1255020 – watchdog.d and python script

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1255020 - watchdog.d and python script

Summary: watchdog.d and python script

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	7.1
Hardware:	All
OS:	Linux
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Lukas Vrabec
QA Contact:	Milos Malik
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1293384 1607798
TreeView+	depends on / blocked

Reported:	2015-08-19 12:48 UTC by Marek Grac
Modified:	2018-07-24 09:48 UTC (History)
CC List:	7 users (show)
Fixed In Version:	selinux-policy-3.13.1-50.el7
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Clones:	1293384 (view as bug list)
Environment:
Last Closed:	2015-11-19 10:43:55 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
SELinux module (2.33 KB, application/octet-stream) 2015-08-19 12:49 UTC, Marek Grac	no flags	Details
symlink.te (1.12 KB, text/plain) 2015-08-19 12:49 UTC, Marek Grac	no flags	Details
AVC (17.30 KB, text/plain) 2015-08-19 14:32 UTC, Marek Grac	no flags	Details
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2015:2300	0	normal	SHIPPED_LIVE	selinux-policy bug fix update	2015-11-19 09:55:26 UTC

Description Marek Grac 2015-08-19 12:48:20 UTC

fence_scsi_check.pl (.pl for historical reasons, it is python in 7.1) should be symlinked/copied to /etc/watchdog.d/. If binary is copied there it works as expected but python script is not working.

Steps to reproduce:

1. yum install watchdog fence-agents-scsi
2. ln -s /usr/share/cluster/fence_scsi_check.pl /etc/watchdog.d
or 'cp' instead of 'ln -s'
3. systemctl start watchdog

machine should be not be rebooted immediately.

Comment 1 Marek Grac 2015-08-19 12:49:32 UTC

Created attachment 1064823 [details]
SELinux module

Comment 2 Marek Grac 2015-08-19 12:49:56 UTC

Created attachment 1064824 [details]
symlink.te

Comment 3 Marek Grac 2015-08-19 12:50:57 UTC

Operation that have to be allowed are in attachment.

Comment 5 Miroslav Grepl 2015-08-19 13:02:19 UTC

Well AVCs would be much better. I believe it should be running under watchdog script domain.

If you just add

allow watchdog_t watchdog_unconfined_exec_t:lnk_file read;

how does it look?

Comment 6 Marek Grac 2015-08-19 14:32:18 UTC

allow watchdog_t watchdog_unconfined_exec_t:lnk_file read;

ends with rebooted machine and there are no AVC there - very likely because of reboot.

Comment 7 Marek Grac 2015-08-19 14:32:44 UTC

Created attachment 1064898 [details]
AVC

obtained AVCs

Comment 8 Miroslav Grepl 2015-08-21 07:56:11 UTC

Ok so the point is we have fence_scsi_check.pl symlink which points to /usr/share/cluster/fence_scsi_check.pl which is labeled as bin_t and all accesses are now needed for watchdog_t.

Do we need it for 7.2?

Comment 9 Marek Grac 2015-08-21 12:03:02 UTC

yes, 7.2 will be great. 

It is possible that we will request also 7.1.z but it will depends on how much GSS like workaround with semanage.

Comment 10 Miroslav Grepl 2015-08-24 16:05:07 UTC

Marek,
what does

rpm -qf /usr/share/cluster/fence_scsi_check.pl

? 

Is this script also used by other apps? The point is we could just change labeling from bin_t to watchdog_unconfined_exec_t and it would work. 

If it is not possible, we could talk about a new boolean to have rules coming from random scripts under watchdog_t.

Comment 11 Lukas Vrabec 2015-08-24 23:55:29 UTC

Mirek,




Hi Marek!

Could you reproduce it with this local policy? 

At First use:
# chcon -t fenced_exec_t /usr/share/cluster/fence_scsi_check.pl

# cat mymodule.te 
policy_module(mymodule 1.0);

require {
	type watchdog_unconfined_exec_t;
	type watchdog_t;
	type fenced_t;
}

#============= watchdog_t ==============
allow watchdog_t watchdog_unconfined_exec_t:lnk_file read;
allow fenced_t watchdog_unconfined_exec_t:lnk_file read;

corecmd_exec_bin(fenced_t)
corecmd_exec_bin(watchdog_t)

optional_policy(`
	libs_exec_ldconfig(fenced_t)
')

optional_policy(`
	rhcs_domtrans_fenced(watchdog_t)
')

# make -f /usr/share/selinux/devel/Makefile mymodule.pp
# semodule -i mymodule.pp

I tried it with both options (cp and ln) and I'm without AVCs.

Comment 13 Marek Grac 2015-08-26 16:27:46 UTC

(In reply to Miroslav Grepl from comment #10)
> Marek,
> what does
> 
> rpm -qf /usr/share/cluster/fence_scsi_check.pl
> 
> ? 

fence-agents-common-4.0.11-23.el7.x86_64
fence-agents-scsi-4.0.11-23.el7.x86_64

> Is this script also used by other apps? The point is we could just change
> labeling from bin_t to watchdog_unconfined_exec_t and it would work. 

No, it makes minimal sense to use this script in other application as it is written directly as watchdog script. There will be at least one other script that will be in 7.3 (already in 6.7) which will be used in similar way. But there should not be dozens of them.


> If it is not possible, we could talk about a new boolean to have rules
> coming from random scripts under watchdog_t.

Comment 14 Marek Grac 2015-08-26 16:31:42 UTC

@Lukas:

policy is working for me.

Comment 18 Lukas Vrabec 2015-08-27 15:00:00 UTC

commit 4ae305b3e8945dccbdb510127ee1fbb6bf05292e
Author: Lukas Vrabec <lvrabec>
Date:   Thu Aug 27 16:50:16 2015 +0200

    Allow watchdog execute fenced python script.
    Resolves: #1255020

commit 1cd2c2f5b47b90666c97e97d97a7c9e6fc02c4cf
Author: Lukas Vrabec <lvrabec>
Date:   Thu Aug 27 16:46:24 2015 +0200

    Added inferface watchdog_unconfined_exec_read_lnk_files()

Comment 28 errata-xmlrpc 2015-11-19 10:43:55 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2300.html

Note You need to log in before you can comment on or make changes to this bug.