Bug 924843

Summary: Various AVC denieds related to corosync policy for heartbeat
Product: Red Hat Enterprise Linux 6
Reporter: Robert Scheck <redhat-bugzilla>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Michal Trunecka <mtruneck>
Severity: medium
Priority: high
Version: 6.4
CC: cphillip, dwalsh, ebenes, mgrepl, mmalik, mtruneck, robert.scheck
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: selinux-policy-3.7.19-208.el6
Doc Type: Bug Fix
Clones: 1003783
Last Closed: 2013-11-21 10:21:08 UTC
Type: Bug
Bug Blocks: 835616, 960054, 1003783

Description Robert Scheck 2013-03-22 15:45:01 UTC
Description of problem:
As per bug #836311 comment #30 this has been moved to this separate RHBZ:

type=AVC msg=audit(1363694647.207:432387): avc:  denied  { search } for  pid=32588 comm="mysqld_safe" name="root" dev=sda1 ino=1314605 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:rgmanager_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1363694647.207:432387): arch=x86_64 syscall=stat success=no exit=EACCES a0=4a3b4b a1=7fff999df260 a2=7fff999df260 a3=39e5d37110 items=0 ppid=7112 pid=32588 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=mysqld_safe exe=2F62696E2F62617368202864656C6574656429 subj=system_u:system_r:mysqld_safe_t:s0 key=(null)

type=AVC msg=audit(1363694697.319:96081): avc:  denied  { search } for  pid=20910 comm="mysqld_safe" name="heartbeat" dev=sda1 ino=3153187 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:rgmanager_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1363694697.319:96081): arch=x86_64 syscall=stat success=no exit=EACCES a0=1c6fd80 a1=7fffd37a7940 a2=7fffd37a7940 a3=4 items=0 ppid=20878 pid=20910 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=mysqld_safe exe=/bin/bash subj=system_u:system_r:mysqld_safe_t:s0 key=(null)

type=AVC msg=audit(1363694697.836:96126): avc:  denied  { search } for  pid=21017 comm="mysqld" name="root" dev=sda1 ino=3153191 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:rgmanager_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1363694697.836:96126): arch=x86_64 syscall=stat success=no exit=EACCES a0=7fff733d7860 a1=7fff733d47c0 a2=7fff733d47c0 a3=fffffffffffffffd items=0 ppid=20910 pid=21017 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=mysqld exe=/usr/libexec/mysqld subj=system_u:system_r:mysqld_t:s0 key=(null)

type=AVC msg=audit(1363623429.464:75833): avc:  denied  { search } for  pid=4148 comm="squid" name="root" dev=sda1 ino=394795 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:rgmanager_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1363623429.464:75833): arch=x86_64 syscall=execve success=no exit=EACCES a0=7fff5184dad0 a1=7fff5184ba30 a2=7fe12b610010 a3=7fff5184d840 items=0 ppid=4147 pid=4148 auid=4294967295 uid=0 gid=23 euid=0 suid=0 fsuid=0 egid=23 sgid=23 fsgid=23 tty=(none) ses=4294967295 comm=squid exe=/usr/sbin/squid subj=system_u:system_r:squid_t:s0 key=(null)

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-195.el6_4.3.noarch
selinux-policy-targeted-3.7.19-195.el6_4.3.noarch

How reproducible:
Every time, heartbeat v1 setup as described in bug #836311 with latest SELinux
policy from RHEL 6.4.
  
Actual results:
Some AVC denials.

Expected results:
No AVC denials.

Comment 1 Robert Scheck 2013-03-22 15:53:04 UTC
This is cross-referenced with Red Hat customer portal, case 00668208

Comment 2 Miroslav Grepl 2013-03-25 09:59:26 UTC
Robert,
does it only want to search these dirs?

Comment 3 Robert Scheck 2013-03-27 17:24:17 UTC
Miroslav, how do I figure this out best? These are the only AVC denials, as it
seems at least. Suggestions on how to track it down? Try dontaudits, enforce and
see and try if it is as expected? Unfortunately nearly all of the affected
systems are productive...

Comment 4 Miroslav Grepl 2013-04-03 08:30:31 UTC
Probably the best is to make the domain a permissive domain.

# semanage permissive -a DOMAIN

re-test

# ausearch -m avc -ts recent
# semanage permissive -d DOMAIN


But actually there is no need for that in this case. I am adding fixes to Fedora and will backport them.

Comment 5 Robert Scheck 2013-04-16 19:05:20 UTC
I think it would be enough to make them dontaudit, because it seems to work
fine how it is (enforced).
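The following is an added example, not code from this bug report or from the selinux-policy project. It parses the AVC and SYSCALL records quoted in the description (embedded here as constructed sample input; on a live system the same text comes from `ausearch -m avc -ts recent`, as in comment 4), joins each denial with its syscall record via the audit serial number, decodes the hex-encoded `exe` field the kernel emits when a value contains a space (the `2F62...29` value above is `/bin/bash (deleted)`), and renders the unique (source type, target type, class, permission) tuples as either `allow` or `dontaudit` rules, the latter being the treatment comment 5 proposes. The set of hex-encoded field names and the rule merging are assumptions about audit and audit2allow behaviour, not something the bug states.

```python
import re
from collections import OrderedDict

# Constructed sample input: the audit records quoted in this bug, embedded so the
# script runs offline (live source: ausearch -m avc -ts recent).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1363694647.207:432387): avc:  denied  { search } for  pid=32588 comm="mysqld_safe" name="root" dev=sda1 ino=1314605 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:rgmanager_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1363694647.207:432387): arch=x86_64 syscall=stat success=no exit=EACCES a0=4a3b4b a1=7fff999df260 a2=7fff999df260 a3=39e5d37110 items=0 ppid=7112 pid=32588 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=mysqld_safe exe=2F62696E2F62617368202864656C6574656429 subj=system_u:system_r:mysqld_safe_t:s0 key=(null)
type=AVC msg=audit(1363694697.319:96081): avc:  denied  { search } for  pid=20910 comm="mysqld_safe" name="heartbeat" dev=sda1 ino=3153187 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:rgmanager_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1363694697.836:96126): avc:  denied  { search } for  pid=21017 comm="mysqld" name="root" dev=sda1 ino=3153191 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:rgmanager_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1363623429.464:75833): avc:  denied  { search } for  pid=4148 comm="squid" name="root" dev=sda1 ino=394795 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:rgmanager_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1363623429.464:75833): arch=x86_64 syscall=execve success=no exit=EACCES a0=7fff5184dad0 a1=7fff5184ba30 a2=7fe12b610010 a3=7fff5184d840 items=0 ppid=4147 pid=4148 auid=4294967295 uid=0 gid=23 euid=0 suid=0 fsuid=0 egid=23 sgid=23 fsgid=23 tty=(none) ses=4294967295 comm=squid exe=/usr/sbin/squid subj=system_u:system_r:squid_t:s0 key=(null)
"""

# Assumption: these are the fields the kernel hex-encodes when the value holds a
# space, double quote or control byte. Decoding is restricted to them so that a
# numeric field such as pid=4148 is never mistaken for hex.
HEX_FIELDS = {"exe", "comm", "name", "path", "cwd", "proctitle"}

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key="quoted" or key=bare
SERIAL_RE = re.compile(r"audit\(([\d.]+):(\d+)\)")  # msg=audit(<time>:<serial>)
PERMS_RE = re.compile(r"\{ ([^}]*)\}")              # { search } / { read write }


def decode_hex_field(value):
    """Decode an audit hex-encoded value (uppercase, even length); return anything
    else unchanged. A bare value that happens to be uppercase hex (e.g. a comm of
    'BEEF') would be misdecoded; callers gate on HEX_FIELDS to limit that risk."""
    if len(value) % 2 == 0 and re.fullmatch(r"[0-9A-F]+", value):
        return bytes.fromhex(value).decode("utf-8", "replace")
    return value


def parse_audit(text):
    """Turn audit lines into dicts. AVC records also get 'verdict' and 'perms'."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = {}
        for key, quoted, bare in KV_RE.findall(line):
            value = bare if bare else quoted
            if bare and key in HEX_FIELDS:        # quoted values are never hex-encoded
                value = decode_hex_field(value)
            rec[key] = value
        m = SERIAL_RE.search(line)
        if m:
            rec["serial"] = m.group(2)
        if rec.get("type") == "AVC":
            rec["verdict"] = "denied" if " denied " in line else "granted"
            m = PERMS_RE.search(line)
            rec["perms"] = m.group(1).split() if m else []
        records.append(rec)
    return records


def describe_denials(records):
    """Join every AVC denial with the SYSCALL record sharing its serial, so the
    report shows the (decoded) executable and the syscall that got EACCES."""
    syscalls = {r.get("serial"): r for r in records if r.get("type") == "SYSCALL"}
    rows = []
    for r in records:
        if r.get("type") != "AVC" or r["verdict"] != "denied":
            continue
        sc = syscalls.get(r.get("serial"), {})
        rows.append({
            "source": r["scontext"].split(":")[2],   # e.g. mysqld_safe_t
            "target": r["tcontext"].split(":")[2],   # e.g. rgmanager_var_lib_t
            "tclass": r["tclass"],
            "perms": r["perms"],
            "name": r.get("name"),
            "exe": sc.get("exe"),
            "syscall": sc.get("syscall"),
        })
    return rows


def te_rules(rows, kind="allow"):
    """Render denials as Type Enforcement rules merged per (source, target, class).
    kind='dontaudit' silences the denials; kind='allow' permits the access
    (assumed to match audit2allow's merging)."""
    grouped = OrderedDict()
    for row in rows:
        perms = grouped.setdefault((row["source"], row["target"], row["tclass"]), [])
        for p in row["perms"]:
            if p not in perms:
                perms.append(p)
    return ["%s %s %s:%s { %s };" % (kind, s, t, c, " ".join(perms))
            for (s, t, c), perms in grouped.items()]


if __name__ == "__main__":
    rows = describe_denials(parse_audit(SAMPLE_AUDIT))
    for row in rows:
        print("%-14s -> %s:%s %s name=%s exe=%s syscall=%s" % (
            row["source"], row["target"], row["tclass"], row["perms"],
            row["name"], row["exe"], row["syscall"]))
    print("\n".join(te_rules(rows, "dontaudit")))
```

Running it shows three distinct source domains (mysqld_safe_t, mysqld_t, squid_t) all asking for `search` on `rgmanager_var_lib_t` directories, i.e. exactly the three rules a policy fix or a dontaudit would need, and it surfaces that the first mysqld_safe denial came from a `/bin/bash (deleted)` image, which a plain read of the raw `exe=2F62...` field hides.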

Comment 15 errata-xmlrpc 2013-11-21 10:21:08 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1598.html