Bug 1260682 - avc running pacemaker tests (iptables, xtables)
avc running pacemaker tests (iptables, xtables)
Status: CLOSED DUPLICATE of bug 1243403
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy (Show other bugs)
7.2
All Linux
unspecified Severity unspecified
: rc
: ---
Assigned To: Lukas Vrabec
Milos Malik
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2015-09-07 08:48 EDT by michal novacek
Modified: 2015-09-10 11:17 EDT (History)
7 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-09-10 11:17:33 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description michal novacek 2015-09-07 08:48:38 EDT
Description of problem:
This probably has nothing to do with cluster but happens with our regular
cluster testing suites. 

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-47.el7.noarch

How reproducible: always

Actual results:
[root@virt-063 ~]# grep /run/xtables.lock /var/log/audit/audit.log
----> using /usr/tests/resource-STSRHTS28437.xml
type=AVC msg=audit(1441622449.862:782): avc:  denied  { open } for  pid=1591 comm="iptables" path="/run/xtables.lock" dev="tmpfs" ino=33335 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1441622449.862:783): avc:  denied  { lock } for  pid=1591 comm="iptables" path="/run/xtables.lock" dev="tmpfs" ino=33335 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1441622492.315:807): avc:  denied  { open } for  pid=1836 comm="iptables" path="/run/xtables.lock" dev="tmpfs" ino=33335 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1441622492.315:808): avc:  denied  { lock } for  pid=1836 comm="iptables" path="/run/xtables.lock" dev="tmpfs" ino=33335 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1441622550.980:845): avc:  denied  { open } for  pid=2063 comm="iptables" path="/run/xtables.lock" dev="tmpfs" ino=33335 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1441622550.980:846): avc:  denied  { lock } for  pid=2063 comm="iptables" path="/run/xtables.lock" dev="tmpfs" ino=33335 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
---

Expected results: no avc (rules added to default policy)

Additional info:

I'm running all iptables commands with '-w' which is probably the reason for the denials.

Creating allow rule from these denials solves the problem.

[root@virt-063 ~]# grep /run/xtables.lock | audit2allow -a
#============= iptables_t ==============
allow iptables_t var_run_t:file { read lock open };

[root@virt-063 ~]# grep /run/xtables.lock | audit2allow -a -M xtables
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i xtables.pp

[root@virt-063 ~]# semodule -i xtables.pp
Comment 2 Milos Malik 2015-09-07 09:17:47 EDT
The xtables.lock file is mislabeled. We need to find out, which process created it. restorecon -v /run/xtables.lock is able to correct the label.
Comment 3 Milos Malik 2015-09-07 09:43:23 EDT
Here is the reproducer:

# service NetworkManager stop
Redirecting to /bin/systemctl stop  NetworkManager.service
# service firewalld stop
Redirecting to /bin/systemctl stop  firewalld.service
# rm -f /run/xtables.lock 
# service iptables start
Redirecting to /bin/systemctl start  iptables.service
# ls -Z /run/xtables.lock 
ls: cannot access /run/xtables.lock: No such file or directory
# service ip6tables start
Redirecting to /bin/systemctl start  ip6tables.service
# ls -Z /run/xtables.lock 
ls: cannot access /run/xtables.lock: No such file or directory
# service firewalld start
Redirecting to /bin/systemctl start  firewalld.service
# ls -Z /run/xtables.lock 
-rw-------. root root system_u:object_r:var_run_t:s0   /run/xtables.lock
# 

A special policy module, which contains an auditallow rule, revealed which process created the xtables.lock file:
----
type=PATH msg=audit(09/07/2015 15:26:51.078:3156) : item=1 name=/run/xtables.lock inode=417551 dev=00:12 mode=file,600 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_run_t:s0 objtype=CREATE 
type=PATH msg=audit(09/07/2015 15:26:51.078:3156) : item=0 name=/run/ inode=6608 dev=00:12 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_run_t:s0 objtype=PARENT 
type=CWD msg=audit(09/07/2015 15:26:51.078:3156) :  cwd=/ 
type=SYSCALL msg=audit(09/07/2015 15:26:51.078:3156) : arch=x86_64 syscall=open success=yes exit=3 a0=0x4129fb a1=O_RDONLY|O_CREAT a2=0600 a3=0x7ffd7eccf3c0 items=2 ppid=10827 pid=10849 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ip6tables exe=/usr/sbin/xtables-multi subj=system_u:system_r:unconfined_service_t:s0 key=(null) 
type=AVC msg=audit(09/07/2015 15:26:51.078:3156) : avc:  granted  { create } for  pid=10849 comm=ip6tables name=xtables.lock scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file 
----
Comment 4 Miroslav Grepl 2015-09-08 14:21:47 EDT
Which service does it causes and is running as unconfined_service_t?
Comment 5 Milos Malik 2015-09-09 05:34:27 EDT
I don't know. Here is another reproducer of the issue:

 * https://bugzilla.redhat.com/show_bug.cgi?id=1243403#c17
Comment 6 Miroslav Grepl 2015-09-10 11:17:33 EDT

*** This bug has been marked as a duplicate of bug 1243403 ***

Note You need to log in before you can comment on or make changes to this bug.