Bug 1238066 - libStorageMgmt: SELinux is preventing MegaRAID plugin
Summary: libStorageMgmt: SELinux is preventing MegaRAID plugin
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.2
Hardware: x86_64
OS: Linux
Priority: low
Severity: low
Target Milestone: rc
Target Release: ---
Assignee: Lukas Vrabec
QA Contact: Marek Haicman
URL:
Whiteboard:
Depends On:
Blocks: 1331750
 
Reported: 2015-07-01 06:42 UTC by Gris Ge
Modified: 2016-11-04 02:19 UTC (History)
11 users

Fixed In Version: selinux-policy-3.13.1-94.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 1331750
Environment:
Last Closed: 2016-11-04 02:19:29 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2016:2283 0 normal SHIPPED_LIVE selinux-policy bug fix and enhancement update 2016-11-03 13:36:25 UTC

Description Gris Ge 2015-07-01 06:42:15 UTC
Description of problem:
SELinux is stopping libstoragemgmt MegaRAID plugin
/usr/lib/python2.7/site-packages/lsm/plugin/megaraid/megaraid.py

That plugin will execute the vendor binary tool -- storcli -- to:

* Create /dev/megaraid_sas_ioctl_node char device 
  with major number 249(megaraid_sas_ioctl).
* Read sysfs files.
* Execute ioctl on /dev/megaraid_sas_ioctl_node.

Version-Release number of selected component (if applicable):
libstoragemgmt-1.2.3-2.el7.x86_64
libstoragemgmt-megaraid-plugin-1.2.3-2.el7.noarch
storcli-1.14.12-1.noarch (vendor binary tool)
selinux-policy-targeted-3.13.1-23.el7.noarch

How reproducible:
100%

Steps to Reproduce:
1. Find a server with LSI MegaRAID card installed.
2. Download storcli from LSI website. (Don't use the buggy 1.15 release)
3. Install libstoragemgmt-megaraid-plugin-1.2.3-2.el7.noarch
4. Execute command `lsmcli ls -u megaraid://`

Actual results:
SELinux stopped the libstoragemgmt MegaRAID plugin.

Expected results:
MegaRAID plugin works well.

Additional info:
Not sure whether SELinux should include policy for third party binary tools or not.

There are 9 selinux messages, I will put them in the next comments.

Comment 1 Gris Ge 2015-07-01 07:02:34 UTC
I will postpone the log posting until you guys decide whether to include SELinux policy
for third party binary tools.

Comment 4 Miroslav Grepl 2015-12-18 15:36:18 UTC
Could you attach the SELinux messages?

Thank you.

Comment 5 Gris Ge 2016-01-13 05:59:57 UTC
[root@storageqe-07 ~]# grep storcli /var/log/audit/audit.log 
type=AVC msg=audit(1452664291.807:87): avc:  denied  { create } for  pid=2524 comm="storcli64" name="megaraid_sas_ioctl_node" scontext=system_u:system_r:lsmd_plugin_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1452664291.807:87): arch=c000003e syscall=133 success=no exit=-13 a0=9e6c7a a1=2100 a2=f800 a3=29cef90 items=0 ppid=2523 pid=2524 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="storcli64" exe="/opt/MegaRAID/storcli/storcli64" subj=system_u:system_r:lsmd_plugin_t:s0 key=(null)
type=AVC msg=audit(1452664291.817:88): avc:  denied  { create } for  pid=2525 comm="storcli64" name="megaraid_sas_ioctl_node" scontext=system_u:system_r:lsmd_plugin_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1452664291.817:88): arch=c000003e syscall=133 success=no exit=-13 a0=9e6c7a a1=2100 a2=f800 a3=2bf2350 items=0 ppid=2523 pid=2525 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="storcli64" exe="/opt/MegaRAID/storcli/storcli64" subj=system_u:system_r:lsmd_plugin_t:s0 key=(null)
type=AVC msg=audit(1452664444.087:115): avc:  denied  { create } for  pid=2575 comm="storcli64" name="megaraid_sas_ioctl_node" scontext=system_u:system_r:lsmd_plugin_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1452664444.087:115): arch=c000003e syscall=133 success=yes exit=0 a0=9e6c7a a1=2100 a2=f800 a3=1146f90 items=0 ppid=2574 pid=2575 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="storcli64" exe="/opt/MegaRAID/storcli/storcli64" subj=system_u:system_r:lsmd_plugin_t:s0 key=(null)
type=AVC msg=audit(1452664444.087:116): avc:  denied  { read } for  pid=2575 comm="storcli64" name="megaraid_sas_ioctl_node" dev="devtmpfs" ino=20068 scontext=system_u:system_r:lsmd_plugin_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1452664444.087:116): avc:  denied  { open } for  pid=2575 comm="storcli64" path="/dev/megaraid_sas_ioctl_node" dev="devtmpfs" ino=20068 scontext=system_u:system_r:lsmd_plugin_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1452664444.087:116): arch=c000003e syscall=2 success=yes exit=5 a0=9e6c7a a1=0 a2=f800 a3=1146f90 items=0 ppid=2574 pid=2575 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="storcli64" exe="/opt/MegaRAID/storcli/storcli64" subj=system_u:system_r:lsmd_plugin_t:s0 key=(null)
type=AVC msg=audit(1452664444.087:117): avc:  denied  { ioctl } for  pid=2575 comm="storcli64" path="/dev/megaraid_sas_ioctl_node" dev="devtmpfs" ino=20068 scontext=system_u:system_r:lsmd_plugin_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1452664444.087:117): arch=c000003e syscall=16 success=yes exit=0 a0=5 a1=c1944d01 a2=11495f0 a3=1149604 items=0 ppid=2574 pid=2575 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="storcli64" exe="/opt/MegaRAID/storcli/storcli64" subj=system_u:system_r:lsmd_plugin_t:s0 key=(null)
type=AVC msg=audit(1452664444.098:118): avc:  denied  { getattr } for  pid=2576 comm="storcli64" path="/dev/megaraid_sas_ioctl_node" dev="devtmpfs" ino=20068 scontext=system_u:system_r:lsmd_plugin_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1452664444.098:118): arch=c000003e syscall=4 success=yes exit=0 a0=9e6c7a a1=7ffc21c07100 a2=7ffc21c07100 a3=2329350 items=0 ppid=2574 pid=2576 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="storcli64" exe="/opt/MegaRAID/storcli/storcli64" subj=system_u:system_r:lsmd_plugin_t:s0 key=(null)


[root@storageqe-07 ~]# cat mypol.te

module mypol 1.0;

require {
        type lsmd_plugin_t;
        type device_t;
        class chr_file { read create open ioctl getattr };
}

#============= lsmd_plugin_t ==============
allow lsmd_plugin_t device_t:chr_file { read create open ioctl getattr };

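The module above is what audit2allow produces from these records. As an added example (not code from the bug report or from the selinux-policy or libstoragemgmt projects), the following Python script triages constructed copies of the records in comment 5 the way a policy reviewer would: it aggregates the AVC denials into the same allow rule, pairs each AVC with its SYSCALL record by audit serial to separate denials that were actually blocked (success=no, records 87 and 88) from those that were only logged (success=yes, records 115 to 118, i.e. collected in permissive mode), and flags any rule whose target is a generic fallback label such as device_t. The GENERIC_TARGET_TYPES set, the trimmed SYSCALL lines and the function names are my own choices.

```python
import re
from collections import defaultdict

# Constructed sample: copies of the AVC/SYSCALL records posted in comment 5,
# with the SYSCALL lines trimmed to the fields this script reads.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1452664291.807:87): avc:  denied  { create } for  pid=2524 comm="storcli64" name="megaraid_sas_ioctl_node" scontext=system_u:system_r:lsmd_plugin_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1452664291.807:87): arch=c000003e syscall=133 success=no exit=-13 comm="storcli64" exe="/opt/MegaRAID/storcli/storcli64"
type=AVC msg=audit(1452664291.817:88): avc:  denied  { create } for  pid=2525 comm="storcli64" name="megaraid_sas_ioctl_node" scontext=system_u:system_r:lsmd_plugin_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1452664291.817:88): arch=c000003e syscall=133 success=no exit=-13 comm="storcli64" exe="/opt/MegaRAID/storcli/storcli64"
type=AVC msg=audit(1452664444.087:115): avc:  denied  { create } for  pid=2575 comm="storcli64" name="megaraid_sas_ioctl_node" scontext=system_u:system_r:lsmd_plugin_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1452664444.087:115): arch=c000003e syscall=133 success=yes exit=0 comm="storcli64" exe="/opt/MegaRAID/storcli/storcli64"
type=AVC msg=audit(1452664444.087:116): avc:  denied  { read } for  pid=2575 comm="storcli64" name="megaraid_sas_ioctl_node" dev="devtmpfs" ino=20068 scontext=system_u:system_r:lsmd_plugin_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1452664444.087:116): avc:  denied  { open } for  pid=2575 comm="storcli64" path="/dev/megaraid_sas_ioctl_node" dev="devtmpfs" ino=20068 scontext=system_u:system_r:lsmd_plugin_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1452664444.087:116): arch=c000003e syscall=2 success=yes exit=5 comm="storcli64" exe="/opt/MegaRAID/storcli/storcli64"
type=AVC msg=audit(1452664444.087:117): avc:  denied  { ioctl } for  pid=2575 comm="storcli64" path="/dev/megaraid_sas_ioctl_node" dev="devtmpfs" ino=20068 scontext=system_u:system_r:lsmd_plugin_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1452664444.087:117): arch=c000003e syscall=16 success=yes exit=0 comm="storcli64" exe="/opt/MegaRAID/storcli/storcli64"
type=AVC msg=audit(1452664444.098:118): avc:  denied  { getattr } for  pid=2576 comm="storcli64" path="/dev/megaraid_sas_ioctl_node" dev="devtmpfs" ino=20068 scontext=system_u:system_r:lsmd_plugin_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1452664444.098:118): arch=c000003e syscall=4 success=yes exit=0 comm="storcli64" exe="/opt/MegaRAID/storcli/storcli64"
"""

AVC_RE = re.compile(
    r"type=AVC msg=audit\([\d.]+:(?P<serial>\d+)\): avc:\s+denied\s+\{ (?P<perms>[^}]+)\}"
    r".*?scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)")
SYSCALL_RE = re.compile(
    r"type=SYSCALL msg=audit\([\d.]+:(?P<serial>\d+)\):.*?success=(?P<success>yes|no)")

# Generic fallback labels (my choice of set): an allow rule against one of these
# grants access to every object carrying the default label, not just the one
# device node named in the denial.
GENERIC_TARGET_TYPES = {"device_t", "unlabeled_t"}


def setype(context):
    """user:role:type:level -> type"""
    return context.split(":")[2]


def parse_denials(text):
    """One dict per AVC denial, joined to its SYSCALL record by audit serial."""
    denials, outcomes = [], {}
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            denials.append({"serial": m["serial"], "perms": set(m["perms"].split()),
                            "scon": m["scon"], "tcon": m["tcon"], "tclass": m["tclass"]})
            continue
        m = SYSCALL_RE.search(line)
        if m:
            outcomes[m["serial"]] = m["success"] == "yes"
    for d in denials:
        # A denied AVC whose syscall still succeeded was only logged, i.e. the
        # system (or the domain) was permissive; None means no SYSCALL record.
        d["permissive"] = outcomes.get(d["serial"])
    return denials


def aggregate(denials):
    """Collapse denials into (source type, target type, class) -> permission set."""
    rules = defaultdict(set)
    for d in denials:
        rules[(setype(d["scon"]), setype(d["tcon"]), d["tclass"])] |= d["perms"]
    return dict(rules)


def broad_rules(rules):
    """Rules whose target is a generic label: candidates for a named file
    transition to a specific type instead of a blanket allow."""
    return sorted(k for k in rules if k[1] in GENERIC_TARGET_TYPES)


def render_module(name, rules):
    """Emit an audit2allow-style .te module for the aggregated rules."""
    types = sorted({s for s, _, _ in rules} | {t for _, t, _ in rules})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls] |= perms
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (s, t, cls), perms in sorted(rules.items()):
        out.append(f"allow {s} {t}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"


def outcome_label(d):
    if d["permissive"] is None:
        return "no SYSCALL record"
    return "logged only (permissive)" if d["permissive"] else "blocked (enforcing)"


if __name__ == "__main__":
    found = parse_denials(SAMPLE_AUDIT_LOG)
    agg = aggregate(found)
    print(render_module("mypol", agg))
    for src, tgt, cls in broad_rules(agg):
        print(f"# WARNING: {src} -> {tgt}:{cls} targets a generic label; "
              "prefer a type_transition to a specific device type")
    for d in found:
        print(f"# serial {d['serial']}: {sorted(d['perms'])} {outcome_label(d)}")
```

The warning is the point: device_t is the label a device node gets when no more specific file context applies, so `allow lsmd_plugin_t device_t:chr_file { ... ioctl ... }` lets the plugin domain (and any third party binary it runs) open and ioctl every such node. The fix that shipped (comment 7, verified in comment 23) is narrower: a named file transition, `type_transition lsmd_plugin_t device_t : chr_file fixed_disk_device_t megaraid_sas_ioctl_node`, labels the node storcli creates as fixed_disk_device_t, and only the plugin domain's rights on that type apply. On a fixed system `matchpathcon /dev/megaraid_sas_ioctl_node` should report fixed_disk_device_t, which is the check the QA run in comment 23 performs.
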
Comment 6 Miroslav Grepl 2016-01-18 09:19:16 UTC
Is this a default plugin?

storage_dev_filetrans_named_fixed_disk(lsmd_plugin_t)

will fix it. We probably want to think to make lsmd_plugin_t as untrusted - unconfined_domain.

Comment 7 Lukas Vrabec 2016-03-22 12:37:31 UTC
I'm going to add the rule storage_dev_filetrans_named_fixed_disk(lsmd_plugin_t) to the policy. If I find more troubles around these plugins, I'll make this domain unconfined.

Comment 8 Mike McCune 2016-03-28 22:59:28 UTC
This bug was accidentally moved from POST to MODIFIED via an error in automation, please see mmccune with any questions

Comment 10 Gris Ge 2016-04-15 12:30:18 UTC
(In reply to Miroslav Grepl from comment #6)
> Is this a default plugin?
> 
> storage_dev_filetrans_named_fixed_disk(lsmd_plugin_t)
> 
> will fix it. We probably want to think to make lsmd_plugin_t as untrusted -
> unconfined_domain.

There is no default plugin for libstoragemgmt.
But since we ship this plugin along with others, maybe we should make sure
SELinux does not stop user from using this plugin.

Comment 11 Lukas Vrabec 2016-04-18 11:31:29 UTC
(In reply to Gris Ge from comment #10)
> (In reply to Miroslav Grepl from comment #6)
> > Is this a default plugin?
> > 
> > storage_dev_filetrans_named_fixed_disk(lsmd_plugin_t)
> > 
> > will fix it. We probably want to think to make lsmd_plugin_t as untrusted -
> > unconfined_domain.
> 
> There is no default plugin for libstoragemgmt.
> But since we ship this plugin along with others, maybe we should make sure
> SELinux does not stop user from using this plugin.

Do we have more SELinux problems with libstoragemgmt plugins? We need to find a balance between security and usability, so making libstoragemgmt an unconfined domain is the last step here.

Comment 12 Gris Ge 2016-04-18 12:52:33 UTC
libstoragemgmt plugins:

 * libstoragemgmt-hpsa-plugin
   Invokes the 'hpssacli' HP binary tool with root privilege. Check bug #1238079 for details.
 * libstoragemgmt-megaraid-plugin
   Invokes 'storcli' or 'perccli' (LSI/Dell binary tools) with root privilege. Current bug.
 * libstoragemgmt-netapp-plugin
   Runs as the non-privileged user -- libstoragemgmt, accesses the http/https service of the NetApp array.
 * libstoragemgmt-nstor-plugin
   Runs as the non-privileged user -- libstoragemgmt, accesses port 2000 or 8457 of the Nexenta array.
 * libstoragemgmt-smis-plugin
   Runs as the non-privileged user -- libstoragemgmt, accesses port 5988 or 5989 of the SMI-S provider.
 * libstoragemgmt-targetd-plugin
   Runs as the non-privileged user -- libstoragemgmt, accesses port 18700 of the remote targetd daemon.
 * Built-in plugins -- simc and sim, packaged in libstoragemgmt and libstoragemgmt-python
   Run as the non-privileged user -- libstoragemgmt, read and write the local file /tmp//lsm_sim_data.

Comment 13 Gris Ge 2016-04-18 12:55:27 UTC
We might have more SELinux issues as the libstoragemgmt library might invoke the SG_IO ioctl against /dev/sdX. Will report a new bug and update here if found.

Besides that, I believe we are all good now on SELinux issues if this bug is fixed.

Comment 23 Marek Haicman 2016-09-13 15:53:49 UTC
Functional testing confirmed fix in the version selinux-policy-3.13.1-94.el7.noarch


Sanity check passing too.

:: [   INFO   ] ::     selinux-policy-3.13.1-97.el7.noarch
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: bz#1238066
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   PASS   ] :: Result of matchpathcon /dev/megaraid_sas_ioctl_node should contain fixed_disk_device_t (Assert: expected 0, got 0)
:: [   INFO   ] :: checking rule 'type_transition lsmd_plugin_t device_t : chr_file fixed_disk_device_t megaraid_sas_ioctl_node'
:: [   PASS   ] ::   check permission 'fixed_disk_device_t' is present (Assert: '0' should equal '0')
:: [   INFO   ] :: checking rule 'allow lsmd_plugin_t ldconfig_exec_t:file { execute_no_trans getattr }'
:: [   PASS   ] ::   check permission 'execute_no_trans' is present (Assert: '0' should equal '0')
:: [   PASS   ] ::   check permission 'getattr' is present (Assert: '0' should equal '0')
:: [   INFO   ] :: checking rule 'allow lsmd_plugin_t fixed_disk_device_t:chr_file create'
:: [   PASS   ] ::   check permission 'create' is present (Assert: '0' should equal '0')
:: [   LOG    ] :: Duration: 1s
:: [   LOG    ] :: Assertions: 5 good, 0 bad
:: [   PASS   ] :: RESULT: bz#1238066

Comment 25 errata-xmlrpc 2016-11-04 02:19:29 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2283.html

