name="9ba8f0215a51a6dc0aa077c427b749c8" dev=sda9 ino=131283 scontext=unconfined_u:system_r:sanlock_t:s0 tcontext=unconfined_u:object_r:virt_var_lib_t:s0 tclass=file

type=AVC msg=audit(1316063927.519:48995): avc:  denied  { getattr } for  pid=25420 comm="sanlock" path="/var/lib/libvirt/sanlock/9ba8f0215a51a6dc0aa077c427b749c8" dev=sda9 ino=131283 scontext=unconfined_u:system_r:sanlock_t:s0 tcontext=unconfined_u:object_r:virt_var_lib_t:s0 tclass=file


Expected results:
Fix it.

Additional info:
Comment 1 Miroslav Grepl 2011-09-15 11:30:33 UTC 
Does it work if you execute

# grep sanlock /var/log/audit/audit.log |audit2allow -M sanlock
# semodule -i sanlock.pp
Comment 2 Alex Jia 2011-09-16 14:44:23 UTC 
# grep sanlock /var/log/audit/audit.log |audit2allow -M sanlock
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i sanlock.pp

[root@localhost ~]# semodule -i sanlock.pp
libsepol.print_missing_requirements: sanlock's global requirements were not met: type/attribute sanlock_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
semodule:  Failed!


Alex
Comment 3 Daniel Walsh 2011-09-16 15:52:34 UTC 
You can not name a package with the same name as the module.

Miroslav meant to say.

# grep sanlock /var/log/audit/audit.log |audit2allow -M mysanlock
# semodule -i mysanlock.pp
Comment 4 Alex Jia 2011-09-16 16:42:54 UTC 
(In reply to comment #3)
> You can not name a package with the same name as the module.
> 
> Miroslav meant to say.
> 
> # grep sanlock /var/log/audit/audit.log |audit2allow -M mysanlock
> # semodule -i mysanlock.pp

Yeah, sanlock works well now based on above steps, Daniel, thanks for your comment.

Alex
Comment 5 Miroslav Grepl 2011-09-16 21:30:48 UTC 
Oops, my bad.

This should be fixed in the latest -111.el6 policy release which is available from brew for testing.
Comment 7 Alex Jia 2011-09-28 09:17:31 UTC 
The above issues have been resolved on selinux-policy-3.7.19-112.el6.noarch, but I met another issue when I create or destroy a guest, for details, please refer to https://bugzilla.redhat.com/show_bug.cgi?id=735442.

When I tried the following operations, I met bug 738188 again, maybe I shouldn't do this:

# grep sanlock /var/log/audit/audit.log |audit2allow -M mysanlock
# semodule -i mysanlock.pp


# virsh create /root/demo1.xml
Domain demo1 created from /root/demo1.xml

# grep AVC /var/log/audit/audit.log
type=AVC msg=audit(1317200388.275:103): avc:  denied  { sigkill } for  pid=19505 comm="sanlock" scontext=unconfined_u:system_r:sanlock_t:s0 tcontext=system_u:system_r:svirt_t:s0:c940,c997 tclass=process

# virsh destroy demo1
Domain demo1 destroyed

# grep AVC /var/log/audit/audit.log
type=AVC msg=audit(1317200388.275:103): avc:  denied  { sigkill } for  pid=19505 comm="sanlock" scontext=unconfined_u:system_r:sanlock_t:s0 tcontext=system_u:system_r:svirt_t:s0:c940,c997 tclass=process
type=AVC msg=audit(1317200460.170:128): avc:  denied  { sigkill } for  pid=19505 comm="sanlock" scontext=unconfined_u:system_r:sanlock_t:s0 tcontext=system_u:system_r:svirt_t:s0:c115,c277 tclass=process

# grep sanlock /var/log/audit/audit.log |audit2allow -M mysanlock
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i mysanlock.pp

# semodule -i mysanlock.pp
# virsh create /root/demo1.xml
error: Failed to create domain from /root/demo1.xml
error: internal error Failed to open socket to sanlock daemon: Operation not permitted

# grep AVC /var/log/audit/audit.log
type=AVC msg=audit(1317200388.275:103): avc:  denied  { sigkill } for  pid=19505 comm="sanlock" scontext=unconfined_u:system_r:sanlock_t:s0 tcontext=system_u:system_r:svirt_t:s0:c940,c997 tclass=process
type=AVC msg=audit(1317200460.170:128): avc:  denied  { sigkill } for  pid=19505 comm="sanlock" scontext=unconfined_u:system_r:sanlock_t:s0 tcontext=system_u:system_r:svirt_t:s0:c115,c277 tclass=process
type=AVC msg=audit(1317201002.861:176): avc:  denied  { connectto } for  pid=19911 comm="libvirtd" path="/var/run/sanlock/sanlock.sock" scontext=system_u:system_r:svirt_t:s0:c381,c588 tcontext=unconfined_u:system_r:sanlock_t:s0 tclass=unix_stream_socket


Additional information:

SELinux is preventing /usr/sbin/sanlock from using the sigkill access on a process.

Additional Information:
Source Context                unconfined_u:system_r:sanlock_t:s0
Target Context                system_u:system_r:svirt_t:s0:c555,c634
Target Objects                Unknown [ process ]
Source                        sanlock
Source Path                   /usr/sbin/sanlock
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           sanlock-1.7-4.el6
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.19-112.el6
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.32-193.el6.x86_64
                              #1 SMP Mon Aug 29 11:19:20 EDT 2011 x86_64 x86_64
Alert Count                   1
First Seen                    Wed 28 Sep 2011 05:01:33 PM CST
Last Seen                     Wed 28 Sep 2011 05:01:33 PM CST
Local ID                      e0ce778a-e0cc-4505-a62e-69bd5d7dd79a

Raw Audit Messages
type=AVC msg=audit(1317200493.494:153): avc:  denied  { sigkill } for  pid=19505 comm="sanlock" scontext=unconfined_u:system_r:sanlock_t:s0 tcontext=system_u:system_r:svirt_t:s0:c555,c634 tclass=process


type=SYSCALL msg=audit(1317200493.494:153): arch=x86_64 syscall=kill success=yes exit=0 a0=4d33 a1=9 a2=7f5a49920148 a3=1 items=0 ppid=1 pid=19505 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm=sanlock exe=/usr/sbin/sanlock subj=unconfined_u:system_r:sanlock_t:s0 key=(null)

Hash: sanlock,sanlock_t,svirt_t,process,sigkill

audit2allow

#============= sanlock_t ==============
#!!!! This avc is a constraint violation.  You will need to add an attribute to either the source or target type to make it work.
#Contraint rule: 
allow sanlock_t svirt_t:process sigkill;

audit2allow -R

#============= sanlock_t ==============
#!!!! This avc is a constraint violation.  You will need to add an attribute to either the source or target type to make it work.
#Contraint rule: 
allow sanlock_t svirt_t:process sigkill;
Comment 8 Daniel Walsh 2011-09-28 15:37:40 UTC 
Miroslav we need to run sanlock ranged, just like virtd_t.

ifdef(`enable_mcs',`
	init_ranged_daemon_domain(sanlock_t, sanlock_exec_t, s0 - mcs_systemhigh)
')

ifdef(`enable_mls',`
	init_ranged_daemon_domain(sanlock_t, sanlock_exec_t, s0 - mls_systemhigh)
')
Comment 10 errata-xmlrpc 2011-12-06 10:18:55 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1511.html