Bug 831908
| Field | Value |
|---|---|
| Summary | AVC denied errors on sanlock |
| Product | Red Hat Enterprise Linux 6 |
| Reporter | Alex Jia <ajia> |
| Component | selinux-policy |
| Assignee | Miroslav Grepl <mgrepl> |
| Status | CLOSED ERRATA |
| QA Contact | Milos Malik <mmalik> |
| Severity | high |
| Priority | high |
| Version | 6.3 |
| CC | berrange, bili, cluster-maint, dwalsh, dyuan, fsimonce, mmalik, mzhan, teigland |
| Target Milestone | rc |
| Flags | teigland: needinfo+ |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Fixed In Version | selinux-policy-3.7.19-180.el6 |
| Doc Type | Bug Fix |
| Story Points | --- |
| Last Closed | 2013-02-21 08:35:51 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
| Bug Blocks | 840699 |
Description
Alex Jia
2012-06-14 03:42:36 UTC
Reproduced in enforcing mode using "service sanlock restart" instead of "service sanlock start":

```
----
time->Thu Jun 14 06:16:36 2012
type=PATH msg=audit(1339668996.938:1198732): item=0 name="/proc/sys/kernel/ngroups_max" inode=131402355 dev=00:03 mode=0100444 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:unlabeled_t:s0
type=CWD msg=audit(1339668996.938:1198732): cwd="/"
type=SYSCALL msg=audit(1339668996.938:1198732): arch=c000003e syscall=2 success=yes exit=6 a0=7ff6863fb19a a1=0 a2=4a a3=ffffffdb items=1 ppid=1 pid=25954 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=58418 comm="sanlock" exe="/usr/sbin/sanlock" subj=unconfined_u:system_r:sanlock_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1339668996.938:1198732): avc: denied { read } for pid=25954 comm="sanlock" scontext=unconfined_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file
type=AVC msg=audit(1339668996.938:1198732): avc: denied { search } for pid=25954 comm="sanlock" scontext=unconfined_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=dir
----
time->Thu Jun 14 06:16:36 2012
type=PATH msg=audit(1339668996.940:1198733): item=0 name="/var/run/winbindd" inode=2754010 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:winbind_var_run_t:s0
type=CWD msg=audit(1339668996.940:1198733): cwd="/"
type=SYSCALL msg=audit(1339668996.940:1198733): arch=c000003e syscall=6 success=yes exit=0 a0=7ff68528ad0a a1=7fffcbb3f5b0 a2=7fffcbb3f5b0 a3=7fffcbb3f300 items=1 ppid=1 pid=25954 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=58418 comm="sanlock" exe="/usr/sbin/sanlock" subj=unconfined_u:system_r:sanlock_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1339668996.940:1198733): avc: denied { getattr } for pid=25954 comm="sanlock" path="/var/run/winbindd" dev=dm-0 ino=2754010 scontext=unconfined_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:winbind_var_run_t:s0 tclass=dir
----
time->Thu Jun 14 06:16:36 2012
type=PATH msg=audit(1339668996.940:1198734): item=0 name="/var/run/winbindd/pipe"
type=CWD msg=audit(1339668996.940:1198734): cwd="/"
type=SYSCALL msg=audit(1339668996.940:1198734): arch=c000003e syscall=6 success=no exit=-2 a0=7ff689156b40 a1=7fffcbb3f5b0 a2=7fffcbb3f5b0 a3=7fffcbb3f700 items=1 ppid=1 pid=25954 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=58418 comm="sanlock" exe="/usr/sbin/sanlock" subj=unconfined_u:system_r:sanlock_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1339668996.940:1198734): avc: denied { search } for pid=25954 comm="sanlock" name="winbindd" dev=dm-0 ino=2754010 scontext=unconfined_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:winbind_var_run_t:s0 tclass=dir
----
time->Thu Jun 14 06:16:36 2012
type=OBJ_PID msg=audit(1339668996.940:1198735): opid=25954 oauid=0 ouid=0 oses=58418 obj=unconfined_u:system_r:sanlock_t:s0-s0:c0.c1023 ocomm="sanlock"
type=SYSCALL msg=audit(1339668996.940:1198735): arch=c000003e syscall=234 success=yes exit=0 a0=6562 a1=6563 a2=21 a3=1 items=0 ppid=1 pid=25954 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=58418 comm="sanlock" exe="/usr/sbin/sanlock" subj=unconfined_u:system_r:sanlock_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1339668996.940:1198735): avc: denied { signal } for pid=25954 comm="sanlock" scontext=unconfined_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:sanlock_t:s0-s0:c0.c1023 tclass=process
----
time->Thu Jun 14 06:16:36 2012
type=SYSCALL msg=audit(1339668996.940:1198736): arch=c000003e syscall=116 success=yes exit=0 a0=2 a1=7ff6875dd010 a2=7ff687adac20 a3=0 items=0 ppid=1 pid=25955 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=58418 comm="sanlock" exe="/usr/sbin/sanlock" subj=unconfined_u:system_r:sanlock_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1339668996.940:1198736): avc: denied { setgid } for pid=25955 comm="sanlock" capability=6 scontext=unconfined_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:sanlock_t:s0-s0:c0.c1023 tclass=capability
----
time->Thu Jun 14 06:16:36 2012
type=PATH msg=audit(1339668996.974:1198737): item=0 name="/var/run/sanlock/sanlock.sock" inode=2755956 dev=fd:00 mode=0140660 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:sanlock_var_run_t:s0
type=CWD msg=audit(1339668996.974:1198737): cwd="/"
type=SYSCALL msg=audit(1339668996.974:1198737): arch=c000003e syscall=92 success=yes exit=0 a0=7fffcbb42fe2 a1=b3 a2=b3 a3=fffffff4 items=1 ppid=1 pid=25954 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=58418 comm="sanlock" exe="/usr/sbin/sanlock" subj=unconfined_u:system_r:sanlock_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1339668996.974:1198737): avc: denied { chown } for pid=25954 comm="sanlock" capability=0 scontext=unconfined_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:sanlock_t:s0-s0:c0.c1023 tclass=capability
----
time->Thu Jun 14 06:16:36 2012
type=PATH msg=audit(1339668996.933:1198731): item=1 name="/var/run/sanlock/sanlock.pid" inode=2753254 dev=fd:00 mode=0100666 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:sanlock_var_run_t:s0
type=PATH msg=audit(1339668996.933:1198731): item=0 name="/var/run/sanlock/" inode=2753927 dev=fd:00 mode=040775 ouid=179 ogid=179 rdev=00:00 obj=unconfined_u:object_r:sanlock_var_run_t:s0
type=CWD msg=audit(1339668996.933:1198731): cwd="/"
type=SYSCALL msg=audit(1339668996.933:1198731): arch=c000003e syscall=2 success=yes exit=3 a0=7fffcbb41e20 a1=80041 a2=1b6 a3=fffffff5 items=2 ppid=1 pid=25954 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=58418 comm="sanlock" exe="/usr/sbin/sanlock" subj=unconfined_u:system_r:sanlock_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1339668996.933:1198731): avc: denied { dac_override } for pid=25954 comm="sanlock" capability=1 scontext=unconfined_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:sanlock_t:s0-s0:c0.c1023 tclass=capability
----
```

Cannot be reproduced with sanlock < 2.3-1.el6.

Looks like sanlock is changing the ownership on the pid file, changing its gid and then ending up not able to read the file as root?

This is incorrect:

```
SANLOCKOPTS="-w 0"
```

It should be:

```
SANLOCKOPTS="-U sanlock -G sanlock -w 0"
```

Please try that, it will probably affect the results.

I uncommented the following line in /etc/sysconfig/sanlock:

```
SANLOCKOPTS="-U sanlock -G sanlock -w 0"
```

and the results you can see in comment#2.

Trying to decipher those selinux messages...

- sanlock does need to set /proc/sys/kernel/ngroups_max (this was a very recent change)
- I don't know what winbindd is or why sanlock would be trying to access it
- "denied { signal }" -- is this complaining about sanlock using kill(2)? sanlock doesn't use signal(2), at least not directly.
- setgid -- sanlock does use this
- chown -- sanlock does use this

winbind is probably to resolve UID/GID.

```
signal == kill -TERM
sigkill == KILL -9
signull == kill -NULL
```

ok, thanks. Yes we need to resolve uid/gid, and yes we need to run kill(SIGTERM) and kill(SIGKILL).

Alex or Milos, has this problem gone away or been fixed?

I still see AVCs on my RHEL-6.3 virtual machine. Installed sanlock packages were built from sanlock-2.3-1.el6.src.rpm, which is available in brew.

```
# rpm -qa selinux-policy\*
selinux-policy-minimum-3.7.19-155.el6_3.noarch
selinux-policy-doc-3.7.19-155.el6_3.noarch
selinux-policy-mls-3.7.19-155.el6_3.noarch
selinux-policy-3.7.19-155.el6_3.noarch
selinux-policy-targeted-3.7.19-155.el6_3.noarch
# rpm -qa sanlock\*
sanlock-2.3-1.el6.i386
sanlock-lib-2.3-1.el6.i386
# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted
# ausearch -m avc -m user_avc -m selinux_err -ts today | audit2allow

#============= sanlock_t ==============
allow sanlock_t self:capability { chown setgid };
allow sanlock_t self:process signal;
allow sanlock_t sysctl_kernel_t:dir search;
allow sanlock_t sysctl_kernel_t:file read;
#
```

I've also heard that there are selinux problems related to these recently added calls:

```
main.c: rv = setrlimit(RLIMIT_MEMLOCK, &rlim);
main.c: rv = setrlimit(RLIMIT_RTPRIO, &rlim);
```

Can someone update the selinux policies for sanlock and wdmd to include all the problems that are accumulating here? It seems at least the following are causing problems either in rhel or fedora:

- setrlimit
- /proc/sys/kernel/ngroups_max
- winbind
- signal
- sigkill
- signull
- setgid
- chown

Following AVCs were produced by the automated test in permissive mode:

```
----
type=PATH msg=audit(08/02/2012 10:58:13.120:134) : item=0 name=/var/run/sanlock inode=25470 dev=08:03 mode=dir,775 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sanlock_var_run_t:s0
type=CWD msg=audit(08/02/2012 10:58:13.120:134) : cwd=/
type=SYSCALL msg=audit(08/02/2012 10:58:13.120:134) : arch=i386 syscall=chown32 success=yes exit=0 a0=53b9c2 a1=b3 a2=b3 a3=ffffffff items=1 ppid=1 pid=4010 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=4 comm=sanlock exe=/usr/sbin/sanlock subj=system_u:system_r:sanlock_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(08/02/2012 10:58:13.120:134) : avc: denied { chown } for pid=4010 comm=sanlock capability=chown scontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023 tclass=capability
----
type=PATH msg=audit(08/02/2012 10:58:13.423:135) : item=1 name=/var/run/sanlock/sanlock.pid inode=21881 dev=08:03 mode=file,666 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sanlock_var_run_t:s0
type=PATH msg=audit(08/02/2012 10:58:13.423:135) : item=0 name=/var/run/sanlock/ inode=25470 dev=08:03 mode=dir,775 ouid=sanlock ogid=sanlock rdev=00:00 obj=system_u:object_r:sanlock_var_run_t:s0
type=CWD msg=audit(08/02/2012 10:58:13.423:135) : cwd=/
type=SYSCALL msg=audit(08/02/2012 10:58:13.423:135) : arch=i386 syscall=open success=yes exit=7 a0=bfce8d50 a1=80041 a2=1b6 a3=0 items=2 ppid=1 pid=4010 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=4 comm=sanlock exe=/usr/sbin/sanlock subj=system_u:system_r:sanlock_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(08/02/2012 10:58:13.423:135) : avc: denied { dac_override } for pid=4010 comm=sanlock capability=dac_override scontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023 tclass=capability
----
type=SYSCALL msg=audit(08/02/2012 10:58:13.430:136) : arch=i386 syscall=setrlimit success=yes exit=0 a0=8 a1=bfce9f24 a2=29dff4 a3=bfce9f24 items=0 ppid=1 pid=4010 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=4 comm=sanlock exe=/usr/sbin/sanlock subj=system_u:system_r:sanlock_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(08/02/2012 10:58:13.430:136) : avc: denied { sys_resource } for pid=4010 comm=sanlock capability=sys_resource scontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(08/02/2012 10:58:13.430:136) : avc: denied { setrlimit } for pid=4010 comm=sanlock scontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023 tclass=process
----
type=PATH msg=audit(08/02/2012 10:58:13.431:137) : item=0 name=/proc/sys/kernel/ngroups_max inode=12449 dev=00:03 mode=file,444 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:unlabeled_t:s0
type=CWD msg=audit(08/02/2012 10:58:13.431:137) : cwd=/
type=SYSCALL msg=audit(08/02/2012 10:58:13.431:137) : arch=i386 syscall=open success=yes exit=9 a0=263050 a1=0 a2=6434342d a3=3 items=1 ppid=1 pid=4010 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=4 comm=sanlock exe=/usr/sbin/sanlock subj=system_u:system_r:sanlock_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(08/02/2012 10:58:13.431:137) : avc: denied { read } for pid=4010 comm=sanlock scontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file
type=AVC msg=audit(08/02/2012 10:58:13.431:137) : avc: denied { search } for pid=4010 comm=sanlock scontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=dir
----
type=PATH msg=audit(08/02/2012 10:58:13.447:138) : item=0 name=/var/run/winbindd inode=16871 dev=08:03 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:winbind_var_run_t:s0
type=CWD msg=audit(08/02/2012 10:58:13.447:138) : cwd=/
type=SYSCALL msg=audit(08/02/2012 10:58:13.447:138) : arch=i386 syscall=lstat64 success=yes exit=0 a0=f94cf8 a1=bfce6614 a2=29dff4 a3=bfce6614 items=1 ppid=1 pid=4010 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=4 comm=sanlock exe=/usr/sbin/sanlock subj=system_u:system_r:sanlock_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(08/02/2012 10:58:13.447:138) : avc: denied { getattr } for pid=4010 comm=sanlock path=/var/run/winbindd dev=sda3 ino=16871 scontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:winbind_var_run_t:s0 tclass=dir
----
type=PATH msg=audit(08/02/2012 10:58:13.447:139) : item=0 name=/var/run/winbindd/pipe inode=9223 dev=08:03 mode=socket,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:winbind_var_run_t:s0
type=CWD msg=audit(08/02/2012 10:58:13.447:139) : cwd=/
type=SYSCALL msg=audit(08/02/2012 10:58:13.447:139) : arch=i386 syscall=lstat64 success=yes exit=0 a0=180eb10 a1=bfce6614 a2=29dff4 a3=bfce6614 items=1 ppid=1 pid=4010 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=4 comm=sanlock exe=/usr/sbin/sanlock subj=system_u:system_r:sanlock_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(08/02/2012 10:58:13.447:139) : avc: denied { getattr } for pid=4010 comm=sanlock path=/var/run/winbindd/pipe dev=sda3 ino=9223 scontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:winbind_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(08/02/2012 10:58:13.447:139) : avc: denied { search } for pid=4010 comm=sanlock name=winbindd dev=sda3 ino=16871 scontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:winbind_var_run_t:s0 tclass=dir
----
type=PATH msg=audit(08/02/2012 10:58:13.447:140) : item=0 name=(null) inode=9223 dev=08:03 mode=socket,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:winbind_var_run_t:s0
type=SOCKADDR msg=audit(08/02/2012 10:58:13.447:140) : saddr=local /var/run/winbindd/pipe
type=SOCKETCALL msg=audit(08/02/2012 10:58:13.447:140) : nargs=3 a0=9 a1=bfce668a a2=6e
type=SYSCALL msg=audit(08/02/2012 10:58:13.447:140) : arch=i386 syscall=socketcall(connect) success=yes exit=0 a0=3 a1=bfce654c a2=f96108 a3=0 items=1 ppid=1 pid=4010 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=4 comm=sanlock exe=/usr/sbin/sanlock subj=system_u:system_r:sanlock_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(08/02/2012 10:58:13.447:140) : avc: denied { connectto } for pid=4010 comm=sanlock path=/var/run/winbindd/pipe scontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=system_u:system_r:winbind_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(08/02/2012 10:58:13.447:140) : avc: denied { write } for pid=4010 comm=sanlock name=pipe dev=sda3 ino=9223 scontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:winbind_var_run_t:s0 tclass=sock_file
----
type=PATH msg=audit(08/02/2012 10:58:13.452:141) : item=0 name=/var/lib/samba/winbindd_privileged inode=16870 dev=08:03 mode=dir,750 ouid=root ogid=wbpriv rdev=00:00 obj=system_u:object_r:winbind_var_run_t:s0
type=CWD msg=audit(08/02/2012 10:58:13.452:141) : cwd=/
type=SYSCALL msg=audit(08/02/2012 10:58:13.452:141) : arch=i386 syscall=lstat64 success=yes exit=0 a0=180eaa8 a1=bfce6614 a2=29dff4 a3=bfce6614 items=1 ppid=1 pid=4010 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=4 comm=sanlock exe=/usr/sbin/sanlock subj=system_u:system_r:sanlock_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(08/02/2012 10:58:13.452:141) : avc: denied { search } for pid=4010 comm=sanlock name=samba dev=sda3 ino=6642 scontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:samba_var_t:s0 tclass=dir
----
type=OBJ_PID msg=audit(08/02/2012 10:58:13.452:142) : opid=4010 oauid=root ouid=root oses=4 obj=system_u:system_r:sanlock_t:s0-s0:c0.c1023 ocomm="sanlock"
type=SYSCALL msg=audit(08/02/2012 10:58:13.452:142) : arch=i386 syscall=tgkill success=yes exit=0 a0=faa a1=fad a2=21 a3=b7514bd0 items=0 ppid=1 pid=4010 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=4 comm=sanlock exe=/usr/sbin/sanlock subj=system_u:system_r:sanlock_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(08/02/2012 10:58:13.452:142) : avc: denied { signal } for pid=4010 comm=sanlock scontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023 tclass=process
----
type=SYSCALL msg=audit(08/02/2012 10:58:13.452:143) : arch=i386 syscall=setgroups32 success=yes exit=0 a0=2 a1=b6a93008 a2=542d50 a3=0 items=0 ppid=1 pid=4013 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=4 comm=sanlock exe=/usr/sbin/sanlock subj=system_u:system_r:sanlock_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(08/02/2012 10:58:13.452:143) : avc: denied { setgid } for pid=4013 comm=sanlock capability=setgid scontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023 tclass=capability
----
type=SYSCALL msg=audit(08/02/2012 10:58:13.453:144) : arch=i386 syscall=setuid32 success=yes exit=0 a0=b3 a1=b6a93008 a2=542d50 a3=0 items=0 ppid=1 pid=4013 auid=root uid=sanlock gid=sanlock euid=sanlock suid=sanlock fsuid=sanlock egid=sanlock sgid=sanlock fsgid=sanlock tty=(none) ses=4 comm=sanlock exe=/usr/sbin/sanlock subj=system_u:system_r:sanlock_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(08/02/2012 10:58:13.453:144) : avc: denied { setuid } for pid=4013 comm=sanlock capability=setuid scontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023 tclass=capability
----
type=PATH msg=audit(08/02/2012 10:58:17.651:149) : item=0 name=/var/run/sanlock inode=25470 dev=08:03 mode=dir,775 ouid=sanlock ogid=sanlock rdev=00:00 obj=system_u:object_r:sanlock_var_run_t:s0
type=CWD msg=audit(08/02/2012 10:58:17.651:149) : cwd=/
type=SYSCALL msg=audit(08/02/2012 10:58:17.651:149) : arch=i386 syscall=chown32 success=yes exit=0 a0=7529c2 a1=b3 a2=b3 a3=ffffffff items=1 ppid=1 pid=4074 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=4 comm=sanlock exe=/usr/sbin/sanlock subj=system_u:system_r:sanlock_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(08/02/2012 10:58:17.651:149) : avc: denied { chown } for pid=4074 comm=sanlock capability=chown scontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023 tclass=capability
----
type=PATH msg=audit(08/02/2012 10:58:17.652:150) : item=1 name=/var/run/sanlock/sanlock.pid inode=21881 dev=08:03 mode=file,666 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sanlock_var_run_t:s0
type=PATH msg=audit(08/02/2012 10:58:17.652:150) : item=0 name=/var/run/sanlock/ inode=25470 dev=08:03 mode=dir,775 ouid=sanlock ogid=sanlock rdev=00:00 obj=system_u:object_r:sanlock_var_run_t:s0
type=CWD msg=audit(08/02/2012 10:58:17.652:150) : cwd=/
type=SYSCALL msg=audit(08/02/2012 10:58:17.652:150) : arch=i386 syscall=open success=yes exit=7 a0=bff2dcf0 a1=80041 a2=1b6 a3=0 items=2 ppid=1 pid=4074 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=4 comm=sanlock exe=/usr/sbin/sanlock subj=system_u:system_r:sanlock_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(08/02/2012 10:58:17.652:150) : avc: denied { dac_override } for pid=4074 comm=sanlock capability=dac_override scontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023 tclass=capability
----
type=SYSCALL msg=audit(08/02/2012 10:58:17.653:151) : arch=i386 syscall=setrlimit success=yes exit=0 a0=8 a1=bff2eec4 a2=2c6ff4 a3=bff2eec4 items=0 ppid=1 pid=4074 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=4 comm=sanlock exe=/usr/sbin/sanlock subj=system_u:system_r:sanlock_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(08/02/2012 10:58:17.653:151) : avc: denied { sys_resource } for pid=4074 comm=sanlock capability=sys_resource scontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023 tclass=capability
----
type=PATH msg=audit(08/02/2012 10:58:17.656:152) : item=0 name=/proc/sys/kernel/ngroups_max inode=12449 dev=00:03 mode=file,444 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:unlabeled_t:s0
type=CWD msg=audit(08/02/2012 10:58:17.656:152) : cwd=/
type=SYSCALL msg=audit(08/02/2012 10:58:17.656:152) : arch=i386 syscall=open success=yes exit=9 a0=28c050 a1=0 a2=6433342d a3=3 items=1 ppid=1 pid=4074 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=4 comm=sanlock exe=/usr/sbin/sanlock subj=system_u:system_r:sanlock_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(08/02/2012 10:58:17.656:152) : avc: denied { read } for pid=4074 comm=sanlock scontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file
type=AVC msg=audit(08/02/2012 10:58:17.656:152) : avc: denied { search } for pid=4074 comm=sanlock scontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=dir
----
type=PATH msg=audit(08/02/2012 10:58:17.659:153) : item=0 name=/var/run/winbindd/pipe inode=9223 dev=08:03 mode=socket,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:winbind_var_run_t:s0
type=CWD msg=audit(08/02/2012 10:58:17.659:153) : cwd=/
type=SYSCALL msg=audit(08/02/2012 10:58:17.659:153) : arch=i386 syscall=lstat64 success=yes exit=0 a0=18b3b10 a1=bff2b5b4 a2=2c6ff4 a3=bff2b5b4 items=1 ppid=1 pid=4074 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=4 comm=sanlock exe=/usr/sbin/sanlock subj=system_u:system_r:sanlock_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(08/02/2012 10:58:17.659:153) : avc: denied { getattr } for pid=4074 comm=sanlock path=/var/run/winbindd/pipe dev=sda3 ino=9223 scontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:winbind_var_run_t:s0 tclass=sock_file
----
type=PATH msg=audit(08/02/2012 10:58:17.664:154) : item=0 name=(null) inode=9223 dev=08:03 mode=socket,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:winbind_var_run_t:s0
type=SOCKADDR msg=audit(08/02/2012 10:58:17.664:154) : saddr=local /var/run/winbindd/pipe
type=SOCKETCALL msg=audit(08/02/2012 10:58:17.664:154) : nargs=3 a0=9 a1=bff2b62a a2=6e
type=SYSCALL msg=audit(08/02/2012 10:58:17.664:154) : arch=i386 syscall=socketcall(connect) success=yes exit=0 a0=3 a1=bff2b4ec a2=e63108 a3=0 items=1 ppid=1 pid=4074 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=4 comm=sanlock exe=/usr/sbin/sanlock subj=system_u:system_r:sanlock_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(08/02/2012 10:58:17.664:154) : avc: denied { write } for pid=4074 comm=sanlock name=pipe dev=sda3 ino=9223 scontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:winbind_var_run_t:s0 tclass=sock_file
----
type=PATH msg=audit(08/02/2012 10:58:34.966:165) : item=0 name=/var/run/sanlock inode=25470 dev=08:03 mode=dir,775 ouid=sanlock ogid=sanlock rdev=00:00 obj=system_u:object_r:sanlock_var_run_t:s0
type=CWD msg=audit(08/02/2012 10:58:34.966:165) : cwd=/
type=SYSCALL msg=audit(08/02/2012 10:58:34.966:165) : arch=i386 syscall=chown32 success=yes exit=0 a0=2399c2 a1=0 a2=0 a3=ffffffff items=1 ppid=1 pid=4431 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=4 comm=sanlock exe=/usr/sbin/sanlock subj=unconfined_u:system_r:sanlock_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(08/02/2012 10:58:34.966:165) : avc: denied { chown } for pid=4431 comm=sanlock capability=chown scontext=unconfined_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:sanlock_t:s0-s0:c0.c1023 tclass=capability
----
```

The sanlock policy in Rawhide should allow all this access, needs back port.

I've just added a call to shm_open(); I'm guessing that needs to be included also?

The shm_open is used by wdmd (not sanlock).

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

/* The descriptor global and log_error() live elsewhere in wdmd; they are
   declared here only so the snippet compiles on its own. */
static int shm_fd;
#define log_error(fmt, ...) fprintf(stderr, fmt "\n", ##__VA_ARGS__)

static int setup_shm(void)
{
	int rv;

	/* O_EXCL makes the open fail if a previous wdmd left /wdmd behind in tmpfs */
	rv = shm_open("/wdmd", O_RDWR|O_CREAT|O_EXCL, S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH);
	if (rv < 0) {
		log_error("other wdmd not cleanly stopped, shm_open error %d", errno);
		return rv;
	}
	shm_fd = rv;
	return 0;
}

static void close_shm(void)
{
	shm_unlink("/wdmd");
	close(shm_fd);
}
```

Fixed in selinux-policy-3.7.19-159.el6

Hi, yes, we will eventually need this in 6.3.z.

I just tested selinux-policy-3.7.19-159.el6 with sanlock-2.3-4.el6_3, and I'm seeing the following appear in audit.log. The tmpfs references make me think that the shm_open and shm_unlink calls shown in comment 16 are causing a problem?

service wdmd start

```
type=AVC msg=audit(1345747073.299:18172): avc: denied { getattr } for pid=1690 comm="wdmd" name="/" dev=tmpfs ino=5324 scontext=unconfined_u:system_r:wdmd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem
type=SYSCALL msg=audit(1345747073.299:18172): arch=c000003e syscall=137 success=yes exit=0 a0=7fea1ef9a5ae a1=7fff3eee4d80 a2=5 a3=7fff3eee48f0 items=0 ppid=1 pid=1690 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="wdmd" exe="/usr/sbin/wdmd" subj=unconfined_u:system_r:wdmd_t:s0 key=(null)
type=AVC msg=audit(1345747073.300:18173): avc: denied { search } for pid=1690 comm="wdmd" name="/" dev=tmpfs ino=5324 scontext=unconfined_u:system_r:wdmd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=AVC msg=audit(1345747073.300:18173): avc: denied { write } for pid=1690 comm="wdmd" name="/" dev=tmpfs ino=5324 scontext=unconfined_u:system_r:wdmd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=AVC msg=audit(1345747073.300:18173): avc: denied { add_name } for pid=1690 comm="wdmd" name="wdmd" scontext=unconfined_u:system_r:wdmd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=AVC msg=audit(1345747073.300:18173): avc: denied { create } for pid=1690 comm="wdmd" name="wdmd" scontext=unconfined_u:system_r:wdmd_t:s0 tcontext=unconfined_u:object_r:tmpfs_t:s0 tclass=file
type=AVC msg=audit(1345747073.300:18173): avc: denied { read write open } for pid=1690 comm="wdmd" name="wdmd" dev=tmpfs ino=13799 scontext=unconfined_u:system_r:wdmd_t:s0 tcontext=unconfined_u:object_r:tmpfs_t:s0 tclass=file
type=SYSCALL msg=audit(1345747073.300:18173): arch=c000003e syscall=2 success=yes exit=5 a0=7fff3eee4e70 a1=a00c2 a2=1a4 a3=7fff3eee4bf0 items=0 ppid=1 pid=1690 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="wdmd" exe="/usr/sbin/wdmd" subj=unconfined_u:system_r:wdmd_t:s0 key=(null)
```

service wdmd stop

```
type=AVC msg=audit(1345747156.188:18174): avc: denied { remove_name } for pid=1690 comm="wdmd" name="wdmd" dev=tmpfs ino=13799 scontext=unconfined_u:system_r:wdmd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=AVC msg=audit(1345747156.188:18174): avc: denied { unlink } for pid=1690 comm="wdmd" name="wdmd" dev=tmpfs ino=13799 scontext=unconfined_u:system_r:wdmd_t:s0 tcontext=unconfined_u:object_r:tmpfs_t:s0 tclass=file
type=SYSCALL msg=audit(1345747156.188:18174): arch=c000003e syscall=87 success=yes exit=0 a0=7fff3eee4e80 a1=7fea1f5c6491 a2=0 a3=7fff3eee4c00 items=0 ppid=1 pid=1690 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="wdmd" exe="/usr/sbin/wdmd" subj=unconfined_u:system_r:wdmd_t:s0 key=(null)
```

Ok, I am adding it. Also it needs to be proposed if z-stream is needed.

I tried selinux-policy-3.7.19-160.el6 and still saw the wdmd tmpfs errors in audit.log

```
type=AVC msg=audit(1347029599.885:18072): avc: denied { getattr } for pid=1675 comm="wdmd" name="/" dev=tmpfs ino=5324 scontext=unconfined_u:system_r:wdmd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem
type=SYSCALL msg=audit(1347029599.885:18072): arch=c000003e syscall=137 success=yes exit=0 a0=7f394d1d05ae a1=7fffa5e42c20 a2=5 a3=7fffa5e42790 items=0 ppid=1 pid=1675 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="wdmd" exe="/usr/sbin/wdmd" subj=unconfined_u:system_r:wdmd_t:s0 key=(null)
type=AVC msg=audit(1347029599.886:18073): avc: denied { search } for pid=1675 comm="wdmd" name="/" dev=tmpfs ino=5324 scontext=unconfined_u:system_r:wdmd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=AVC msg=audit(1347029599.886:18073): avc: denied { write } for pid=1675 comm="wdmd" name="/" dev=tmpfs ino=5324 scontext=unconfined_u:system_r:wdmd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=AVC msg=audit(1347029599.886:18073): avc: denied { add_name } for pid=1675 comm="wdmd" name="wdmd" scontext=unconfined_u:system_r:wdmd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=AVC msg=audit(1347029599.886:18073): avc: denied { create } for pid=1675 comm="wdmd" name="wdmd" scontext=unconfined_u:system_r:wdmd_t:s0 tcontext=unconfined_u:object_r:tmpfs_t:s0 tclass=file
type=AVC msg=audit(1347029599.886:18073): avc: denied { read write open } for pid=1675 comm="wdmd" name="wdmd" dev=tmpfs ino=13744 scontext=unconfined_u:system_r:wdmd_t:s0 tcontext=unconfined_u:object_r:tmpfs_t:s0 tclass=file
type=SYSCALL msg=audit(1347029599.886:18073): arch=c000003e syscall=2 success=yes exit=5 a0=7fffa5e42d10 a1=a00c2 a2=1a4 a3=7fffa5e42a90 items=0 ppid=1 pid=1675 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="wdmd" exe="/usr/sbin/wdmd" subj=unconfined_u:system_r:wdmd_t:s0 key=(null)
```

I apologize. There is a bug in this release which is going to be fixed in the -162 release.

A couple more errors have been reported, not sure what these might mean:

```
type=1400 audit(1348497483.768:18): avc: denied { search } for pid=4119 comm="sanlock" name="" dev=0:20 ino=4 scontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
type=1400 audit(1348497483.769:19): avc: denied { open } for pid=4119 comm="sanlock" name="ids" dev=0:20 ino=11 scontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=file
```

Did you turn on the sanlock_use_nfs boolean?

Created attachment 628876 [details]
avc messages for sanlock and wdmd
People are very often reporting that selinux is broken from sanlock and wdmd. This may be a combination of problems, from selinux not being fixed to people not using the latest selinux updates, maybe other reasons? Please see the attached grep avc from /var/log/messages.
The machine is running 6.3.z with
selinux-policy-3.7.19-155.el6_3.4.noarch
We have this rule in Fedora 18.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0314.html
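The thread above decodes the AVC records by hand and relies on `ausearch ... | audit2allow` for the summary. The following Python script is an added example, not code from this bug, from sanlock or wdmd, or from selinux-policy: it performs the same aggregation offline over a handful of records copied from this bug (trimmed to the AVC lines). It parses the three line shapes that appear in the thread (raw audit.log records, `ausearch -i` interpreted records, and the `type=1400` form from /var/log/messages), groups the denied permissions by source type, target type and object class, prints them as allow rules in the layout audit2allow uses, and flags target types that the thread says are gated by a policy boolean. That boolean table contains only `nfs_t` mapped to `sanlock_use_nfs`, taken from the question in the thread; it is an assumption for the example, not a lookup in the policy.

```python
"""Summarise SELinux AVC denials into audit2allow-style allow rules.

Added example for this bug thread, not part of sanlock, wdmd or
selinux-policy. The sample records below are copied from the bug and
trimmed; BOOLEAN_HINTS is an assumption built from the thread, not a
policy lookup.
"""
import re
from collections import defaultdict

# One regex covers all three formats seen in the thread: permissions in
# braces, then pid and comm (quoted or not), then scontext/tcontext/tclass.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+pid=(?P<pid>\d+)"
    r"\s+comm=\"?(?P<comm>[^\"\s]+)\"?.*?"
    r"\s+scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Target types whose denials are normally handled by toggling a boolean
# rather than by adding an allow rule. Assumed from the thread only.
BOOLEAN_HINTS = {"nfs_t": "sanlock_use_nfs"}


def context_type(ctx):
    """Return the type field of a user:role:type[:range] context string."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Parse one AVC line; return a dict, or None for lines without a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "pid": int(m.group("pid")),
        "comm": m.group("comm"),
        "perms": frozenset(m.group("perms").split()),
        "stype": context_type(m.group("scontext")),
        "ttype": context_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
    }


def collect_rules(lines):
    """Aggregate denied permissions per (source type, target type, class)."""
    rules = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue  # SYSCALL, PATH, CWD and prose lines carry no denial
        rules[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return dict(rules)


def format_rules(rules):
    """Render the rules the way audit2allow does, with a per-domain header."""
    out = []
    current = None
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        if stype != current:
            out.append(f"#============= {stype} ==============")
            current = stype
        target = "self" if ttype == stype else ttype
        plist = sorted(perms)
        perm_str = plist[0] if len(plist) == 1 else "{ " + " ".join(plist) + " }"
        out.append(f"allow {stype} {target}:{tclass} {perm_str};")
    return out


def boolean_hints(rules):
    """Booleans to check before adding rules for boolean-gated target types."""
    return sorted({BOOLEAN_HINTS[t] for (_, t, _) in rules if t in BOOLEAN_HINTS})


# Records copied from this bug (raw audit.log form and ausearch -i form),
# plus one SYSCALL record that must be ignored because it carries no denial.
SAMPLE_LINES = [
    'type=AVC msg=audit(1339668996.938:1198732): avc: denied { read } for pid=25954 comm="sanlock" scontext=unconfined_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file',
    'type=AVC msg=audit(1339668996.938:1198732): avc: denied { search } for pid=25954 comm="sanlock" scontext=unconfined_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=dir',
    'type=AVC msg=audit(1339668996.940:1198735): avc: denied { signal } for pid=25954 comm="sanlock" scontext=unconfined_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:sanlock_t:s0-s0:c0.c1023 tclass=process',
    'type=AVC msg=audit(1339668996.940:1198736): avc: denied { setgid } for pid=25955 comm="sanlock" capability=6 scontext=unconfined_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:sanlock_t:s0-s0:c0.c1023 tclass=capability',
    'type=AVC msg=audit(08/02/2012 10:58:13.120:134) : avc: denied { chown } for pid=4010 comm=sanlock capability=chown scontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023 tclass=capability',
    'type=SYSCALL msg=audit(1339668996.940:1198736): arch=c000003e syscall=116 success=yes exit=0 comm="sanlock" exe="/usr/sbin/sanlock" subj=unconfined_u:system_r:sanlock_t:s0-s0:c0.c1023 key=(null)',
]

# The two /var/log/messages records from the end of the thread.
NFS_LINES = [
    'type=1400 audit(1348497483.768:18): avc: denied { search } for pid=4119 comm="sanlock" name="" dev=0:20 ino=4 scontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=dir',
    'type=1400 audit(1348497483.769:19): avc: denied { open } for pid=4119 comm="sanlock" name="ids" dev=0:20 ino=11 scontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=file',
]

if __name__ == "__main__":
    for group in (SAMPLE_LINES, NFS_LINES):
        rules = collect_rules(group)
        print("\n".join(format_rules(rules)))
        for b in boolean_hints(rules):
            print(f"# check boolean first: {b}")
        print()
```

On the first sample group the output is exactly the four rules the `audit2allow` run in the thread printed; on the second it adds a `sanlock_use_nfs` hint instead of silently proposing an `nfs_t` rule. The output is a starting point for review, not a module to load: a `self:capability` rule should be compared against what the daemon actually needs, as the thread does for `setgid` and `chown`, before it goes into policy.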