Bug 1255020 - watchdog.d and python script
Summary: watchdog.d and python script
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.1
Hardware: All
OS: Linux
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Lukas Vrabec
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks: 1293384 1607798
TreeView+ depends on / blocked
 
Reported: 2015-08-19 12:48 UTC by Marek Grac
Modified: 2018-07-24 09:48 UTC (History)
7 users (show)

Fixed In Version: selinux-policy-3.13.1-50.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 1293384 (view as bug list)
Environment:
Last Closed: 2015-11-19 10:43:55 UTC
Target Upstream Version:


Attachments (Terms of Use)
SELinux module (2.33 KB, application/octet-stream)
2015-08-19 12:49 UTC, Marek Grac
no flags Details
symlink.te (1.12 KB, text/plain)
2015-08-19 12:49 UTC, Marek Grac
no flags Details
AVC (17.30 KB, text/plain)
2015-08-19 14:32 UTC, Marek Grac
no flags Details


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2015:2300 normal SHIPPED_LIVE selinux-policy bug fix update 2015-11-19 09:55:26 UTC

Description Marek Grac 2015-08-19 12:48:20 UTC
fence_scsi_check.pl (.pl for historical reasons, it is python in 7.1) should be symlinked/copied to /etc/watchdog.d/. If binary is copied there it works as expected but python script is not working.

Steps to reproduce:

1. yum install watchdog fence-agents-scsi
2. ln -s /usr/share/cluster/fence_scsi_check.pl /etc/watchdog.d
or 'cp' instead of 'ln -s'
3. systemctl start watchdog

machine should be not be rebooted immediately.

Comment 1 Marek Grac 2015-08-19 12:49:32 UTC
Created attachment 1064823 [details]
SELinux module

Comment 2 Marek Grac 2015-08-19 12:49:56 UTC
Created attachment 1064824 [details]
symlink.te

Comment 3 Marek Grac 2015-08-19 12:50:57 UTC
Operation that have to be allowed are in attachment.

Comment 5 Miroslav Grepl 2015-08-19 13:02:19 UTC
Well AVCs would be much better. I believe it should be running under watchdog script domain.

If you just add

allow watchdog_t watchdog_unconfined_exec_t:lnk_file read;

how does it look?

Comment 6 Marek Grac 2015-08-19 14:32:18 UTC
allow watchdog_t watchdog_unconfined_exec_t:lnk_file read;

ends with rebooted machine and there are no AVC there - very likely because of reboot.

Comment 7 Marek Grac 2015-08-19 14:32:44 UTC
Created attachment 1064898 [details]
AVC

obtained AVCs

Comment 8 Miroslav Grepl 2015-08-21 07:56:11 UTC
Ok so the point is we have fence_scsi_check.pl symlink which points to /usr/share/cluster/fence_scsi_check.pl which is labeled as bin_t and all accesses are now needed for watchdog_t.

Do we need it for 7.2?

Comment 9 Marek Grac 2015-08-21 12:03:02 UTC
yes, 7.2 will be great. 

It is possible that we will request also 7.1.z but it will depends on how much GSS like workaround with semanage.

Comment 10 Miroslav Grepl 2015-08-24 16:05:07 UTC
Marek,
what does

rpm -qf /usr/share/cluster/fence_scsi_check.pl

? 

Is this script also used by other apps? The point is we could just change labeling from bin_t to watchdog_unconfined_exec_t and it would work. 

If it is not possible, we could talk about a new boolean to have rules coming from random scripts under watchdog_t.

Comment 11 Lukas Vrabec 2015-08-24 23:55:29 UTC
Mirek,




Hi Marek!

Could you reproduce it with this local policy? 

At First use:
# chcon -t fenced_exec_t /usr/share/cluster/fence_scsi_check.pl

# cat mymodule.te 
policy_module(mymodule 1.0);

require {
	type watchdog_unconfined_exec_t;
	type watchdog_t;
	type fenced_t;
}

#============= watchdog_t ==============
allow watchdog_t watchdog_unconfined_exec_t:lnk_file read;
allow fenced_t watchdog_unconfined_exec_t:lnk_file read;

corecmd_exec_bin(fenced_t)
corecmd_exec_bin(watchdog_t)

optional_policy(`
	libs_exec_ldconfig(fenced_t)
')

optional_policy(`
	rhcs_domtrans_fenced(watchdog_t)
')

# make -f /usr/share/selinux/devel/Makefile mymodule.pp
# semodule -i mymodule.pp

I tried it with both options (cp and ln) and I'm without AVCs.

Comment 13 Marek Grac 2015-08-26 16:27:46 UTC
(In reply to Miroslav Grepl from comment #10)
> Marek,
> what does
> 
> rpm -qf /usr/share/cluster/fence_scsi_check.pl
> 
> ? 

fence-agents-common-4.0.11-23.el7.x86_64
fence-agents-scsi-4.0.11-23.el7.x86_64

> Is this script also used by other apps? The point is we could just change
> labeling from bin_t to watchdog_unconfined_exec_t and it would work. 

No, it makes minimal sense to use this script in other application as it is written directly as watchdog script. There will be at least one other script that will be in 7.3 (already in 6.7) which will be used in similar way. But there should not be dozens of them.


> If it is not possible, we could talk about a new boolean to have rules
> coming from random scripts under watchdog_t.

Comment 14 Marek Grac 2015-08-26 16:31:42 UTC
@Lukas:

policy is working for me.

Comment 18 Lukas Vrabec 2015-08-27 15:00:00 UTC
commit 4ae305b3e8945dccbdb510127ee1fbb6bf05292e
Author: Lukas Vrabec <lvrabec@redhat.com>
Date:   Thu Aug 27 16:50:16 2015 +0200

    Allow watchdog execute fenced python script.
    Resolves: #1255020

commit 1cd2c2f5b47b90666c97e97d97a7c9e6fc02c4cf
Author: Lukas Vrabec <lvrabec@redhat.com>
Date:   Thu Aug 27 16:46:24 2015 +0200

    Added inferface watchdog_unconfined_exec_read_lnk_files()

Comment 28 errata-xmlrpc 2015-11-19 10:43:55 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2300.html


Note You need to log in before you can comment on or make changes to this bug.