Bug 746764

Summary: piranha-gui: error opening or creating the lvs.cf configuration file
Product: Red Hat Enterprise Linux 6 Reporter: Ryan O'Hara <rohara>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium Docs Contact:
Priority: medium    
Version: 6.2CC: cluster-maint, dwalsh, mmalik
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.7.19-118 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-12-06 10:20:14 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Ryan O'Hara 2011-10-17 17:47:03 UTC 
Using RHEL 6.2 Beta with piranha-0.8.5-9.el6, piranha-gui reports error:

There was an error opening or creating the lvs.cf configuration file
The most likely cause is that the file permissions are incorrect.
They should be set as follows

-rw-rw----   1 root  piranha	0 Mar 1 12:00 /etc/sysconfig/ha/lvs.cf

You can achieve this by issuing the following 3 commands as root
 touch /etc/sysconfig/ha/lvs.cf
 chmod 660 /etc/sysconfig/ha/lvs.cf
 chown root.piranha /etc/sysconfig/ha/lvs.cf
Additionally, if the problem persists, please confirm that the group
piranha exists in /etc/group and that the Group directive defined in
/etc/sysconfig/ha/conf/httpd.conf is set as piranha. 



Permission/ownership of lvs.cf appears to be correct. The settings in piranha's httpd.conf are also correct.

# ls -al /etc/sysconfig/ha/lvs.cf 
-rw-rw----. 1 root piranha 7390 Aug 11 10:32 /etc/sysconfig/ha/lvs.cf

SELinux is enabled, but there are no AVCs in the audit log that suggest that SELinux is causing this problem.
Comment 2 Ryan O'Hara 2011-10-17 19:17:07 UTC 
I stand corrected. It does appear to be an selinux problem. I'm using selinux-policy-targeted-3.7.19-113.el6.

type=AVC msg=audit(1318878759.072:5850): avc:  denied  { write } for  pid=8575 comm="httpd" name="lvs.cf" dev=dm-0 ino=150000 scontext=unconfined_u:system_r:piranha_web_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1318878759.072:5850): arch=c000003e syscall=2 success=no exit=-13 a0=7fe778fd8588 a1=2 a2=1b6 a3=21 items=0 ppid=8573 pid=8575 auid=0 uid=60 gid=60 euid=60 suid=60 fsuid=60 egid=60 sgid=60 fsgid=60 tty=(none) ses=950 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:piranha_web_t:s0 key=(null)

This can be recreated by the following steps.

1. Run piranha-passwd to set password for piranha-gui.
2. Run 'service piranha-gui start'.
3. Login with username 'piranha' and password set in step #1.
Comment 3 Ryan O'Hara 2011-10-17 19:21:34 UTC 
Not sure if this is helpful, but comparing selinux context of lvs.cf on RHEL5 vs RHEL6:

On RHEL5.7:
# ls -Z /etc/sysconfig/ha/lvs.cf
-rw-rw-r--  root piranha system_u:object_r:piranha_etc_rw_t /etc/sysconfig/ha/lvs.cf

On RHEL6.2 Beta:
# ls -Z /etc/sysconfig/ha/lvs.cf 
-rw-rw----. root piranha system_u:object_r:etc_t:s0       /etc/sysconfig/ha/lvs.cf
Comment 4 Miroslav Grepl 2011-10-17 20:54:17 UTC 
Well, I would say this is not a valid bug on RHEL6. 

The policy shows me

/etc/piranha/lvs\.cf        --  gen_context(system_u:object_r:piranha_etc_rw_t,s0)

which I believe is the default location for the config file. You created a new one with the different location. 

Yes, I can add label for it but you will need to run restorecon on it anyways.
Comment 5 Ryan O'Hara 2011-10-17 21:03:05 UTC 
(In reply to comment #4)
> Well, I would say this is not a valid bug on RHEL6. 
> 
> The policy shows me
> 
> /etc/piranha/lvs\.cf        -- 
> gen_context(system_u:object_r:piranha_etc_rw_t,s0)
> 
> which I believe is the default location for the config file. You created a new
> one with the different location. 
> 
> Yes, I can add label for it but you will need to run restorecon on it anyways.

No, I did not create a new config file in a different location. This is the default. It appears the policy is incorrect. The RHEL6 spec file also shows that /etc/sysconfig/ha/ is the correct location.
Comment 6 Miroslav Grepl 2011-10-17 21:05:55 UTC 
Ok, I will fix it. Then I was confused by 

>You can achieve this by issuing the following 3 commands as root
> touch /etc/sysconfig/ha/lvs.cf
> chmod 660 /etc/sysconfig/ha/lvs.cf
> chown root.piranha /etc/sysconfig/ha/lvs.cf
Comment 8 Ryan O'Hara 2011-10-17 21:15:35 UTC 
(In reply to comment #6)
> Ok, I will fix it. Then I was confused by 
> 
> >You can achieve this by issuing the following 3 commands as root
> > touch /etc/sysconfig/ha/lvs.cf
> > chmod 660 /etc/sysconfig/ha/lvs.cf
> > chown root.piranha /etc/sysconfig/ha/lvs.cf

Thanks. Just let me know when a policy is available and I will test it immediately.
Comment 11 Miroslav Grepl 2011-10-18 14:05:24 UTC 
Fixed in selinux-policy-3.7.19-118.el6.noarch

# matchpathcon /etc/sysconfig/ha/lvs.cf
/etc/sysconfig/ha/lvs.cf	system_u:object_r:piranha_etc_rw_t:s0
Comment 16 errata-xmlrpc 2011-12-06 10:20:14 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1511.html