Bug 1290514 - (RHEL7) CTDB: SELinux: ctdb disablescript fails to execute because of SELinux avc's
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Gluster Storage
Classification: Red Hat Storage
Component: samba
Version: rhgs-3.1
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: ---
Target Release: RHGS 3.2.0
Assignee: rhs-smb@redhat.com
QA Contact: surabhi
URL:
Whiteboard:
Depends On: 1293788
Blocks: 1268895 1351522
Reported: 2015-12-10 17:25 UTC by surabhi
Modified: 2017-03-23 05:19 UTC

Fixed In Version: selinux-policy-3.13.1-66.el7
Doc Type: Known Issue
Doc Text:
Clone Of:
Clones: 1292781 1293788
Environment:
Last Closed: 2017-03-23 05:19:37 UTC
Embargoed:




Links:
Red Hat Product Errata RHSA-2017:0495 (normal, SHIPPED_LIVE): Moderate: Red Hat Gluster Storage 3.2.0 samba security, bug fixes and enhancement update (last updated 2017-03-23 09:18:26 UTC)

Description surabhi 2015-12-10 17:25:59 UTC
Description of problem:
While verifying the AD integration documentation, executing the following commands fails on the RHGS Samba server with CTDB.

# onnode all ctdb disablescript 49.winbind
# onnode all ctdb disablescript 50.samba


ctdb disablescript 50.samba
../ctdb/client/ctdb_client.c:4677 ctdb_control for disablescript failed
Unable to disable script 50.samba on node 0

log errors:
2015/12/10 16:04:28.425075 [22625]: Could not chmod /etc/ctdb/events.d/50.samba. Failed to disable script.

2015/12/10 17:19:10.749665 [16940]: Could not chmod /etc/ctdb/events.d/49.winbind. Failed to disable script.
2015/12/10 17:19:16.867862 [16940]: 49.winbind: ERROR: wbinfo -p returned error
2015/12/10 17:19:32.074212 [16940]: 49.winbind: ERROR: wbinfo -p returned error
2015/12/10 17:19:47.289260 [16940]: 49.winbind: ERROR: wbinfo -p returned error

Also, when trying to add the following to the ctdb config file to have ctdb manage winbind:
When CTDB_MANAGES_WINBIND=yes, the 49.winbind event script shows the following AVCs:

type=AVC msg=audit(1449749209.744:88166): avc:  denied  { getattr } for  pid=11930 comm="49.winbind" path="/usr/bin/smbcontrol" dev="dm-0" ino=34684358 scontext=system_u:system_r:ctdbd_t:s0 tcontext=system_u:object_r:smbcontrol_exec_t:s0 tclass=file

Running "ctdb disablescript 49.winbind" and "ctdb enablescript 49.winbind":

type=AVC msg=audit(1449748690.806:87790): avc:  denied  { setattr } for  pid=16940 comm="ctdbd" name="49.winbind" dev="dm-0" ino=100891958 scontext=system_u:system_r:ctdbd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file

Version-Release number of selected component (if applicable):
ctdb-4.2.4-6.el7rhgs.x86_64
samba-4.2.4-6.el7rhgs.x86_64
glusterfs-3.7.5-8.el7rhgs.x86_64
selinux-policy-targeted-3.13.1-60.el7.noarch
selinux-policy-3.13.1-60.el7.noarch

How reproducible:
when running 
# onnode all ctdb disablescript 49.winbind
# onnode all ctdb disablescript 50.samba


Steps to Reproduce:
1. Follow the Samba AD integration doc and run ctdb disablescript 49.winbind or ctdb disablescript 50.samba; the command fails to execute because of SELinux issues.

Actual results:
The command mentioned in the AD integration doc which disables the winbind or samba script (so that CTDB doesn't go to an unhealthy state when ctdb manages samba and winbind) fails with AVC errors.

Expected results:
The command should run successfully without throwing AVCs.
More details coming up shortly.

Additional info:

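The two AVC records quoted in the description already say what the policy must allow: ctdbd_t needs setattr on the event scripts under /etc/ctdb/events.d (labelled bin_t, which is why the chmod behind `ctdb disablescript` fails) and getattr on smbcontrol_exec_t when 49.winbind calls smbcontrol. The script below is an added example, not code from this bug report, from CTDB or from the selinux-policy package: it parses AVC lines in the format shown above and collapses them into allow rules the way audit2allow does, so a reader can confirm the minimal rule set a denial implies before deciding whether to wait for the policy update. The two sample records are copied from the report and embedded as constructed input; the module name ctdb_local is an assumption.

```python
"""Triage SELinux AVC denials and draft the allow rules they imply.

Added example for this bug; not part of CTDB or selinux-policy.
The sample records are the two AVCs from the report (constructed input).
"""
import re
from collections import defaultdict

# Constructed sample: the two AVC records quoted in the bug description.
AVC_LOG = """\
type=AVC msg=audit(1449749209.744:88166): avc:  denied  { getattr } for  pid=11930 comm="49.winbind" path="/usr/bin/smbcontrol" dev="dm-0" ino=34684358 scontext=system_u:system_r:ctdbd_t:s0 tcontext=system_u:object_r:smbcontrol_exec_t:s0 tclass=file
type=AVC msg=audit(1449748690.806:87790): avc:  denied  { setattr } for  pid=16940 comm="ctdbd" name="49.winbind" dev="dm-0" ino=100891958 scontext=system_u:system_r:ctdbd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
"""

# "avc:  denied  { perm perm } for  key=value key="value" ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one 'avc: denied' record, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    # A context is user:role:type:level; the type is what policy rules name.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def parse_avc_log(text):
    """Parse every AVC record in a block of audit.log text."""
    return [r for r in (parse_avc(ln) for ln in text.splitlines()) if r]


def allow_rules(records, domain=None):
    """Collapse denials into {(source_type, target_type, class): set(perms)}.

    Pass domain="ctdbd_t" to keep only denials raised by that domain, which is
    how a practitioner would isolate one service's denials on a shared host.
    """
    rules = defaultdict(set)
    for r in records:
        if domain and r["stype"] != domain:
            continue
        rules[(r["stype"], r["ttype"], r["tclass"])].update(r["perms"])
    return dict(rules)


def render_te(rules, module="ctdb_local", version="1.0"):
    """Emit a .te source in the shape audit2allow -M produces (module name assumed)."""
    lines = [f"module {module} {version};", "", "require {"]
    for t in sorted({t for (s, o, _) in rules for t in (s, o)}):
        lines.append(f"\ttype {t};")
    by_class = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        by_class[cls].update(perms)
    for cls in sorted(by_class):
        lines.append(f"\tclass {cls} {{ {' '.join(sorted(by_class[cls]))} }};")
    lines += ["}", ""]
    for key in sorted(rules):
        s, o, cls = key
        lines.append(f"allow {s} {o}:{cls} {{ {' '.join(sorted(rules[key]))} }};")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    recs = parse_avc_log(AVC_LOG)
    for r in recs:
        print(f'{r["comm"]}: {r["stype"]} -> {r["ttype"]}:{r["tclass"]} {r["perms"]}')
    print(render_te(allow_rules(recs, domain="ctdbd_t")))
```

The emitted .te can be built and loaded with the standard toolchain (`checkmodule -M -m -o ctdb_local.mod ctdb_local.te`, `semodule_package -o ctdb_local.pp -m ctdb_local.mod`, `semodule -i ctdb_local.pp`), but treat the result as a diagnostic rather than the fix: `allow ctdbd_t bin_t:file { setattr };` lets ctdbd change the mode of every bin_t file on the host, which is wider than anything the event-script chmod needs, so the updated selinux-policy package named in Fixed In Version is the right remedy and any local module should be removed once it is installed.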
Comment 13 surabhi 2017-01-30 07:21:07 UTC
Verified on RHEL7 setup; now disabling of ctdb scripts doesn't fail and is successfully executed. There are no AVCs seen on the system.
Marking the BZ verified.

selinux-policy-3.13.1-102.el7_3.7.noarch
selinux-policy-targeted-3.13.1-102.el7_3.7.noarch

samba-4.4.6-4.el7rhgs.x86_64

Comment 15 errata-xmlrpc 2017-03-23 05:19:37 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2017-0495.html

