RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1234847 - [SELinux] crond complains Unauthorized SELinux context=... when reading files labeled cifs_t, nfs_t, fusefs_t - RHEL-7.2
Summary: [SELinux] crond complains Unauthorized SELinux context=... when reading files...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.1
Hardware: All
OS: Linux
high
urgent
Target Milestone: rc
: ---
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks: 1212796 1231647 1238978 1239269 1239270
TreeView+ depends on / blocked
 
Reported: 2015-06-23 11:32 UTC by Milos Malik
Modified: 2015-11-19 10:37 UTC (History)
10 users (show)

Fixed In Version: selinux-policy-3.13.1-30.el7
Doc Type: Bug Fix
Doc Text:
Prior to this update, the crond service was not able to read files placed on the NFS, CIFS, and FUSE file systems. This update introduces the cron_system_cronjob_use_shares Boolean, which enables crond to use these file systems. As a result, the described problem no longer occurs.
Clone Of:
: 1238978 (view as bug list)
Environment:
Last Closed: 2015-11-19 10:37:45 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)
Audit log for comment 13 (247.23 KB, text/plain)
2015-07-13 12:28 UTC, senaik 		no flags Details
View All


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2015:2300 0 normal SHIPPED_LIVE selinux-policy bug fix update 2015-11-19 09:55:26 UTC

Description Milos Malik 2015-06-23 11:32:54 UTC 
Description of problem:
 * not sure if the problem is in selinux-policy or in crond
 * but there are no AVCs, USER_AVCs or SELINUX_ERRs logged

Version-Release number of selected component (if applicable):
cronie-1.4.11-13.el7.x86_64
cronie-anacron-1.4.11-13.el7.x86_64
crontabs-1.11-6.20121102git.el7.noarch
selinux-policy-3.13.1-29.el7.noarch
selinux-policy-devel-3.13.1-29.el7.noarch
selinux-policy-doc-3.13.1-29.el7.noarch
selinux-policy-minimum-3.13.1-29.el7.noarch
selinux-policy-mls-3.13.1-29.el7.noarch
selinux-policy-sandbox-3.13.1-29.el7.noarch
selinux-policy-targeted-3.13.1-29.el7.noarch

How reproducible:
always

Steps to Reproduce:
# chcon -t fusefs_t /etc/cron.d/sysstat
# service crond restart
Redirecting to /bin/systemctl restart  crond.service
# grep context /var/log/cron
Jun 23 13:29:48 rhel71 crond[7235]: ((null)) Unauthorized SELinux context=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 file_context=system_u:object_r:fusefs_t:s0 (/etc/cron.d/sysstat)
#

Actual results:
 * crond is unable to read a file placed on NFS, CIFS or FUSE filesystem

Expected results:
 * crond is able to read a file placed on NFS, CIFS or FUSE filesystem

Additional info (seen in /var/log/cron on different machines):
Jun 22 18:04:04 rhsqe-vm05 crond[32188]: ((null)) Unauthorized SELinux context=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 file_context=system_u:object_r:fusefs_t:s0 (/etc/cron.d/glusterfs_snap_cron_tasks.orig)

Jun 23 12:21:57 rhel71 crond[2176]: ((null)) Unauthorized SELinux context=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 file_context=system_u:object_r:nfs_t:s0 (/etc/cron.d/sysstat)

Jun 23 13:23:16 rhel71 crond[5101]: ((null)) Unauthorized SELinux context=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 file_context=system_u:object_r:cifs_t:s0 (/etc/cron.d/sysstat)
Comment 1 Miroslav Grepl 2015-06-23 12:10:22 UTC 
Ok this is a problem. What scenario are you testing here?

crond has a SELinux functionality to check if a job can run within a correct cronjob SELinux type. It is done using entrypoint permission. But we have fuse_t instead of system_cron_spool_t here.

allow system_cronjob_t system_cron_spool_t : file entrypoint;

If you add this rule for fuse_t it should work.
Comment 2 Milos Malik 2015-06-23 13:03:01 UTC 
# sesearch -s system_cronjob_t -t system_cron_spool_t -c file -p entrypoint -A -C
Found 1 semantic av rules:
   allow system_cronjob_t system_cron_spool_t : file { ioctl read write create getattr setattr lock append unlink link rename entrypoint open } ; 
#

You meant to add following rule, which is not present in current policy:

allow system_cronjob_t fusefs_t:file entrypoint;
Comment 4 Miroslav Grepl 2015-06-25 12:13:04 UTC 
This is not something what we want to allow by default. This is a custom setup and I am thinking either about a boolean or about a local policy shipped by Gluster.
Comment 5 Prasanth 2015-06-29 10:30:55 UTC 
(In reply to Miroslav Grepl from comment #4)
> This is not something what we want to allow by default. This is a custom
> setup and I am thinking either about a boolean or about a local policy
> shipped by Gluster.

Hi Miroslav,

If you have the above mentioned boolean or a local policy ready for testing, could you please share it in Bug 1231647 so that QE can test and confirm back?
Comment 6 Miroslav Grepl 2015-06-29 10:35:49 UTC 
Could you test it with the following local policy module

# cat mygluster.te
policy_module(mygluster, 1.0)

require{
 type gluster_t;
 type nfs_t;
 type cifs_t;
 type fusefs_t;
}

allow gluster_t nfs_t:file entrypoint;
allow gluster_t cifs_t:file entrypoint;
allow gluster_t fusefs_t:file entrypoint;

# make -f /usr/share/selinux/devel/Makefile mygluster.pp
# semodule -i mygluster.pp
Comment 7 Miroslav Grepl 2015-06-29 10:39:07 UTC 
Oops, I apologize. There it should be

# cat mygluster.te
policy_module(mygluster, 1.0)

require{
 type system_cronjob_t;
 type nfs_t;
 type cifs_t;
 type fusefs_t;
}

allow system_cronjob_t nfs_t:file entrypoint;
allow system_cronjob_t cifs_t:file entrypoint;
allow system_cronjob_t fusefs_t:file entrypoint;
Comment 8 senaik 2015-07-01 11:49:16 UTC 
Followed steps as mentioned in Comment 7 and scheduler was able to create snapshots.

 snap_scheduler.py list
JOB_NAME         SCHEDULE         OPERATION        VOLUME NAME      
--------------------------------------------------------------------
A1               */5 * * * *      Snapshot Create  vol0             


[root@rhsqe-vm06 ~]# tail -f /var/log/glusterfs/gcron.log 
[2015-07-01 12:45:19,802 gcron.py:100 doJob] INFO Job Scheduled-A1-vol0 succeeded
[2015-07-01 12:50:01,968 gcron.py:178 main] DEBUG locking_file = /var/run/gluster/shared_storage/snaps/lock_files/A1
[2015-07-01 12:50:01,969 gcron.py:179 main] DEBUG volname = vol0
[2015-07-01 12:50:01,969 gcron.py:180 main] DEBUG jobname = A1
[2015-07-01 12:50:01,981 gcron.py:96 doJob] DEBUG /var/run/gluster/shared_storage/snaps/lock_files/A1 last modified at Wed Jul  1 12:45:19 2015
[2015-07-01 12:50:01,981 gcron.py:98 doJob] DEBUG Processing job Scheduled-A1-vol0
[2015-07-01 12:50:01,982 gcron.py:68 takeSnap] DEBUG Running command 'gluster snapshot create Scheduled-A1-vol0 vol0'
[2015-07-01 12:50:20,747 gcron.py:75 takeSnap] DEBUG Command 'gluster snapshot create Scheduled-A1-vol0 vol0' returned '0'
[2015-07-01 12:50:20,747 gcron.py:83 takeSnap] INFO Snapshot of vol0 successful
[2015-07-01 12:50:20,747 gcron.py:100 doJob] INFO Job Scheduled-A1-vol0 succeeded


gluster snapshot list |wc -l 
254


getenforce
Enforcing

rpm -qa |grep selinux
libselinux-debuginfo-2.2.2-6.el7.x86_64
selinux-policy-targeted-3.13.1-29.el7.noarch
libselinux-utils-2.2.2-6.el7.x86_64
libselinux-python-2.2.2-6.el7.x86_64
selinux-policy-devel-3.13.1-29.el7.noarch
libselinux-2.2.2-6.el7.x86_64
selinux-policy-3.13.1-29.el7.noarch

I tried this on a 2 node cluster and found that only one node was picking uo the job , need to look into this further
Comment 11 senaik 2015-07-03 12:40:01 UTC 
Tried the latest policy update. With that the file /etc/cron.d/glusterfs_snap_cron_tasks is being picked up by crond. However because /etc/cron.d/gcron_update_task is created by renaming it from a tmp file created in /tmp/crontab it has a different file context which prevents it from being picked up by crond.

In order to resolve this, we need to create /etc/cron.d/gcron_update_task by renaming it from a tmp file created in /var/run/gluster/shared_storage/snaps/tmp_file.


But even with the above change I don't see crond reloading /etc/cron.d/glusterfs_snap_cron_tasks whenever the modified time of the file changes. Am not sure is this is a crond bug for rhel 7.1 or not, but it seems not to reload a file even though the file's last modified time is changed.
Comment 13 senaik 2015-07-13 12:18:57 UTC 
Installed the latest Selinux policy build, Scheduler still fails to create snapshots with SELinux in 'Enforcing' mode 

Jul 13 17:21:02 rhsqe-vm05 crond[9994]: ((null)) Unauthorized SELinux context=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 file_context=system_u:object_r:fusefs_t:s0 (/etc/cron.d/glusterfs_snap_cron_tasks)
Jul 13 17:21:02 rhsqe-vm05 crond[9994]: (root) FAILED (loading cron table)
Jul 13 17:21:02 rhsqe-vm05 CROND[10504]: (root) CMD (PATH=$PATH:/usr/local/sbin:/usr/sbin gcron.py --update)
Jul 13 17:22:01 rhsqe-vm05 CROND[10509]: (root) CMD (PATH=$PATH:/usr/local/sbin:/usr/sbin gcron.py --update)
Jul 13 17:23:01 rhsqe-vm05 CROND[10514]: (root) CMD (PATH=$PATH:/usr/local/sbin:/usr/sbin gcron.py --update)

rpm -qa |grep selinux
libselinux-utils-2.2.2-6.el7.x86_64
libselinux-python-2.2.2-6.el7.x86_64
selinux-policy-devel-3.13.1-31.el7.noarch
libselinux-2.2.2-6.el7.x86_64
selinux-policy-3.13.1-31.el7.noarch
selinux-policy-targeted-3.13.1-31.el7.noarch

Set SELinux to 'Permissive' and Scheduler creates snapshots successfully. 

Moving the bug back to 'Assigned'
Comment 14 senaik 2015-07-13 12:28:46 UTC 
Created attachment 1051390 [details]
Audit log for comment 13
Comment 15 Milos Malik 2015-07-13 13:11:33 UTC 
Does it work when you enable the cron_system_cronjob_use_shares boolean?
Comment 18 senaik 2015-07-15 09:21:07 UTC 
I have enabled the boolean as mentioned and Scheduler is able to create snapshots 

getsebool -a |grep cron_system_cronjob_use_shares
cron_system_cronjob_use_shares --> on

rpm -qa |grep selinux
libselinux-2.2.2-6.el7.x86_64
libselinux-python-2.2.2-6.el7.x86_64
selinux-policy-targeted-3.13.1-32.el7.noarch
libselinux-utils-2.2.2-6.el7.x86_64
selinux-policy-3.13.1-32.el7.noarch

snap_scheduler.py list
JOB_NAME         SCHEDULE         OPERATION        VOLUME NAME      
--------------------------------------------------------------------
RHEL7_JOB1       */5 * * * *      Snapshot Create  volume0     

gluster snapshot list 
Scheduled-RHEL7_JOB1-volume0_GMT-2015.07.15-07.45.01
Scheduled-RHEL7_JOB1-volume0_GMT-2015.07.15-07.50.01
Scheduled-RHEL7_JOB1-volume0_GMT-2015.07.15-07.55.01
Scheduled-RHEL7_JOB1-volume0_GMT-2015.07.15-08.00.01
Scheduled-RHEL7_JOB1-volume0_GMT-2015.07.15-08.05.01
Scheduled-RHEL7_JOB1-volume0_GMT-2015.07.15-08.10.01
Scheduled-RHEL7_JOB1-volume0_GMT-2015.07.15-08.15.01


[2015-07-15 14:50:01,627 gcron.py:96 doJob] DEBUG /var/run/gluster/shared_storage/snaps/lock_files/RHEL7_JOB1 last modified at Wed Jul 15 14:45:05 2015
[2015-07-15 14:50:01,628 gcron.py:98 doJob] DEBUG Processing job Scheduled-RHEL7_JOB1-volume0
[2015-07-15 14:50:01,628 gcron.py:68 takeSnap] DEBUG Running command 'gluster snapshot create Scheduled-RHEL7_JOB1-volume0 volume0'
[2015-07-15 14:50:05,869 gcron.py:75 takeSnap] DEBUG Command 'gluster snapshot create Scheduled-RHEL7_JOB1-volume0 volume0' returned '0'
[2015-07-15 14:50:05,870 gcron.py:83 takeSnap] INFO Snapshot of volume0 successful
[2015-07-15 14:50:05,871 gcron.py:100 doJob] INFO Job Scheduled-RHEL7_JOB1-volume0 succeeded
Comment 19 senaik 2015-07-15 09:22:12 UTC 
cleared need info while adding comment18, adding it back
Comment 23 errata-xmlrpc 2015-11-19 10:37:45 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2300.html
Note You need to log in before you can comment on or make changes to this bug.