Bug 1255020 - watchdog.d and python script
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
7.1
All Linux
Assigned To: Lukas Vrabec
Milos Malik
Blocks: 1293384
Reported: 2015-08-19 08:48 EDT by Marek Grac
Modified: 2015-12-21 10:51 EST (History)
Fixed In Version: selinux-policy-3.13.1-50.el7
Doc Type: Bug Fix
: 1293384 (view as bug list)
Last Closed: 2015-11-19 05:43:55 EST
Type: Bug

Attachments
SELinux module (2.33 KB, application/octet-stream)
2015-08-19 08:49 EDT, Marek Grac
symlink.te (1.12 KB, text/plain)
2015-08-19 08:49 EDT, Marek Grac
AVC (17.30 KB, text/plain)
2015-08-19 10:32 EDT, Marek Grac
Description Marek Grac 2015-08-19 08:48:20 EDT
fence_scsi_check.pl (.pl for historical reasons; it is python in 7.1) should be symlinked/copied to /etc/watchdog.d/. If a binary is copied there it works as expected, but the python script is not working.

Steps to reproduce:

1. yum install watchdog fence-agents-scsi
2. ln -s /usr/share/cluster/fence_scsi_check.pl /etc/watchdog.d
or 'cp' instead of 'ln -s'
3. systemctl start watchdog

The machine should not be rebooted immediately.
Comment 1 Marek Grac 2015-08-19 08:49:32 EDT
Created attachment 1064823 [details]
SELinux module
Comment 2 Marek Grac 2015-08-19 08:49:56 EDT
Created attachment 1064824 [details]
symlink.te
Comment 3 Marek Grac 2015-08-19 08:50:57 EDT
Operations that have to be allowed are in the attachment.
Comment 5 Miroslav Grepl 2015-08-19 09:02:19 EDT
Well, AVCs would be much better. I believe it should be running under the watchdog script domain.

If you just add

allow watchdog_t watchdog_unconfined_exec_t:lnk_file read;

how does it look?
Comment 6 Marek Grac 2015-08-19 10:32:18 EDT
allow watchdog_t watchdog_unconfined_exec_t:lnk_file read;

ends with a rebooted machine and there are no AVCs there, very likely because of the reboot.
Comment 7 Marek Grac 2015-08-19 10:32:44 EDT
Created attachment 1064898 [details]
AVC

obtained AVCs
Comment 8 Miroslav Grepl 2015-08-21 03:56:11 EDT
Ok, so the point is we have a fence_scsi_check.pl symlink which points to /usr/share/cluster/fence_scsi_check.pl, which is labeled as bin_t, and all accesses are now needed for watchdog_t.

Do we need it for 7.2?
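An added example, not from this bug or its attachments, that does what Miroslav asks for in comment 5 and Marek supplies in comment 7: parse kernel AVC denial records and collapse them into the allow rules they imply (the grouping audit2allow performs), while flagging rules that would target a generic type such as bin_t, which is the labeling problem comment 8 identifies. The audit lines are constructed to resemble the denials described in this thread; the regex assumes the standard user:role:type:level context layout.

```python
import re
from collections import defaultdict

# Constructed sample AVC records modelled on the denials discussed in this bug
# (watchdog_t reading a symlink in /etc/watchdog.d and executing the bin_t
# script it points to). They are not the attached AVC file.
SAMPLE_AVCS = """\
type=AVC msg=audit(1439994738.123:456): avc:  denied  { read } for  pid=1234 comm="watchdog" name="fence_scsi_check.pl" dev="dm-0" ino=1001 scontext=system_u:system_r:watchdog_t:s0 tcontext=system_u:object_r:watchdog_unconfined_exec_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1439994738.124:457): avc:  denied  { execute } for  pid=1234 comm="watchdog" name="fence_scsi_check.pl" dev="dm-0" ino=1002 scontext=system_u:system_r:watchdog_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0
type=AVC msg=audit(1439994738.125:458): avc:  denied  { read open } for  pid=1234 comm="watchdog" name="fence_scsi_check.pl" dev="dm-0" ino=1002 scontext=system_u:system_r:watchdog_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0
type=USER_AVC msg=audit(1439994738.126:459): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received setenforce notice (enforcing=1)'
"""

# The type is the third colon-separated field of a context (user:role:type:level).
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?:[^:\s]+:){2}(?P<stype>[^:\s]+).*?"
    r"tcontext=(?:[^:\s]+:){2}(?P<ttype>[^:\s]+).*?"
    r"tclass=(?P<tclass>\S+)"
)


def parse_avcs(text):
    """Return (source type, target type, class, permissions) per denial line."""
    out = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:  # records that are not denials (e.g. USER_AVC notices) are skipped
            out.append((m["stype"], m["ttype"], m["tclass"], set(m["perms"].split())))
    return out


def allow_rules(text):
    """Collapse denials into one allow rule per (source, target, class),
    merging permissions; rules are sorted for stable output."""
    perms_by_key = defaultdict(set)
    for stype, ttype, tclass, perms in parse_avcs(text):
        perms_by_key[(stype, ttype, tclass)] |= perms
    rules = []
    for (stype, ttype, tclass), perms in perms_by_key.items():
        p = " ".join(sorted(perms))
        if len(perms) > 1:
            p = "{ %s }" % p
        rules.append("allow %s %s:%s %s;" % (stype, ttype, tclass, p))
    return sorted(rules)


def generic_targets(text, generic=("bin_t",)):
    """Flag (target type, class) pairs on generic types: an allow rule on bin_t
    covers every bin_t file, not just this script, so it deserves review
    (relabeling the script, as comment 10 proposes) rather than blind pasting."""
    return sorted({(t, c) for _, t, c, _ in parse_avcs(text) if t in generic})
```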
Comment 9 Marek Grac 2015-08-21 08:03:02 EDT
Yes, 7.2 will be great.

It is possible that we will also request 7.1.z, but it will depend on how much GSS likes the workaround with semanage.
Comment 10 Miroslav Grepl 2015-08-24 12:05:07 EDT
Marek,
what does

rpm -qf /usr/share/cluster/fence_scsi_check.pl

? 

Is this script also used by other apps? The point is we could just change the labeling from bin_t to watchdog_unconfined_exec_t and it would work.

If that is not possible, we could talk about a new boolean to allow rules coming from random scripts under watchdog_t.
Comment 11 Lukas Vrabec 2015-08-24 19:55:29 EDT
Mirek,

Hi Marek!

Could you reproduce it with this local policy? 

First, use:
# chcon -t fenced_exec_t /usr/share/cluster/fence_scsi_check.pl

# cat mymodule.te 
policy_module(mymodule 1.0);

require {
	type watchdog_unconfined_exec_t;
	type watchdog_t;
	type fenced_t;
}

#============= watchdog_t ==============
allow watchdog_t watchdog_unconfined_exec_t:lnk_file read;
allow fenced_t watchdog_unconfined_exec_t:lnk_file read;

corecmd_exec_bin(fenced_t)
corecmd_exec_bin(watchdog_t)

optional_policy(`
	libs_exec_ldconfig(fenced_t)
')

optional_policy(`
	rhcs_domtrans_fenced(watchdog_t)
')

# make -f /usr/share/selinux/devel/Makefile mymodule.pp
# semodule -i mymodule.pp

I tried it with both options (cp and ln) and I get no AVCs.
Comment 13 Marek Grac 2015-08-26 12:27:46 EDT
(In reply to Miroslav Grepl from comment #10)
> Marek,
> what does
> 
> rpm -qf /usr/share/cluster/fence_scsi_check.pl
> 
> ? 

fence-agents-common-4.0.11-23.el7.x86_64
fence-agents-scsi-4.0.11-23.el7.x86_64

> Is this script also used by other apps? The point is we could just change
> labeling from bin_t to watchdog_unconfined_exec_t and it would work. 

No, it makes minimal sense to use this script in other applications, as it is written directly as a watchdog script. There will be at least one other script in 7.3 (already in 6.7) which will be used in a similar way. But there should not be dozens of them.


> If it is not possible, we could talk about a new boolean to have rules
> coming from random scripts under watchdog_t.
Comment 14 Marek Grac 2015-08-26 12:31:42 EDT
@Lukas:

The policy is working for me.
Comment 18 Lukas Vrabec 2015-08-27 11:00:00 EDT
commit 4ae305b3e8945dccbdb510127ee1fbb6bf05292e
Author: Lukas Vrabec <lvrabec@redhat.com>
Date:   Thu Aug 27 16:50:16 2015 +0200

    Allow watchdog execute fenced python script.
    Resolves: #1255020

commit 1cd2c2f5b47b90666c97e97d97a7c9e6fc02c4cf
Author: Lukas Vrabec <lvrabec@redhat.com>
Date:   Thu Aug 27 16:46:24 2015 +0200

    Added interface watchdog_unconfined_exec_read_lnk_files()
Comment 28 errata-xmlrpc 2015-11-19 05:43:55 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2300.html
