Bug 1215637 - [SELinux] [RHGS-3.1] AVC's of all the executable hooks under /var/lib/glusterd/hooks/ on RHEL-6.7
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Gluster Storage
Classification: Red Hat Storage
Component: glusterfs
Version: rhgs-3.1
Hardware: Unspecified
OS: Unspecified
Priority: urgent
Severity: urgent
Target Milestone: ---
Target Release: RHGS 3.1.0
Assignee: Anand Nekkunti
QA Contact: surabhi
URL:
Whiteboard: SELinux
Duplicates: 1217198 1232217
Depends On: 1215632
Blocks: 1202842 1212796
Reported: 2015-04-27 11:20 UTC by Prasanth
Modified: 2015-07-29 04:42 UTC (History)

Fixed In Version: selinux-policy-3.7.19-278.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-07-29 04:42:10 UTC
Embargoed:




Links: Red Hat Product Errata RHSA-2015:1495 (normal, SHIPPED_LIVE): Important: Red Hat Gluster Storage 3.1 update, last updated 2015-07-29 08:26:26 UTC

Description Prasanth 2015-04-27 11:20:04 UTC
Description of problem:

SELinux is preventing /bin/bash from using the signal access on a process

See AVC messages from /var/log/audit/audit.log below:

######
type=AVC msg=audit(1429776701.631:1186): avc:  denied  { execute } for  pid=9815 comm="S30samba-stop.s" name="smbd" dev=dm-0 ino=152897 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:smbd_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1429776701.631:1186): arch=c000003e syscall=21 success=yes exit=0 a0=fe9ae0 a1=1 a2=0 a3=f items=0 ppid=9814 pid=9815 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="S30samba-stop.s" exe="/bin/bash" subj=unconfined_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1429776701.633:1187): avc:  denied  { execute_no_trans } for  pid=9815 comm="S30samba-stop.s" path="/usr/sbin/smbd" dev=dm-0 ino=152897 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:smbd_exec_t:s0 tclass=file
type=AVC msg=audit(1429776701.954:1189): avc:  denied  { signal } for  pid=9812 comm="S30samba-stop.s" scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=unconfined_u:system_r:smbd_t:s0 tclass=process
type=SYSCALL msg=audit(1429776701.954:1189): arch=c000003e syscall=62 success=yes exit=0 a0=c7c a1=1 a2=0 a3=c7c items=0 ppid=3810 pid=9812 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="S30samba-stop.s" exe="/bin/bash" subj=unconfined_u:system_r:glusterd_t:s0 key=(null)
######


Version-Release number of selected component (if applicable):
#####
glusterfs-fuse-3.7dev-0.1009.git8b987be.el6.x86_64
glusterfs-cli-3.7dev-0.1009.git8b987be.el6.x86_64
glusterfs-3.7dev-0.1009.git8b987be.el6.x86_64
glusterfs-server-3.7dev-0.1009.git8b987be.el6.x86_64
glusterfs-libs-3.7dev-0.1009.git8b987be.el6.x86_64
glusterfs-api-3.7dev-0.1009.git8b987be.el6.x86_64
samba-vfs-glusterfs-4.1.17-4.el6rhs.x86_64
#####

How reproducible: Always


Steps to Reproduce:
1. Install the RHEL6 glusterfs 3.7 nightly builds from http://download.gluster.org/pub/gluster/glusterfs/nightly/glusterfs-3.7/epel-6-x86_64/
2. Create a volume and start it
3. Check for the AVC's in /var/log/audit/audit.log

Actual results: Above mentioned AVC is seen in the logs.


Expected results: If you believe that bash should be allowed signal access on processes labeled smbd_t by default, please consider fixing it.


Comment 1 Anand Nekkunti 2015-05-19 10:17:13 UTC
This problem is related to samba, not glusterd; samba needs SELinux permission to execute commands in /bin/. The SELinux rules need to be modified for that.

Comment 2 Prasanth 2015-06-19 06:49:54 UTC
While disabling cluster.enable-shared-storage, saw log messages
========================================================
Jun 16 14:41:40 darkknightrises setroubleshoot: SELinux is preventing /usr/bin/python from execute access on the file /var/lib/glusterd/hooks/1/delete/post/S57glusterfind-delete-post.py. For complete SELinux messages. run sealert -l 013c2865-34ab-4e95-a530-cb114d895ce4



Version-Release number of selected component (if applicable):

[root@darkknightrises ~]# rpm -qa  | grep glusterfs
glusterfs-3.7.1-3.el6rhs.x86_64
glusterfs-cli-3.7.1-3.el6rhs.x86_64
glusterfs-libs-3.7.1-3.el6rhs.x86_64
glusterfs-client-xlators-3.7.1-3.el6rhs.x86_64
glusterfs-fuse-3.7.1-3.el6rhs.x86_64
glusterfs-server-3.7.1-3.el6rhs.x86_64
glusterfs-debuginfo-3.7.1-3.el6rhs.x86_64
samba-vfs-glusterfs-4.1.17-4.el6rhs.x86_64
glusterfs-api-3.7.1-3.el6rhs.x86_64
glusterfs-geo-replication-3.7.1-3.el6rhs.x86_64



Selinux Version:
===============================
[root@darkknightrises ~]# rpm -qa |grep selinux
selinux-policy-targeted-3.7.19-276.el6.noarch
libselinux-2.0.94-5.8.el6.x86_64
libselinux-utils-2.0.94-5.8.el6.x86_64
selinux-policy-3.7.19-276.el6.noarch
libselinux-python-2.0.94-5.8.el6.x86_64


How reproducible:


Steps to Reproduce:
1. Create 2*2 distribute-replicate volume
2. gluster vol set all cluster.enable-shared-storage enable
3. gluster vol set all cluster.enable-shared-storage disable

Actual results:

Jun 16 14:41:40 darkknightrises setroubleshoot: SELinux is preventing /usr/bin/python from execute access on the file /var/lib/glusterd/hooks/1/delete/post/S57glusterfind-delete-post.py. For complete SELinux messages. run sealert -l 013c2865-34ab-4e95-a530-cb114d895ce4
===================================================

[root@darkknightrises ~]# sealert -l 013c2865-34ab-4e95-a530-cb114d895ce4
SELinux is preventing /usr/bin/python from execute access on the file /var/lib/glusterd/hooks/1/delete/post/S57glusterfind-delete-post.py.

*****  Plugin leaks (86.2 confidence) suggests  ******************************

If you want to ignore python trying to execute access the S57glusterfind-delete-post.py file, because you believe it should not need this access.
Then you should report this as a bug.  
You can generate a local policy module to dontaudit this access.
Do
# grep /usr/bin/python /var/log/audit/audit.log | audit2allow -D -M mypol
# semodule -i mypol.pp

*****  Plugin catchall (14.7 confidence) suggests  ***************************

If you believe that python should be allowed execute access on the S57glusterfind-delete-post.py file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep S57glusterfind- /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                unconfined_u:system_r:glusterd_t:s0
Target Context                system_u:object_r:glusterd_var_lib_t:s0
Target Objects                /var/lib/glusterd/hooks/1/delete/post
                              /S57glusterfind-delete-post.py [ file ]
Source                        S57glusterfind-
Source Path                   /usr/bin/python
Port                          <Unknown>
Host                          darkknightrises
Source RPM Packages           python-2.6.6-64.el6.x86_64
Target RPM Packages           glusterfs-server-3.7.1-3.el6rhs.x86_64
Policy RPM                    selinux-policy-3.7.19-276.el6.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     darkknightrises
Platform                      Linux darkknightrises 2.6.32-565.el6.x86_64 #1 SMP
                              Tue Jun 2 14:53:05 EDT 2015 x86_64 x86_64
Alert Count                   1
First Seen                    Tue 16 Jun 2015 02:41:35 PM IST
Last Seen                     Tue 16 Jun 2015 02:41:35 PM IST
Local ID                      013c2865-34ab-4e95-a530-cb114d895ce4

Raw Audit Messages
type=AVC msg=audit(1434445895.917:8072): avc:  denied  { execute } for  pid=16463 comm="glusterd" name="S57glusterfind-delete-post.py" dev=dm-0 ino=1573216 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:glusterd_var_lib_t:s0 tclass=file


type=AVC msg=audit(1434445895.917:8072): avc:  denied  { execute_no_trans } for  pid=16463 comm="glusterd" path="/var/lib/glusterd/hooks/1/delete/post/S57glusterfind-delete-post.py" dev=dm-0 ino=1573216 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:glusterd_var_lib_t:s0 tclass=file


type=SYSCALL msg=audit(1434445895.917:8072): arch=x86_64 syscall=execve success=yes exit=0 a0=7fb628008d90 a1=7fb628008b40 a2=7fb645e9b060 a3=8 items=0 ppid=13437 pid=16463 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1029 comm=S57glusterfind- exe=/usr/bin/python subj=unconfined_u:system_r:glusterd_t:s0 key=(null)

Hash: S57glusterfind-,glusterd_t,glusterd_var_lib_t,file,execute

audit2allow

#============= glusterd_t ==============
allow glusterd_t glusterd_var_lib_t:file { execute execute_no_trans };

audit2allow -R

#============= glusterd_t ==============
allow glusterd_t glusterd_var_lib_t:file { execute execute_no_trans };
======================================================

Audit logs:
======================================

type=SYSCALL msg=audit(1434437797.854:7177): arch=c000003e syscall=42 success=no exit=-115 a0=27 a1=7fd9a89ff0a8 a2=10 a3=0 items=0 ppid=14611 pid=15129 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1029 comm="smbd" exe="/usr/sbin/smbd" subj=unconfined_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1434437798.038:7178): avc:  denied  { name_bind } for  pid=15140 comm="smbd" src=990 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=system_u:object_r:ftp_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1434437798.038:7178): arch=c000003e syscall=49 success=no exit=-98 a0=38 a1=7fd9b10ec150 a2=10 a3=4a items=0 ppid=14611 pid=15140 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1029 comm="smbd" exe="/usr/sbin/smbd" subj=unconfined_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1434437798.044:7179): avc:  denied  { name_bind } for  pid=15141 comm="smbd" src=995 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=system_u:object_r:pop_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1434437798.044:7179): arch=c000003e syscall=49 success=no exit=-98 a0=39 a1=7fd9b115c640 a2=10 a3=4a items=0 ppid=14611 pid=15141 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1029 comm="smbd" exe="/usr/sbin/smbd" subj=unconfined_u:system_r:smbd_t:s0 key=(null)


=====================================
type=AVC msg=audit(1434448984.506:7950): avc:  denied  { execute } for  pid=12278 comm="glusterd" name="S57glusterfind-delete-post.py" dev=dm-2 ino=17433095 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:glusterd_var_lib_t:s0 tclass=file
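
The denials in the original description (glusterd_t executing smbd_exec_t and signalling smbd_t) and the ones in comment 2 (glusterd_t executing hook scripts labelled glusterd_var_lib_t) have the same shape, and sealert's advice in both cases is to pipe the log through audit2allow. The following Python is an added example, not code from this bug report, from glusterfs or from selinux-policy. It parses raw AVC and SYSCALL records, aggregates the denials into the same `allow` rules audit2allow prints (compare the `allow glusterd_t glusterd_var_lib_t:file { execute execute_no_trans };` line in comment 2), pairs each AVC with its SYSCALL record by audit serial to tell whether the box was actually enforcing (the sealert output in comment 2 reports `Enforcing Mode Permissive`, and the syscalls there report `success=yes`), and flags the pattern behind every hook-script AVC on this bug: a domain executing files under its own `_var_lib_t` type. The sample log is a constructed subset of the lines quoted above, with SYSCALL records trimmed to the fields used; `exec_from_writable_data` and the other function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: AVC/SYSCALL lines quoted in this bug, SYSCALL records
# trimmed to the fields this example reads (serial, success, comm, exe, subj).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1429776701.631:1186): avc:  denied  { execute } for  pid=9815 comm="S30samba-stop.s" name="smbd" dev=dm-0 ino=152897 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:smbd_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1429776701.631:1186): arch=c000003e syscall=21 success=yes exit=0 pid=9815 comm="S30samba-stop.s" exe="/bin/bash" subj=unconfined_u:system_r:glusterd_t:s0
type=AVC msg=audit(1429776701.633:1187): avc:  denied  { execute_no_trans } for  pid=9815 comm="S30samba-stop.s" path="/usr/sbin/smbd" dev=dm-0 ino=152897 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:smbd_exec_t:s0 tclass=file
type=AVC msg=audit(1429776701.954:1189): avc:  denied  { signal } for  pid=9812 comm="S30samba-stop.s" scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=unconfined_u:system_r:smbd_t:s0 tclass=process
type=SYSCALL msg=audit(1429776701.954:1189): arch=c000003e syscall=62 success=yes exit=0 pid=9812 comm="S30samba-stop.s" exe="/bin/bash" subj=unconfined_u:system_r:glusterd_t:s0
type=AVC msg=audit(1434445895.917:8072): avc:  denied  { execute } for  pid=16463 comm="glusterd" name="S57glusterfind-delete-post.py" dev=dm-0 ino=1573216 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:glusterd_var_lib_t:s0 tclass=file
type=AVC msg=audit(1434445895.917:8072): avc:  denied  { execute_no_trans } for  pid=16463 comm="glusterd" path="/var/lib/glusterd/hooks/1/delete/post/S57glusterfind-delete-post.py" dev=dm-0 ino=1573216 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:glusterd_var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1434445895.917:8072): arch=x86_64 syscall=execve success=yes exit=0 pid=16463 comm=S57glusterfind- exe=/usr/bin/python subj=unconfined_u:system_r:glusterd_t:s0
type=AVC msg=audit(1430220930.760:245): avc:  denied  { execute } for  pid=4082 comm="glusterd" name="S31ganesha-reset.sh" dev=dm-0 ino=522737 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:glusterd_var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1430220930.760:245): arch=c000003e syscall=59 success=no exit=-8 pid=4082 comm="glusterd" exe="/usr/sbin/glusterfsd" subj=unconfined_u:system_r:glusterd_t:s0
"""

AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$')
SYSCALL_RE = re.compile(
    r'^type=SYSCALL msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def _kv(rest):
    """Turn 'k=v k2="v 2"' into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(rest)}


def type_of(context):
    """Return the type component of an SELinux context (user:role:type:level)."""
    return context.split(':')[2]


def parse_audit(text):
    """Parse AVC and SYSCALL records; return (avc list, syscall dict keyed by serial)."""
    avcs, syscalls = [], {}
    for line in text.splitlines():
        m = AVC_RE.match(line)
        if m:
            f = _kv(m.group('rest'))
            avcs.append({
                'serial': m.group('serial'),
                'result': m.group('result'),
                'perms': set(m.group('perms').split()),
                'stype': type_of(f['scontext']),
                'ttype': type_of(f['tcontext']),
                'tclass': f['tclass'],
                'comm': f.get('comm', ''),
                # file AVCs carry either a bare name or a full path
                'target': f.get('path') or f.get('name', ''),
            })
            continue
        m = SYSCALL_RE.match(line)
        if m:
            syscalls[m.group('serial')] = _kv(m.group('rest'))
    return avcs, syscalls


def allow_rules(avcs):
    """Aggregate denials per (source type, target type, class) into the
    allow rules audit2allow would emit, permissions sorted as it prints them."""
    perms = defaultdict(set)
    for a in avcs:
        if a['result'] == 'denied':
            perms[(a['stype'], a['ttype'], a['tclass'])] |= a['perms']
    return [f'allow {s} {t}:{c} {{ {" ".join(sorted(p))} }};'
            for (s, t, c), p in sorted(perms.items())]


def enforcement(avcs, syscalls):
    """Map each AVC serial to 'permissive' (denied, yet the syscall succeeded),
    'enforced' (syscall failed) or 'unknown' (no SYSCALL record in the sample)."""
    out = {}
    for a in avcs:
        sc = syscalls.get(a['serial'])
        if sc is None:
            out[a['serial']] = 'unknown'
        else:
            out[a['serial']] = 'permissive' if sc.get('success') == 'yes' else 'enforced'
    return out


def exec_from_writable_data(avcs):
    """Targets a domain tried to execute under a *_var_lib_t type, i.e. the
    hook-script pattern in this bug (hypothetical triage heuristic)."""
    return sorted({a['target'] for a in avcs
                   if a['ttype'].endswith('_var_lib_t')
                   and a['perms'] & {'execute', 'execute_no_trans'}})


if __name__ == '__main__':
    avcs, syscalls = parse_audit(SAMPLE_AUDIT_LOG)
    print('\n'.join(allow_rules(avcs)))
    print(enforcement(avcs, syscalls))
    print(exec_from_writable_data(avcs))
```

Run against a real `/var/log/audit/audit.log` the same parser shows why the `audit2allow -M mypol` shortcut from the sealert output deserves a look before `semodule -i`: the aggregated rule grants the whole `glusterd_var_lib_t` type execute rights to `glusterd_t`, not just the hook directory, which is exactly the kind of broad rule a policy fix in the distribution package (the resolution on this bug) avoids having to carry locally. The enforcement column is the first thing to check when triaging: a denial with `success=yes` was logged on a permissive system and blocked nothing, while `success=no` (the `S31ganesha-reset.sh` execve in comment 4) was a real failure.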

Comment 3 Prasanth 2015-06-19 06:50:55 UTC
*** Bug 1232217 has been marked as a duplicate of this bug. ***

Comment 4 Prasanth 2015-06-19 06:54:07 UTC
<snip>

time->Tue Apr 28 11:35:30 2015
type=SYSCALL msg=audit(1430220930.760:245): arch=c000003e syscall=59 success=no exit=-8 a0=7f25d0008cb0 a1=7f25d0008a60 a2=c5ef10 a3=8 items=0 ppid=29524 pid=4082 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="glusterd" exe="/usr/sbin/glusterfsd" subj=unconfined_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1430220930.760:245): avc:  denied  { execute_no_trans } for  pid=4082 comm="glusterd" path="/var/lib/glusterd/hooks/1/reset/post/S31ganesha-reset.sh" dev=dm-0 ino=522737 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:glusterd_var_lib_t:s0 tclass=file
type=AVC msg=audit(1430220930.760:245): avc:  denied  { execute } for  pid=4082 comm="glusterd" name="S31ganesha-reset.sh" dev=dm-0 ino=522737 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:glusterd_var_lib_t:s0 tclass=file
----
time->Tue Apr 28 11:35:30 2015
type=SYSCALL msg=audit(1430220930.779:246): arch=c000003e syscall=0 success=yes exit=155 a0=5 a1=3db06118c0 a2=3ff a3=0 items=0 ppid=4082 pid=4084 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ps" exe="/bin/ps" subj=unconfined_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1430220930.779:246): avc:  denied  { sys_ptrace } for  pid=4084 comm="ps" capability=19  scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=unconfined_u:system_r:glusterd_t:s0 tclass=capability
Fail: AVC messages found.
Checking for errors...
Using stronger AVC checks.
	Define empty RHTS_OPTION_STRONGER_AVC parameter if this causes any problems.
Running 'cat /mnt/testarea/tmp.rhts-db-submit-result.ZrfFAZ | /sbin/ausearch -m AVC -m SELINUX_ERR'
Fail: AVC messages found.
Running 'cat %s | /sbin/ausearch -m USER_AVC >/mnt/testarea/tmp.rhts-db-submit-result.z5f4z9 2>&1'
Info: No AVC messages found.
/bin/grep 'avc: ' /mnt/testarea/dmesg.log | /bin/grep --invert-match TESTOUT.log
No AVC messages found in dmesg
Running '/usr/sbin/sestatus'
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted
Running 'rpm -q selinux-policy || true'
selinux-policy-3.7.19-260.el6.noarch

</snip>

Comment 5 Prasanth 2015-06-19 06:54:58 UTC
*** Bug 1217198 has been marked as a duplicate of this bug. ***

Comment 8 surabhi 2015-07-04 06:05:09 UTC
With SELinux policy selinux-policy-3.7.19-279.el6.noarch, there are no AVC's seen
related to SMB/CTDB hook scripts on RHEL6.7.
Marking the BZ to verified.

Comment 9 errata-xmlrpc 2015-07-29 04:42:10 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-1495.html

