Bug 1290514 - (RHEL7) CTDB: SELinux: ctdb disablescript fails to execute because of SELinux avc's
Status: CLOSED ERRATA
Product: Red Hat Gluster Storage
Classification: Red Hat
Component: samba
3.1
Unspecified Unspecified
unspecified Severity high
: ---
: RHGS 3.2.0
Assigned To: rhs-smb@redhat.com
surabhi
: ZStream
Depends On: 1293788
Blocks: 1268895 1351522
Reported: 2015-12-10 12:25 EST by surabhi
Modified: 2017-03-23 01:19 EDT (History)

See Also:
Fixed In Version: selinux-policy-3.13.1-66.el7
Doc Type: Known Issue
Doc Text:
Story Points: ---
Clone Of:
: 1292781 1293788
Environment:
Last Closed: 2017-03-23 01:19:37 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments: None
Description surabhi 2015-12-10 12:25:59 EST
Description of problem:
While verifying the AD integration documentation, executing the following command fails on the RHGS-samba server with CTDB.

# onnode all ctdb disablescript 49.winbind
# onnode all ctdb disablescript 50.samba


ctdb disablescript 50.samba
../ctdb/client/ctdb_client.c:4677 ctdb_control for disablescript failed
Unable to disable script 50.samba on node 0

log errors:
2015/12/10 16:04:28.425075 [22625]: Could not chmod /etc/ctdb/events.d/50.samba. Failed to disable script.

2015/12/10 17:19:10.749665 [16940]: Could not chmod /etc/ctdb/events.d/49.winbind. Failed to disable script.
2015/12/10 17:19:16.867862 [16940]: 49.winbind: ERROR: wbinfo -p returned error
2015/12/10 17:19:32.074212 [16940]: 49.winbind: ERROR: wbinfo -p returned error
2015/12/10 17:19:47.289260 [16940]: 49.winbind: ERROR: wbinfo -p returned error

Also, when trying to add the following to the ctdb config file to have ctdb manage winbind:
When CTDB_MANAGES_WINBIND=yes, the 49.winbind event script shows the following AVCs:

type=AVC msg=audit(1449749209.744:88166): avc:  denied  { getattr } for  pid=11930 comm="49.winbind" path="/usr/bin/smbcontrol" dev="dm-0" ino=34684358 scontext=system_u:system_r:ctdbd_t:s0 tcontext=system_u:object_r:smbcontrol_exec_t:s0 tclass=file

Running "ctdb disablescript 49.winbind" and "ctdb enablescript 49.winbind"

type=AVC msg=audit(1449748690.806:87790): avc:  denied  { setattr } for  pid=16940 comm="ctdbd" name="49.winbind" dev="dm-0" ino=100891958 scontext=system_u:system_r:ctdbd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file

Version-Release number of selected component (if applicable):
ctdb-4.2.4-6.el7rhgs.x86_64
samba-4.2.4-6.el7rhgs.x86_64
glusterfs-3.7.5-8.el7rhgs.x86_64
selinux-policy-targeted-3.13.1-60.el7.noarch
selinux-policy-3.13.1-60.el7.noarch

How reproducible:
When running
# onnode all ctdb disablescript 49.winbind
# onnode all ctdb disablescript 50.samba


Steps to Reproduce:
1. Follow the Samba AD integration doc and run the ctdb disablescript 49.winbind or ctdb disablescript 50.samba command; it fails to execute because of SELinux issues.

Actual results:
The command mentioned in AD-integration doc which disables winbind or samba script (so that CTDB doesn't go to unhealthy state when ctdb manages samba and winbind) fails with AVC errors.

Expected results:
The command should run successfully without throwing AVCs.
More details coming up shortly.

Additional info:
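The two AVC records quoted in the description carry everything needed to judge the denial: the source domain (ctdbd_t), the target type (smbcontrol_exec_t, bin_t), the object class and the denied permission. The following parser is an added example and not part of the bug report or of the ctdb/selinux-policy packages; it reads raw audit AVC lines, extracts those fields, and reports which denials a given domain still produces, which is the check a verifier runs after updating selinux-policy (Comment 13 below reports "no AVCs seen"). The function names and the report format are my own; the two AVC lines are copied from the report above and the third, non-AVC line is one of the ctdb log lines.

```python
import re
from typing import Dict, List, Optional

# Input lines: the two AVC records from the bug report plus one ordinary
# ctdb log line, to show that non-AVC input is skipped rather than misparsed.
SAMPLE_LINES = [
    'type=AVC msg=audit(1449749209.744:88166): avc:  denied  { getattr } for  pid=11930 comm="49.winbind" '
    'path="/usr/bin/smbcontrol" dev="dm-0" ino=34684358 scontext=system_u:system_r:ctdbd_t:s0 '
    'tcontext=system_u:object_r:smbcontrol_exec_t:s0 tclass=file',
    'type=AVC msg=audit(1449748690.806:87790): avc:  denied  { setattr } for  pid=16940 comm="ctdbd" '
    'name="49.winbind" dev="dm-0" ino=100891958 scontext=system_u:system_r:ctdbd_t:s0 '
    'tcontext=system_u:object_r:bin_t:s0 tclass=file',
    '2015/12/10 16:04:28.425075 [22625]: Could not chmod /etc/ctdb/events.d/50.samba. Failed to disable script.',
]

# Header of an audit AVC record: timestamp:serial, result, and the permission set.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$'
)
# key=value pairs after "for"; values are either double-quoted or bare tokens.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def selinux_type(context: str) -> str:
    """Return the type component (third field) of a user:role:type:level context."""
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 else context


def parse_avc(line: str) -> Optional[Dict[str, object]]:
    """Parse one audit line; return a record dict for AVC lines, None otherwise."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {key: (quoted or bare) for key, _, quoted, bare in KV_RE.findall(m.group('rest'))}
    return {
        'timestamp': float(m.group('ts')),
        'serial': int(m.group('serial')),
        'result': m.group('result'),
        'perms': m.group('perms').split(),
        'pid': int(fields['pid']) if 'pid' in fields else None,
        'comm': fields.get('comm'),
        # AVC records name the object either by path (resolved) or by name (dentry).
        'object': fields.get('path') or fields.get('name'),
        'tclass': fields.get('tclass'),
        'source_type': selinux_type(fields.get('scontext', '')),
        'target_type': selinux_type(fields.get('tcontext', '')),
    }


def denials_for_domain(lines: List[str], domain: str) -> List[Dict[str, object]]:
    """Return the denied AVC records whose source domain is `domain` (e.g. ctdbd_t)."""
    records = (parse_avc(line) for line in lines)
    return [r for r in records if r and r['result'] == 'denied' and r['source_type'] == domain]


def summarize(record: Dict[str, object]) -> str:
    """One-line summary: source -> target:class permissions (comm, object)."""
    return '{} -> {}:{} {} (comm={}, object={})'.format(
        record['source_type'], record['target_type'], record['tclass'],
        ','.join(record['perms']), record['comm'], record['object'])


def has_denials(lines: List[str], domain: str) -> bool:
    """Verification helper: True while the domain still produces any denial."""
    return bool(denials_for_domain(lines, domain))


if __name__ == '__main__':
    for rec in denials_for_domain(SAMPLE_LINES, 'ctdbd_t'):
        print(summarize(rec))
    print('ctdbd_t still denied:', has_denials(SAMPLE_LINES, 'ctdbd_t'))
```

Run against the two records from this report, the summary shows ctdbd_t denied getattr on smbcontrol_exec_t (the 49.winbind event script calling smbcontrol) and setattr on bin_t (ctdbd's chmod of the event script itself), which are exactly the two policy gaps the fixed selinux-policy has to close. Feeding the same function the audit log after the update gives the "no AVCs" result Comment 13 reports.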
Comment 13 surabhi 2017-01-30 02:21:07 EST
Verified on the RHEL7 setup; disabling ctdb scripts now doesn't fail and executes successfully. There are no AVCs seen on the system.
Marking the BZ verified.

selinux-policy-3.13.1-102.el7_3.7.noarch
selinux-policy-targeted-3.13.1-102.el7_3.7.noarch

samba-4.4.6-4.el7rhgs.x86_64
Comment 15 errata-xmlrpc 2017-03-23 01:19:37 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2017-0495.html
