Bug 1289640 - Samba / CTDB SELinux issues when CTDB doesn't manage Samba
Summary: Samba / CTDB SELinux issues when CTDB doesn't manage Samba
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: samba
Version: 7.3
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Andreas Schneider
QA Contact: Robin Hack
URL:
Whiteboard:
Depends On:
Blocks: 1289642 1295396 1435708
Reported: 2015-12-08 16:04 UTC by Oyvind Albrigtsen
Modified: 2017-03-24 15:00 UTC (History)

Fixed In Version: samba-4.4.4-1.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Clones: 1289642 1435708
Environment:
Last Closed: 2016-11-04 06:58:25 UTC
Target Upstream Version:
Embargoed:
Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2016:2468 0 normal SHIPPED_LIVE samba bug fix and enhancement update 2016-11-03 14:06:51 UTC
Samba Project 11577 0 None None None 2019-07-17 12:13:41 UTC

Description Oyvind Albrigtsen 2015-12-08 16:04:31 UTC
Description of problem:
Samba and CTDB have some SELinux issues when CTDB isn't managing Samba (I run it with Pacemaker).

Version-Release number of selected component (if applicable):


How reproducible:
100%

Steps to Reproduce:
1. Setup CTDB and Samba with Pacemaker (I'll add the instructions for how to set it up)
2. pcs resource enable ctdb-clone
3. pcs resource enable samba-clone

Actual results:
SELinux errors regarding the /etc/ctdb/events.d scripts and /etc/ctdb/notify.sh, and smbd fails to attach to the ctdb secrets.tdb and to open /var/lib/samba/private/secrets.tdb

Expected results:
No issues

Additional info:
ausearch -m AVC in permissive mode:
    time->Tue Dec  8 14:59:33 2015
    type=SYSCALL msg=audit(1449583173.698:6319): arch=c000003e syscall=4 success=yes exit=0 a0=8844a0 a1=7ffe6b54ee00 a2=7ffe6b54ee00 a3=7ffe6b54eb70 items=0 ppid=11324 pid=11325 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="00.ctdb" exe="/usr/bin/bash" subj=system_u:system_r:ctdbd_t:s0 key=(null)
    type=AVC msg=audit(1449583173.698:6319): avc:  denied  { dac_override } for  pid=11325 comm="00.ctdb" capability=1  scontext=system_u:system_r:ctdbd_t:s0 tcontext=system_u:system_r:ctdbd_t:s0 tclass=capability
    ----
    time->Tue Dec  8 15:00:01 2015
    type=SYSCALL msg=audit(1449583201.599:6322): arch=c000003e syscall=90 success=yes exit=0 a0=7f5db9cfd800 a1=180 a2=0 a3=9 items=0 ppid=1 pid=11858 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="smbd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)
    type=AVC msg=audit(1449583201.599:6322): avc:  denied  { setattr } for  pid=11858 comm="smbd" name="secrets.tdb.0" dev="dm-0" ino=264377 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:ctdbd_var_t:s0 tclass=file
    ----
    time->Tue Dec  8 15:00:01 2015
    type=SYSCALL msg=audit(1449583201.601:6323): arch=c000003e syscall=2 success=yes exit=5 a0=7f5db9cfd800 a1=2 a2=0 a3=7ffccdf39e00 items=0 ppid=1 pid=11858 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="smbd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)
    type=AVC msg=audit(1449583201.601:6323): avc:  denied  { open } for  pid=11858 comm="smbd" path="/var/ctdb/persistent/secrets.tdb.0" dev="dm-0" ino=264377 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:ctdbd_var_t:s0 tclass=file
    type=AVC msg=audit(1449583201.601:6323): avc:  denied  { read write } for  pid=11858 comm="smbd" name="secrets.tdb.0" dev="dm-0" ino=264377 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:ctdbd_var_t:s0 tclass=file
    ----
    time->Tue Dec  8 15:00:01 2015
    type=SYSCALL msg=audit(1449583201.601:6324): arch=c000003e syscall=72 success=yes exit=0 a0=5 a1=7 a2=7ffccdf39ff0 a3=6e items=0 ppid=1 pid=11858 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="smbd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)
    type=AVC msg=audit(1449583201.601:6324): avc:  denied  { lock } for  pid=11858 comm="smbd" path="/var/ctdb/persistent/secrets.tdb.0" dev="dm-0" ino=264377 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:ctdbd_var_t:s0 tclass=file
    ----
    time->Tue Dec  8 15:00:01 2015
    type=SYSCALL msg=audit(1449583201.601:6325): arch=c000003e syscall=5 success=yes exit=0 a0=5 a1=7ffccdf3a0e0 a2=7ffccdf3a0e0 a3=7ffccdf39e00 items=0 ppid=1 pid=11858 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="smbd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)
    type=AVC msg=audit(1449583201.601:6325): avc:  denied  { getattr } for  pid=11858 comm="smbd" path="/var/ctdb/persistent/secrets.tdb.0" dev="dm-0" ino=264377 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:ctdbd_var_t:s0 tclass=file
    ----
    time->Tue Dec  8 15:00:01 2015
    type=SYSCALL msg=audit(1449583201.601:6326): arch=c000003e syscall=2 success=yes exit=21 a0=7fd289fdc880 a1=42 a2=180 a3=2 items=0 ppid=1 pid=9910 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ctdbd" exe="/usr/sbin/ctdbd" subj=system_u:system_r:ctdbd_t:s0 key=(null)
    type=AVC msg=audit(1449583201.601:6326): avc:  denied  { open } for  pid=9910 comm="ctdbd" path="/var/ctdb/g_lock.tdb.0" dev="dm-0" ino=77706912 scontext=system_u:system_r:ctdbd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
    type=AVC msg=audit(1449583201.601:6326): avc:  denied  { read write } for  pid=9910 comm="ctdbd" name="g_lock.tdb.0" dev="dm-0" ino=77706912 scontext=system_u:system_r:ctdbd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
    ----
    time->Tue Dec  8 15:00:01 2015
    type=SYSCALL msg=audit(1449583201.602:6327): arch=c000003e syscall=72 success=yes exit=0 a0=15 a1=7 a2=7ffd11222090 a3=fffffffc items=0 ppid=1 pid=9910 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ctdbd" exe="/usr/sbin/ctdbd" subj=system_u:system_r:ctdbd_t:s0 key=(null)
    type=AVC msg=audit(1449583201.602:6327): avc:  denied  { lock } for  pid=9910 comm="ctdbd" path="/var/ctdb/g_lock.tdb.0" dev="dm-0" ino=77706912 scontext=system_u:system_r:ctdbd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
    ----
    time->Tue Dec  8 15:00:01 2015
    type=SYSCALL msg=audit(1449583201.602:6328): arch=c000003e syscall=5 success=yes exit=0 a0=15 a1=7ffd11222180 a2=7ffd11222180 a3=0 items=0 ppid=1 pid=9910 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ctdbd" exe="/usr/sbin/ctdbd" subj=system_u:system_r:ctdbd_t:s0 key=(null)
    type=AVC msg=audit(1449583201.602:6328): avc:  denied  { getattr } for  pid=9910 comm="ctdbd" path="/var/ctdb/g_lock.tdb.0" dev="dm-0" ino=77706912 scontext=system_u:system_r:ctdbd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
    ----
    time->Tue Dec  8 15:00:01 2015
    type=SYSCALL msg=audit(1449583201.605:6329): arch=c000003e syscall=90 success=yes exit=0 a0=7f5db9cff130 a1=180 a2=0 a3=8 items=0 ppid=1 pid=11858 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="smbd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)
    type=AVC msg=audit(1449583201.605:6329): avc:  denied  { setattr } for  pid=11858 comm="smbd" name="g_lock.tdb.0" dev="dm-0" ino=77706912 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
    ----
    time->Tue Dec  8 15:00:01 2015
    type=SYSCALL msg=audit(1449583201.605:6330): arch=c000003e syscall=2 success=yes exit=9 a0=7f5db9cff130 a1=2 a2=0 a3=2 items=0 ppid=1 pid=11858 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="smbd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)
    type=AVC msg=audit(1449583201.605:6330): avc:  denied  { open } for  pid=11858 comm="smbd" path="/var/ctdb/g_lock.tdb.0" dev="dm-0" ino=77706912 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
    type=AVC msg=audit(1449583201.605:6330): avc:  denied  { read write } for  pid=11858 comm="smbd" name="g_lock.tdb.0" dev="dm-0" ino=77706912 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
    ----
    time->Tue Dec  8 15:00:01 2015
    type=SYSCALL msg=audit(1449583201.605:6331): arch=c000003e syscall=72 success=yes exit=0 a0=9 a1=7 a2=7ffccdf39ec0 a3=6e items=0 ppid=1 pid=11858 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="smbd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)
    type=AVC msg=audit(1449583201.605:6331): avc:  denied  { lock } for  pid=11858 comm="smbd" path="/var/ctdb/g_lock.tdb.0" dev="dm-0" ino=77706912 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
    ----
    time->Tue Dec  8 15:00:01 2015
    type=SYSCALL msg=audit(1449583201.605:6332): arch=c000003e syscall=5 success=yes exit=0 a0=9 a1=7ffccdf39fb0 a2=7ffccdf39fb0 a3=ffffffff items=0 ppid=1 pid=11858 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="smbd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)
    type=AVC msg=audit(1449583201.605:6332): avc:  denied  { getattr } for  pid=11858 comm="smbd" path="/var/ctdb/g_lock.tdb.0" dev="dm-0" ino=77706912 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
    ----
    time->Tue Dec  8 15:00:04 2015
    type=SYSCALL msg=audit(1449583204.394:6333): arch=c000003e syscall=4 success=yes exit=0 a0=16504a0 a1=7ffd9431e5b0 a2=7ffd9431e5b0 a3=7ffd9431e320 items=0 ppid=11930 pid=11933 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="00.ctdb" exe="/usr/bin/bash" subj=system_u:system_r:ctdbd_t:s0 key=(null)
    type=AVC msg=audit(1449583204.394:6333): avc:  denied  { dac_override } for  pid=11933 comm="00.ctdb" capability=1  scontext=system_u:system_r:ctdbd_t:s0 tcontext=system_u:system_r:ctdbd_t:s0 tclass=capability

Comment 1 Oyvind Albrigtsen 2015-12-08 16:22:35 UTC
Needed for: https://bugzilla.redhat.com/show_bug.cgi?id=1077888

For all nodes (pcmk-1 and pcmk-2 are example hostnames):
# yum install -y pacemaker pcs psmisc policycoreutils-python gfs2-utils dlm
# systemctl start pcsd
# systemctl enable pcsd
# passwd hacluster
# pcs cluster auth pcmk-1 pcmk-2
Username: hacluster
Password:
# pcs cluster setup --name mycluster pcmk-1 pcmk-2

Set up fencing (these instructions are for hosts/guests in KVM, so tell me if you need it for anything else): https://access.redhat.com/solutions/917833

# pcs resource create dlm controld op monitor interval=30s on-fail=fence clone interleave=true ordered=true

Verify that dlm is running on all nodes
# pcs status
Clone Set: dlm-clone [dlm]
Started: [ rhel7-ha-node1 rhel7-ha-node2 ]

Only on one node (the disk needs to be shared between the nodes):
Create the gfs2 filesystem. In the example below 'pcmk' is the cluster name; be sure to replace 'pcmk' with the actual cluster name in use when creating the gfs2 filesystem. -j 2 defines the number of journals and needs to be equal to the number of nodes.
# mkfs.gfs2 -p lock_dlm -j 2 -t pcmk:samba /dev/vdb
# pcs resource create fs Filesystem device="/dev/vdb" directory="/mnt/gfs2share" fstype="gfs2" --clone
# pcs constraint order dlm-clone then fs-clone
# pcs constraint colocation add fs-clone with dlm-clone

# systemctl disable ctdb
# systemctl disable smb
# systemctl disable nmb
# systemctl disable winbind
# systemctl stop ctdb
# systemctl stop smb
# systemctl stop nmb
# systemctl stop winbind

# cat << END > /etc/samba/smb.conf
[global]
netbios name = linuxserver
workgroup = WORKGROUP
server string = Public File Server
security = user
map to guest = bad user
guest account = smbguest
clustering = yes
ctdbd socket = /tmp/ctdb.socket
[public]
path = /mnt/gfs2share/public
guest ok = yes
read only = no
END

# cat << END > /etc/ctdb/nodes
192.168.122.71
192.168.122.72
END

# groupadd -g 581 smbguest
# adduser smbguest -g smbguest

Only on one node:
# mkdir -p /mnt/gfs2share/ctdb
# mkdir -p /mnt/gfs2share/public
# chown smbguest:smbguest /mnt/gfs2share/public
# chmod 755 /mnt/gfs2share/public

# pcs cluster cib samba.cib
# pcs -f samba.cib resource create samba-ip IPaddr2 ip=192.168.122.201 cidr_netmask=32 --clone
# pcs -f samba.cib resource create ctdb CTDB ctdb_recovery_lock="/mnt/gfs2share/ctdb/ctdb.lock" ctdb_dbdir=/var/ctdb ctdb_socket=/tmp/ctdb.socket ctdb_logfile=/var/log/ctdb.log op monitor interval=10 timeout=30 op start timeout=90 op stop timeout=100 --clone
# pcs -f samba.cib resource create samba systemd:smb --clone
# pcs -f samba.cib constraint order fs-clone then ctdb-clone
# pcs -f samba.cib constraint order samba-ip-clone then ctdb-clone
# pcs -f samba.cib constraint order ctdb-clone then samba-clone
# pcs -f samba.cib constraint colocation add ctdb-clone with fs-clone
# pcs -f samba.cib constraint colocation add ctdb-clone with samba-ip-clone
# pcs -f samba.cib constraint colocation add samba-clone with ctdb-clone
# pcs cluster cib-push samba.cib

Comment 2 Miroslav Grepl 2015-12-18 15:24:20 UTC
What does

# restorecon -R -v /var/ctdb/

Comment 3 Oyvind Albrigtsen 2015-12-18 15:33:57 UTC
restorecon reset /var/ctdb/brlock.tdb.1 context system_u:object_r:var_t:s0->system_u:object_r:ctdbd_var_t:s0
restorecon reset /var/ctdb/locking.tdb.1 context system_u:object_r:var_t:s0->system_u:object_r:ctdbd_var_t:s0
restorecon reset /var/ctdb/leases.tdb.1 context system_u:object_r:var_t:s0->system_u:object_r:ctdbd_var_t:s0
restorecon reset /var/ctdb/notify_index.tdb.1 context system_u:object_r:var_t:s0->system_u:object_r:ctdbd_var_t:s0
restorecon reset /var/ctdb/smbXsrv_open_global.tdb.1 context system_u:object_r:var_t:s0->system_u:object_r:ctdbd_var_t:s0
restorecon reset /var/ctdb/printer_list.tdb.1 context system_u:object_r:var_t:s0->system_u:object_r:ctdbd_var_t:s0
restorecon reset /var/ctdb/g_lock.tdb.0 context system_u:object_r:var_t:s0->system_u:object_r:ctdbd_var_t:s0
restorecon reset /var/ctdb/dbwrap_watchers.tdb.0 context system_u:object_r:var_t:s0->system_u:object_r:ctdbd_var_t:s0
restorecon reset /var/ctdb/smbXsrv_version_global.tdb.0 context system_u:object_r:var_t:s0->system_u:object_r:ctdbd_var_t:s0
restorecon reset /var/ctdb/smbXsrv_session_global.tdb.0 context system_u:object_r:var_t:s0->system_u:object_r:ctdbd_var_t:s0
restorecon reset /var/ctdb/smbXsrv_tcon_global.tdb.0 context system_u:object_r:var_t:s0->system_u:object_r:ctdbd_var_t:s0
restorecon reset /var/ctdb/brlock.tdb.0 context system_u:object_r:var_t:s0->system_u:object_r:ctdbd_var_t:s0
restorecon reset /var/ctdb/locking.tdb.0 context system_u:object_r:var_t:s0->system_u:object_r:ctdbd_var_t:s0
restorecon reset /var/ctdb/leases.tdb.0 context system_u:object_r:var_t:s0->system_u:object_r:ctdbd_var_t:s0
restorecon reset /var/ctdb/notify_index.tdb.0 context system_u:object_r:var_t:s0->system_u:object_r:ctdbd_var_t:s0
restorecon reset /var/ctdb/serverid.tdb.0 context system_u:object_r:var_t:s0->system_u:object_r:ctdbd_var_t:s0
restorecon reset /var/ctdb/smbXsrv_open_global.tdb.0 context system_u:object_r:var_t:s0->system_u:object_r:ctdbd_var_t:s0
restorecon reset /var/ctdb/printer_list.tdb.0 context system_u:object_r:var_t:s0->system_u:object_r:ctdbd_var_t:s0

Comment 4 Miroslav Grepl 2016-01-14 09:59:16 UTC
Are you able to reproduce it? If yes, please reopen the bug. Thank you.

Comment 5 Oyvind Albrigtsen 2016-01-14 10:18:33 UTC
I tested after running "restorecon -R -v /var/ctdb/", and was still able to reproduce it.

Comment 6 Miroslav Grepl 2016-01-18 09:51:15 UTC
(In reply to Oyvind Albrigtsen from comment #5)
> I tested after running "restorecon -R -v /var/ctdb/", and was still able to
> reproduce it.

What are you able to reproduce? 

/var/ctdbd mislabeling?

Comment 7 Sumit Bose 2016-01-18 10:10:54 UTC
Besides the labeling of /var/ctdb/ there are other AVCs listed which should be fixed by setting the SELinux boolean samba_export_all_rw to true.

Comment 8 Oyvind Albrigtsen 2016-01-20 14:21:45 UTC
# setsebool samba_export_all_rw on

That makes it work, but I guess that shouldn't be necessary, right?

And I still get errors for the scripts in /etc/ctdb/events.d/, which I think should be fixed as well.

In permissive mode:
type=AVC msg=audit(1453298890.432:1790): avc:  denied  { dac_override } for  pid=17707 comm="00.ctdb" capability=1  scontext=system_u:system_r:ctdbd_t:s0 tcontext=system_u:system_r:ctdbd_t:s0 tclass=capability
type=SYSCALL msg=audit(1453298890.432:1790): arch=c000003e syscall=4 success=yes exit=0 a0=224f490 a1=7ffd0db65550 a2=7ffd0db65550 a3=7ffd0db652c0 items=0 ppid=17706 pid=17707 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="00.ctdb" exe="/usr/bin/bash" subj=system_u:system_r:ctdbd_t:s0 key=(null)
type=AVC msg=audit(1453298904.821:1791): avc:  denied  { dac_override } for  pid=18139 comm="00.ctdb" capability=1  scontext=system_u:system_r:ctdbd_t:s0 tcontext=system_u:system_r:ctdbd_t:s0 tclass=capability
type=SYSCALL msg=audit(1453298904.821:1791): arch=c000003e syscall=4 success=yes exit=0 a0=a5c490 a1=7ffede554a60 a2=7ffede554a60 a3=7ffede5547d0 items=0 ppid=18138 pid=18139 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="00.ctdb" exe="/usr/bin/bash" subj=system_u:system_r:ctdbd_t:s0 key=(null)

Comment 9 Sumit Bose 2016-01-20 15:35:06 UTC
Hm, looks like some process wants the CAP_DAC_OVERRIDE capability which is only needed if there are issues with file permissions.

Michael, do you know if this capability is really needed here?

Comment 10 Michael Adam 2016-01-20 20:48:54 UTC
I came across a DAC_OVERRIDE thing once, but that was about opening the ro tracking db from ctdbd. Fixed upstream: https://bugzilla.samba.org/show_bug.cgi?id=11577

But this is about the event scripts in /etc/ctdb/events.d/ . We _do_ need selinux policies for these. Many of them (including the above mentioned 00.ctdb) are also called when ctdb does not manage samba.

There had been several selinux policy additions for RHEL triggered by the RHGS product. (Miroslav knows about these.) I am wondering if this one is still missing there, too... I always find it very difficult to make sense of the selinux messages, so any further explanation of what's going on here is appreciated.
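As an added example (not code from this bug, Samba or Red Hat), a small Python triage script that parses AVC records of the shape quoted in this report and buckets them by the three explanations the thread arrives at: CTDB databases still labeled var_t (the restorecon output in comment 3), smbd_t needing access to ctdbd_var_t files (the samba_export_all_rw boolean in comments 7 and 8), and the dac_override request from the event scripts (comments 9 and 10). It assumes the dbdir /var/ctdb from the CTDB resource in comment 1 and the target label ctdbd_var_t that restorecon applied; the sample records are copied from the report with the SYSCALL lines omitted.

```python
"""Triage SELinux AVC denials from a CTDB/Samba audit log (added example, not the bug's own code)."""
import re
from collections import defaultdict

CTDB_DBDIR = "/var/ctdb"          # ctdb_dbdir of the Pacemaker CTDB resource (comment 1)
EXPECTED_DB_TYPE = "ctdbd_var_t"  # label restorecon applied to the databases (comment 3)

AVC_RE = re.compile(r"type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+(?P<fields>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields this triage needs from one AVC record, or None for other audit lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
    return {
        "perms": m.group("perms").split(),          # e.g. ["read", "write"]
        "comm": kv.get("comm"),
        "target": kv.get("path") or kv.get("name"),  # capability denials carry neither
        "stype": kv["scontext"].split(":")[2],      # e.g. smbd_t
        "ttype": kv["tcontext"].split(":")[2],      # e.g. ctdbd_var_t
        "tclass": kv["tclass"],
    }


def classify(rec):
    """Map one denial to the explanation given in the thread."""
    if rec["tclass"] == "capability" and "dac_override" in rec["perms"]:
        return "CAPABILITY"   # event script asks for CAP_DAC_OVERRIDE (comments 9/10)
    if rec["tclass"] == "file" and rec["ttype"] == "var_t" and (rec["target"] or "").startswith(CTDB_DBDIR):
        return "MISLABELED"   # database under the dbdir not yet relabeled to ctdbd_var_t (comment 3)
    if rec["stype"] == "smbd_t" and rec["ttype"] == EXPECTED_DB_TYPE:
        return "SMBD_CTDB"    # smbd touching CTDB databases; samba_export_all_rw workaround (comments 7/8)
    return "UNCLASSIFIED"


def triage(audit_text):
    """Group every AVC record in audit_text: category -> list of (comm, perms, target)."""
    buckets = defaultdict(list)
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec:
            buckets[classify(rec)].append((rec["comm"], " ".join(rec["perms"]), rec["target"]))
    return dict(buckets)


# Constructed sample: five AVC records copied from the report, SYSCALL records omitted.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1449583173.698:6319): avc:  denied  { dac_override } for  pid=11325 comm="00.ctdb" capability=1  scontext=system_u:system_r:ctdbd_t:s0 tcontext=system_u:system_r:ctdbd_t:s0 tclass=capability
type=AVC msg=audit(1449583201.599:6322): avc:  denied  { setattr } for  pid=11858 comm="smbd" name="secrets.tdb.0" dev="dm-0" ino=264377 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:ctdbd_var_t:s0 tclass=file
type=AVC msg=audit(1449583201.601:6323): avc:  denied  { read write } for  pid=11858 comm="smbd" name="secrets.tdb.0" dev="dm-0" ino=264377 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:ctdbd_var_t:s0 tclass=file
type=AVC msg=audit(1449583201.601:6326): avc:  denied  { open } for  pid=9910 comm="ctdbd" path="/var/ctdb/g_lock.tdb.0" dev="dm-0" ino=77706912 scontext=system_u:system_r:ctdbd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1449583201.605:6330): avc:  denied  { read write } for  pid=11858 comm="smbd" path="/var/ctdb/g_lock.tdb.0" dev="dm-0" ino=77706912 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
"""

if __name__ == "__main__":
    for category, items in sorted(triage(SAMPLE_AUDIT).items()):
        print(category)
        for comm, perms, target in items:
            print(f"  {comm:8} {{ {perms} }} {target}")
```

On a live node the same input comes from `ausearch -m AVC`; denials in the MISLABELED bucket should disappear after the restorecon from comment 2, so anything left there afterwards points at a file-context rule problem rather than a stale label.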

Comment 14 Robin Hack 2016-07-27 08:14:44 UTC
Sanity Only!

Comment 16 errata-xmlrpc 2016-11-04 06:58:25 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2468.html

