Bug 859338

Summary: pulse fails to start IPVS sync daemon
Product: Red Hat Enterprise Linux 5
Component: selinux-policy
Version: 5.9
Hardware: All
OS: Linux
Severity: medium
Priority: medium
Status: CLOSED ERRATA
Reporter: Milos Malik <mmalik>
Assignee: Miroslav Grepl <mgrepl>
QA Contact: Milos Malik <mmalik>
CC: dwalsh, mmalik, rohara
Target Milestone: rc
Fixed In Version: selinux-policy-2.4.6-335.el5
Doc Type: Bug Fix
Type: Bug
Clone Of: 858784
Bug Depends On: 858784
Last Closed: 2013-01-08 03:34:38 UTC

Description Milos Malik 2012-09-21 08:12:31 UTC
When SELinux is enforcing, pulse fails to start the IPVS sync daemon at startup. If SELinux is in permissive mode, the sync daemon is started by pulse as expected.

# rpm -qa | grep -e selinux-policy -e ipvsadm | sort
ipvsadm-1.24-13.el5
selinux-policy-2.4.6-334.el5
selinux-policy-minimum-2.4.6-334.el5
selinux-policy-devel-2.4.6-334.el5
selinux-policy-mls-2.4.6-334.el5
selinux-policy-targeted-2.4.6-334.el5
selinux-policy-strict-2.4.6-334.el5

1. Check that SELinux is in enforcing mode:
# getenforce 
Enforcing

2. Check that sync daemon is enabled:
# grep sync /etc/sysconfig/ha/lvs.cf
syncdaemon = 1

3. Start pulse:
# service pulse start
Starting pulse:                                            [  OK  ]

4. Check if sync daemon is running:
# ipvsadm --list --daemon

We expect to see this command print "master sync daemon (mcast=eth0, syncid=0)". If the sync daemon is enabled (syncdaemon = 1), pulse will fork and exec the ipvsadm command to start the sync daemon. Looking at the audit.log shows some AVC denials. If SELinux is set to permissive mode and the test is repeated, the sync daemon is started as expected.

# setenforce 0
# getenforce 
Permissive

# service pulse start
Starting pulse:                                            [  OK  ]

# ipvsadm --list --daemon
master sync daemon (mcast=eth0, syncid=0)
#

The following AVC appears in enforcing mode:
----
type=PATH msg=audit(09/21/2012 10:02:52.384:203) : item=0 name=/sbin/ipvsadm inode=131250 dev=03:03 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:iptables_exec_t:s0 
type=CWD msg=audit(09/21/2012 10:02:52.384:203) :  cwd=/ 
type=SYSCALL msg=audit(09/21/2012 10:02:52.384:203) : arch=i386 syscall=execve success=no exit=-13(Permission denied) a0=8e36008 a1=bf9ece9c a2=bf9ed72c a3=40000003 items=1 ppid=6478 pid=6485 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=34 comm=pulse exe=/usr/sbin/pulse subj=root:system_r:piranha_pulse_t:s0 key=(null) 
type=AVC msg=audit(09/21/2012 10:02:52.384:203) : avc:  denied  { execute } for  pid=6485 comm=pulse name=ipvsadm dev=hda3 ino=131250 scontext=root:system_r:piranha_pulse_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file 
----

Comment 1 Milos Malik 2012-09-21 08:16:43 UTC
The following AVCs appear in permissive mode:
----
type=SOCKETCALL msg=audit(09/21/2012 10:14:35.417:224) : nargs=3 a0=2 a1=3 a2=ff 
type=SYSCALL msg=audit(09/21/2012 10:14:35.417:224) : arch=i386 syscall=socketcall(socket) success=yes exit=3 a0=1 a1=bfa7d2e0 a2=3 a3=bfa7d404 items=0 ppid=8416 pid=8417 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=34 comm=ipvsadm exe=/sbin/ipvsadm subj=root:system_r:piranha_pulse_t:s0 key=(null) 
type=AVC msg=audit(09/21/2012 10:14:35.417:224) : avc:  denied  { net_raw } for  pid=8417 comm=ipvsadm capability=net_raw scontext=root:system_r:piranha_pulse_t:s0 tcontext=root:system_r:piranha_pulse_t:s0 tclass=capability 
type=AVC msg=audit(09/21/2012 10:14:35.417:224) : avc:  denied  { create } for  pid=8417 comm=ipvsadm scontext=root:system_r:piranha_pulse_t:s0 tcontext=root:system_r:piranha_pulse_t:s0 tclass=rawip_socket 
----
type=PATH msg=audit(09/21/2012 10:14:35.413:223) : item=1 name=(null) inode=561338 dev=03:03 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 
type=PATH msg=audit(09/21/2012 10:14:35.413:223) : item=0 name=/sbin/ipvsadm inode=131250 dev=03:03 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:iptables_exec_t:s0 
type=CWD msg=audit(09/21/2012 10:14:35.413:223) :  cwd=/ 
type=EXECVE msg=audit(09/21/2012 10:14:35.413:223) : argc=3 a0=/sbin/ipvsadm a1=--stop-daemon a2=backup 
type=SYSCALL msg=audit(09/21/2012 10:14:35.413:223) : arch=i386 syscall=execve success=yes exit=0 a0=824d008 a1=bfa6e31c a2=bfa6ebac a3=40000003 items=2 ppid=8416 pid=8417 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=34 comm=ipvsadm exe=/sbin/ipvsadm subj=root:system_r:piranha_pulse_t:s0 key=(null) 
type=AVC msg=audit(09/21/2012 10:14:35.413:223) : avc:  denied  { read } for  pid=8417 comm=pulse path=/sbin/ipvsadm dev=hda3 ino=131250 scontext=root:system_r:piranha_pulse_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file 
type=AVC msg=audit(09/21/2012 10:14:35.413:223) : avc:  denied  { execute_no_trans } for  pid=8417 comm=pulse path=/sbin/ipvsadm dev=hda3 ino=131250 scontext=root:system_r:piranha_pulse_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file 
type=AVC msg=audit(09/21/2012 10:14:35.413:223) : avc:  denied  { execute } for  pid=8417 comm=pulse name=ipvsadm dev=hda3 ino=131250 scontext=root:system_r:piranha_pulse_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file 
----
type=SOCKETCALL msg=audit(09/21/2012 10:14:35.417:225) : nargs=5 a0=3 a1=0 a2=481 a3=804fc64 a4=bfa7d304 
type=SYSCALL msg=audit(09/21/2012 10:14:35.417:225) : arch=i386 syscall=socketcall(getsockopt) success=yes exit=0 a0=f a1=bfa7d2e0 a2=3 a3=bfa7d404 items=0 ppid=8416 pid=8417 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=34 comm=ipvsadm exe=/sbin/ipvsadm subj=root:system_r:piranha_pulse_t:s0 key=(null) 
type=AVC msg=audit(09/21/2012 10:14:35.417:225) : avc:  denied  { getopt } for  pid=8417 comm=ipvsadm lport=255 scontext=root:system_r:piranha_pulse_t:s0 tcontext=root:system_r:piranha_pulse_t:s0 tclass=rawip_socket 
----
type=SOCKETCALL msg=audit(09/21/2012 10:14:35.417:226) : nargs=5 a0=3 a1=0 a2=48c a3=bfa7d2d4 a4=18 
type=SYSCALL msg=audit(09/21/2012 10:14:35.417:226) : arch=i386 syscall=socketcall(setsockopt) success=no exit=-3(No such process) a0=e a1=bfa7cd40 a2=15 a3=804e467 items=0 ppid=8416 pid=8417 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=34 comm=ipvsadm exe=/sbin/ipvsadm subj=root:system_r:piranha_pulse_t:s0 key=(null) 
type=AVC msg=audit(09/21/2012 10:14:35.417:226) : avc:  denied  { setopt } for  pid=8417 comm=ipvsadm lport=255 scontext=root:system_r:piranha_pulse_t:s0 tcontext=root:system_r:piranha_pulse_t:s0 tclass=rawip_socket 
----
type=PATH msg=audit(09/21/2012 10:14:38.030:227) : item=1 name=(null) inode=561338 dev=03:03 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 
type=PATH msg=audit(09/21/2012 10:14:38.030:227) : item=0 name=/sbin/ipvsadm inode=131250 dev=03:03 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:iptables_exec_t:s0 
type=CWD msg=audit(09/21/2012 10:14:38.030:227) :  cwd=/ 
type=EXECVE msg=audit(09/21/2012 10:14:38.030:227) : argc=3 a0=/sbin/ipvsadm a1=--stop-daemon a2=backup 
type=SYSCALL msg=audit(09/21/2012 10:14:38.030:227) : arch=i386 syscall=execve success=yes exit=0 a0=824d008 a1=bfa6e2dc a2=bfa6ebac a3=40000003 items=2 ppid=8416 pid=8475 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=34 comm=ipvsadm exe=/sbin/ipvsadm subj=root:system_r:piranha_pulse_t:s0 key=(null) 
type=AVC msg=audit(09/21/2012 10:14:38.030:227) : avc:  denied  { read } for  pid=8475 comm=pulse path=/sbin/ipvsadm dev=hda3 ino=131250 scontext=root:system_r:piranha_pulse_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file 
type=AVC msg=audit(09/21/2012 10:14:38.030:227) : avc:  denied  { execute_no_trans } for  pid=8475 comm=pulse path=/sbin/ipvsadm dev=hda3 ino=131250 scontext=root:system_r:piranha_pulse_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file 
type=AVC msg=audit(09/21/2012 10:14:38.030:227) : avc:  denied  { execute } for  pid=8475 comm=pulse name=ipvsadm dev=hda3 ino=131250 scontext=root:system_r:piranha_pulse_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file 
----

Comment 2 RHEL Program Management 2012-09-21 08:18:42 UTC
This request was evaluated by Red Hat Product Management for inclusion
in a Red Hat Enterprise Linux release.  Product Management has
requested further review of this request by Red Hat Engineering, for
potential inclusion in a Red Hat Enterprise Linux release for currently
deployed products.  This request is not yet committed for inclusion in
a release.

Comment 3 Miroslav Grepl 2012-09-21 09:36:06 UTC
We will need to add iptables_domtrans() in RHEL5 and probably other rules.


Milos,
could you test it with 

iptables_domtrans()

in the local policy? Thank you.

Comment 4 Milos Malik 2012-09-21 14:36:12 UTC
When the following policy module is enabled, no AVCs appear.

policy_module(mypol, 1.0)

require {
  type piranha_pulse_t;
}

# let pulse execute ipvsadm (iptables_exec_t) with a transition into iptables_t
iptables_domtrans(piranha_pulse_t)
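
The records in comment 0 and comment 1 show the shape of the problem: in enforcing mode the execve of /sbin/ipvsadm is denied outright ({ execute } on iptables_exec_t), and in permissive mode the execve goes through with { execute execute_no_trans }, after which ipvsadm keeps running as piranha_pulse_t and trips further capability and rawip_socket denials in that same domain. That is the signature of a missing domain transition, which is why the fix is iptables_domtrans() rather than an allow rule for each follow-on denial. The script below is an added example, not code from this bug or from the selinux-policy package: it parses AVC records, groups the denials by source type, target type and class, and flags execute denials on *_exec_t files together with a suggested <module>_domtrans(<caller>) interface name (a refpolicy naming convention, applied here as a heuristic). The sample input is constructed from the records quoted above; parse_avc, summarize and missing_transitions are names chosen for this example.

```python
import re
from collections import defaultdict

# Constructed sample input: AVC records copied from this bug's audit log excerpts
# (one enforcing-mode execve denial, then the permissive-mode records), plus one
# SYSCALL record to show that non-AVC lines are skipped.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(09/21/2012 10:02:52.384:203) : arch=i386 syscall=execve success=no exit=-13(Permission denied) a0=8e36008 a1=bf9ece9c a2=bf9ed72c a3=40000003 items=1 ppid=6478 pid=6485 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=34 comm=pulse exe=/usr/sbin/pulse subj=root:system_r:piranha_pulse_t:s0 key=(null)
type=AVC msg=audit(09/21/2012 10:02:52.384:203) : avc:  denied  { execute } for  pid=6485 comm=pulse name=ipvsadm dev=hda3 ino=131250 scontext=root:system_r:piranha_pulse_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
type=AVC msg=audit(09/21/2012 10:14:35.417:224) : avc:  denied  { net_raw } for  pid=8417 comm=ipvsadm capability=net_raw scontext=root:system_r:piranha_pulse_t:s0 tcontext=root:system_r:piranha_pulse_t:s0 tclass=capability
type=AVC msg=audit(09/21/2012 10:14:35.417:224) : avc:  denied  { create } for  pid=8417 comm=ipvsadm scontext=root:system_r:piranha_pulse_t:s0 tcontext=root:system_r:piranha_pulse_t:s0 tclass=rawip_socket
type=AVC msg=audit(09/21/2012 10:14:35.413:223) : avc:  denied  { read } for  pid=8417 comm=pulse path=/sbin/ipvsadm dev=hda3 ino=131250 scontext=root:system_r:piranha_pulse_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
type=AVC msg=audit(09/21/2012 10:14:35.413:223) : avc:  denied  { execute_no_trans } for  pid=8417 comm=pulse path=/sbin/ipvsadm dev=hda3 ino=131250 scontext=root:system_r:piranha_pulse_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
type=AVC msg=audit(09/21/2012 10:14:35.417:225) : avc:  denied  { getopt } for  pid=8417 comm=ipvsadm lport=255 scontext=root:system_r:piranha_pulse_t:s0 tcontext=root:system_r:piranha_pulse_t:s0 tclass=rawip_socket
"""

# Matches the verdict, the permission set inside the braces and the remaining
# key=value fields of an AVC record, in the format audit.log uses.
AVC_RE = re.compile(
    r"type=AVC\b.*?\bavc:\s+(?P<verdict>denied|granted)\s+"
    r"\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(line):
    """Return a dict for one AVC record, or None for any other audit record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = dict(FIELD_RE.findall(m.group("fields")))
    return {
        "verdict": m.group("verdict"),
        "perms": set(m.group("perms").split()),
        "scontext": fields.get("scontext"),
        "tcontext": fields.get("tcontext"),
        "tclass": fields.get("tclass"),
        "comm": fields.get("comm"),
    }


def type_of(context):
    """The third field of user:role:type[:range] is the SELinux type."""
    return context.split(":")[2]


def summarize(audit_text):
    """Group denials by (source type, target type, class), unioning permissions."""
    summary = defaultdict(set)
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue
        key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
        summary[key] |= rec["perms"]
    return dict(summary)


def missing_transitions(summary):
    """Spot 'execute' denials on an *_exec_t file: the caller tried to run a
    program whose entrypoint type should have moved it into its own domain.
    The suggested interface name follows the refpolicy convention
    <module>_domtrans(<caller>), a heuristic assumed by this example; for
    iptables_exec_t it yields iptables_domtrans, the fix this bug settled on."""
    hits = []
    for (src, tgt, cls), perms in summary.items():
        if cls == "file" and tgt.endswith("_exec_t") and "execute" in perms:
            module = tgt[: -len("_exec_t")]
            hits.append((src, tgt, f"{module}_domtrans({src})"))
    return sorted(hits)


if __name__ == "__main__":
    summary = summarize(SAMPLE_AUDIT)
    for (src, tgt, cls), perms in sorted(summary.items()):
        print(f"{src} -> {tgt} ({cls}): {' '.join(sorted(perms))}")
    for src, tgt, suggestion in missing_transitions(summary):
        print(f"missing domain transition {src} -> {tgt}; try {suggestion}")
```

Run against a real audit.log (for example by feeding the file contents to summarize) the grouping shows, at a glance, which denials are the root cause and which are consequences: the capability and rawip_socket entries here are raised by comm=ipvsadm while it is still in piranha_pulse_t, so they disappear once the transition into the iptables domain is in place, as comment 4 confirms.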

Comment 8 errata-xmlrpc 2013-01-08 03:34:38 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0060.html