Bug 747300

Summary: pulse is leaking a file descriptor
Product: Red Hat Enterprise Linux 6
Reporter: Milos Malik <mmalik>
Component: piranha
Assignee: Ryan O'Hara <rohara>
Status: CLOSED ERRATA
QA Contact: Cluster QE <mspqa-list>
Severity: low
Priority: low
Version: 6.2
CC: cluster-maint, dwalsh, mjuricek
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: piranha-0.8.5-11.el6
Doc Type: Bug Fix
Last Closed: 2012-06-20 14:17:55 UTC
Bug Blocks: 756082
Attachments: Close fd after reading configuration file (no flags)

Description Milos Malik 2011-10-19 12:45:34 UTC
Description of problem:


Version-Release number of selected component (if applicable):
selinux-policy-minimum-3.7.19-118.el6.noarch
selinux-policy-mls-3.7.19-118.el6.noarch
selinux-policy-targeted-3.7.19-118.el6.noarch
selinux-policy-3.7.19-118.el6.noarch
selinux-policy-doc-3.7.19-118.el6.noarch
piranha-0.8.5-9.el6.i686

How reproducible:
always

Steps to Reproduce:
1) get a fresh RHEL-6.2 machine
2) yum -y install ipvsadm piranha setools-console policycoreutils-python
3) run following automated test:
/CoreOS/selinux-policy/Regression/bz584451-piranha-and-ipvsadm
  
Actual results:
----
time->Wed Oct 19 08:37:30 2011
type=SYSCALL msg=audit(1319027850.553:84231): arch=40000003 syscall=11 success=yes exit=0 a0=98bd430 a1=98bd480 a2=98bd6b8 a3=98bd480 items=0 ppid=25278 pid=25279 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=12 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1319027850.553:84231): avc:  denied  { read } for  pid=25279 comm="httpd" path="/etc/sysconfig/ha/lvs.cf" dev=dm-0 ino=263342 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:piranha_etc_rw_t:s0 tclass=file
----
time->Wed Oct 19 08:37:38 2011
type=SYSCALL msg=audit(1319027858.888:84232): arch=40000003 syscall=11 success=yes exit=0 a0=9283430 a1=9283480 a2=92836b8 a3=9283480 items=0 ppid=25362 pid=25363 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=12 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1319027858.888:84232): avc:  denied  { read } for  pid=25363 comm="httpd" path="/etc/sysconfig/ha/lvs.cf" dev=dm-0 ino=263342 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:piranha_etc_rw_t:s0 tclass=file
----

Expected results:
* no AVCs

Comment 2 Milos Malik 2011-10-19 12:53:59 UTC
dontaudit candidate ?

Comment 3 Miroslav Grepl 2011-10-19 12:58:50 UTC
Yes, but should be fixed in pulse which is leaking.

Comment 6 Lon Hohberger 2011-10-19 17:20:31 UTC
Two things:

* the test case which produces this particular error appears to be using fos - in fos.c, it's pretty clear that we don't close the lvs.cf prior to the run() function call; this is an easy fix.  The catch is that since RHEL 2.1 we have never supported fos mode of pulse.

* Piranha-gui spawns httpd, and has for the better part of 12 years used php to edit /etc/sysconfig/ha/lvs.cf - appears that is not working if you try to log in and edit the lvs.cf from piranha-gui (I think this is a separate issue, I don't know if it's a blocker or not):

type=AVC msg=audit(1319043483.057:3985): avc:  denied  { write } for  pid=8524 comm="httpd" name="lvs.cf" dev=dm-0 ino=137226 scontext=unconfined_u:system_r:piranha_web_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1319043483.057:3985): arch=c000003e syscall=2 success=no exit=-13 a0=7fc8384a27c0 a1=2 a2=1b6 a3=21 items=0 ppid=8522 pid=8524 auid=0 uid=60 gid=60 euid=60 suid=60 fsuid=60 egid=60 sgid=60 fsgid=60 tty=(none) ses=168 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:piranha_web_t:s0 key=(null)

Comment 7 Lon Hohberger 2011-10-19 17:21:30 UTC
Created attachment 529060
Close fd after reading configuration file

Comment 9 Lon Hohberger 2011-10-19 17:31:33 UTC
(In reply to comment #6)
>
> * Piranha-gui spawns httpd, and has for the better part of 12 years used php to
> edit /etc/sysconfig/ha/lvs.cf - appears that is not working if you try to log
> in an edit the lvs.cf from piranha-gui 

... is bug 746764

Nothing to see here.

Comment 12 Ryan O'Hara 2012-02-13 21:45:11 UTC
(In reply to comment #0)

> Steps to Reproduce:
> 1) get a fresh RHEL-6.2 machine
> 2) yum -y install ipvsadm piranha setools-console policycoreutils-python
> 3) run following automated test:
> /CoreOS/selinux-policy/Regression/bz584451-piranha-and-ipvsadm

Where do I find the test referenced in step #3?

Comment 13 Ryan O'Hara 2012-02-13 23:20:17 UTC
Created attachment 561701
lvs.cf file fos mode httpd

Here is an example lvs.cf file that can be used to control httpd in fos mode. This is useful for reproducing the problem and testing the fix. Be sure to replace IP_ADDRESS and ETH_DEVICE with appropriate values.

Comment 14 Ryan O'Hara 2012-02-13 23:39:24 UTC
In this test, it is best to turn off any existing httpd services to avoid confusion. With httpd turned off, check that no httpd processes exist:

# pidof httpd
(no output)

Using the lvs.cf file to control httpd in fos mode, start pulse:

# service pulse start
Starting pulse:                                            [  OK  ]

This should start piranha in fos mode and start httpd as a failover service. Now look for the leaking file descriptor:

# for a in `pidof httpd`; do ls -l /proc/$a/fd | grep lvs; done
lr-x------. 1 root root 64 Feb 13 17:14 3 -> /etc/sysconfig/ha/lvs.cf
lr-x------. 1 root root 64 Feb 13 17:14 3 -> /etc/sysconfig/ha/lvs.cf
lr-x------. 1 root root 64 Feb 13 17:14 3 -> /etc/sysconfig/ha/lvs.cf
lr-x------. 1 root root 64 Feb 13 17:14 3 -> /etc/sysconfig/ha/lvs.cf
lr-x------. 1 root root 64 Feb 13 17:14 3 -> /etc/sysconfig/ha/lvs.cf
lr-x------. 1 root root 64 Feb 13 17:14 3 -> /etc/sysconfig/ha/lvs.cf
lr-x------. 1 root root 64 Feb 13 17:14 3 -> /etc/sysconfig/ha/lvs.cf
lr-x------. 1 root root 64 Feb 13 17:14 3 -> /etc/sysconfig/ha/lvs.cf
lr-x------. 1 root root 64 Feb 13 17:14 3 -> /etc/sysconfig/ha/lvs.cf

These file descriptors for lvs.cf should not exist.

With patch, repeat the same test:

# service pulse start
Starting pulse:                                            [  OK  ]

# pidof httpd
2821 2820 2819 2818 2817 2816 2815 2814 2812

We have 9 httpd processes, none should have a file descriptor for lvs.cf:

# for a in `pidof httpd`; do ls -l /proc/$a/fd | grep lvs; done
(no output)

This fixes the leaking file descriptor. I'll run the selinux test as soon as I get more information about how to do so.

Comment 19 Ryan O'Hara 2012-02-14 19:48:58 UTC
Fixed in piranha-0.8.5-11.el6.

Comment 22 errata-xmlrpc 2012-06-20 14:17:55 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0891.html