Bug 1219317 - Update SELinux policies for Samba and CTDB in RHEL 6.6
Summary: Update SELinux policies for Samba and CTDB in RHEL 6.6
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.6
Hardware: All
OS: Linux
unspecified
urgent
Target Milestone: rc
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks: 1208420
 
Reported: 2015-05-07 02:29 UTC by Jose A. Rivera
Modified: 2015-07-22 07:14 UTC (History)

Fixed In Version: selinux-policy-3.7.19-268.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-07-22 07:14:03 UTC


Attachments
Samba/CTDB SELinux policies (93.59 KB, application/x-gzip)
2015-05-07 02:29 UTC, Jose A. Rivera
AVCs from first machine (229.94 KB, text/plain)
2015-05-13 13:16 UTC, Milos Malik
AVCs from second machine (172.78 KB, text/plain)
2015-05-13 13:17 UTC, Milos Malik


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2015:1375 normal SHIPPED_LIVE selinux-policy bug fix and enhancement update 2015-07-20 18:07:47 UTC

Description Jose A. Rivera 2015-05-07 02:29:08 UTC
Created attachment 1022875 [details]
Samba/CTDB SELinux policies

RHS is a layered product on top of RHEL that provides more advanced versions of Samba and CTDB (4.1.14 and 2.5.4, respectively, in the latest release). The SELinux policies should be extended to cover the needs of these versions (in addition to the current RHEL6.6 versions).

I've put together a preliminary set of policies that I believe begin to accomplish this. I took the samba and ctdb policies from RHEL7.1, commented out/renamed things that don't exist in RHEL6.6, and applied it. Samba/CTDB services ran without noticeable problems though there were still several AVCs. I asked Milos (mmalik) for a hand in reviewing these policies, and he suggested a number of additions to the policies and configurations. I'm not sure how to include all those in RPM packaging.

I'll be including his message as a reply to this BZ.

Please find the proposed policies attached as *.te and *.pp files in a tgz. They are named as follows:

samba    - Backport of RHEL7 policy
ctdbd    - Backport of RHEL7 policy (named ctdb in RHEL7)
mypol    - stray AVC I noticed, possibly RHEL7 bug?
mypolicy - Changes/additions suggested by mmalik

Comment 1 Jose A. Rivera 2015-05-07 02:31:30 UTC
From Milos:

I don't know what is the purpose of files in /etc/ctdb/events.d/ directory, but I believe they should be labeled bin_t, because they are shell scripts and they are executed by ctdb_event_helper. Now they are labeled etc_t which implies that they contain some kind of configuration, which is not true. If they were labeled bin_t, there would be less AVCs.

Permanent labeling for files in /etc/ctdb/events.d/ can be enabled via following commands:
# semanage fcontext -a -f '' -t bin_t '/etc/ctdb/events.d/.*'
# restorecon -Rv /etc/ctdb

Permanent labeling for files in /etc/ctdb/events.d/ can be disabled via following commands:
# semanage fcontext -d -f '' -t bin_t '/etc/ctdb/events.d/.*'
# restorecon -Rv /etc/ctdb

You can list the local file context customizations via following command:
# semanage fcontext -l -C
SELinux fcontext                                   type               Context

/etc/ctdb/events.d/.*                              all files          system_u:object_r:bin_t:s0
/var/log/core(/.*)?                                all files          system_u:object_r:virt_cache_t:s0
#

There is a special policy module loaded on both machines. This policy module contains additional policy rules, which were missing in default policy and which caused the AVCs. You can find it via following command:

# semodule -l | grep mypolicy
mypolicy        1.0        
#

In /root directory you can find mypolicy.te (source code of the policy module) file and mypolicy.pp (compiled code of the policy module).

If you want to remove the policy module then run: semodule -r mypolicy
If you want to insert the policy module again then run: semodule -i mypolicy.pp

Based on AVCs which remained, it seems that the smb service wants to load the ipv6 kernel module. Therefore I recommend to enable the domain_kernel_load_modules boolean. You can permanently enable it via:
# setsebool -P domain_kernel_load_modules on

or disable it via:

# setsebool -P domain_kernel_load_modules off

Comment 3 Miroslav Grepl 2015-05-13 13:06:18 UTC
Can we get AVCs needed for mypol.te?

Comment 4 Milos Malik 2015-05-13 13:16:29 UTC
Created attachment 1025052 [details]
AVCs from first machine

Comment 5 Milos Malik 2015-05-13 13:17:18 UTC
Created attachment 1025053 [details]
AVCs from second machine

Comment 7 surabhi 2015-05-18 12:27:08 UTC
Tried on RHEL6.7 with following versions of:

glusterfs: 
glusterfs-3.7.0beta2-0.2.gitc1cd4fa.el6.x86_64
Samba:
samba-4.1.17-5.el6.x86_64
Selinux:selinux-policy-3.7.19-267.el6.noarch

Service smb starts without logging any AVC.

After starting the smb service, if I try to mount the gluster volume over CIFS I get the following AVCs:


type=AVC msg=audit(1431930264.825:77): avc:  denied  { write } for  pid=6245 comm="glusterd" name="glusterd.socket" dev=dm-0 ino=784323 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file

type=AVC msg=audit(1431930264.826:78): avc:  denied  { unlink } for  pid=6245 comm="glusterd" name="glusterd.socket" dev=dm-0 ino=784323 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file

type=AVC msg=audit(1431930277.984:79): avc:  denied  { execute } for  pid=6334 comm="glusterd" name="S29CTDBsetup.sh" dev=dm-0 ino=784303 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:glusterd_var_lib_t:s0 tclass=file

type=AVC msg=audit(1431930277.984:79): avc:  denied  { execute_no_trans } for  pid=6334 comm="glusterd" path="/var/lib/glusterd/hooks/1/start/post/S29CTDBsetup.sh" dev=dm-0 ino=784303 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:glusterd_var_lib_t:s0 tclass=file

type=AVC msg=audit(1431930277.989:80): avc:  denied  { execute } for  pid=6335 comm="S29CTDBsetup.sh" name="hostname" dev=dm-0 ino=130329 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file

type=AVC msg=audit(1431930277.989:81): avc:  denied  { execute_no_trans } for  pid=6335 comm="S29CTDBsetup.sh" path="/bin/hostname" dev=dm-0 ino=130329 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file

type=AVC msg=audit(1431930278.019:82): avc:  denied  { execute } for  pid=6353 comm="S30samba-start." name="smbd" dev=dm-0 ino=925890 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:smbd_exec_t:s0 tclass=file

type=AVC msg=audit(1431930278.019:83): avc:  denied  { execute_no_trans } for  pid=6353 comm="S30samba-start." path="/usr/sbin/smbd" dev=dm-0 ino=925890 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:smbd_exec_t:s0 tclass=file

type=AVC msg=audit(1431930278.187:84): avc:  denied  { signal } for  pid=6338 comm="S30samba-start." scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=unconfined_u:system_r:smbd_t:s0 tclass=process

type=AVC msg=audit(1431930685.513:97): avc:  denied  { search } for  pid=6458 comm="smbd" name="glusterfs" dev=dm-0 ino=269456 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=system_u:object_r:glusterd_conf_t:s0 tclass=dir

type=AVC msg=audit(1431930685.514:98): avc:  denied  { search } for  pid=6458 comm="smbd" name="glusterfs" dev=dm-0 ino=269456 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=system_u:object_r:glusterd_conf_t:s0 tclass=dir


type=AVC msg=audit(1431930685.532:99): avc:  denied  { search } for  pid=6458 comm="smbd" scontext=unconfined_u:system_r:smbd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir

type=AVC msg=audit(1431930685.533:100): avc:  denied  { name_bind } for  pid=6458 comm="smbd" src=1023 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket


type=AVC msg=audit(1431930685.534:101): avc:  denied  { name_connect } for  pid=6458 comm="smbd" dest=24007 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=system_u:object_r:gluster_port_t:s0 tclass=tcp_socket


Have created another BZ https://bugzilla.redhat.com/show_bug.cgi?id=1221929 for the mount issue. Will provide the logs in the BZ.
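As an added example (not part of this bug report or of the selinux-policy package), the script below summarises AVC records like the ones in Comment 7 into the `allow` rules an ad-hoc module such as mypol.te would need, and separately flags executes of `*_exec_t` entrypoint files, where a domain transition (the approach taken for glusterd -> smbd in Comment 8) is the better fix than a plain allow rule. The sample audit text is copied from Comment 7 above; the function names are this example's own.

```python
import re
from collections import defaultdict

# AVC records copied from Comment 7 of this bug (trimmed to six lines).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1431930264.825:77): avc:  denied  { write } for  pid=6245 comm="glusterd" name="glusterd.socket" dev=dm-0 ino=784323 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1431930264.826:78): avc:  denied  { unlink } for  pid=6245 comm="glusterd" name="glusterd.socket" dev=dm-0 ino=784323 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1431930277.984:79): avc:  denied  { execute } for  pid=6334 comm="glusterd" name="S29CTDBsetup.sh" dev=dm-0 ino=784303 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:glusterd_var_lib_t:s0 tclass=file
type=AVC msg=audit(1431930277.984:79): avc:  denied  { execute_no_trans } for  pid=6334 comm="glusterd" path="/var/lib/glusterd/hooks/1/start/post/S29CTDBsetup.sh" dev=dm-0 ino=784303 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:glusterd_var_lib_t:s0 tclass=file
type=AVC msg=audit(1431930278.019:82): avc:  denied  { execute } for  pid=6353 comm="S30samba-start." name="smbd" dev=dm-0 ino=925890 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:smbd_exec_t:s0 tclass=file
type=AVC msg=audit(1431930685.534:101): avc:  denied  { name_connect } for  pid=6458 comm="smbd" dest=24007 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=system_u:object_r:gluster_port_t:s0 tclass=tcp_socket
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def context_type(ctx):
    """Return the type field of a user:role:type[:range] security context."""
    return ctx.split(":")[2]

def summarise_denials(audit_text):
    """Map (source type, target type, object class) -> set of denied permissions."""
    denials = defaultdict(set)
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial record (e.g. SYSCALL, PATH lines)
        key = (context_type(m["scontext"]), context_type(m["tcontext"]), m["tclass"])
        denials[key].update(m["perms"].split())
    return denials

def to_allow_rules(denials):
    """Render the summary as Type Enforcement 'allow' rules, audit2allow-style."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(denials.items()):
        rules.append(f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return rules

def exec_without_transition(denials):
    """Entrypoint types (*_exec_t) executed by a foreign domain: these want a
    domain_auto_trans / type transition rule, not a blanket execute allow."""
    return sorted(ttype for (stype, ttype, tclass), perms in denials.items()
                  if tclass == "file" and "execute" in perms and ttype.endswith("_exec_t"))

if __name__ == "__main__":
    d = summarise_denials(SAMPLE_AUDIT)
    print("\n".join(to_allow_rules(d)))
    print("entrypoint types executed without transition:", exec_without_transition(d))
```

The generated rules are a review starting point, equivalent to what `audit2allow` would propose; the `*_exec_t` check is what distinguishes the smbd case from the rest.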

Comment 8 Miroslav Grepl 2015-05-19 10:52:38 UTC
commit a30bb467a268e913e44c43a20d486a9e6ebba126
Author: Miroslav Grepl <mgrepl@redhat.com>
Date:   Tue May 19 12:50:03 2015 +0200

    Add new boolean samba_load_libgfapi to allow smbd load libgfapi from gluster. Allow smbd to read gluster config files by default.

commit 1636395b6882038083bd85f0799ee5d6bc7bf371
Author: Miroslav Grepl <mgrepl@redhat.com>
Date:   Tue May 19 12:35:05 2015 +0200

    Allow gluster to transition to smbd. It is needed for smbd+gluster configuration.

commit 8f46f8bab5be1ea8df4055e7728a715e14fab257
Author: Miroslav Grepl <mgrepl@redhat.com>
Date:   Tue May 19 12:51:54 2015 +0200

    Allow glusterd to have sys_ptrace capability. Needed by gluster+samba configuration.

Comment 9 Miroslav Grepl 2015-05-19 13:25:54 UTC
Could you please test it with

https://brewweb.devel.redhat.com/taskinfo?taskID=9198180

Comment 12 surabhi 2015-05-28 11:18:10 UTC
With the latest build provided today by Miroslav :
https://brewweb.devel.redhat.com/buildinfo?buildID=437561

None of the AVC's are seen for gluster-samba.
Verified with both enforcing mode and permissive mode.

This has been verified on RHEL6.7. Need a backport for RHEL6.6, and the fix is required for RHEL7.1 as well.

Updated BZ https://bugzilla.redhat.com/show_bug.cgi?id=1221929

Comment 14 Jose A. Rivera 2015-06-15 14:32:49 UTC
Clearing the needinfo flag. ;)

Comment 15 errata-xmlrpc 2015-07-22 07:14:03 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-1375.html

