Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1235636

Summary: [SELinux] SMB: SELinux policy to be set for /usr/sbin/ctdbd_wrapper - RHEL-6.7
Product: Red Hat Enterprise Linux 6 Reporter: Prasanth <pprakash>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: urgent Docs Contact:
Priority: high    
Version: 6.7CC: dwalsh, lvrabec, madam, mgrepl, mmalik, nlevinki, plautrba, pprakash, pvrabec, rcyriac, rhs-smb, sbhaloth, ssekidde, tlavigne
Target Milestone: rcKeywords: ZStream
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.7.19-279.el6 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 1235613
: 1248526 (view as bug list) Environment:
Last Closed: 2016-05-10 19:58:02 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1235613    
Bug Blocks: 1212796, 1248526    

Description Prasanth 2015-06-25 11:56:04 UTC 
+++ This bug was initially created as a clone of Bug #1235613 +++

Description of problem:
**************************************
CTDB nodes not coming to healthy state after starting ctdb service.
SELinux is set to enforcing.

type=AVC msg=audit(06/25/2015 02:45:46.844:2625) : avc:  denied  { write } for  pid=22921 comm=net name=ctdbd.socket dev=dm-0 ino=1443389 scontext=unconfined_u:system_r:samba_net_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file 

If we check the context for socket file :
srwx------. root root unconfined_u:object_r:var_run_t:s0 /var/run/ctdb/ctdbd.socket

after running restorecon -R -v /var/run/ctdb/ctdbd.socket we are again getting the correct context..

After analysis and debugging from development team it looks like the ctdb context has to be set on /usr/sbin/ctdbd_wrapper because this is creating the /var/run/ctdb directory and it will apply the context on the contents of this directory.
When we tried to set the context for /usr/sbin/ctdbd_wrapper , remove /var/run/ctdb and then start ctdb service it works fine.

so we need same attributes to be set for /usr/sbin/ctdbd_wrapper as it is done for /usr/sbin/ctdbd.

Version-Release number of selected component (if applicable):
rpm -qa | grep ctdb
ctdb2.5-2.5.5-2.el6rhs.x86_64


How reproducible:
Always

Steps to Reproduce:
1. Install RHEL6.7 , latest gluster rpms, latest samba and ctdb rpms
2. Do ctdb setup
3. Start ctdb service 

Actual results:
CTDB fails to start smb service and remains in UNHEALTHY state.

Expected results:
CTDB should be able to start smb service and should come to HEALTHY state.


Additional info:

--- Additional comment from Red Hat Bugzilla Rules Engine on 2015-06-25 06:23:02 EDT ---

This bug is automatically being proposed for Red Hat Gluster Storage 3.1.0 by setting the release flag 'rhgs‑3.1.0' to '?'. 

If this bug should be proposed for a different release, please manually change the proposed release flag.

--- Additional comment from surabhi on 2015-06-25 06:45:16 EDT ---
Comment 1 Milos Malik 2015-06-25 12:28:07 UTC 
It would be better when the /var/run/ctdb directory was part of ctdb RPM package. The directory would be labeled correctly during the package installation. The ctdbd.socket file in /var/run/ctdb directory would inherit its label from the directory, which is default behavior.
Comment 2 Miroslav Grepl 2015-06-26 08:12:37 UTC 
Yes, how Milos wrote above. Is there a chance to add /var/run/ctdb to Gluster RPM? 

For what is /usr/sbin/ctdbd_wrapper? When is it started? If we add a labeling it could cause additional issue.
Comment 3 Prasanth 2015-06-26 10:56:35 UTC 
(In reply to Miroslav Grepl from comment #2)
> Yes, how Milos wrote above. Is there a chance to add /var/run/ctdb to
> Gluster RPM? 
> 
> For what is /usr/sbin/ctdbd_wrapper? When is it started? If we add a
> labeling it could cause additional issue.

Setting needinfo on Surabhi for providing the above requested details.
Comment 4 Michael Adam 2015-06-29 10:42:10 UTC 
(In reply to Prasanth from comment #3)
> (In reply to Miroslav Grepl from comment #2)
> > Yes, how Milos wrote above. Is there a chance to add /var/run/ctdb to
> > Gluster RPM? 

/var/run/ctdb belongs to the ctdb RPM, not the gluster RPM.
Adding it to gluster would be really strange.

> > For what is /usr/sbin/ctdbd_wrapper? When is it started? If we add a
> > labeling it could cause additional issue.

ctdbd_wrapper is a wrapper around ctdbd which sets a few command line options for ctdbd and also creates /var/run/ctdb if it does not exist. ctdbd_wrapper is the recommended and supported way of starting ctdbd.

I personally have no problem with /var/run/ctdb belonging to the ctdb RPM and having the it created by package install - it would be a good idea. Still, if the directory gets removed (by accident or whyever), then ctdbd_wrapper would re-create it. Hence I think we need the setting for ctdbd_wrapper nonetheless.
Comment 5 Miroslav Grepl 2015-06-29 11:13:39 UTC 
Sure, it should be a part of ctdbd RPM.

Is this a shell script? 

Could you call 

restorecon -v /var/run/ctdb

after it is created?
Comment 6 Michael Adam 2015-06-29 11:23:59 UTC 
(In reply to Miroslav Grepl from comment #5)
> Sure, it should be a part of ctdbd RPM.

Ok, great. Agreement here.

> Is this a shell script? 

Yes.

> Could you call 
> 
> restorecon -v /var/run/ctdb
> 
> after it is created?

You mean inside the shell script, after
running mkdir /var/run/ctdb, run the above
restorecon command?

In theory that is possible, but this script
is part of the upstream tarball. We _could_
patch it for a start.

And we would also need start discussing with
upstream, whether to include selinux specific calls.
It feels slightly out of place in this script, in
that it seems at least slightly distribution-specific.

What are the dangers or problems associated with
giving ctdbd_wrapper the needed state/perms?
Comment 7 Michael Adam 2015-07-03 09:19:07 UTC 
Any update?
Comment 8 Miroslav Grepl 2015-07-07 11:08:42 UTC 
Ok we just need to test it to see we don't get additional AVCs with

chcon -t ctdbd_exec_t /usr/sbin/ctdbd_wrapper

The point is it should be really covered by ctdb package. This wrapper is more init script and we should not label init scripts like binaries.
Comment 9 Miroslav Grepl 2015-07-10 07:11:24 UTC 
/usr/sbin/ctdbd_wrapper                            all files          system_u:object_r:ctdbd_exec_t:s0 
/var/log/core(/.*)?                                all files          system_u:object_r:virt_cache_t:s0 
/var/run/ctdb(/.*)?                                all files          system_u:object_r:ctdbd_var_run_t:s0 
[root@dhcp159-143 ~]# matchpathcon /usr/sbin/ctdbd_wrapper
/usr/sbin/ctdbd_wrapper	system_u:object_r:ctdbd_exec_t:s0
[root@dhcp159-143 ~]# ls -Z /usr/sbin/ctdbd_wrapper
-rwxr-xr-x. root root system_u:object_r:ctdbd_exec_t:s0 /usr/sbin/ctdbd_wrapper

It looks correct to me.

Basically we don't care about unconfined_u. It means a label has been changed by a user.

The problem is we see unconfined_t instead of ctdbd_t for ctdbd process.
Comment 10 Miroslav Grepl 2015-07-10 07:17:15 UTC 
Also I see

#service ctdb start
#ps -eZ|grep ctdb
unconfined_u:system_r:ctdbd_t:s0 20047 ?       00:00:00 ctdbd
unconfined_u:system_r:ctdbd_t:s0 20200 ?       00:00:00 ctdb_recovered

So it looks correct. It means you need to start it without init script.
Comment 11 Michael Adam 2015-07-10 07:18:09 UTC 
(In reply to Miroslav Grepl from comment #9)
> /usr/sbin/ctdbd_wrapper                            all files         
> system_u:object_r:ctdbd_exec_t:s0 
> /var/log/core(/.*)?                                all files         
> system_u:object_r:virt_cache_t:s0 
> /var/run/ctdb(/.*)?                                all files         
> system_u:object_r:ctdbd_var_run_t:s0 
> [root@dhcp159-143 ~]# matchpathcon /usr/sbin/ctdbd_wrapper
> /usr/sbin/ctdbd_wrapper	system_u:object_r:ctdbd_exec_t:s0
> [root@dhcp159-143 ~]# ls -Z /usr/sbin/ctdbd_wrapper
> -rwxr-xr-x. root root system_u:object_r:ctdbd_exec_t:s0
> /usr/sbin/ctdbd_wrapper
> 
> It looks correct to me.
> 
> Basically we don't care about unconfined_u. It means a label has been
> changed by a user.
> 
> The problem is we see unconfined_t instead of ctdbd_t for ctdbd process.



Wait! We have set all the system_u flags manually with chcon.
They all were at unconfined_u.
Also, should this comment have gone into BZ #1235613 ?
Comment 17 errata-xmlrpc 2016-05-10 19:58:02 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-0763.html