Bug 831908

Summary: AVC denied errors on sanlock
Product: Red Hat Enterprise Linux 6
Component: selinux-policy
Version: 6.3
Hardware: All
OS: Linux
Status: CLOSED ERRATA
Severity: high
Priority: high
Reporter: Alex Jia <ajia>
Assignee: Miroslav Grepl <mgrepl>
QA Contact: Milos Malik <mmalik>
CC: berrange, bili, cluster-maint, dwalsh, dyuan, fsimonce, mmalik, mzhan, teigland
Target Milestone: rc
Flags: teigland: needinfo+
Fixed In Version: selinux-policy-3.7.19-180.el6
Doc Type: Bug Fix
Type: Bug
Last Closed: 2013-02-21 08:35:51 UTC
Bug Blocks: 840699
Attachments: avc messages for sanlock and wdmd (flags: none)

Description Alex Jia 2012-06-14 03:42:36 UTC
Description of problem:
There are some AVC denied errors on sanlock.

Version-Release number of selected component (if applicable):
# rpm -q sanlock kernel selinux-policy libvirt
sanlock-2.3-1.el6.x86_64
kernel-2.6.32-278.el6.x86_64
selinux-policy-3.7.19-154.el6.noarch
libvirt-0.9.10-21.el6.x86_64

How reproducible:
always.

Steps to Reproduce:
1. Append SANLOCKOPTS="-w 0" to /etc/sysconfig/sanlock
2. service sanlock start
3. grep avc /var/log/audit/audit.log | grep sanlock
  
Actual results:

# grep avc /var/log/audit/audit.log | grep sanlock

<snip>

type=AVC msg=audit(1339315900.009:41782): avc:  denied  { signal } for  pid=22908 comm="sanlock" scontext=unconfined_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:sanlock_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1339315900.009:41783): avc:  denied  { setgid } for  pid=22909 comm="sanlock" capability=6  scontext=unconfined_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:sanlock_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1339316617.086:41791): avc:  denied  { search } for  pid=23009 comm="sanlock" scontext=unconfined_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=dir
type=AVC msg=audit(1339316617.086:41791): avc:  denied  { read } for  pid=23009 comm="sanlock" scontext=unconfined_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file

</snip>

Expected results:
fix them.

Additional info:

# getsebool -a | grep sanlock
sanlock_use_nfs --> off
sanlock_use_samba --> off
virt_use_sanlock --> on

# cat /etc/sysconfig/sanlock 
SANLOCKOPTS="-w 0"


Note: in fact, sanlock will segfault; it's a known bug, 831906.

Comment 2 Milos Malik 2012-06-14 10:24:12 UTC
Reproduced in enforcing mode using "service sanlock restart" instead of "service sanlock start":

----
time->Thu Jun 14 06:16:36 2012
type=PATH msg=audit(1339668996.938:1198732): item=0 name="/proc/sys/kernel/ngroups_max" inode=131402355 dev=00:03 mode=0100444 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:unlabeled_t:s0
type=CWD msg=audit(1339668996.938:1198732):  cwd="/"
type=SYSCALL msg=audit(1339668996.938:1198732): arch=c000003e syscall=2 success=yes exit=6 a0=7ff6863fb19a a1=0 a2=4a a3=ffffffdb items=1 ppid=1 pid=25954 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=58418 comm="sanlock" exe="/usr/sbin/sanlock" subj=unconfined_u:system_r:sanlock_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1339668996.938:1198732): avc:  denied  { read } for  pid=25954 comm="sanlock" scontext=unconfined_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file
type=AVC msg=audit(1339668996.938:1198732): avc:  denied  { search } for  pid=25954 comm="sanlock" scontext=unconfined_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=dir
----
time->Thu Jun 14 06:16:36 2012
type=PATH msg=audit(1339668996.940:1198733): item=0 name="/var/run/winbindd" inode=2754010 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:winbind_var_run_t:s0
type=CWD msg=audit(1339668996.940:1198733):  cwd="/"
type=SYSCALL msg=audit(1339668996.940:1198733): arch=c000003e syscall=6 success=yes exit=0 a0=7ff68528ad0a a1=7fffcbb3f5b0 a2=7fffcbb3f5b0 a3=7fffcbb3f300 items=1 ppid=1 pid=25954 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=58418 comm="sanlock" exe="/usr/sbin/sanlock" subj=unconfined_u:system_r:sanlock_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1339668996.940:1198733): avc:  denied  { getattr } for  pid=25954 comm="sanlock" path="/var/run/winbindd" dev=dm-0 ino=2754010 scontext=unconfined_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:winbind_var_run_t:s0 tclass=dir
----
time->Thu Jun 14 06:16:36 2012
type=PATH msg=audit(1339668996.940:1198734): item=0 name="/var/run/winbindd/pipe"
type=CWD msg=audit(1339668996.940:1198734):  cwd="/"
type=SYSCALL msg=audit(1339668996.940:1198734): arch=c000003e syscall=6 success=no exit=-2 a0=7ff689156b40 a1=7fffcbb3f5b0 a2=7fffcbb3f5b0 a3=7fffcbb3f700 items=1 ppid=1 pid=25954 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=58418 comm="sanlock" exe="/usr/sbin/sanlock" subj=unconfined_u:system_r:sanlock_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1339668996.940:1198734): avc:  denied  { search } for  pid=25954 comm="sanlock" name="winbindd" dev=dm-0 ino=2754010 scontext=unconfined_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:winbind_var_run_t:s0 tclass=dir
----
time->Thu Jun 14 06:16:36 2012
type=OBJ_PID msg=audit(1339668996.940:1198735): opid=25954 oauid=0 ouid=0 oses=58418 obj=unconfined_u:system_r:sanlock_t:s0-s0:c0.c1023 ocomm="sanlock"
type=SYSCALL msg=audit(1339668996.940:1198735): arch=c000003e syscall=234 success=yes exit=0 a0=6562 a1=6563 a2=21 a3=1 items=0 ppid=1 pid=25954 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=58418 comm="sanlock" exe="/usr/sbin/sanlock" subj=unconfined_u:system_r:sanlock_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1339668996.940:1198735): avc:  denied  { signal } for  pid=25954 comm="sanlock" scontext=unconfined_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:sanlock_t:s0-s0:c0.c1023 tclass=process
----
time->Thu Jun 14 06:16:36 2012
type=SYSCALL msg=audit(1339668996.940:1198736): arch=c000003e syscall=116 success=yes exit=0 a0=2 a1=7ff6875dd010 a2=7ff687adac20 a3=0 items=0 ppid=1 pid=25955 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=58418 comm="sanlock" exe="/usr/sbin/sanlock" subj=unconfined_u:system_r:sanlock_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1339668996.940:1198736): avc:  denied  { setgid } for  pid=25955 comm="sanlock" capability=6  scontext=unconfined_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:sanlock_t:s0-s0:c0.c1023 tclass=capability
----
time->Thu Jun 14 06:16:36 2012
type=PATH msg=audit(1339668996.974:1198737): item=0 name="/var/run/sanlock/sanlock.sock" inode=2755956 dev=fd:00 mode=0140660 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:sanlock_var_run_t:s0
type=CWD msg=audit(1339668996.974:1198737):  cwd="/"
type=SYSCALL msg=audit(1339668996.974:1198737): arch=c000003e syscall=92 success=yes exit=0 a0=7fffcbb42fe2 a1=b3 a2=b3 a3=fffffff4 items=1 ppid=1 pid=25954 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=58418 comm="sanlock" exe="/usr/sbin/sanlock" subj=unconfined_u:system_r:sanlock_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1339668996.974:1198737): avc:  denied  { chown } for  pid=25954 comm="sanlock" capability=0  scontext=unconfined_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:sanlock_t:s0-s0:c0.c1023 tclass=capability
----
time->Thu Jun 14 06:16:36 2012
type=PATH msg=audit(1339668996.933:1198731): item=1 name="/var/run/sanlock/sanlock.pid" inode=2753254 dev=fd:00 mode=0100666 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:sanlock_var_run_t:s0
type=PATH msg=audit(1339668996.933:1198731): item=0 name="/var/run/sanlock/" inode=2753927 dev=fd:00 mode=040775 ouid=179 ogid=179 rdev=00:00 obj=unconfined_u:object_r:sanlock_var_run_t:s0
type=CWD msg=audit(1339668996.933:1198731):  cwd="/"
type=SYSCALL msg=audit(1339668996.933:1198731): arch=c000003e syscall=2 success=yes exit=3 a0=7fffcbb41e20 a1=80041 a2=1b6 a3=fffffff5 items=2 ppid=1 pid=25954 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=58418 comm="sanlock" exe="/usr/sbin/sanlock" subj=unconfined_u:system_r:sanlock_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1339668996.933:1198731): avc:  denied  { dac_override } for  pid=25954 comm="sanlock" capability=1  scontext=unconfined_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:sanlock_t:s0-s0:c0.c1023 tclass=capability
----

Cannot be reproduced with sanlock < 2.3-1.el6.

Comment 3 Daniel Walsh 2012-06-14 19:14:47 UTC
Looks like sanlock is changing the ownership on the pid file, changing its gid and then ending up not able to read the file as root?

Comment 4 David Teigland 2012-06-15 14:23:53 UTC
This is incorrect: SANLOCKOPTS="-w 0"
It should be: SANLOCKOPTS="-U sanlock -G sanlock -w 0"

Please try that, it will probably affect the results.

Comment 5 Milos Malik 2012-06-15 14:53:19 UTC
I uncommented following line in /etc/sysconfig/sanlock:

SANLOCKOPTS="-U sanlock -G sanlock -w 0"

and you can see the results in comment #2.

Comment 6 David Teigland 2012-06-15 15:13:57 UTC
Trying to decipher those selinux messages...

- sanlock does need to set /proc/sys/kernel/ngroups_max
(this was a very recent change)

- I don't know what winbindd is or why sanlock would be trying to access it

- "denied  { signal }" -- is this complaining about sanlock using kill(2)?  sanlock doesn't use signal(2), at least not directly.

- setgid -- sanlock does use this

- chown -- sanlock does use this

Comment 7 Daniel Walsh 2012-06-15 15:57:49 UTC
winbind is probably to resolve UID/GID.

signal == kill -TERM
sigkill == KILL -9
signull == kill -NULL

Comment 8 David Teigland 2012-06-15 16:05:50 UTC
ok, thanks.  Yes we need to resolve uid/gid, and yes we need to run kill(SIGTERM) and kill(SIGKILL).

Comment 9 David Teigland 2012-07-17 15:02:27 UTC
Alex or Milos, has this problem gone away or been fixed?

Comment 10 Milos Malik 2012-07-17 17:12:29 UTC
I still see AVCs on my RHEL-6.3 virtual machine. Installed sanlock packages were built from sanlock-2.3-1.el6.src.rpm, which is available in brew.

# rpm -qa selinux-policy\*
selinux-policy-minimum-3.7.19-155.el6_3.noarch
selinux-policy-doc-3.7.19-155.el6_3.noarch
selinux-policy-mls-3.7.19-155.el6_3.noarch
selinux-policy-3.7.19-155.el6_3.noarch
selinux-policy-targeted-3.7.19-155.el6_3.noarch
# rpm -qa sanlock\*
sanlock-2.3-1.el6.i386
sanlock-lib-2.3-1.el6.i386
# sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted
# ausearch -m avc -m user_avc -m selinux_err -ts today | audit2allow

#============= sanlock_t ==============
allow sanlock_t self:capability { chown setgid };
allow sanlock_t self:process signal;
allow sanlock_t sysctl_kernel_t:dir search;
allow sanlock_t sysctl_kernel_t:file read;

#

Comment 11 David Teigland 2012-08-01 20:23:13 UTC
I've also heard that there are selinux problems related to these recently added calls:

main.c:	rv = setrlimit(RLIMIT_MEMLOCK, &rlim);
main.c:	rv = setrlimit(RLIMIT_RTPRIO, &rlim);

Can someone update the selinux policies for sanlock and wdmd to include all the problems that are accumulating here?  It seems at least the following are causing problems either in rhel or fedora:

- setrlimit
- /proc/sys/kernel/ngroups_max
- winbind
- signal
- sigkill
- signull
- setgid
- chown

Comment 12 Milos Malik 2012-08-02 09:04:10 UTC
Following AVCs were produced by the automated test in permissive mode:
----
type=PATH msg=audit(08/02/2012 10:58:13.120:134) : item=0 name=/var/run/sanlock inode=25470 dev=08:03 mode=dir,775 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sanlock_var_run_t:s0 
type=CWD msg=audit(08/02/2012 10:58:13.120:134) :  cwd=/ 
type=SYSCALL msg=audit(08/02/2012 10:58:13.120:134) : arch=i386 syscall=chown32 success=yes exit=0 a0=53b9c2 a1=b3 a2=b3 a3=ffffffff items=1 ppid=1 pid=4010 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=4 comm=sanlock exe=/usr/sbin/sanlock subj=system_u:system_r:sanlock_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(08/02/2012 10:58:13.120:134) : avc:  denied  { chown } for  pid=4010 comm=sanlock capability=chown  scontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023 tclass=capability 
----
type=PATH msg=audit(08/02/2012 10:58:13.423:135) : item=1 name=/var/run/sanlock/sanlock.pid inode=21881 dev=08:03 mode=file,666 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sanlock_var_run_t:s0 
type=PATH msg=audit(08/02/2012 10:58:13.423:135) : item=0 name=/var/run/sanlock/ inode=25470 dev=08:03 mode=dir,775 ouid=sanlock ogid=sanlock rdev=00:00 obj=system_u:object_r:sanlock_var_run_t:s0 
type=CWD msg=audit(08/02/2012 10:58:13.423:135) :  cwd=/ 
type=SYSCALL msg=audit(08/02/2012 10:58:13.423:135) : arch=i386 syscall=open success=yes exit=7 a0=bfce8d50 a1=80041 a2=1b6 a3=0 items=2 ppid=1 pid=4010 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=4 comm=sanlock exe=/usr/sbin/sanlock subj=system_u:system_r:sanlock_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(08/02/2012 10:58:13.423:135) : avc:  denied  { dac_override } for  pid=4010 comm=sanlock capability=dac_override  scontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023 tclass=capability 
----
type=SYSCALL msg=audit(08/02/2012 10:58:13.430:136) : arch=i386 syscall=setrlimit success=yes exit=0 a0=8 a1=bfce9f24 a2=29dff4 a3=bfce9f24 items=0 ppid=1 pid=4010 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=4 comm=sanlock exe=/usr/sbin/sanlock subj=system_u:system_r:sanlock_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(08/02/2012 10:58:13.430:136) : avc:  denied  { sys_resource } for  pid=4010 comm=sanlock capability=sys_resource  scontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023 tclass=capability 
type=AVC msg=audit(08/02/2012 10:58:13.430:136) : avc:  denied  { setrlimit } for  pid=4010 comm=sanlock scontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023 tclass=process 
----
type=PATH msg=audit(08/02/2012 10:58:13.431:137) : item=0 name=/proc/sys/kernel/ngroups_max inode=12449 dev=00:03 mode=file,444 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:unlabeled_t:s0 
type=CWD msg=audit(08/02/2012 10:58:13.431:137) :  cwd=/ 
type=SYSCALL msg=audit(08/02/2012 10:58:13.431:137) : arch=i386 syscall=open success=yes exit=9 a0=263050 a1=0 a2=6434342d a3=3 items=1 ppid=1 pid=4010 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=4 comm=sanlock exe=/usr/sbin/sanlock subj=system_u:system_r:sanlock_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(08/02/2012 10:58:13.431:137) : avc:  denied  { read } for  pid=4010 comm=sanlock scontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file 
type=AVC msg=audit(08/02/2012 10:58:13.431:137) : avc:  denied  { search } for  pid=4010 comm=sanlock scontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=dir 
----
type=PATH msg=audit(08/02/2012 10:58:13.447:138) : item=0 name=/var/run/winbindd inode=16871 dev=08:03 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:winbind_var_run_t:s0 
type=CWD msg=audit(08/02/2012 10:58:13.447:138) :  cwd=/ 
type=SYSCALL msg=audit(08/02/2012 10:58:13.447:138) : arch=i386 syscall=lstat64 success=yes exit=0 a0=f94cf8 a1=bfce6614 a2=29dff4 a3=bfce6614 items=1 ppid=1 pid=4010 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=4 comm=sanlock exe=/usr/sbin/sanlock subj=system_u:system_r:sanlock_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(08/02/2012 10:58:13.447:138) : avc:  denied  { getattr } for  pid=4010 comm=sanlock path=/var/run/winbindd dev=sda3 ino=16871 scontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:winbind_var_run_t:s0 tclass=dir 
----
type=PATH msg=audit(08/02/2012 10:58:13.447:139) : item=0 name=/var/run/winbindd/pipe inode=9223 dev=08:03 mode=socket,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:winbind_var_run_t:s0 
type=CWD msg=audit(08/02/2012 10:58:13.447:139) :  cwd=/ 
type=SYSCALL msg=audit(08/02/2012 10:58:13.447:139) : arch=i386 syscall=lstat64 success=yes exit=0 a0=180eb10 a1=bfce6614 a2=29dff4 a3=bfce6614 items=1 ppid=1 pid=4010 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=4 comm=sanlock exe=/usr/sbin/sanlock subj=system_u:system_r:sanlock_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(08/02/2012 10:58:13.447:139) : avc:  denied  { getattr } for  pid=4010 comm=sanlock path=/var/run/winbindd/pipe dev=sda3 ino=9223 scontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:winbind_var_run_t:s0 tclass=sock_file 
type=AVC msg=audit(08/02/2012 10:58:13.447:139) : avc:  denied  { search } for  pid=4010 comm=sanlock name=winbindd dev=sda3 ino=16871 scontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:winbind_var_run_t:s0 tclass=dir 
----
type=PATH msg=audit(08/02/2012 10:58:13.447:140) : item=0 name=(null) inode=9223 dev=08:03 mode=socket,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:winbind_var_run_t:s0 
type=SOCKADDR msg=audit(08/02/2012 10:58:13.447:140) : saddr=local /var/run/winbindd/pipe 
type=SOCKETCALL msg=audit(08/02/2012 10:58:13.447:140) : nargs=3 a0=9 a1=bfce668a a2=6e 
type=SYSCALL msg=audit(08/02/2012 10:58:13.447:140) : arch=i386 syscall=socketcall(connect) success=yes exit=0 a0=3 a1=bfce654c a2=f96108 a3=0 items=1 ppid=1 pid=4010 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=4 comm=sanlock exe=/usr/sbin/sanlock subj=system_u:system_r:sanlock_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(08/02/2012 10:58:13.447:140) : avc:  denied  { connectto } for  pid=4010 comm=sanlock path=/var/run/winbindd/pipe scontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=system_u:system_r:winbind_t:s0 tclass=unix_stream_socket 
type=AVC msg=audit(08/02/2012 10:58:13.447:140) : avc:  denied  { write } for  pid=4010 comm=sanlock name=pipe dev=sda3 ino=9223 scontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:winbind_var_run_t:s0 tclass=sock_file 
----
type=PATH msg=audit(08/02/2012 10:58:13.452:141) : item=0 name=/var/lib/samba/winbindd_privileged inode=16870 dev=08:03 mode=dir,750 ouid=root ogid=wbpriv rdev=00:00 obj=system_u:object_r:winbind_var_run_t:s0 
type=CWD msg=audit(08/02/2012 10:58:13.452:141) :  cwd=/ 
type=SYSCALL msg=audit(08/02/2012 10:58:13.452:141) : arch=i386 syscall=lstat64 success=yes exit=0 a0=180eaa8 a1=bfce6614 a2=29dff4 a3=bfce6614 items=1 ppid=1 pid=4010 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=4 comm=sanlock exe=/usr/sbin/sanlock subj=system_u:system_r:sanlock_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(08/02/2012 10:58:13.452:141) : avc:  denied  { search } for  pid=4010 comm=sanlock name=samba dev=sda3 ino=6642 scontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:samba_var_t:s0 tclass=dir 
----
type=OBJ_PID msg=audit(08/02/2012 10:58:13.452:142) : opid=4010 oauid=root ouid=root oses=4 obj=system_u:system_r:sanlock_t:s0-s0:c0.c1023 ocomm="sanlock" 
type=SYSCALL msg=audit(08/02/2012 10:58:13.452:142) : arch=i386 syscall=tgkill success=yes exit=0 a0=faa a1=fad a2=21 a3=b7514bd0 items=0 ppid=1 pid=4010 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=4 comm=sanlock exe=/usr/sbin/sanlock subj=system_u:system_r:sanlock_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(08/02/2012 10:58:13.452:142) : avc:  denied  { signal } for  pid=4010 comm=sanlock scontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023 tclass=process 
----
type=SYSCALL msg=audit(08/02/2012 10:58:13.452:143) : arch=i386 syscall=setgroups32 success=yes exit=0 a0=2 a1=b6a93008 a2=542d50 a3=0 items=0 ppid=1 pid=4013 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=4 comm=sanlock exe=/usr/sbin/sanlock subj=system_u:system_r:sanlock_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(08/02/2012 10:58:13.452:143) : avc:  denied  { setgid } for  pid=4013 comm=sanlock capability=setgid  scontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023 tclass=capability 
----
type=SYSCALL msg=audit(08/02/2012 10:58:13.453:144) : arch=i386 syscall=setuid32 success=yes exit=0 a0=b3 a1=b6a93008 a2=542d50 a3=0 items=0 ppid=1 pid=4013 auid=root uid=sanlock gid=sanlock euid=sanlock suid=sanlock fsuid=sanlock egid=sanlock sgid=sanlock fsgid=sanlock tty=(none) ses=4 comm=sanlock exe=/usr/sbin/sanlock subj=system_u:system_r:sanlock_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(08/02/2012 10:58:13.453:144) : avc:  denied  { setuid } for  pid=4013 comm=sanlock capability=setuid  scontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023 tclass=capability 
----
type=PATH msg=audit(08/02/2012 10:58:17.651:149) : item=0 name=/var/run/sanlock inode=25470 dev=08:03 mode=dir,775 ouid=sanlock ogid=sanlock rdev=00:00 obj=system_u:object_r:sanlock_var_run_t:s0 
type=CWD msg=audit(08/02/2012 10:58:17.651:149) :  cwd=/ 
type=SYSCALL msg=audit(08/02/2012 10:58:17.651:149) : arch=i386 syscall=chown32 success=yes exit=0 a0=7529c2 a1=b3 a2=b3 a3=ffffffff items=1 ppid=1 pid=4074 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=4 comm=sanlock exe=/usr/sbin/sanlock subj=system_u:system_r:sanlock_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(08/02/2012 10:58:17.651:149) : avc:  denied  { chown } for  pid=4074 comm=sanlock capability=chown  scontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023 tclass=capability 
----
type=PATH msg=audit(08/02/2012 10:58:17.652:150) : item=1 name=/var/run/sanlock/sanlock.pid inode=21881 dev=08:03 mode=file,666 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sanlock_var_run_t:s0 
type=PATH msg=audit(08/02/2012 10:58:17.652:150) : item=0 name=/var/run/sanlock/ inode=25470 dev=08:03 mode=dir,775 ouid=sanlock ogid=sanlock rdev=00:00 obj=system_u:object_r:sanlock_var_run_t:s0 
type=CWD msg=audit(08/02/2012 10:58:17.652:150) :  cwd=/ 
type=SYSCALL msg=audit(08/02/2012 10:58:17.652:150) : arch=i386 syscall=open success=yes exit=7 a0=bff2dcf0 a1=80041 a2=1b6 a3=0 items=2 ppid=1 pid=4074 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=4 comm=sanlock exe=/usr/sbin/sanlock subj=system_u:system_r:sanlock_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(08/02/2012 10:58:17.652:150) : avc:  denied  { dac_override } for  pid=4074 comm=sanlock capability=dac_override  scontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023 tclass=capability 
----
type=SYSCALL msg=audit(08/02/2012 10:58:17.653:151) : arch=i386 syscall=setrlimit success=yes exit=0 a0=8 a1=bff2eec4 a2=2c6ff4 a3=bff2eec4 items=0 ppid=1 pid=4074 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=4 comm=sanlock exe=/usr/sbin/sanlock subj=system_u:system_r:sanlock_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(08/02/2012 10:58:17.653:151) : avc:  denied  { sys_resource } for  pid=4074 comm=sanlock capability=sys_resource  scontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023 tclass=capability 
----
type=PATH msg=audit(08/02/2012 10:58:17.656:152) : item=0 name=/proc/sys/kernel/ngroups_max inode=12449 dev=00:03 mode=file,444 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:unlabeled_t:s0 
type=CWD msg=audit(08/02/2012 10:58:17.656:152) :  cwd=/ 
type=SYSCALL msg=audit(08/02/2012 10:58:17.656:152) : arch=i386 syscall=open success=yes exit=9 a0=28c050 a1=0 a2=6433342d a3=3 items=1 ppid=1 pid=4074 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=4 comm=sanlock exe=/usr/sbin/sanlock subj=system_u:system_r:sanlock_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(08/02/2012 10:58:17.656:152) : avc:  denied  { read } for  pid=4074 comm=sanlock scontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file 
type=AVC msg=audit(08/02/2012 10:58:17.656:152) : avc:  denied  { search } for  pid=4074 comm=sanlock scontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=dir 
----
type=PATH msg=audit(08/02/2012 10:58:17.659:153) : item=0 name=/var/run/winbindd/pipe inode=9223 dev=08:03 mode=socket,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:winbind_var_run_t:s0 
type=CWD msg=audit(08/02/2012 10:58:17.659:153) :  cwd=/ 
type=SYSCALL msg=audit(08/02/2012 10:58:17.659:153) : arch=i386 syscall=lstat64 success=yes exit=0 a0=18b3b10 a1=bff2b5b4 a2=2c6ff4 a3=bff2b5b4 items=1 ppid=1 pid=4074 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=4 comm=sanlock exe=/usr/sbin/sanlock subj=system_u:system_r:sanlock_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(08/02/2012 10:58:17.659:153) : avc:  denied  { getattr } for  pid=4074 comm=sanlock path=/var/run/winbindd/pipe dev=sda3 ino=9223 scontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:winbind_var_run_t:s0 tclass=sock_file 
----
type=PATH msg=audit(08/02/2012 10:58:17.664:154) : item=0 name=(null) inode=9223 dev=08:03 mode=socket,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:winbind_var_run_t:s0 
type=SOCKADDR msg=audit(08/02/2012 10:58:17.664:154) : saddr=local /var/run/winbindd/pipe 
type=SOCKETCALL msg=audit(08/02/2012 10:58:17.664:154) : nargs=3 a0=9 a1=bff2b62a a2=6e 
type=SYSCALL msg=audit(08/02/2012 10:58:17.664:154) : arch=i386 syscall=socketcall(connect) success=yes exit=0 a0=3 a1=bff2b4ec a2=e63108 a3=0 items=1 ppid=1 pid=4074 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=4 comm=sanlock exe=/usr/sbin/sanlock subj=system_u:system_r:sanlock_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(08/02/2012 10:58:17.664:154) : avc:  denied  { write } for  pid=4074 comm=sanlock name=pipe dev=sda3 ino=9223 scontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:winbind_var_run_t:s0 tclass=sock_file 
----
type=PATH msg=audit(08/02/2012 10:58:34.966:165) : item=0 name=/var/run/sanlock inode=25470 dev=08:03 mode=dir,775 ouid=sanlock ogid=sanlock rdev=00:00 obj=system_u:object_r:sanlock_var_run_t:s0 
type=CWD msg=audit(08/02/2012 10:58:34.966:165) :  cwd=/ 
type=SYSCALL msg=audit(08/02/2012 10:58:34.966:165) : arch=i386 syscall=chown32 success=yes exit=0 a0=2399c2 a1=0 a2=0 a3=ffffffff items=1 ppid=1 pid=4431 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=4 comm=sanlock exe=/usr/sbin/sanlock subj=unconfined_u:system_r:sanlock_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(08/02/2012 10:58:34.966:165) : avc:  denied  { chown } for  pid=4431 comm=sanlock capability=chown  scontext=unconfined_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:sanlock_t:s0-s0:c0.c1023 tclass=capability 
----

Comment 13 Daniel Walsh 2012-08-02 20:34:08 UTC
The sanlock policy in Rawhide should allow all this access, needs back port.

Comment 14 David Teigland 2012-08-03 19:03:26 UTC
I've just added a call to shm_open(); I'm guessing that needs to be included also?

Comment 15 David Teigland 2012-08-03 19:03:49 UTC
The shm_open is used by wdmd (not sanlock).

Comment 16 David Teigland 2012-08-03 19:04:41 UTC
#include <errno.h>
#include <fcntl.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

/* descriptor of the shared-memory object; a wdmd global (log_error is wdmd's own logger) */
static int shm_fd;

/* O_EXCL makes the open double as a single-instance check: an object left
 * behind by an unclean stop makes shm_open fail. */
static int setup_shm(void)
{
        int rv;

        rv = shm_open("/wdmd", O_RDWR|O_CREAT|O_EXCL, S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH);
        if (rv < 0) {
                log_error("other wdmd not cleanly stopped, shm_open error %d", errno);
                return rv;
        }
        shm_fd = rv;
        return 0;
}

static void close_shm(void)
{
        shm_unlink("/wdmd");
        close(shm_fd);
}

Comment 18 Miroslav Grepl 2012-08-07 23:40:27 UTC
Fixed in selinux-policy-3.7.19-159.el6

Comment 20 David Teigland 2012-08-23 18:21:30 UTC
Hi, yes, we will eventually need this in 6.3.z.  I just tested
selinux-policy-3.7.19-159.el6 with sanlock-2.3-4.el6_3, and I'm
seeing the following appear in audit.log.  The tmpfs references
make me think that the shm_open and shm_unlink calls shown in
comment 16 are causing a problem?

service wdmd start

type=AVC msg=audit(1345747073.299:18172): avc:  denied  { getattr } for  pid=1690 comm="wdmd" name="/" dev=tmpfs ino=5324 scontext=unconfined_u:system_r:wdmd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem
type=SYSCALL msg=audit(1345747073.299:18172): arch=c000003e syscall=137 success=yes exit=0 a0=7fea1ef9a5ae a1=7fff3eee4d80 a2=5 a3=7fff3eee48f0 items=0 ppid=1 pid=1690 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="wdmd" exe="/usr/sbin/wdmd" subj=unconfined_u:system_r:wdmd_t:s0 key=(null)
type=AVC msg=audit(1345747073.300:18173): avc:  denied  { search } for  pid=1690 comm="wdmd" name="/" dev=tmpfs ino=5324 scontext=unconfined_u:system_r:wdmd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=AVC msg=audit(1345747073.300:18173): avc:  denied  { write } for  pid=1690 comm="wdmd" name="/" dev=tmpfs ino=5324 scontext=unconfined_u:system_r:wdmd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=AVC msg=audit(1345747073.300:18173): avc:  denied  { add_name } for  pid=1690 comm="wdmd" name="wdmd" scontext=unconfined_u:system_r:wdmd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=AVC msg=audit(1345747073.300:18173): avc:  denied  { create } for  pid=1690 comm="wdmd" name="wdmd" scontext=unconfined_u:system_r:wdmd_t:s0 tcontext=unconfined_u:object_r:tmpfs_t:s0 tclass=file
type=AVC msg=audit(1345747073.300:18173): avc:  denied  { read write open } for  pid=1690 comm="wdmd" name="wdmd" dev=tmpfs ino=13799 scontext=unconfined_u:system_r:wdmd_t:s0 tcontext=unconfined_u:object_r:tmpfs_t:s0 tclass=file
type=SYSCALL msg=audit(1345747073.300:18173): arch=c000003e syscall=2 success=yes exit=5 a0=7fff3eee4e70 a1=a00c2 a2=1a4 a3=7fff3eee4bf0 items=0 ppid=1 pid=1690 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="wdmd" exe="/usr/sbin/wdmd" subj=unconfined_u:system_r:wdmd_t:s0 key=(null)

service wdmd stop

type=AVC msg=audit(1345747156.188:18174): avc:  denied  { remove_name } for  pid=1690 comm="wdmd" name="wdmd" dev=tmpfs ino=13799 scontext=unconfined_u:system_r:wdmd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=AVC msg=audit(1345747156.188:18174): avc:  denied  { unlink } for  pid=1690 comm="wdmd" name="wdmd" dev=tmpfs ino=13799 scontext=unconfined_u:system_r:wdmd_t:s0 tcontext=unconfined_u:object_r:tmpfs_t:s0 tclass=file
type=SYSCALL msg=audit(1345747156.188:18174): arch=c000003e syscall=87 success=yes exit=0 a0=7fff3eee4e80 a1=7fea1f5c6491 a2=0 a3=7fff3eee4c00 items=0 ppid=1 pid=1690 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="wdmd" exe="/usr/sbin/wdmd" subj=unconfined_u:system_r:wdmd_t:s0 key=(null)

Comment 21 Miroslav Grepl 2012-08-24 05:09:36 UTC
Ok, I am adding it. Also it needs to be proposed if z-stream is needed.

Comment 23 David Teigland 2012-09-07 14:24:16 UTC
I tried selinux-policy-3.7.19-160.el6 and still saw the wdmd tmpfs errors in audit.log


type=AVC msg=audit(1347029599.885:18072): avc:  denied  { getattr } for  pid=1675 comm="wdmd" name="/" dev=tmpfs ino=5324 scontext=unconfined_u:system_r:wdmd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem
type=SYSCALL msg=audit(1347029599.885:18072): arch=c000003e syscall=137 success=yes exit=0 a0=7f394d1d05ae a1=7fffa5e42c20 a2=5 a3=7fffa5e42790 items=0 ppid=1 pid=1675 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="wdmd" exe="/usr/sbin/wdmd" subj=unconfined_u:system_r:wdmd_t:s0 key=(null)
type=AVC msg=audit(1347029599.886:18073): avc:  denied  { search } for  pid=1675 comm="wdmd" name="/" dev=tmpfs ino=5324 scontext=unconfined_u:system_r:wdmd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=AVC msg=audit(1347029599.886:18073): avc:  denied  { write } for  pid=1675 comm="wdmd" name="/" dev=tmpfs ino=5324 scontext=unconfined_u:system_r:wdmd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=AVC msg=audit(1347029599.886:18073): avc:  denied  { add_name } for  pid=1675 comm="wdmd" name="wdmd" scontext=unconfined_u:system_r:wdmd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=AVC msg=audit(1347029599.886:18073): avc:  denied  { create } for  pid=1675 comm="wdmd" name="wdmd" scontext=unconfined_u:system_r:wdmd_t:s0 tcontext=unconfined_u:object_r:tmpfs_t:s0 tclass=file
type=AVC msg=audit(1347029599.886:18073): avc:  denied  { read write open } for  pid=1675 comm="wdmd" name="wdmd" dev=tmpfs ino=13744 scontext=unconfined_u:system_r:wdmd_t:s0 tcontext=unconfined_u:object_r:tmpfs_t:s0 tclass=file
type=SYSCALL msg=audit(1347029599.886:18073): arch=c000003e syscall=2 success=yes exit=5 a0=7fffa5e42d10 a1=a00c2 a2=1a4 a3=7fffa5e42a90 items=0 ppid=1 pid=1675 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="wdmd" exe="/usr/sbin/wdmd" subj=unconfined_u:system_r:wdmd_t:s0 key=(null)

Comment 24 Miroslav Grepl 2012-09-11 06:59:54 UTC
I apologize. There is a bug in this release which is going to be fixed in the -162 release.

Comment 25 David Teigland 2012-09-26 13:55:20 UTC
A couple more errors have been reported, not sure what these might mean:

type=1400 audit(1348497483.768:18): avc:  denied  { search } for  pid=4119 comm="sanlock" name="" dev=0:20 ino=4 scontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=dir

type=1400 audit(1348497483.769:19): avc:  denied  { open } for  pid=4119 comm="sanlock" name="ids" dev=0:20 ino=11 scontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=file

Comment 26 Miroslav Grepl 2012-09-27 10:53:33 UTC
Did you turn on the sanlock_use_nfs boolean?
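
The wdmd tmpfs denials quoted above and the sanlock nfs_t denials in comment 25 are the raw material for the policy fix, and the two questions a practitioner asks of them are the ones comment 26 asks: what single rule (or boolean) covers the whole group, and was the domain actually blocked. The following is an added example written for this thread, not code from sanlock, wdmd or the selinux-policy package. It parses both record formats seen here (audit.log `type=AVC` and dmesg-style `type=1400`), collapses the denials into audit2allow-style allow rules, and cross-references the `SYSCALL` records by serial. The sample records are copied from this report; the `BOOLEAN_HINTS` table is an assumption built only from the sanlock_use_nfs hint in comment 26, not from the policy sources.

```python
"""Triage SELinux AVC denials the way audit2allow summarises them.

Added example for this bug thread, not code from sanlock, wdmd or the
selinux-policy package.  Sample records are copied from the comments above;
BOOLEAN_HINTS is an assumption built only from comment 26 (sanlock_use_nfs).
"""
import re
from collections import defaultdict

SERIAL_RE = re.compile(r"audit\(\d+\.\d+:(\d+)\)")  # audit(<ts>:<serial>)
# "avc:  denied  { perms } for  k=v ..." in both type=AVC and type=1400 records
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumed: (source type, target type) -> boolean to try before writing an allow rule
BOOLEAN_HINTS = {("sanlock_t", "nfs_t"): "sanlock_use_nfs"}

# Records copied from this report (wdmd writing its tmpfs file, sanlock on NFS).
SAMPLE_LOG = """\
type=AVC msg=audit(1345747073.300:18173): avc:  denied  { search } for  pid=1690 comm="wdmd" name="/" dev=tmpfs ino=5324 scontext=unconfined_u:system_r:wdmd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=AVC msg=audit(1345747073.300:18173): avc:  denied  { write } for  pid=1690 comm="wdmd" name="/" dev=tmpfs ino=5324 scontext=unconfined_u:system_r:wdmd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=AVC msg=audit(1345747073.300:18173): avc:  denied  { add_name } for  pid=1690 comm="wdmd" name="wdmd" scontext=unconfined_u:system_r:wdmd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=AVC msg=audit(1345747073.300:18173): avc:  denied  { create } for  pid=1690 comm="wdmd" name="wdmd" scontext=unconfined_u:system_r:wdmd_t:s0 tcontext=unconfined_u:object_r:tmpfs_t:s0 tclass=file
type=AVC msg=audit(1345747073.300:18173): avc:  denied  { read write open } for  pid=1690 comm="wdmd" name="wdmd" dev=tmpfs ino=13799 scontext=unconfined_u:system_r:wdmd_t:s0 tcontext=unconfined_u:object_r:tmpfs_t:s0 tclass=file
type=SYSCALL msg=audit(1345747073.300:18173): arch=c000003e syscall=2 success=yes exit=5 a0=7fff3eee4e70 a1=a00c2 a2=1a4 a3=7fff3eee4bf0 items=0 ppid=1 pid=1690 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="wdmd" exe="/usr/sbin/wdmd" subj=unconfined_u:system_r:wdmd_t:s0 key=(null)
type=AVC msg=audit(1345747156.188:18174): avc:  denied  { remove_name } for  pid=1690 comm="wdmd" name="wdmd" dev=tmpfs ino=13799 scontext=unconfined_u:system_r:wdmd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=AVC msg=audit(1345747156.188:18174): avc:  denied  { unlink } for  pid=1690 comm="wdmd" name="wdmd" dev=tmpfs ino=13799 scontext=unconfined_u:system_r:wdmd_t:s0 tcontext=unconfined_u:object_r:tmpfs_t:s0 tclass=file
type=SYSCALL msg=audit(1345747156.188:18174): arch=c000003e syscall=87 success=yes exit=0 a0=7fff3eee4e80 a1=7fea1f5c6491 a2=0 a3=7fff3eee4c00 items=0 ppid=1 pid=1690 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="wdmd" exe="/usr/sbin/wdmd" subj=unconfined_u:system_r:wdmd_t:s0 key=(null)
type=1400 audit(1348497483.768:18): avc:  denied  { search } for  pid=4119 comm="sanlock" name="" dev=0:20 ino=4 scontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
type=1400 audit(1348497483.769:19): avc:  denied  { open } for  pid=4119 comm="sanlock" name="ids" dev=0:20 ino=11 scontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=file
"""
SAMPLE_LINES = SAMPLE_LOG.splitlines()


def parse_avc(line):
    """Source/target types, class and permissions of one AVC denial, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    try:
        return {
            "perms": set(m.group("perms").split()),
            "stype": fields["scontext"].split(":")[2],  # user:role:TYPE[:range]
            "ttype": fields["tcontext"].split(":")[2],
            "tclass": fields["tclass"],
        }
    except (KeyError, IndexError):
        return None


def syscall_outcome(line):
    """(serial, succeeded) for a SYSCALL record, else None."""
    if "type=SYSCALL" not in line:
        return None
    serial = SERIAL_RE.search(line)
    fields = dict(FIELD_RE.findall(line))
    if not serial or "success" not in fields:
        return None
    return serial.group(1), fields["success"] == "yes"


def summarize(lines):
    """Group denials by (source type, target type, class), unioning permissions."""
    groups = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec:
            groups[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return dict(groups)


def allow_rules(groups):
    """Each group as a TE allow rule, paired with the boolean to try first (or None)."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(groups.items()):
        perm_str = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_str = "{ " + perm_str + " }"
        rules.append((f"allow {stype} {ttype}:{tclass} {perm_str};", BOOLEAN_HINTS.get((stype, ttype))))
    return rules


def permissive_serials(lines):
    """Serials whose denial is followed by SYSCALL success=yes: the access went
    through anyway, so the domain (or the whole system) was permissive."""
    denied, succeeded = set(), set()
    for line in lines:
        serial = SERIAL_RE.search(line)
        if not serial:
            continue
        if parse_avc(line):
            denied.add(serial.group(1))
        else:
            outcome = syscall_outcome(line)
            if outcome and outcome[1]:
                succeeded.add(outcome[0])
    return sorted(denied & succeeded)
```

Run `allow_rules(summarize(lines))` over the output of `grep avc /var/log/audit/audit.log` and the nine wdmd records collapse to two rules (`allow wdmd_t tmpfs_t:dir { add_name remove_name search write };` and the matching `file` rule), which is the shape a policy maintainer wants rather than one record at a time. The hint table exists because the right first move for the sanlock_t to nfs_t pair is the one comment 26 suggests, `setsebool -P sanlock_use_nfs on`, not a local allow module. `permissive_serials` makes a point that is easy to miss when reading the thread: the `SYSCALL` records paired with the wdmd denials carry `success=yes`, so the daemon was not actually blocked when those were captured; the denials are a policy to-do, not evidence of a failed start.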

Comment 27 David Teigland 2012-10-17 14:57:00 UTC
Created attachment 628876 [details]
avc messages for sanlock and wdmd

People are very often reporting that selinux is broken from sanlock and wdmd.  This may be a combination of problems, from selinux not being fixed to people not using the latest selinux updates, maybe other reasons?  Please see the attached grep avc from /var/log/messages.

The machine is running 6.3.z with
selinux-policy-3.7.19-155.el6_3.4.noarch

Comment 31 Daniel Walsh 2012-11-14 18:29:34 UTC
We have this rule in Fedora 18.

Comment 34 errata-xmlrpc 2013-02-21 08:35:51 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0314.html