Bug 738529

| Summary: | SELinux prevents sanlock work | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Alex Jia <ajia> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | 6.2 | CC: | berrange, dwalsh, dyuan, mmalik, mzhan, rwu |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | selinux-policy-3.7.19-112.el6 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2011-12-06 10:18:55 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Alex Jia
2011-09-15 05:48:55 UTC
Does it work if you execute

```
# grep sanlock /var/log/audit/audit.log | audit2allow -M sanlock
# semodule -i sanlock.pp
```

```
# grep sanlock /var/log/audit/audit.log | audit2allow -M sanlock
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i sanlock.pp

[root@localhost ~]# semodule -i sanlock.pp
libsepol.print_missing_requirements: sanlock's global requirements were not met: type/attribute sanlock_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
semodule: Failed!
```

Alex

You can not name a package with the same name as the module.

Miroslav meant to say:

```
# grep sanlock /var/log/audit/audit.log | audit2allow -M mysanlock
# semodule -i mysanlock.pp
```

(In reply to comment #3)
> You can not name a package with the same name as the module.
>
> Miroslav meant to say.
>
> # grep sanlock /var/log/audit/audit.log |audit2allow -M mysanlock
> # semodule -i mysanlock.pp

Yeah, sanlock works well now based on the above steps. Daniel, thanks for your comment.

Alex

Oops, my bad. This should be fixed in the latest -111.el6 policy release, which is available from brew for testing.

The above issues have been resolved on selinux-policy-3.7.19-112.el6.noarch, but I met another issue when I create or destroy a guest; for details, please refer to https://bugzilla.redhat.com/show_bug.cgi?id=735442.

When I tried the following operations, I met bug 738188 again; maybe I shouldn't do this:

```
# grep sanlock /var/log/audit/audit.log | audit2allow -M mysanlock
# semodule -i mysanlock.pp
# virsh create /root/demo1.xml
Domain demo1 created from /root/demo1.xml

# grep AVC /var/log/audit/audit.log
type=AVC msg=audit(1317200388.275:103): avc: denied { sigkill } for pid=19505 comm="sanlock" scontext=unconfined_u:system_r:sanlock_t:s0 tcontext=system_u:system_r:svirt_t:s0:c940,c997 tclass=process

# virsh destroy demo1
Domain demo1 destroyed

# grep AVC /var/log/audit/audit.log
type=AVC msg=audit(1317200388.275:103): avc: denied { sigkill } for pid=19505 comm="sanlock" scontext=unconfined_u:system_r:sanlock_t:s0 tcontext=system_u:system_r:svirt_t:s0:c940,c997 tclass=process
type=AVC msg=audit(1317200460.170:128): avc: denied { sigkill } for pid=19505 comm="sanlock" scontext=unconfined_u:system_r:sanlock_t:s0 tcontext=system_u:system_r:svirt_t:s0:c115,c277 tclass=process

# grep sanlock /var/log/audit/audit.log | audit2allow -M mysanlock
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i mysanlock.pp

# semodule -i mysanlock.pp
# virsh create /root/demo1.xml
error: Failed to create domain from /root/demo1.xml
error: internal error Failed to open socket to sanlock daemon: Operation not permitted

# grep AVC /var/log/audit/audit.log
type=AVC msg=audit(1317200388.275:103): avc: denied { sigkill } for pid=19505 comm="sanlock" scontext=unconfined_u:system_r:sanlock_t:s0 tcontext=system_u:system_r:svirt_t:s0:c940,c997 tclass=process
type=AVC msg=audit(1317200460.170:128): avc: denied { sigkill } for pid=19505 comm="sanlock" scontext=unconfined_u:system_r:sanlock_t:s0 tcontext=system_u:system_r:svirt_t:s0:c115,c277 tclass=process
type=AVC msg=audit(1317201002.861:176): avc: denied { connectto } for pid=19911 comm="libvirtd" path="/var/run/sanlock/sanlock.sock" scontext=system_u:system_r:svirt_t:s0:c381,c588 tcontext=unconfined_u:system_r:sanlock_t:s0 tclass=unix_stream_socket
```

Additional information: SELinux is preventing /usr/sbin/sanlock from using the sigkill access on a process.

```
Additional Information:
Source Context                unconfined_u:system_r:sanlock_t:s0
Target Context                system_u:system_r:svirt_t:s0:c555,c634
Target Objects                Unknown [ process ]
Source                        sanlock
Source Path                   /usr/sbin/sanlock
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           sanlock-1.7-4.el6
Target RPM Packages
Policy RPM                    selinux-policy-3.7.19-112.el6
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.32-193.el6.x86_64 #1 SMP Mon Aug 29 11:19:20 EDT 2011 x86_64 x86_64
Alert Count                   1
First Seen                    Wed 28 Sep 2011 05:01:33 PM CST
Last Seen                     Wed 28 Sep 2011 05:01:33 PM CST
Local ID                      e0ce778a-e0cc-4505-a62e-69bd5d7dd79a

Raw Audit Messages
type=AVC msg=audit(1317200493.494:153): avc: denied { sigkill } for pid=19505 comm="sanlock" scontext=unconfined_u:system_r:sanlock_t:s0 tcontext=system_u:system_r:svirt_t:s0:c555,c634 tclass=process
type=SYSCALL msg=audit(1317200493.494:153): arch=x86_64 syscall=kill success=yes exit=0 a0=4d33 a1=9 a2=7f5a49920148 a3=1 items=0 ppid=1 pid=19505 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm=sanlock exe=/usr/sbin/sanlock subj=unconfined_u:system_r:sanlock_t:s0 key=(null)

Hash: sanlock,sanlock_t,svirt_t,process,sigkill

audit2allow

#============= sanlock_t ==============
#!!!! This avc is a constraint violation.  You will need to add an attribute to either the source or target type to make it work.
#Contraint rule:
allow sanlock_t svirt_t:process sigkill;

audit2allow -R

#============= sanlock_t ==============
#!!!! This avc is a constraint violation.  You will need to add an attribute to either the source or target type to make it work.
#Contraint rule:
allow sanlock_t svirt_t:process sigkill;
```

Miroslav, we need to run sanlock ranged, just like virtd_t.

```
ifdef(`enable_mcs',`
	init_ranged_daemon_domain(sanlock_t, sanlock_exec_t, s0 - mcs_systemhigh)
')

ifdef(`enable_mls',`
	init_ranged_daemon_domain(sanlock_t, sanlock_exec_t, s0 - mls_systemhigh)
')
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1511.html
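The thread shows why the audit2allow-generated module did not help: the sigkill denial is an MCS constraint violation (sanlock_t runs at plain s0 and cannot dominate an svirt_t process carrying categories), so only giving sanlock_t a range fixes it. The following triage script is an added example, not code from the bug report or from the selinux-policy project; it parses the AVC lines quoted above plus one constructed line representing sanlock after the ranged-domain change, and separates denials an allow rule could address from ones where the source level fails to dominate the target's categories. The dominance check is a heuristic assumption about MCS process constraints, not a policy parser.

```python
import re

# Matches the AVC records quoted in this bug; other field orders are not handled.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{ (?P<perms>[^}]+)\} for .*?comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def categories(level):
    """Expand an MCS level such as 's0:c940,c997' or 's0:c0.c1023' into a set of ints."""
    cats = set()
    _, _, spec = level.partition(':')
    for item in filter(None, spec.split(',')):
        lo, _, hi = item.partition('.')
        lo_n = int(lo[1:])
        hi_n = int(hi[1:]) if hi else lo_n
        cats.update(range(lo_n, hi_n + 1))
    return cats

def high_categories(context):
    """Return (type, categories of the high level); a single level is its own high."""
    _user, _role, typ, *rest = context.split(':', 3)
    level = rest[0] if rest else 's0'
    low, _, high = level.partition('-')
    return typ, categories(high or low)

def classify(line):
    m = AVC_RE.search(line)
    if not m:
        return None
    stype, scats = high_categories(m['scontext'])
    ttype, tcats = high_categories(m['tcontext'])
    # Heuristic: MCS constraints on process operations require the source's high
    # level to dominate the target's, i.e. every target category in the source set.
    # If it does not, an allow rule cannot help and the domain needs a range.
    kind = 'type_enforcement' if scats >= tcats else 'mcs_constraint'
    return {'perms': m['perms'].split(), 'tclass': m['tclass'],
            'source': stype, 'target': ttype, 'kind': kind}

# Two lines quoted from the bug, plus one constructed line for a ranged sanlock_t.
SAMPLE_LINES = [
    'type=AVC msg=audit(1317200388.275:103): avc: denied { sigkill } for pid=19505 comm="sanlock" scontext=unconfined_u:system_r:sanlock_t:s0 tcontext=system_u:system_r:svirt_t:s0:c940,c997 tclass=process',
    'type=AVC msg=audit(1317201002.861:176): avc: denied { connectto } for pid=19911 comm="libvirtd" path="/var/run/sanlock/sanlock.sock" scontext=system_u:system_r:svirt_t:s0:c381,c588 tcontext=unconfined_u:system_r:sanlock_t:s0 tclass=unix_stream_socket',
    'type=AVC msg=audit(1317300000.000:200): avc: denied { sigkill } for pid=19505 comm="sanlock" scontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=system_u:system_r:svirt_t:s0:c940,c997 tclass=process',
]

def triage(lines):
    """Classify every AVC line, skipping non-AVC records."""
    return [r for r in map(classify, lines) if r]

if __name__ == '__main__':
    for r in triage(SAMPLE_LINES):
        print(f"{r['source']} -> {r['target']} {r['tclass']} {r['perms']}: {r['kind']}")
```

The first line reports mcs_constraint, matching audit2allow's warning; the third line, representing sanlock_t with the s0 - mcs_systemhigh range from the policy change, reports type_enforcement because the high level now covers every guest category.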