Bug 1232692 - [SELinux] [RHGS] Update the labelling for all the executable hooks under /var/lib/glusterd/hooks/ on RHEL-7.1
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.1
Hardware: All
OS: Linux
Priority: unspecified
Severity: urgent
Target Milestone: rc
Target Release: ---
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On: 1215632
Blocks: 1212796 1238965
Reported: 2015-06-17 10:23 UTC by Prasanth
Modified: 2015-11-19 10:37 UTC
CC: 20 users

Fixed In Version: selinux-policy-3.13.1-29.el7
Doc Type: Bug Fix
Doc Text:
Previously, SELinux was unintentionally preventing the Bash shell from executing various hook scripts in the /var/lib/glusterd/hooks/ directory. SELinux policy rules have been adjusted to allow for correct handling of various gluster-related services, such as smb, nmb, or ctdb. As a result, the affected hook scripts can now be executed properly.
Clone Of: 1215632
Clones: 1238965
Environment:
Last Closed: 2015-11-19 10:37:02 UTC
Target Upstream Version:
Embargoed:




Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHBA-2015:2300 | 0 | normal | SHIPPED_LIVE | selinux-policy bug fix update | 2015-11-19 09:55:26 UTC

Description Prasanth 2015-06-17 10:23:32 UTC
+++ This bug was initially created as a clone of Bug #1215632 +++

Description of problem:

SELinux is preventing /bin/bash from execute access on the file /usr/sbin/smbd.

See AVC messages from /var/log/audit/audit.log below:

######
type=AVC msg=audit(1429776701.631:1186): avc:  denied  { execute } for  pid=9815 comm="S30samba-stop.s" name="smbd" dev=dm-0 ino=152897 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:smbd_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1429776701.631:1186): arch=c000003e syscall=21 success=yes exit=0 a0=fe9ae0 a1=1 a2=0 a3=f items=0 ppid=9814 pid=9815 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="S30samba-stop.s" exe="/bin/bash" subj=unconfined_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1429776701.633:1187): avc:  denied  { execute_no_trans } for  pid=9815 comm="S30samba-stop.s" path="/usr/sbin/smbd" dev=dm-0 ino=152897 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:smbd_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1429776701.633:1187): arch=c000003e syscall=59 success=yes exit=0 a0=fe9ae0 a1=fe85f0 a2=fe8160 a3=18 items=0 ppid=9814 pid=9815 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="smbd" exe="/usr/sbin/smbd" subj=unconfined_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1429776701.947:1188): avc:  denied  { create } for  pid=9837 comm="sed" name="sedwkoNGp" scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:samba_etc_t:s0 tclass=file
type=SYSCALL msg=audit(1429776701.947:1188): arch=c000003e syscall=2 success=yes exit=4 a0=1714730 a1=c2 a2=180 a3=0 items=0 ppid=9812 pid=9837 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="sed" exe="/bin/sed" subj=unconfined_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1429776701.954:1189): avc:  denied  { signal } for  pid=9812 comm="S30samba-stop.s" scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=unconfined_u:system_r:smbd_t:s0 tclass=process
######

#####
Apr 23 13:41:43 dhcp42-72 setroubleshoot: SELinux is preventing /bin/bash from execute access on the file /usr/sbin/smbd. For complete SELinux messages. run sealert -l 38fa77cc-b191-46a7-834e-f944ffa62fb8
Apr 23 13:41:43 dhcp42-72 setroubleshoot: SELinux is preventing /usr/sbin/smbd from execute_no_trans access on the file /usr/sbin/smbd. For complete SELinux messages. run sealert -l d25244eb-84eb-45c8-ad61-081e42a1dcda
#####


Version-Release number of selected component (if applicable):
#####
glusterfs-fuse-3.7dev-0.1009.git8b987be.el6.x86_64
glusterfs-cli-3.7dev-0.1009.git8b987be.el6.x86_64
glusterfs-3.7dev-0.1009.git8b987be.el6.x86_64
glusterfs-server-3.7dev-0.1009.git8b987be.el6.x86_64
glusterfs-libs-3.7dev-0.1009.git8b987be.el6.x86_64
glusterfs-api-3.7dev-0.1009.git8b987be.el6.x86_64
samba-vfs-glusterfs-4.1.17-4.el6rhs.x86_64
#####

How reproducible: Always


Steps to Reproduce:
1. Install the RHEL6 glusterfs 3.7 nightly builds from http://download.gluster.org/pub/gluster/glusterfs/nightly/glusterfs-3.7/epel-6-x86_64/
2. Create a volume and start it
3. Check for the AVC's in /var/log/audit/audit.log

Actual results: Above mentioned AVC is seen in the logs.


Expected results: If you believe that bash should be allowed execute access on the smbd file by default, please consider fixing it.

--- Additional comment from Miroslav Grepl on 2015-05-19 08:28:02 EDT ---

Could you tell us more about

type=AVC msg=audit(1429776701.947:1188): avc:  denied  { create } for  pid=9837 comm="sed" name="sedwkoNGp" scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:samba_etc_t:s0 tclass=file

--- Additional comment from Prasanth on 2015-06-16 08:53:38 EDT ---

(In reply to Miroslav Grepl from comment #1)
> Could you tell us more about
> 
> type=AVC msg=audit(1429776701.947:1188): avc:  denied  { create } for 
> pid=9837 comm="sed" name="sedwkoNGp"
> scontext=unconfined_u:system_r:glusterd_t:s0
> tcontext=system_u:object_r:samba_etc_
> t:s0 tclass=file

I'm not seeing the above AVC anymore in the latest selinux-policy build, but could see the following:

####
[root@dhcp43-33 audit]# rpm -qa |grep selinux
libselinux-2.0.94-5.8.el6.x86_64
libselinux-utils-2.0.94-5.8.el6.x86_64
libselinux-python-2.0.94-5.8.el6.x86_64
selinux-policy-3.7.19-276.el6.noarch
selinux-policy-targeted-3.7.19-276.el6.noarch


[root@dhcp43-33 audit]# grep "AVC" audit.log
type=AVC msg=audit(1434458009.234:5445): avc:  denied  { execute } for  pid=19031 comm="glusterd" name="S57glusterfind-delete-post.py" dev=vda3 ino=398089 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:glusterd_var_lib_t:s0 tclass=file
type=AVC msg=audit(1434458016.776:5446): avc:  denied  { getattr } for  pid=19092 comm="S29CTDBsetup.sh" path="/var/log/audit" dev=vda3 ino=396601 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:auditd_log_t:s0 tclass=dir
type=AVC msg=audit(1434458016.793:5447): avc:  denied  { getattr } for  pid=19100 comm="S30samba-start." path="/var/log/audit" dev=vda3 ino=396601 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:auditd_log_t:s0 tclass=dir
####

-----
[root@dhcp43-33 audit]# cat audit.log |audit2allow

#============= glusterd_t ==============
allow glusterd_t auditd_log_t:dir getattr;
allow glusterd_t glusterd_var_lib_t:file execute;
-----

Do you know if this is also part of the fixes that are going to land in the next build or is it something new?
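The denials quoted in the description and the audit2allow output in this comment are the raw material of the whole bug, so it helps to see what audit2allow is doing with them. The following Python is an added editor's example, not code from this bug, from Red Hat or from the audit2allow tool: it parses type=AVC records in the format shown above, groups them into (source type, target type, class) the way audit2allow does, and then applies a heuristic of my own that flags execute denials against a non-executable target type as "probably a labelling problem" rather than something to allow. The log lines are constructed from the records posted in this bug, with the SYSCALL records shortened; they are not a new capture.

```python
import re
from collections import defaultdict

# Constructed sample, not a real capture: AVC records in the format shown in
# this bug (one record per line; SYSCALL records are included to show they
# are skipped).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1429776701.631:1186): avc:  denied  { execute } for  pid=9815 comm="S30samba-stop.s" name="smbd" dev=dm-0 ino=152897 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:smbd_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1429776701.631:1186): arch=c000003e syscall=21 success=yes exit=0 ppid=9814 pid=9815 comm="S30samba-stop.s" exe="/bin/bash" subj=unconfined_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1429776701.633:1187): avc:  denied  { execute_no_trans } for  pid=9815 comm="S30samba-stop.s" path="/usr/sbin/smbd" dev=dm-0 ino=152897 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:smbd_exec_t:s0 tclass=file
type=AVC msg=audit(1434458009.234:5445): avc:  denied  { execute } for  pid=19031 comm="glusterd" name="S57glusterfind-delete-post.py" dev=vda3 ino=398089 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:glusterd_var_lib_t:s0 tclass=file
type=AVC msg=audit(1434458016.776:5446): avc:  denied  { getattr } for  pid=19092 comm="S29CTDBsetup.sh" path="/var/log/audit" dev=vda3 ino=396601 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:auditd_log_t:s0 tclass=dir
type=AVC msg=audit(1434458016.793:5447): avc:  denied  { getattr } for  pid=19100 comm="S30samba-start." path="/var/log/audit" dev=vda3 ino=396601 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:auditd_log_t:s0 tclass=dir
"""

# Pull the decision, the permission set and the three context fields out of an AVC record.
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r".*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
# Generic key=value / key="value" pairs for the remaining fields (comm, name, path, ...).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
EXEC_PERMS = {"execute", "execute_no_trans"}


def parse_avc(line):
    """Parse one type=AVC record into a dict; return None for any other record type."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    return {
        "decision": m.group("decision"),
        "perms": set(m.group("perms").split()),
        "scontext": m.group("scontext"),
        "tcontext": m.group("tcontext"),
        "tclass": m.group("tclass"),
        "comm": fields.get("comm"),
        # name= is the basename, path= the full path; either identifies the target object
        "target": fields.get("path") or fields.get("name"),
    }


def context_type(ctx):
    """user:role:type:level -> type (third field; an MLS range may add more colons after it)."""
    return ctx.split(":")[2]


def summarize_denials(log_text):
    """Group denials the way audit2allow does: (source type, target type, class) -> permissions."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        avc = parse_avc(line)
        if avc is None or avc["decision"] != "denied":
            continue
        key = (context_type(avc["scontext"]), context_type(avc["tcontext"]), avc["tclass"])
        rules[key] |= avc["perms"]
    return dict(rules)


def render_allow_rules(rules):
    """Render the grouped denials as TE allow rules, sorted for stable output."""
    lines = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        perm_text = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_text = "{ " + perm_text + " }"
        lines.append(f"allow {stype} {ttype}:{tclass} {perm_text};")
    return lines


def relabel_candidates(rules):
    """Heuristic of my own (not part of audit2allow): an execute denial whose target type is
    not an executable type (bin_t or *_exec_t) usually means the file is mislabelled, which is
    what this bug turned out to be. Such rules deserve a restorecon/fcontext fix, not an allow."""
    hits = []
    for (stype, ttype, tclass), perms in rules.items():
        if tclass == "file" and perms & EXEC_PERMS and ttype != "bin_t" and not ttype.endswith("_exec_t"):
            hits.append((stype, ttype))
    return sorted(hits)


if __name__ == "__main__":
    grouped = summarize_denials(SAMPLE_AUDIT_LOG)
    for rule in render_allow_rules(grouped):
        print(rule)
    for stype, ttype in relabel_candidates(grouped):
        print(f"# {stype} executing {ttype} files: check the labels before allowing this")
```

On the sample, the grouped output reproduces the two rules audit2allow printed in this comment plus the smbd rule from the description, and the heuristic singles out glusterd_t executing glusterd_var_lib_t files, which is exactly the case the thread resolves by relabelling the hook to bin_t instead of widening glusterd_t.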

--- Additional comment from Miroslav Grepl on 2015-06-17 03:35:16 EDT ---

type=AVC msg=audit(1434458009.234:5445): avc:  denied  { execute } for  pid=19031 comm="glusterd" name="S57glusterfind-delete-post.py" dev=vda3 ino=398089 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:glusterd_var_lib_t:s0 tclass=file


This is a new issue. So we have other executables in /var/lib/gluster. What are you getting in permissive mode?

--- Additional comment from Prasanth on 2015-06-17 04:02:21 EDT ---

In Permissive mode, I'm seeing the following after create/start/delete of a gluster volume:

#########
[root@dhcp43-33 audit]# getenforce 
Permissive

type=AVC msg=audit(1434526391.609:6307): avc:  denied  { getattr } for  pid=23170 comm="S29CTDBsetup.sh" path="/var/log/audit" dev=vda3 ino=396601 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:auditd_log_t:s0 tclass=dir
type=AVC msg=audit(1434526436.236:6308): avc:  denied  { getattr } for  pid=23250 comm="S29CTDB-teardow" path="/var/log/audit" dev=vda3 ino=396601 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:auditd_log_t:s0 tclass=dir
type=AVC msg=audit(1434526442.032:6309): avc:  denied  { execute } for  pid=23298 comm="glusterd" name="S57glusterfind-delete-post.py" dev=vda3 ino=398089 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:glusterd_var_lib_t:s0 tclass=file
type=AVC msg=audit(1434526442.032:6309): avc:  denied  { execute_no_trans } for  pid=23298 comm="glusterd" path="/var/lib/glusterd/hooks/1/delete/post/S57glusterfind-delete-post.py" dev=vda3 ino=398089 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:glusterd_var_lib_t:s0 tclass=file
#########


Yes, we have some other new executables in /var/lib/glusterd/hooks. See below:

#############
[root@dhcp43-33 1]# pwd
/var/lib/glusterd/hooks/1	

[root@dhcp43-33 1]# ls  -alZ ./*/*
./add-brick/post:
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 .
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 ..
-rwxr--r--. root root system_u:object_r:bin_t:s0       disabled-quota-root-xattr-heal.sh

./add-brick/pre:
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 .
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 ..
-rwxr--r--. root root system_u:object_r:bin_t:s0       S28Quota-enable-root-xattr-heal.sh

./copy-file/post:
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 .
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 ..

./copy-file/pre:
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 .
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 ..

./create/post:
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 .
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 ..

./create/pre:
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 .
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 ..

./delete/post:
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 .
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 ..
-rwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 S57glusterfind-delete-post.py
-rw-r--r--. root root system_u:object_r:glusterd_var_lib_t:s0 S57glusterfind-delete-post.pyc
-rw-r--r--. root root system_u:object_r:glusterd_var_lib_t:s0 S57glusterfind-delete-post.pyo

./delete/pre:
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 .
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 ..

./gsync-create/post:
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 .
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 ..

./gsync-create/pre:
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 .
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 ..

./remove-brick/post:
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 .
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 ..

./remove-brick/pre:
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 .
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 ..

./reset/post:
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 .
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 ..
-rwxr--r--. root root system_u:object_r:bin_t:s0       S31ganesha-reset.sh

./reset/pre:
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 .
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 ..

./set/post:
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 .
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 ..
-rwxr--r--. root root system_u:object_r:bin_t:s0       S30samba-set.sh
-rwxr--r--. root root system_u:object_r:bin_t:s0       S31ganesha-set.sh
-rwxr--r--. root root system_u:object_r:bin_t:s0       S32gluster_enable_shared_storage.sh

./set/pre:
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 .
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 ..

./start/post:
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 .
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 ..
-rwxr--r--. root root system_u:object_r:bin_t:s0       S29CTDBsetup.sh
-rwxr--r--. root root system_u:object_r:bin_t:s0       S30samba-start.sh

./start/pre:
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 .
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 ..

./stop/post:
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 .
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 ..

./stop/pre:
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 .
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 ..
-rwxr--r--. root root system_u:object_r:bin_t:s0       S29CTDB-teardown.sh
-rwxr--r--. root root system_u:object_r:bin_t:s0       S30samba-stop.sh
#############

Is it possible to fix everything under this directory "/var/lib/glusterd/hooks" for any existing and new executables so that we don't come across these AVC's again in future?

--- Additional comment from Miroslav Grepl on 2015-06-17 04:11:18 EDT ---

diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index 835302a..0550ea4 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -396,6 +396,7 @@ ifdef(`distro_suse', `
 /var/qmail/rc                  --      gen_context(system_u:object_r:bin_t,s0)
 
 /var/lib/glusterd/hooks/.*/.*\.sh -- gen_context(system_u:object_r:bin_t,s0)
+/var/lib/glusterd/hooks/.*/.*\.py -- gen_context(system_u:object_r:bin_t,s0)
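Review bot: the new `.py` entry only covers files whose name ends in `.py`, so an admin-added hook with any other suffix (which a later comment in this thread says is permitted) keeps glusterd_var_lib_t and will hit the same execute denial; either document that custom hooks must be named `*.sh` or `*.py`, or weigh the broader `/var/lib/glusterd/hooks(/.*)?` rule discussed below. Since file_contexts patterns are anchored at both ends, the entry correctly leaves the neighbouring `.pyc`/`.pyo` files as glusterd_var_lib_t, and the `--` flag keeps the hook directories themselves out of bin_t, both of which are what you want. Note that files already on disk keep their old label until `restorecon -R /var/lib/glusterd/hooks` runs, unless the policy package's post-install relabel covers it.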

--- Additional comment from Miroslav Grepl on 2015-06-17 04:12:47 EDT ---

It could be enough. The point is that a writable file could be located there, and a more general labeling like

/var/lib/glusterd/hooks(/.*)? -- gen_context(system_u:object_r:bin_t,s0)

could be wrong. But if you tell us that only executables shipped by gluster will be located there, I will add this general labeling.

--- Additional comment from Prasanth on 2015-06-17 04:28:44 EDT ---

(In reply to Miroslav Grepl from comment #6)
> It could be enough. The point is there can be located a file which is
> writable and some more general labeling like
> 
> /var/lib/glusterd/hooks(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
> 
> could be wrong. But if you tell us there will be located only executables
> shipped by cluster I will add this general labeling.

AFAIK, by default, this directory contains only the executables that are shipped by the gluster packages. But I believe it's designed in such a way that any admin can add executables later to this location as well, based on their requirement. But I would like to get it confirmed here by the concerned devel member so that you can add the appropriate labelling. 

Avra, could you please check Comment 6 and provide your comments?

--- Additional comment from Avra Sengupta on 2015-06-17 04:39:51 EDT ---

/var/lib/glusterd/hooks contains hook scripts, which are scripts shipped along with gluster. These scripts can be modified by the admin, and the admin can add new scripts in this location as well.

I hope this information is enough to add the appropriate labelling. Please let me know if any other info is needed.

--- Additional comment from Miroslav Grepl on 2015-06-17 05:02:22 EDT ---

The point is whether

/var/lib/glusterd/hooks/.*/.*\.sh -- gen_context(system_u:object_r:bin_t,s0)
/var/lib/glusterd/hooks/.*/.*\.py -- gen_context(system_u:object_r:bin_t,s0)

is enough, or whether we want to add

/var/lib/glusterd/hooks(/.*)? gen_context(system_u:object_r:bin_t,s0)

to be sure we cover all executables here.

--- Additional comment from Avra Sengupta on 2015-06-17 05:32:06 EDT ---

Currently we have only bash scripts in /var/lib/glusterd/hooks/. So right now we should stick to only 

/var/lib/glusterd/hooks/.*/.*\.sh -- gen_context(system_u:object_r:bin_t,s0)

and not give the farm away by allowing everything.

--- Additional comment from Prasanth on 2015-06-17 05:40:29 EDT ---

(In reply to Avra Sengupta from comment #10)
> Currently we have only bash scripts in /var/lib/glusterd/hooks/. So right
> now we should stick to only 
> 
> /var/lib/glusterd/hooks/.*/.*\.sh -- gen_context(system_u:object_r:bin_t,s0)
> 
> and not give the farm away by allowing everything.

Avra, I don't think this is true anymore as I do see a python script included in the hooks directory. See below:

########
[root@dhcp43-33 1]# pwd
/var/lib/glusterd/hooks/1	

./delete/post:
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 .
drwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 ..
-rwxr-xr-x. root root system_u:object_r:glusterd_var_lib_t:s0 S57glusterfind-delete-post.py
-rw-r--r--. root root system_u:object_r:glusterd_var_lib_t:s0 S57glusterfind-delete-post.pyc
-rw-r--r--. root root system_u:object_r:glusterd_var_lib_t:s0 S57glusterfind-delete-post.pyo
########

Could you please check and confirm?

--- Additional comment from Avra Sengupta on 2015-06-17 05:42:15 EDT ---

Sorry my bad. We can have the following in that case

/var/lib/glusterd/hooks/.*/.*\.sh -- gen_context(system_u:object_r:bin_t,s0)
/var/lib/glusterd/hooks/.*/.*\.py -- gen_context(system_u:object_r:bin_t,s0)
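The exchange from comment 5 onward turns on how file_contexts patterns behave: libselinux anchors each regex at both ends (so `.*\.py` does not catch a `.pyc`), a `--` flag restricts an entry to regular files, and when several entries match, the most specific one wins. The simulation below is an added editor's example, not code from this bug or from the selinux-policy project: it applies those rules to the two pattern sets that were debated, the narrow `.sh`/`.py` pair that was merged and the broad `hooks(/.*)?` rule that Avra Sengupta argued against, and lists which files the broad rule would turn into bin_t. The base `/var/lib/glusterd(/.*)?` entry, the specificity ordering (a simplification of fc_sort) and the admin-added sample paths are assumptions; on a real host, check the actual outcome with `matchpathcon -V` or `restorecon -nv`.

```python
import re
from dataclasses import dataclass

# Constructed file_contexts fragments.  The first entry in each set is ASSUMED here: it is
# the gluster module's base rule that gives /var/lib/glusterd and everything under it the
# glusterd_var_lib_t label seen in the ls -Z listing above.  The hook patterns are the ones
# quoted in the comments, in the gen_context() form used by refpolicy .fc files.
NARROW_FC = r"""
/var/lib/glusterd(/.*)?               gen_context(system_u:object_r:glusterd_var_lib_t,s0)
/var/lib/glusterd/hooks/.*/.*\.sh  -- gen_context(system_u:object_r:bin_t,s0)
/var/lib/glusterd/hooks/.*/.*\.py  -- gen_context(system_u:object_r:bin_t,s0)
"""
BROAD_FC = r"""
/var/lib/glusterd(/.*)?               gen_context(system_u:object_r:glusterd_var_lib_t,s0)
/var/lib/glusterd/hooks(/.*)?         gen_context(system_u:object_r:bin_t,s0)
"""

# file_contexts object-type flags -> the kind of inode they restrict the entry to
FTYPE_KIND = {"--": "file", "-d": "dir", "-l": "symlink"}
# Characters that make a pattern a regex rather than a literal path (used for the specificity sort)
META = re.compile(r"[.\[\]()*+?^$|\\{}]")


@dataclass(frozen=True)
class FcEntry:
    regex: str   # implicitly anchored at both ends by libselinux
    ftype: str   # "" (any inode type) or one of the FTYPE_KIND flags
    label: str   # SELinux type extracted from gen_context(...)


def parse_fc(text):
    """Parse refpolicy-style .fc lines: <regex> [<ftype>] gen_context(<context>,<mls>)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        ftype = parts[1] if len(parts) == 3 else ""
        m = re.match(r"gen_context\(([^,]+),", parts[-1])
        context = m.group(1) if m else parts[-1]
        entries.append(FcEntry(parts[0], ftype, context.split(":")[2]))
    return entries


def specificity(entry):
    """Simplified fc_sort ordering: longer literal prefix (stem) is more specific, then an explicit ftype."""
    m = META.search(entry.regex)
    stem_len = len(entry.regex) if m is None else m.start()
    return (stem_len, entry.ftype != "")


def match_context(entries, path, kind="file"):
    """Return the type assigned to `path` (an inode of `kind`), or None if nothing matches.
    Entries are walked least- to most-specific and the last match wins, as libselinux does."""
    label = None
    for e in sorted(entries, key=specificity):
        if e.ftype and FTYPE_KIND.get(e.ftype) != kind:
            continue                      # entry restricted to another inode type
        if re.fullmatch(e.regex, path):   # fullmatch == the implicit ^...$ anchoring
            label = e.label
    return label


def label_path(fc_text, path, kind="file"):
    return match_context(parse_fc(fc_text), path, kind)


def extra_bin_t_under_broad(paths):
    """Paths the broad rule turns into bin_t that the narrow rules leave alone:
    the 'give the farm away' set from the thread."""
    return [
        p for p, kind in paths
        if label_path(BROAD_FC, p, kind) == "bin_t" and label_path(NARROW_FC, p, kind) != "bin_t"
    ]


# Constructed sample paths: shipped hooks from the listing above plus two assumed admin-added files.
HOOKS = "/var/lib/glusterd/hooks/1"
SAMPLE_PATHS = [
    (f"{HOOKS}/delete/post/S57glusterfind-delete-post.py", "file"),
    (f"{HOOKS}/delete/post/S57glusterfind-delete-post.pyc", "file"),
    (f"{HOOKS}/start/post/S30samba-start.sh", "file"),
    (f"{HOOKS}/start/post", "dir"),
    (f"{HOOKS}/start/post/custom-hook", "file"),   # admin-added, no .sh/.py suffix
    (f"{HOOKS}/start/post/notes.txt", "file"),     # admin-added, never meant to execute
]

if __name__ == "__main__":
    for p, kind in SAMPLE_PATHS:
        print(f"{p:70} {str(label_path(NARROW_FC, p, kind)):20} {label_path(BROAD_FC, p, kind)}")
    print("extra bin_t under the broad rule:", extra_bin_t_under_broad(SAMPLE_PATHS))
```

With the narrow rules, the `.py` and `.sh` hooks become bin_t while the `.pyc`, the hook directory and the suffix-less custom hook stay glusterd_var_lib_t; with the broad rule everything under hooks, including a plain text file an admin drops there, becomes bin_t, which is the writable-file concern raised in comment 6.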

Comment 2 Miroslav Grepl 2015-07-01 08:11:36 UTC
Already fixed.

Comment 8 errata-xmlrpc 2015-11-19 10:37:02 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2300.html

