Note: This bug is displayed in read-only format because
the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Created attachment 1014417[details]
logs
Description of problem:
Sanlock constantly get denied from reading data on block storage domains which are based on rhel7.0 hosts, because of a false link file denial:
found 1 alert in /var/log/audit/audit.log
--------------------------------------------------------------------------------
SELinux is preventing /usr/sbin/sanlock from read access on the lnk_file .
***** Plugin catchall (100. confidence) suggests **************************
If you believe that sanlock should be allowed read access on the lnk_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep sanlock /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:sanlock_t:s0-s0:c0.c1023
Target Context system_u:object_r:sysfs_t:s0
Target Objects [ lnk_file ]
Source sanlock
Source Path /usr/sbin/sanlock
Port <Unknown>
Host <Unknown>
Source RPM Packages sanlock-3.1.0-2.el7.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.12.1-153.el7.3.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name purple-vds3.qa.lab.tlv.redhat.com
Platform Linux purple-vds3.qa.lab.tlv.redhat.com
3.10.0-123.el7.x86_64 #1 SMP Mon May 5 11:16:57
EDT 2014 x86_64 x86_64
Alert Count 5
First Seen 2015-04-14 16:25:52 IDT
Last Seen 2015-04-14 16:28:46 IDT
Local ID 1347ce97-a9bd-488f-bebc-d601ebe57670
Raw Audit Messages
type=AVC msg=audit(1429018126.571:4871): avc: denied { read } for pid=14833 comm="sanlock" name="253:36" dev="sysfs" ino=24553 scontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1429018126.571:4871): arch=x86_64 syscall=open success=no exit=EACCES a0=7fda178518b0 a1=80000 a2=16 a3=0 items=0 ppid=1 pid=14833 auid=4294967295 uid=179 gid=179 euid=179 suid=179 fsuid=179 egid=179 sgid=179 fsgid=179 tty=(none) ses=4294967295 comm=sanlock exe=/usr/sbin/sanlock subj=system_u:system_r:sanlock_t:s0-s0:c0.c1023 key=(null)
Hash: sanlock,sanlock_t,sysfs_t,lnk_file,read
see also sanlock.log errors:
2015-04-14 16:49:20+0300 12509 [13843]: s35 renewal error -5 delta_length 0 last_success 12477
2015-04-14 16:49:21+0300 12509 [14833]: 9afbb82a aio collect 0 0x7fda000008c0:0x7fda000008d0:0x7fda14043000 result -5:0 match res
2015-04-14 16:49:21+0300 12509 [14833]: s37 delta_renew read rv -5 offset 0 /dev/9afbb82a-15bf-4a9d-9cf7-1a505f574d8c/ids
2015-04-14 16:49:21+0300 12509 [14833]: s37 renewal error -5 delta_length 0 last_success 12486
2015-04-14 16:49:21+0300 12510 [14833]: 9afbb82a aio collect 0 0x7fda000008c0:0x7fda000008d0:0x7fda14043000 result -5:0 match res
2015-04-14 16:49:21+0300 12510 [14833]: s37 delta_renew read rv -5 offset 0 /dev/9afbb82a-15bf-4a9d-9cf7-1a505f574d8c/ids
2015-04-14 16:49:21+0300 12510 [14833]: s37 renewal error -5 delta_length 0 last_success 12486
Version-Release number of selected component (if applicable):
selinux-policy-3.12.1-153.el7.3.noarch
How reproducible:
100%
Steps to Reproduce:
- add a rhel7.0 to a datacenter with block storage
- or activate a block domain on a cluster which a rhel7.0 host is the SPM
Actual results:
Sanlock can't read metadata from domains which affects sanlock's behavior(offset, lock, etc)
Expected results:
Selinux shouldn't prevent sanlock from reaching the metadata
Additional info:
does not reproduce on rhel7.1 hypervisors!
(In reply to Milos Malik from comment #3)
> This bug is fixed in RHEL-7.1. Do you want to propose this bug for 7.0.z?
Yes please, it is also a very important back-port, the consequences of this bug is failing to use storage domains, let's say you have some hosts on a dc with rhel 7.1 that can use the domains, and some hosts with rhel 7.0.z that cannot, the rhel 7.0.z hosts will eventually become non-operational over a period of time.
(In reply to Milos Malik from comment #3)
> This bug is fixed in RHEL-7.1.
Milos, can you please add a reference to the RHEL 7.1 bug and the build that fixes it?
Thanks!
# audit2allow -i avc
#============= sanlock_t ==============
#!!!! This avc is allowed in the current policy
allow sanlock_t sysfs_t:lnk_file read;
# rpm -q selinux-policy
selinux-policy-3.13.1-33.el7.noarch
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://rhn.redhat.com/errata/RHBA-2015-2300.html
Created attachment 1014417 [details] logs Description of problem: Sanlock constantly get denied from reading data on block storage domains which are based on rhel7.0 hosts, because of a false link file denial: found 1 alert in /var/log/audit/audit.log -------------------------------------------------------------------------------- SELinux is preventing /usr/sbin/sanlock from read access on the lnk_file . ***** Plugin catchall (100. confidence) suggests ************************** If you believe that sanlock should be allowed read access on the lnk_file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep sanlock /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:sanlock_t:s0-s0:c0.c1023 Target Context system_u:object_r:sysfs_t:s0 Target Objects [ lnk_file ] Source sanlock Source Path /usr/sbin/sanlock Port <Unknown> Host <Unknown> Source RPM Packages sanlock-3.1.0-2.el7.x86_64 Target RPM Packages Policy RPM selinux-policy-3.12.1-153.el7.3.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name purple-vds3.qa.lab.tlv.redhat.com Platform Linux purple-vds3.qa.lab.tlv.redhat.com 3.10.0-123.el7.x86_64 #1 SMP Mon May 5 11:16:57 EDT 2014 x86_64 x86_64 Alert Count 5 First Seen 2015-04-14 16:25:52 IDT Last Seen 2015-04-14 16:28:46 IDT Local ID 1347ce97-a9bd-488f-bebc-d601ebe57670 Raw Audit Messages type=AVC msg=audit(1429018126.571:4871): avc: denied { read } for pid=14833 comm="sanlock" name="253:36" dev="sysfs" ino=24553 scontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file type=SYSCALL msg=audit(1429018126.571:4871): arch=x86_64 syscall=open success=no exit=EACCES a0=7fda178518b0 a1=80000 a2=16 a3=0 items=0 ppid=1 pid=14833 auid=4294967295 uid=179 gid=179 euid=179 suid=179 fsuid=179 egid=179 sgid=179 fsgid=179 tty=(none) ses=4294967295 comm=sanlock exe=/usr/sbin/sanlock subj=system_u:system_r:sanlock_t:s0-s0:c0.c1023 key=(null) Hash: sanlock,sanlock_t,sysfs_t,lnk_file,read see also sanlock.log errors: 2015-04-14 16:49:20+0300 12509 [13843]: s35 renewal error -5 delta_length 0 last_success 12477 2015-04-14 16:49:21+0300 12509 [14833]: 9afbb82a aio collect 0 0x7fda000008c0:0x7fda000008d0:0x7fda14043000 result -5:0 match res 2015-04-14 16:49:21+0300 12509 [14833]: s37 delta_renew read rv -5 offset 0 /dev/9afbb82a-15bf-4a9d-9cf7-1a505f574d8c/ids 2015-04-14 16:49:21+0300 12509 [14833]: s37 renewal error -5 delta_length 0 last_success 12486 2015-04-14 16:49:21+0300 12510 [14833]: 9afbb82a aio collect 0 0x7fda000008c0:0x7fda000008d0:0x7fda14043000 result -5:0 match res 2015-04-14 16:49:21+0300 12510 [14833]: s37 delta_renew read rv -5 offset 0 /dev/9afbb82a-15bf-4a9d-9cf7-1a505f574d8c/ids 2015-04-14 16:49:21+0300 12510 [14833]: s37 renewal error -5 delta_length 0 last_success 12486 Version-Release number of selected component (if applicable): selinux-policy-3.12.1-153.el7.3.noarch How reproducible: 100% Steps to Reproduce: - add a rhel7.0 to a datacenter with block storage - or activate a block domain on a cluster which a rhel7.0 host is the SPM Actual results: Sanlock can't read metadata from domains which affects sanlock's behavior(offset, lock, etc) Expected results: Selinux shouldn't prevent sanlock from reaching the metadata Additional info: does not reproduce on rhel7.1 hypervisors!