1211697 – [Sanlock][RHEL7.0] Sanlock's attempts to read metadata from vdsm's block storage get denied by selinux

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1211697 - [Sanlock][RHEL7.0] Sanlock's attempts to read metadata from vdsm's block storage get denied by selinux

Summary: [Sanlock][RHEL7.0] Sanlock's attempts to read metadata from vdsm's block stor...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	7.3
Hardware:	Unspecified
OS:	Linux
Priority:	unspecified
Severity:	high
Target Milestone:	rc
Target Release:	---
Assignee:	Lukas Vrabec
QA Contact:	Milos Malik
Docs Contact:
URL:
Whiteboard:	sanlock
Depends On:
Blocks:	1211965
TreeView+	depends on / blocked

Reported:	2015-04-14 15:52 UTC by Ori Gofen
Modified:	2016-05-26 01:49 UTC (History)
CC List:	12 users (show)
Fixed In Version:	selinux-policy-3.13.1-33.el7.noarch
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Clones:	1211965 (view as bug list)
Environment:
Last Closed:	2015-11-19 10:31:39 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
logs (1.92 MB, application/x-gzip) 2015-04-14 15:52 UTC, Ori Gofen	no flags	Details
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2015:2300	0	normal	SHIPPED_LIVE	selinux-policy bug fix update	2015-11-19 09:55:26 UTC

Description Ori Gofen 2015-04-14 15:52:27 UTC

Created attachment 1014417 [details]
logs

Description of problem:

Sanlock constantly get denied from reading data on block storage domains which are based on rhel7.0 hosts, because of a false link file denial:


found 1 alert in /var/log/audit/audit.log
--------------------------------------------------------------------------------

SELinux is preventing /usr/sbin/sanlock from read access on the lnk_file .

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that sanlock should be allowed read access on the  lnk_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep sanlock /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:sanlock_t:s0-s0:c0.c1023
Target Context                system_u:object_r:sysfs_t:s0
Target Objects                 [ lnk_file ]
Source                        sanlock
Source Path                   /usr/sbin/sanlock
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           sanlock-3.1.0-2.el7.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.12.1-153.el7.3.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     purple-vds3.qa.lab.tlv.redhat.com
Platform                      Linux purple-vds3.qa.lab.tlv.redhat.com
                              3.10.0-123.el7.x86_64 #1 SMP Mon May 5 11:16:57
                              EDT 2014 x86_64 x86_64
Alert Count                   5
First Seen                    2015-04-14 16:25:52 IDT
Last Seen                     2015-04-14 16:28:46 IDT
Local ID                      1347ce97-a9bd-488f-bebc-d601ebe57670

Raw Audit Messages
type=AVC msg=audit(1429018126.571:4871): avc:  denied  { read } for  pid=14833 comm="sanlock" name="253:36" dev="sysfs" ino=24553 scontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file


type=SYSCALL msg=audit(1429018126.571:4871): arch=x86_64 syscall=open success=no exit=EACCES a0=7fda178518b0 a1=80000 a2=16 a3=0 items=0 ppid=1 pid=14833 auid=4294967295 uid=179 gid=179 euid=179 suid=179 fsuid=179 egid=179 sgid=179 fsgid=179 tty=(none) ses=4294967295 comm=sanlock exe=/usr/sbin/sanlock subj=system_u:system_r:sanlock_t:s0-s0:c0.c1023 key=(null)

Hash: sanlock,sanlock_t,sysfs_t,lnk_file,read

see also sanlock.log errors:
2015-04-14 16:49:20+0300 12509 [13843]: s35 renewal error -5 delta_length 0 last_success 12477
2015-04-14 16:49:21+0300 12509 [14833]: 9afbb82a aio collect 0 0x7fda000008c0:0x7fda000008d0:0x7fda14043000 result -5:0 match res
2015-04-14 16:49:21+0300 12509 [14833]: s37 delta_renew read rv -5 offset 0 /dev/9afbb82a-15bf-4a9d-9cf7-1a505f574d8c/ids
2015-04-14 16:49:21+0300 12509 [14833]: s37 renewal error -5 delta_length 0 last_success 12486
2015-04-14 16:49:21+0300 12510 [14833]: 9afbb82a aio collect 0 0x7fda000008c0:0x7fda000008d0:0x7fda14043000 result -5:0 match res
2015-04-14 16:49:21+0300 12510 [14833]: s37 delta_renew read rv -5 offset 0 /dev/9afbb82a-15bf-4a9d-9cf7-1a505f574d8c/ids
2015-04-14 16:49:21+0300 12510 [14833]: s37 renewal error -5 delta_length 0 last_success 12486

Version-Release number of selected component (if applicable):
selinux-policy-3.12.1-153.el7.3.noarch

How reproducible:
100%

Steps to Reproduce:
- add a rhel7.0 to a datacenter with block storage
- or activate a block domain on a cluster which a rhel7.0 host is the SPM


Actual results:
Sanlock can't read metadata from domains which affects sanlock's  behavior(offset, lock, etc)

Expected results:
Selinux shouldn't prevent sanlock from reaching the metadata

Additional info:
does not reproduce on rhel7.1 hypervisors!

Comment 3 Milos Malik 2015-04-15 06:52:47 UTC

This bug is fixed in RHEL-7.1. Do you want to propose this bug for 7.0.z?

Comment 4 Ori Gofen 2015-04-15 09:45:48 UTC

(In reply to Milos Malik from comment #3)
> This bug is fixed in RHEL-7.1. Do you want to propose this bug for 7.0.z?

Yes please, it is also a very important back-port, the consequences of this bug is failing to use storage domains, let's say you have some hosts on a dc with rhel 7.1 that can use the domains, and some hosts with rhel 7.0.z  that cannot, the rhel 7.0.z hosts will eventually become non-operational over a period of time.

Comment 5 Milos Malik 2015-04-16 07:13:21 UTC

I'm nor able propose the bug for RHEL-7.0.z. Please ask you PM to do that.

Comment 7 Allon Mureinik 2015-04-19 16:29:28 UTC

(In reply to Milos Malik from comment #3)
> This bug is fixed in RHEL-7.1. 
Milos, can you please add a reference to the RHEL 7.1 bug and the build that fixes it?
Thanks!

Comment 8 Milos Malik 2015-04-20 05:56:45 UTC

Here is the RHEL-7.1 bug: BZ#1152538.

Comment 9 Allon Mureinik 2015-04-20 10:51:12 UTC

Awesome, thanks Milos!

Returning the needinfo on Bronce for the request in comment 6.

Comment 16 Lukas Vrabec 2015-08-04 14:51:45 UTC

# audit2allow -i avc 


#============= sanlock_t ==============

#!!!! This avc is allowed in the current policy
allow sanlock_t sysfs_t:lnk_file read;

# rpm -q selinux-policy
selinux-policy-3.13.1-33.el7.noarch

Comment 20 errata-xmlrpc 2015-11-19 10:31:39 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2300.html

Note You need to log in before you can comment on or make changes to this bug.