Bug 1235637 - [SELinux] SMB: SELinux policy to be set for /usr/sbin/ctdbd_wrapper -RHEL-7.2
Summary: [SELinux] SMB: SELinux policy to be set for /usr/sbin/ctdbd_wrapper -RHEL-7.2
Keywords:
Status: CLOSED CANTFIX
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.1
Hardware: Unspecified
OS: Unspecified
unspecified
urgent
Target Milestone: rc
: ---
Assignee: Miroslav Grepl
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On: 1235613
Blocks: 1212796
Reported: 2015-06-25 11:56 UTC by Prasanth
Modified: 2015-07-03 07:38 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of: 1235613
Environment:
Last Closed: 2015-07-03 07:38:23 UTC
Target Upstream Version:
Embargoed:



Description Prasanth 2015-06-25 11:56:07 UTC
+++ This bug was initially created as a clone of Bug #1235613 +++

Description of problem:
**************************************
CTDB nodes not coming to healthy state after starting ctdb service.
SELinux is set to enforcing.

type=AVC msg=audit(06/25/2015 02:45:46.844:2625) : avc:  denied  { write } for  pid=22921 comm=net name=ctdbd.socket dev=dm-0 ino=1443389 scontext=unconfined_u:system_r:samba_net_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file 

If we check the context for the socket file:
srwx------. root root unconfined_u:object_r:var_run_t:s0 /var/run/ctdb/ctdbd.socket

After running restorecon -R -v /var/run/ctdb/ctdbd.socket we are again getting the correct context.

After analysis and debugging by the development team, it looks like the ctdb context has to be set on /usr/sbin/ctdbd_wrapper, because this is creating the /var/run/ctdb directory and it will apply the context on the contents of this directory.
When we tried to set the context for /usr/sbin/ctdbd_wrapper, remove /var/run/ctdb and then start the ctdb service, it works fine.

So we need the same attributes to be set for /usr/sbin/ctdbd_wrapper as is done for /usr/sbin/ctdbd.

Version-Release number of selected component (if applicable):
rpm -qa | grep ctdb
ctdb2.5-2.5.5-2.el6rhs.x86_64


How reproducible:
Always

Steps to Reproduce:
1. Install RHEL6.7, latest gluster rpms, latest samba and ctdb rpms
2. Do ctdb setup
3. Start ctdb service 

Actual results:
CTDB fails to start smb service and remains in UNHEALTHY state.

Expected results:
CTDB should be able to start smb service and should come to HEALTHY state.


Additional info:

--- Additional comment from Red Hat Bugzilla Rules Engine on 2015-06-25 06:23:02 EDT ---

This bug is automatically being proposed for Red Hat Gluster Storage 3.1.0 by setting the release flag 'rhgs‑3.1.0' to '?'. 

If this bug should be proposed for a different release, please manually change the proposed release flag.

--- Additional comment from surabhi on 2015-06-25 06:45:16 EDT ---

Comment 1 Milos Malik 2015-06-25 12:29:20 UTC
It would be better if the /var/run/ctdb directory were part of the ctdb RPM package. The directory would be labeled correctly during the package installation. The ctdbd.socket file in the /var/run/ctdb directory would inherit its label from the directory, which is the default behavior.

Comment 3 Miroslav Grepl 2015-07-03 07:38:23 UTC
This is not a selinux-policy bug.
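
Added example, not part of the original bug thread and not Red Hat tooling: a Python triage helper that parses the AVC denial quoted in the description and flags a generic target type such as var_run_t as a probable labeling problem rather than a missing policy rule, which is the conclusion the comments reach. The function names and the GENERIC_TYPES set are assumptions made for illustration.

```python
import re

# Constructed sample: the single denial quoted in the bug description.
SAMPLE_AVC = (
    "type=AVC msg=audit(06/25/2015 02:45:46.844:2625) : avc:  denied  { write } "
    "for  pid=22921 comm=net name=ctdbd.socket dev=dm-0 ino=1443389 "
    "scontext=unconfined_u:system_r:samba_net_t:s0 "
    "tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file"
)

# Assumption: types that usually mean "the object inherited a parent directory's
# default label" instead of carrying its intended service-specific type.
GENERIC_TYPES = {"var_run_t", "var_t", "var_lib_t", "var_log_t", "tmp_t",
                 "etc_t", "usr_t", "default_t", "unlabeled_t", "file_t"}

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")


def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None if not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("rest").split() if "=" in kv)
    fields["perms"] = m.group("perms").split()
    for key in ("scontext", "tcontext"):
        # A context is user:role:type:level; the level may itself contain ':'.
        parts = fields.get(key, "").split(":", 3)
        fields[key + "_type"] = parts[2] if len(parts) >= 3 else None
    return fields


def triage(line):
    """Classify a denial as a probable labeling problem or a policy question."""
    avc = parse_avc(line)
    if avc is None:
        return None
    # Generic target type: check how the object was created and labeled first
    # (packaged directory, restorecon) before asking for a new allow rule.
    verdict = "labeling" if avc["tcontext_type"] in GENERIC_TYPES else "policy"
    return {"source": avc["scontext_type"], "target": avc["tcontext_type"],
            "class": avc.get("tclass"), "perms": avc["perms"],
            "name": avc.get("name"), "verdict": verdict}


if __name__ == "__main__":
    print(triage(SAMPLE_AVC))
```

The verdict is a heuristic for sorting denials, not a replacement for comparing the on-disk label with the expected file context.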

