Description of problem:
I installed the recent rhel6.5 distro RHEL6.5-20131009.0 and configured LVS as described in https://bugzilla.redhat.com/show_bug.cgi?id=854454#c5

When I started the pulse daemon it failed to initialize due to SELinux denials. The daemon started successfully when I set SELinux to permissive mode. I guess the policy should be updated to have the daemon working properly.

I've set the bug severity to urgent since this is probably a regression and should be fixed before 6.5 gets released.

Version-Release number of selected component (if applicable):
[root@localhost ~]# rpm -qa selinux-policy
selinux-policy-3.7.19-222.el6.noarch
[root@localhost ~]# rpm -qa selinux-policy-targeted
selinux-policy-targeted-3.7.19-222.el6.noarch

How reproducible:
100%

Steps to Reproduce:
1. setup lvs primary router in nat mode (I think the mode does not matter)
2. /sbin/service pulse start
3. observe denials in /var/log/audit/audit.log

Actual results:
avc denials and pulse cannot properly start

type=AVC msg=audit(1381506961.843:274): avc: denied { search } for pid=9283 comm="pulse" name="/" dev=tmpfs ino=5430 scontext=unconfined_u:system_r:piranha_pulse_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=SYSCALL msg=audit(1381506961.843:274): arch=c000003e syscall=2 success=no exit=-13 a0=7ffff8916190 a1=20002 a2=0 a3=7ffff8915f10 items=0 ppid=1 pid=9283 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=10 comm="pulse" exe="/usr/sbin/pulse" subj=unconfined_u:system_r:piranha_pulse_t:s0 key=(null)
type=AVC msg=audit(1381506961.843:275): avc: denied { search } for pid=9283 comm="pulse" name="/" dev=tmpfs ino=5430 scontext=unconfined_u:system_r:piranha_pulse_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=SYSCALL msg=audit(1381506961.843:275): arch=c000003e syscall=87 success=no exit=-13 a0=7ffff8916230 a1=40dce0 a2=0 a3=7ffff8915fb0 items=0 ppid=1 pid=9283 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=10 comm="pulse" exe="/usr/sbin/pulse" subj=unconfined_u:system_r:piranha_pulse_t:s0 key=(null)

Expected results:
pulse daemon starts successfully

Additional info:
This is a new issue from SELinux point of view in RHEL6.5. We allow it in Fedora. If you add a local policy, does it work then?
Hi, so I tried to add a local policy, which turned out to require a lot of rules. Here are the policy modules I used that made the pulse daemon start successfully:

module selinux_pulse_bug-10 1.0;

require {
	type piranha_pulse_t;
	type piranha_lvs_t;
	class process sigkill;
}

#============= piranha_pulse_t ==============
allow piranha_pulse_t piranha_lvs_t:process sigkill;


module selinux_pulse_bug-11 1.0;

require {
	type tmpfs_t;
	type piranha_lvs_t;
	class filesystem getattr;
}

#============= piranha_lvs_t ==============
allow piranha_lvs_t tmpfs_t:filesystem getattr;


module selinux_pulse_bug-12 1.0;

require {
	type tmpfs_t;
	type piranha_lvs_t;
	class dir search;
}

#============= piranha_lvs_t ==============
allow piranha_lvs_t tmpfs_t:dir search;


module selinux_pulse_bug-13 1.0;

require {
	type tmpfs_t;
	type piranha_lvs_t;
	class file { read write };
}

#============= piranha_lvs_t ==============
allow piranha_lvs_t tmpfs_t:file { read write };


module selinux_pulse_bug-14 1.0;

require {
	type tmpfs_t;
	type piranha_lvs_t;
	class file open;
	class dir write;
}

#============= piranha_lvs_t ==============
#!!!! The source type 'piranha_lvs_t' can write to a 'dir' of the following types:
# piranha_lvs_var_run_t, var_run_t, root_t

allow piranha_lvs_t tmpfs_t:dir write;
allow piranha_lvs_t tmpfs_t:file open;


module selinux_pulse_bug-15 1.0;

require {
	type tmpfs_t;
	type piranha_lvs_t;
	class file getattr;
	class dir remove_name;
}

#============= piranha_lvs_t ==============
allow piranha_lvs_t tmpfs_t:dir remove_name;
allow piranha_lvs_t tmpfs_t:file getattr;


module selinux_pulse_bug-16 1.0;

require {
	type tmpfs_t;
	type piranha_lvs_t;
	class file unlink;
}

#============= piranha_lvs_t ==============
allow piranha_lvs_t tmpfs_t:file unlink;


module selinux_pulse_bug-2 1.0;

require {
	type tmpfs_t;
	type piranha_pulse_t;
	class dir write;
}

#============= piranha_pulse_t ==============
#!!!! The source type 'piranha_pulse_t' can write to a 'dir' of the following types:
# samba_var_t, piranha_pulse_var_run_t, var_run_t, root_t

allow piranha_pulse_t tmpfs_t:dir write;


module selinux_pulse_bug-3 1.0;

require {
	type tmpfs_t;
	type piranha_pulse_t;
	class dir add_name;
}

#============= piranha_pulse_t ==============
allow piranha_pulse_t tmpfs_t:dir add_name;


module selinux_pulse_bug-4 1.0;

require {
	type tmpfs_t;
	type piranha_pulse_t;
	class file create;
}

#============= piranha_pulse_t ==============
allow piranha_pulse_t tmpfs_t:file create;


module selinux_pulse_bug-5 1.0;

require {
	type tmpfs_t;
	type piranha_pulse_t;
	class file { read write open };
}

#============= piranha_pulse_t ==============
#!!!! The source type 'piranha_pulse_t' can write to a 'file' of the following types:
# samba_etc_t, samba_var_t, sysctl_rpc_t, piranha_pulse_var_run_t, root_t

allow piranha_pulse_t tmpfs_t:file { read write open };


module selinux_pulse_bug-6 1.0;

require {
	type tmpfs_t;
	type piranha_pulse_t;
	class dir remove_name;
}

#============= piranha_pulse_t ==============
allow piranha_pulse_t tmpfs_t:dir remove_name;


module selinux_pulse_bug-7 1.0;

require {
	type tmpfs_t;
	type piranha_pulse_t;
	class file unlink;
}

#============= piranha_pulse_t ==============
allow piranha_pulse_t tmpfs_t:file unlink;


module selinux_pulse_bug-8 1.0;

require {
	type tmpfs_t;
	type piranha_pulse_t;
	class file link;
}

#============= piranha_pulse_t ==============
allow piranha_pulse_t tmpfs_t:file link;


module selinux_pulse_bug-9 1.0;

require {
	type tmpfs_t;
	type piranha_pulse_t;
	class file getattr;
}

#============= piranha_pulse_t ==============
allow piranha_pulse_t tmpfs_t:file getattr;


module selinux_pulse_bug 1.0;

require {
	type tmpfs_t;
	type piranha_pulse_t;
	class dir search;
}

#============= piranha_pulse_t ==============
allow piranha_pulse_t tmpfs_t:dir search;
Ok, now it is more complicated. Any idea who creates this tmpfs_t? Could you pls attach AVC msgs and also

# ps -eZ |grep initrc
Actually I see it now. Could you test the following local policy

# cat mypol.te
require{
	attribute piranha_domain;
}

type piranha_pulse_tmpfs_t;
files_tmpfs_file(piranha_pulse_tmpfs_t)

manage_dirs_pattern(piranha_pulse_t, piranha_pulse_tmpfs_t, piranha_pulse_tmpfs_t)
manage_files_pattern(piranha_pulse_t, piranha_pulse_tmpfs_t, piranha_pulse_tmpfs_t)
fs_tmpfs_filetrans(piranha_pulse_t, piranha_pulse_tmpfs_t, { dir file })

manage_files_pattern(piranha_domain, piranha_pulse_tmpfs_t,piranha_pulse_tmpfs_t)
manage_dirs_pattern(piranha_domain, piranha_pulse_tmpfs_t,piranha_pulse_tmpfs_t)

and

# make -f /usr/share/selinux/devel/Makefile mypol.pp
# semodule -i mypol.pp

and also remove your local policies.
(In reply to Miroslav Grepl from comment #5)
> Actually I see it now. Could you test the following local policy
>
> # cat mypol.te
> require{
>	attribute piranha_domain;
> }
>
> type piranha_pulse_tmpfs_t;
> files_tmpfs_file(piranha_pulse_tmpfs_t)
>
> manage_dirs_pattern(piranha_pulse_t, piranha_pulse_tmpfs_t, piranha_pulse_tmpfs_t)
> manage_files_pattern(piranha_pulse_t, piranha_pulse_tmpfs_t, piranha_pulse_tmpfs_t)
> fs_tmpfs_filetrans(piranha_pulse_t, piranha_pulse_tmpfs_t, { dir file })
>
> manage_files_pattern(piranha_domain, piranha_pulse_tmpfs_t,piranha_pulse_tmpfs_t)
> manage_dirs_pattern(piranha_domain, piranha_pulse_tmpfs_t,piranha_pulse_tmpfs_t)
>
> and
>
> # make -f /usr/share/selinux/devel/Makefile mypol.pp
> # semodule -i mypol.pp
>
> and also remove your local policies.

It moved a bit, but I still got some denials. I had to slightly modify the policy file you've provided:

# cat mypol.te
policy_module(local, 0.0.1)        <====

require {
	attribute piranha_domain;
	type piranha_pulse_t;          <====
}

type piranha_pulse_tmpfs_t;
files_tmpfs_file(piranha_pulse_tmpfs_t)

manage_dirs_pattern(piranha_pulse_t, piranha_pulse_tmpfs_t, piranha_pulse_tmpfs_t)
manage_files_pattern(piranha_pulse_t, piranha_pulse_tmpfs_t, piranha_pulse_tmpfs_t)
fs_tmpfs_filetrans(piranha_pulse_t, piranha_pulse_tmpfs_t, { dir file })

manage_files_pattern(piranha_domain, piranha_pulse_tmpfs_t,piranha_pulse_tmpfs_t)
manage_dirs_pattern(piranha_domain, piranha_pulse_tmpfs_t,piranha_pulse_tmpfs_t)

The denials I see are the following:

type=SYSCALL msg=audit(1381848896.993:98): arch=c000003e syscall=1 success=yes exit=7283063 a0=4 a1=7f42b209c000 a2=6f2177 a3=7fff4a9a99e0 items=0 ppid=2668 pid=2669 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4 comm="load_policy" exe="/sbin/load_policy" subj=unconfined_u:unconfined_r:load_policy_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1381848930.471:99): avc: denied { getattr } for pid=2705 comm="lvsd" name="/" dev=tmpfs ino=5298 scontext=unconfined_u:system_r:piranha_lvs_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem
type=SYSCALL msg=audit(1381848930.471:99): arch=c000003e syscall=137 success=no exit=-13 a0=7f5cde5b7744 a1=7fff01ecd850 a2=1 a3=7fff01ecd3c0 items=0 ppid=2694 pid=2705 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4 comm="lvsd" exe="/usr/sbin/lvsd" subj=unconfined_u:system_r:piranha_lvs_t:s0 key=(null)
type=AVC msg=audit(1381848930.476:100): avc: denied { getattr } for pid=2705 comm="lvsd" name="/" dev=tmpfs ino=5298 scontext=unconfined_u:system_r:piranha_lvs_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem
type=SYSCALL msg=audit(1381848930.476:100): arch=c000003e syscall=137 success=no exit=-13 a0=7fff01ecd656 a1=7fff01ecd850 a2=7f5cde14c240 a3=3 items=0 ppid=2694 pid=2705 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4 comm="lvsd" exe="/usr/sbin/lvsd" subj=unconfined_u:system_r:piranha_lvs_t:s0 key=(null)
type=AVC msg=audit(1381848930.502:101): avc: denied { sigkill } for pid=2694 comm="pulse" scontext=unconfined_u:system_r:piranha_pulse_t:s0 tcontext=unconfined_u:system_r:piranha_lvs_t:s0 tclass=process
type=SYSCALL msg=audit(1381848930.502:101): arch=c000003e syscall=62 success=no exit=-13 a0=a91 a1=9 a2=0 a3=7fffc9bb0ed0 items=0 ppid=1 pid=2694 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4 comm="pulse" exe="/usr/sbin/pulse" subj=unconfined_u:system_r:piranha_pulse_t:s0 key=(null)
Much better. And if you allow these AVC msgs, does it work then?
(In reply to Miroslav Grepl from comment #7)
> Much better. And if you allow these AVC msgs, does it work then?

I think this leads to the policies described in comment #3. Allowing the AVCs in comment #6 leads to more:

type=AVC msg=audit(10/15/2013 17:36:51.145:18) : avc: denied { search } for pid=1841 comm=lvsd name=/ dev=tmpfs ino=5430 scontext=unconfined_u:system_r:piranha_lvs_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
----
type=AVC msg=audit(10/15/2013 17:36:51.144:17) : avc: denied { search } for pid=1841 comm=lvsd name=/ dev=tmpfs ino=5430 scontext=unconfined_u:system_r:piranha_lvs_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir

Allowing these leads to the following:

type=AVC msg=audit(10/15/2013 17:40:58.601:20) : avc: denied { write } for pid=1894 comm=lvsd name=/ dev=tmpfs ino=5430 scontext=unconfined_u:system_r:piranha_lvs_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir

Allowing this one produces:

type=AVC msg=audit(10/15/2013 17:43:10.482:22) : avc: denied { remove_name } for pid=1972 comm=lvsd name=sem.lvs dev=tmpfs ino=20212 scontext=unconfined_u:system_r:piranha_lvs_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir

Once all of the above are allowed I see no further AVCs.
Ok, thank you for testing.
Still got some denials after upgrading to selinux-policy-3.7.19-225.el6

On pulse startup:

type=AVC msg=audit(1381925968.124:24): avc: denied { sigkill } for pid=1278 comm="pulse" scontext=unconfined_u:system_r:piranha_pulse_t:s0 tcontext=unconfined_u:system_r:piranha_lvs_t:s0 tclass=process
type=SYSCALL msg=audit(1381925968.124:24): arch=c000003e syscall=62 success=no exit=-13 a0=505 a1=9 a2=0 a3=7fff46510d30 items=0 ppid=1 pid=1278 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="pulse" exe="/usr/sbin/pulse" subj=unconfined_u:system_r:piranha_pulse_t:s0 key=(null)

On getting back the mastership:

type=AVC msg=audit(1381926145.743:26): avc: denied { getattr } for pid=1328 comm="lvsd" name="/" dev=tmpfs ino=5430 scontext=unconfined_u:system_r:piranha_lvs_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem
type=SYSCALL msg=audit(1381926145.743:26): arch=c000003e syscall=137 success=no exit=-13 a0=7ffff11d18c6 a1=7ffff11d1ac0 a2=7fa2cb2ef240 a3=3 items=0 ppid=1322 pid=1328 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="lvsd" exe="/usr/sbin/lvsd" subj=unconfined_u:system_r:piranha_lvs_t:s0 key=(null)
type=AVC msg=audit(1381926145.750:27): avc: denied { sigkill } for pid=1322 comm="pulse" scontext=unconfined_u:system_r:piranha_pulse_t:s0 tcontext=unconfined_u:system_r:piranha_lvs_t:s0 tclass=process
type=SYSCALL msg=audit(1381926145.750:27): arch=c000003e syscall=62 success=no exit=-13 a0=530 a1=9 a2=0 a3=7fff673fb880 items=0 ppid=1 pid=1322 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="pulse" exe="/usr/sbin/pulse" subj=unconfined_u:system_r:piranha_pulse_t:s0 key=(null)
type=AVC msg=audit(1381926403.009:29): avc: denied { search } for pid=1376 comm="lvsd" name="/" dev=tmpfs ino=5430 scontext=unconfined_u:system_r:piranha_lvs_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=SYSCALL msg=audit(1381926403.009:29): arch=c000003e syscall=2 success=no exit=-13 a0=7fff2e66fb10 a1=20002 a2=0 a3=7fff2e66f890 items=0 ppid=1370 pid=1376 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="lvsd" exe="/usr/sbin/lvsd" subj=unconfined_u:system_r:piranha_lvs_t:s0 key=(null)
type=AVC msg=audit(1381927188.129:37): avc: denied { write } for pid=1508 comm="lvsd" name="/" dev=tmpfs ino=5430 scontext=unconfined_u:system_r:piranha_lvs_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=SYSCALL msg=audit(1381927188.129:37): arch=c000003e syscall=87 success=no exit=-13 a0=7fff0eb10bd0 a1=40b032 a2=0 a3=7fff0eb10950 items=0 ppid=1502 pid=1508 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="lvsd" exe="/usr/sbin/lvsd" subj=unconfined_u:system_r:piranha_lvs_t:s0 key=(null)
type=AVC msg=audit(1381927765.733:41): avc: denied { remove_name } for pid=1936 comm="lvsd" name="sem.lvs" dev=tmpfs ino=26354 scontext=unconfined_u:system_r:piranha_lvs_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=SYSCALL msg=audit(1381927765.733:41): arch=c000003e syscall=87 success=no exit=-13 a0=7fff955504e0 a1=40b032 a2=0 a3=7fff95550260 items=0 ppid=1930 pid=1936 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="lvsd" exe="/usr/sbin/lvsd" subj=unconfined_u:system_r:piranha_lvs_t:s0 key=(null)

So the overall policy I came to is:

# cat mypol.te
module mypol 1.0;

require {
	type tmpfs_t;
	type piranha_lvs_t;
	type piranha_pulse_t;
	class process sigkill;
	class dir { write remove_name search };
	class filesystem getattr;
}

#============= piranha_lvs_t ==============
#!!!! The source type 'piranha_lvs_t' can write to a 'dir' of the following types:
# piranha_lvs_var_run_t, piranha_pulse_tmpfs_t, var_run_t, root_t

allow piranha_lvs_t tmpfs_t:dir { write remove_name search };
allow piranha_lvs_t tmpfs_t:filesystem getattr;

#============= piranha_pulse_t ==============
allow piranha_pulse_t piranha_lvs_t:process sigkill;
I see

#============= piranha_lvs_t ==============
#!!!! This avc is allowed in the current policy
allow piranha_lvs_t tmpfs_t:dir { write remove_name search };
#!!!! This avc is allowed in the current policy
allow piranha_lvs_t tmpfs_t:filesystem getattr;

#============= piranha_pulse_t ==============
#!!!! This avc is allowed in the current policy
allow piranha_pulse_t piranha_lvs_t:process sigkill;

# rpm -qa selinux-policy-*
selinux-policy-minimum-3.7.19-225.el6.noarch
selinux-policy-mls-3.7.19-225.el6.noarch
selinux-policy-doc-3.7.19-218.el6.noarch
selinux-policy-targeted-3.7.19-225.el6.noarch
I'm sorry for the confusion I made. My update of selinux-policy was not completely successful and conflicted with the previous one. After the correction the updated package solved the pulse daemon startup.

Tested on:

# rpm -qa selinux-\*
selinux-policy-3.7.19-225.el6.noarch
selinux-policy-targeted-3.7.19-225.el6.noarch

Setting to verified and removing FailedQA flag.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2013-1598.html