Bug 1232217 - [Selinux] AVC logs messages seen in RHEL 6.7 set-up while enabling\disabling cluster.enable-shared-storage
Summary: [Selinux] AVC logs messages seen in RHEL 6.7 set-up while enabling\disabling ...
Keywords:
Status: CLOSED DUPLICATE of bug 1215637
Alias: None
Product: Red Hat Gluster Storage
Classification: Red Hat Storage
Component: glusterfind
Version: rhgs-3.1
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: urgent
Target Milestone: ---
Target Release: ---
Assignee: Bug Updates Notification Mailing List
QA Contact: Sweta Anandpara
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2015-06-16 10:06 UTC by Anil Shah
Modified: 2016-09-17 15:20 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-06-19 06:50:55 UTC
Embargoed:



Description Anil Shah 2015-06-16 10:06:30 UTC
Description of problem:

While disabling cluster.enable-shared-storage, saw log messages 
========================================================
Jun 16 14:41:40 darkknightrises setroubleshoot: SELinux is preventing /usr/bin/python from execute access on the file /var/lib/glusterd/hooks/1/delete/post/S57glusterfind-delete-post.py. For complete SELinux messages. run sealert -l 013c2865-34ab-4e95-a530-cb114d895ce4



Version-Release number of selected component (if applicable):

[root@darkknightrises ~]# rpm -qa  | grep glusterfs
glusterfs-3.7.1-3.el6rhs.x86_64
glusterfs-cli-3.7.1-3.el6rhs.x86_64
glusterfs-libs-3.7.1-3.el6rhs.x86_64
glusterfs-client-xlators-3.7.1-3.el6rhs.x86_64
glusterfs-fuse-3.7.1-3.el6rhs.x86_64
glusterfs-server-3.7.1-3.el6rhs.x86_64
glusterfs-debuginfo-3.7.1-3.el6rhs.x86_64
samba-vfs-glusterfs-4.1.17-4.el6rhs.x86_64
glusterfs-api-3.7.1-3.el6rhs.x86_64
glusterfs-geo-replication-3.7.1-3.el6rhs.x86_64



Selinux Version:
===============================
[root@darkknightrises ~]# rpm -qa |grep selinux
selinux-policy-targeted-3.7.19-276.el6.noarch
libselinux-2.0.94-5.8.el6.x86_64
libselinux-utils-2.0.94-5.8.el6.x86_64
selinux-policy-3.7.19-276.el6.noarch
libselinux-python-2.0.94-5.8.el6.x86_64


How reproducible:


Steps to Reproduce:
1. Create 2*2 distribute-replicate volume
2. gluster vol set all cluster.enable-shared-storage enable
3. gluster vol set all cluster.enable-shared-storage disable

Actual results:

Jun 16 14:41:40 darkknightrises setroubleshoot: SELinux is preventing /usr/bin/python from execute access on the file /var/lib/glusterd/hooks/1/delete/post/S57glusterfind-delete-post.py. For complete SELinux messages. run sealert -l 013c2865-34ab-4e95-a530-cb114d895ce4
===================================================

[root@darkknightrises ~]# sealert -l 013c2865-34ab-4e95-a530-cb114d895ce4
SELinux is preventing /usr/bin/python from execute access on the file /var/lib/glusterd/hooks/1/delete/post/S57glusterfind-delete-post.py.

*****  Plugin leaks (86.2 confidence) suggests  ******************************

If you want to ignore python trying to execute access the S57glusterfind-delete-post.py file, because you believe it should not need this access.
Then you should report this as a bug.  
You can generate a local policy module to dontaudit this access.
Do
# grep /usr/bin/python /var/log/audit/audit.log | audit2allow -D -M mypol
# semodule -i mypol.pp

*****  Plugin catchall (14.7 confidence) suggests  ***************************

If you believe that python should be allowed execute access on the S57glusterfind-delete-post.py file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep S57glusterfind- /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                unconfined_u:system_r:glusterd_t:s0
Target Context                system_u:object_r:glusterd_var_lib_t:s0
Target Objects                /var/lib/glusterd/hooks/1/delete/post
                              /S57glusterfind-delete-post.py [ file ]
Source                        S57glusterfind-
Source Path                   /usr/bin/python
Port                          <Unknown>
Host                          darkknightrises
Source RPM Packages           python-2.6.6-64.el6.x86_64
Target RPM Packages           glusterfs-server-3.7.1-3.el6rhs.x86_64
Policy RPM                    selinux-policy-3.7.19-276.el6.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     darkknightrises
Platform                      Linux darkknightrises 2.6.32-565.el6.x86_64 #1 SMP
                              Tue Jun 2 14:53:05 EDT 2015 x86_64 x86_64
Alert Count                   1
First Seen                    Tue 16 Jun 2015 02:41:35 PM IST
Last Seen                     Tue 16 Jun 2015 02:41:35 PM IST
Local ID                      013c2865-34ab-4e95-a530-cb114d895ce4

Raw Audit Messages
type=AVC msg=audit(1434445895.917:8072): avc:  denied  { execute } for  pid=16463 comm="glusterd" name="S57glusterfind-delete-post.py" dev=dm-0 ino=1573216 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:glusterd_var_lib_t:s0 tclass=file


type=AVC msg=audit(1434445895.917:8072): avc:  denied  { execute_no_trans } for  pid=16463 comm="glusterd" path="/var/lib/glusterd/hooks/1/delete/post/S57glusterfind-delete-post.py" dev=dm-0 ino=1573216 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:glusterd_var_lib_t:s0 tclass=file


type=SYSCALL msg=audit(1434445895.917:8072): arch=x86_64 syscall=execve success=yes exit=0 a0=7fb628008d90 a1=7fb628008b40 a2=7fb645e9b060 a3=8 items=0 ppid=13437 pid=16463 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1029 comm=S57glusterfind- exe=/usr/bin/python subj=unconfined_u:system_r:glusterd_t:s0 key=(null)

Hash: S57glusterfind-,glusterd_t,glusterd_var_lib_t,file,execute

audit2allow

#============= glusterd_t ==============
allow glusterd_t glusterd_var_lib_t:file { execute execute_no_trans };

audit2allow -R

#============= glusterd_t ==============
allow glusterd_t glusterd_var_lib_t:file { execute execute_no_trans };
======================================================

Audit logs:
======================================

type=SYSCALL msg=audit(1434437797.854:7177): arch=c000003e syscall=42 success=no exit=-115 a0=27 a1=7fd9a89ff0a8 a2=10 a3=0 items=0 ppid=14611 pid=15129 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1029 comm="smbd" exe="/usr/sbin/smbd" subj=unconfined_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1434437798.038:7178): avc:  denied  { name_bind } for  pid=15140 comm="smbd" src=990 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=system_u:object_r:ftp_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1434437798.038:7178): arch=c000003e syscall=49 success=no exit=-98 a0=38 a1=7fd9b10ec150 a2=10 a3=4a items=0 ppid=14611 pid=15140 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1029 comm="smbd" exe="/usr/sbin/smbd" subj=unconfined_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1434437798.044:7179): avc:  denied  { name_bind } for  pid=15141 comm="smbd" src=995 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=system_u:object_r:pop_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1434437798.044:7179): arch=c000003e syscall=49 success=no exit=-98 a0=39 a1=7fd9b115c640 a2=10 a3=4a items=0 ppid=14611 pid=15141 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1029 comm="smbd" exe="/usr/sbin/smbd" subj=unconfined_u:system_r:smbd_t:s0 key=(null)


=====================================
type=AVC msg=audit(1434448984.506:7950): avc:  denied  { execute } for  pid=12278 comm="glusterd" name="S57glusterfind-delete-post.py" dev=dm-2 ino=17433095 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:glusterd_var_lib_t:s0 tclass=file

Expected results:


Additional info:

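A defender triaging records like the ones above wants to know which denials SELinux actually enforced and which it merely logged. This added example (not from the bug report or the glusterfs project) parses the AVC and SYSCALL lines quoted in this report, groups them by audit serial, and flags the hook-script execute denials; on this host they carry success=yes because the machine was in Permissive mode (see "Enforcing Mode" in the sealert output). The sample records are abridged copies of the ones in the report.

```python
import re
# Sample records copied (abridged) from the bug report: event 8072 is glusterd
# running a glusterfind hook, event 7178 is an unrelated smbd bind denial.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1434445895.917:8072): avc:  denied  { execute } for  pid=16463 comm="glusterd" name="S57glusterfind-delete-post.py" dev=dm-0 ino=1573216 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:glusterd_var_lib_t:s0 tclass=file
type=AVC msg=audit(1434445895.917:8072): avc:  denied  { execute_no_trans } for  pid=16463 comm="glusterd" path="/var/lib/glusterd/hooks/1/delete/post/S57glusterfind-delete-post.py" dev=dm-0 ino=1573216 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:glusterd_var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1434445895.917:8072): arch=x86_64 syscall=execve success=yes exit=0 ppid=13437 pid=16463 uid=0 comm=S57glusterfind- exe=/usr/bin/python subj=unconfined_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1434437798.038:7178): avc:  denied  { name_bind } for  pid=15140 comm="smbd" src=990 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=system_u:object_r:ftp_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1434437798.038:7178): arch=c000003e syscall=49 success=no exit=-98 ppid=14611 pid=15140 uid=0 comm="smbd" exe="/usr/sbin/smbd" subj=unconfined_u:system_r:smbd_t:s0 key=(null)
"""
AUDIT_RE = re.compile(r'^type=(\w+) msg=audit\([\d.]+:(\d+)\): (.*)$')
AVC_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\} for\s+(.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Parse one audit line into a dict; AVC lines also get a 'perms' list."""
    m = AUDIT_RE.match(line.strip())
    if not m:
        return None
    rtype, serial, body = m.groups()
    rec = {'type': rtype, 'serial': int(serial)}
    if rtype == 'AVC':  # split the permission set from the key=value fields
        a = AVC_RE.search(body)  # assumes a well-formed "avc: denied" line
        rec['perms'], body = a.group(1).split(), a.group(2)
    rec.update({k: v.strip('"') for k, v in KV_RE.findall(body)})
    return rec

def correlate(audit_text):
    """Group records by serial; a denial is 'blocked' only when its SYSCALL
    record says success=no (None when no SYSCALL record was logged)."""
    by_serial = {}
    for rec in filter(None, map(parse_record, audit_text.splitlines())):
        by_serial.setdefault(rec['serial'], []).append(rec)
    denials = []
    for serial, recs in sorted(by_serial.items()):
        sc = next((r for r in recs if r['type'] == 'SYSCALL'), None)
        for r in (r for r in recs if r['type'] == 'AVC'):
            denials.append({
                'serial': serial, 'comm': r.get('comm'), 'perms': r['perms'],
                'sdomain': r['scontext'].split(':')[2],
                'ttype': r['tcontext'].split(':')[2], 'tclass': r['tclass'],
                'blocked': None if sc is None else sc.get('success') == 'no'})
    return denials

def is_hook_exec_denial(d):
    """Signature of this report: glusterd_t executing a file that carries the
    generic glusterd_var_lib_t label rather than an executable file type."""
    return (d['sdomain'] == 'glusterd_t' and d['ttype'] == 'glusterd_var_lib_t'
            and d['tclass'] == 'file'
            and bool({'execute', 'execute_no_trans'} & set(d['perms'])))
```

Running `correlate` over a full /var/log/audit/audit.log and filtering with `is_hook_exec_denial` shows whether an enforcing host would actually have stopped the hook, which is the difference between a noisy log and a broken volume operation.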
Comment 2 Milos Malik 2015-06-16 12:12:29 UTC
It seems that everything under /var/lib/glusterd/hooks can be executed, not only *.sh files.

Comment 3 Prasanth 2015-06-19 06:50:55 UTC
We are tracking all the AVCs related to hook scripts in the following RHGS BZ:

Bug 1215637 - [SELinux] [RHGS-3.1] AVC's of all the executable hooks under /var/lib/glusterd/hooks/ on RHEL-6.7

Hence marking this BZ as a duplicate.

*** This bug has been marked as a duplicate of bug 1215637 ***

