Bug 1223311
| Summary: | Possible file descriptor leak from pmdanamed.pl to rndc | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Miloš Prchlík <mprchlik> |
| Component: | pcp | Assignee: | Nathan Scott <nathans> |
| Status: | CLOSED ERRATA | QA Contact: | Miloš Prchlík <mprchlik> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 6.7 | CC: | brolley, lberk, mbenitez, mcermak |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | pcp-3.10.9-6.el6 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2016-05-10 21:12:47 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Nathan Scott:

> According to these /usr/sbin/rndc tries to open /var/lib/pcp/pmdas/named/domain.h.perl and /var/lib/pcp/pmdas/named/pmns.perl

This is so strange - the way that these two files (pmns & domain.h .perl files) come into being is the pmdas/named/Install script creates them, via shell code in $PCP_SHARE_DIR/lib/pmdaproc.sh

pmdaproc.sh uses special environment variables to trigger code in PMDA.run(), called by pmdanamed.pl to generate a namespace and domain.h file - in normal operation (i.e. any time pmdanamed.pl might be invoking rndc) these files should *not* be getting created ... so, wow, I'm surprised this is happening!

Will need some deeper investigation I think.

In the meantime, for this kind of bug Miloš (i.e. where the "Steps to reproduce" ends with a PMDA ./Install) it would be very helpful to create an upstream pcp qa/NNN test. The qa/755 test for the Apache PMDA would be a good example to follow - if we begin producing these, then upstream community developers like kenj will start helping us to fix 'em more quickly, which would be an awesome outcome for RHEL. :)

Miloš Prchlík:

(In reply to Nathan Scott from comment #1)
> > According to these /usr/sbin/rndc tries to open
> > /var/lib/pcp/pmdas/named/domain.h.perl and /var/lib/pcp/pmdas/named/pmns.perl

Ah, as I read it again, this is not the correct interpretation of those two AVC denials, I'm sorry for that, it's definitely misleading. SELinux is complaining about rndc trying to *write* into those files, not about opening them. As I mentioned, the files may have been opened by the parent process and leaked into the rndc process somewhere later, not being properly closed before forking rndc.

> This is so strange - the way that these two files (pmns & domain.h .perl files)
> come into being is the pmdas/named/Install script creates them, via shell code
> in $PCP_SHARE_DIR/lib/pmdaproc.sh
>
> pmdaproc.sh uses special environment variables to trigger code in PMDA.run(),
> called by pmdanamed.pl to generate a namespace and domain.h file - in normal
> operation (i.e. any time pmdanamed.pl might be invoking rndc) these files
> should *not* be getting created ... so, wow, I'm surprised this is happening!
>
> Will need some deeper investigation I think.

For this, I can provide you with a few boxes from the beaker pool. This issue is quite easy to reproduce; I noticed it in several different test runs I started during the last week.

> In the meantime, for this kind of bug Miloš (i.e. where the "Steps to
> reproduce" ends with a PMDA ./Install) it would be very helpful to create an
> upstream pcp qa/NNN test. The qa/755 test for the Apache PMDA would be a good
> example to follow - if we begin producing these, then upstream community
> developers like kenj will start helping us to fix 'em more quickly, which would
> be an awesome outcome for RHEL. :)

Sounds good! I'll contact you on irc/by mail before I start spamming pcp with qe patches :)

Nathan Scott:

Hi Miloš,

I think I understand what's happening here now. Not an urgent fix (the Install process still works even though these AVC denials are being generated), but could you try out the patch below when the next opportunity is available? (Needs a system with rndc set up.)

diff --git a/src/pmdas/named/pmdanamed.pl b/src/pmdas/named/pmdanamed.pl
index a0f03ba..a005d66 100644
--- a/src/pmdas/named/pmdanamed.pl
+++ b/src/pmdas/named/pmdanamed.pl
@@ -120,6 +120,16 @@ foreach $statsdir ( @paths ) {
last if ( -f $statsfile );
}
die "Cannot find a valid named statistics file\n" unless -f $statsfile;
+
+# Perform the namespace and domain evaluation earlier than usual.
+# This must be done to ensure we do not execute "rndc stats" with
+# our stdout set to either of these locations (SElinux AVC denial
+# results otherwise).
+if (defined($ENV{PCP_PERL_PMNS}) || defined($ENV{PCP_PERL_DOMAIN})) {
+ $pmda->run;
+ exit(0);
+}
+
named_update(); # push some values into the statistics file
$pmda->set_fetch_callback(\&named_fetch_callback);
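Review bot: the new early-exit block lands below `die "Cannot find a valid named statistics file\n" unless -f $statsfile;`, yet it uses only `$pmda`, not `$statsfile`, so the PCP_PERL_PMNS / PCP_PERL_DOMAIN run that ./Install triggers still aborts on a host where named has not written a statistics file; if that is not deliberate, move the block above the `foreach $statsdir ( @paths )` loop, or say in the comment why the stats file must exist at Install time. The reorder also only ensures that this particular call sequence no longer reaches `named_update()` (and hence "rndc stats") with stdout pointing at pmns.perl or domain.h.perl; redirecting rndc's stdout inside named_update() itself would remove the inherited-descriptor exposure regardless of where the call is made. Lastly, the two environment variable names duplicate a check PMDA->run performs internally; a one-line note that they must track the PCP::PMDA module keeps the two from drifting apart.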
Nathan Scott:

Thanks for access Miloš, I've pushed a fix (and tests qa/1033,1034) upstream. At this stage I'm thinking this one's probably not critical enough to warrant a backport, but if we pick up other fixes for 6.8 we could add this one in too. cheers.

Miloš Prchlík:

Verified for build pcp-3.10.9-6.el6.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-0825.html
Miloš Prchlík:

Description of problem:

This starts with two AVC denials I encountered during my named pmda testing:

    ----
    time->Wed May 20 00:22:31 2015
    type=SYSCALL msg=audit(1432052551.639:25096): arch=80000015 syscall=11 success=yes exit=0 a0=fffc9d483e6 a1=1003c7cce80 a2=1003c7c53a0 a3=6e items=0 ppid=9307 pid=9311 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rndc" exe="/usr/sbin/rndc" subj=unconfined_u:unconfined_r:ndc_t:s0-s0:c0.c1023 key=(null)
    type=AVC msg=audit(1432052551.639:25096): avc: denied { write } for pid=9311 comm="rndc" path="/var/lib/pcp/pmdas/named/domain.h.perl" dev=dm-0 ino=1186283 scontext=unconfined_u:unconfined_r:ndc_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:pcp_var_lib_t:s0 tclass=file
    ----
    time->Wed May 20 00:22:31 2015
    type=SYSCALL msg=audit(1432052551.919:25097): arch=80000015 syscall=11 success=yes exit=0 a0=fffefa78556 a1=100048ece80 a2=100048e53a0 a3=6e items=0 ppid=9314 pid=9315 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rndc" exe="/usr/sbin/rndc" subj=unconfined_u:unconfined_r:ndc_t:s0-s0:c0.c1023 key=(null)
    type=AVC msg=audit(1432052551.919:25097): avc: denied { write } for pid=9315 comm="rndc" path="/var/lib/pcp/pmdas/named/pmns.perl" dev=dm-0 ino=1186284 scontext=unconfined_u:unconfined_r:ndc_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:pcp_var_lib_t:s0 tclass=file

According to these, /usr/sbin/rndc tries to open /var/lib/pcp/pmdas/named/domain.h.perl and /var/lib/pcp/pmdas/named/pmns.perl, but as I understand the workings of pmdanamed.pl there's no reason why rndc should work with these two files; it should not even know they exist...

After a short discussion with Miloš Malík, our SELinux specialist, he suggested this may be caused by a file descriptor leaking from the parent (pmdanamed.pl) to a child (rndc stats), and this file descriptor - despite the child not trying to access it - is still open and can cause such an AVC denial. Therefore I'm opening this bug for pcp instead of one for selinux-policy, because I believe this is *not* caused by incomplete or wrong SELinux settings.

Version-Release number of selected component (if applicable):
pcp-3.10.3-3.el6
selinux-policy-3.7.19-260.el6_6.3

How reproducible:

Steps to Reproduce:
1. install bind (or have /usr/sbin/rndc available)
2. cd /var/lib/pcp/pmdas/named
3. ./Install

Actual results:

Expected results:

Additional info:
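The mechanism Miloš Malík pointed at, shown as an added example; this is not PCP or pmdanamed.pl code. File descriptors survive fork and execve unless they carry FD_CLOEXEC or the parent closes them, and stdin, stdout and stderr are handed to every child by design. When the child lands in a different SELinux domain (rndc runs as ndc_t), the kernel revalidates each inherited descriptor against the new domain at execve, which is why both AVC records above are paired with syscall=11 (execve on ppc64, arch=80000015) and report a { write } denial on files rndc never opened itself. The script below, written in Python rather than Perl so the outcomes are easy to assert on, redirects its own stdout into a file the way a shell redirect in an Install script would, runs a child, and shows the child's output landing in that file; it then shows the two fixes: giving the child its own stdout (/dev/null) and keeping the parent's other descriptors non-inheritable (close_fds / O_CLOEXEC). The child program, the marker string, and the probe fd number 99 are constructed for the demo.

```python
"""Added example: how an open file descriptor reaches a child process.

Not PCP/pmdanamed.pl code.  Reproduces the fd-inheritance mechanism behind the
AVC denials: a parent whose stdout points at a file, or that holds an
inheritable descriptor, runs a child, and the child owns that descriptor after
fork/exec even if it never touches it.
"""
import os
import subprocess
import sys
import tempfile

# Child program (constructed for the demo): write a marker to stdout, then
# report on stderr whether argv[1] is an open fd referring to the file whose
# "dev:ino" is argv[2]: "inherited", "other" (number reused) or "closed".
CHILD = r"""
import os, sys
sys.stdout.write("child-wrote-here\n")
fd, want = int(sys.argv[1]), sys.argv[2]
try:
    st = os.fstat(fd)
except OSError:
    sys.stderr.write("closed")
else:
    sys.stderr.write("inherited" if "%d:%d" % (st.st_dev, st.st_ino) == want else "other")
"""


def run_child_with_redirected_stdout(redirect_child: bool) -> str:
    """Parent points its own fd 1 at a scratch file (as a shell redirect of
    pmdanamed.pl's output into pmns.perl would), then runs a child.
    Returns the scratch file contents so the caller can see whether the
    child's stdout writes leaked into it.  redirect_child=True applies the fix:
    the child gets /dev/null as stdout instead of inheriting ours."""
    with tempfile.TemporaryFile("w+") as target:
        saved = os.dup(1)
        try:
            os.dup2(target.fileno(), 1)  # parent's stdout is now the file
            kwargs = {"stdout": subprocess.DEVNULL} if redirect_child else {}
            # fd 99 / "0:0" are dummy probe arguments; only stdout matters here.
            subprocess.run([sys.executable, "-c", CHILD, "99", "0:0"],
                           stderr=subprocess.DEVNULL, check=True, **kwargs)
        finally:
            os.dup2(saved, 1)  # restore the parent's real stdout
            os.close(saved)
        target.seek(0)
        return target.read()


def child_sees_fd(inheritable: bool, close_fds: bool) -> str:
    """Open a scratch file for writing, optionally mark the descriptor
    inheritable (Python opens files O_CLOEXEC by default), and ask the child
    whether that descriptor is open on its side.  close_fds=True is the
    subprocess-level fix: every fd above 2 is closed in the child before exec
    whatever its O_CLOEXEC state."""
    with tempfile.TemporaryFile("w") as scratch:
        fd = scratch.fileno()
        st = os.fstat(fd)
        os.set_inheritable(fd, inheritable)
        proc = subprocess.run(
            [sys.executable, "-c", CHILD, str(fd), "%d:%d" % (st.st_dev, st.st_ino)],
            stdout=subprocess.DEVNULL, stderr=subprocess.PIPE,
            close_fds=close_fds, text=True, check=True)
        return proc.stderr.strip()


if __name__ == "__main__":
    leaked = run_child_with_redirected_stdout(redirect_child=False)
    print("child output landed in parent's redirected file:", "child-wrote-here" in leaked)
    fixed = run_child_with_redirected_stdout(redirect_child=True)
    print("same, with the child's stdout sent to /dev/null:", "child-wrote-here" in fixed)
    print("inheritable fd, close_fds=False:", child_sees_fd(True, False))
    print("inheritable fd, close_fds=True: ", child_sees_fd(True, True))
    print("O_CLOEXEC fd,   close_fds=False:", child_sees_fd(False, False))
```

The first case is the one in this bug: the parent never passes the file to the child, yet the child's fd 1 is that file, so any policy check on the child's inherited descriptors (SELinux at execve here) sees a writable handle on it. Either fix removes the exposure; redirecting the child's stdout is the one that matters for rndc, since fds 0 to 2 are exempt from close_fds.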