Bug 739065

Summary: fence_scsi.key moved from /var/lib/cluster/ to /var/run/cluster/ but SELinux context did not follow
Product: Red Hat Enterprise Linux 6 Reporter: Milos Malik <mmalik>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: low Docs Contact:
Priority: medium    
Version: 6.2CC: cluster-maint, dwalsh, rohara
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-targeted-3.7.19-114.el6 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-12-06 10:19:06 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Milos Malik 2011-09-16 13:28:57 UTC 
Description of problem:
more info is at https://fedorahosted.org/pipermail/cluster-commits/2011-March/001843.html

I don't see AVCs as a result of this move now, but they could appear in the future depending on what actions will be performed on that file.

Version-Release number of selected component (if applicable):
selinux-policy-doc-3.7.19-110.el6.noarch
selinux-policy-3.7.19-110.el6.noarch
selinux-policy-minimum-3.7.19-110.el6.noarch
selinux-policy-mls-3.7.19-110.el6.noarch
selinux-policy-targeted-3.7.19-110.el6.noarch

Actual results:
# matchpathcon /var/lib/cluster/fence_scsi.key 
/var/lib/cluster/fence_scsi.key system_u:object_r:cluster_var_lib_t:s0
# matchpathcon /var/run/cluster/fence_scsi.key 
/var/run/cluster/fence_scsi.key system_u:object_r:var_run_t:s0
#
Comment 2 Miroslav Grepl 2011-09-16 13:55:32 UTC 
Who needs to access to this file?
Comment 3 Ryan O'Hara 2011-09-16 22:59:59 UTC 
(In reply to comment #2)
> Who needs to access to this file?

The fence_scsi agent (/usr/sbin/fence_scsi) and potentially the fence_scsi_check watchdog script.
Comment 5 Miroslav Grepl 2011-09-20 12:44:16 UTC 
Ryan,
does it cause an issue? Does it work with SELinux in enforing mode?
Comment 6 Ryan O'Hara 2011-09-23 17:36:48 UTC 
(In reply to comment #5)
> Ryan,
> does it cause an issue? Does it work with SELinux in enforing mode?

I have not seen any issues, but QE needs to give the official answer here.
Comment 8 Ryan O'Hara 2011-09-26 15:19:38 UTC 
I encountered no issues when testing on RHEL6.2.

Note that the files created in /var/run/cluster/ by fence_scsi get the following context in my test:

# ls -Z /var/run/cluster/
-rw-r--r--. root root unconfined_u:object_r:fenced_var_run_t:s0 fence_scsi.dev
-rw-r--r--. root root unconfined_u:object_r:fenced_var_run_t:s0 fence_scsi.key

That does not match what is reported in comment #1.
Comment 9 Miroslav Grepl 2011-09-26 16:19:57 UTC 
Yes, this is ok. But I need to add labeling for it. I didn't realize we have a transition rule for /var/run/cluster directory.

But the /var/run/cluster/fence directory would be nice.
Comment 11 Miroslav Grepl 2011-10-05 05:01:02 UTC 
Fixed in selinux-policy-targeted-3.7.19-114.el6
Comment 14 errata-xmlrpc 2011-12-06 10:19:06 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1511.html