Bug 1291194 - (RHEL7) SELinux prevents ctdb from running commands to disable event scripts
Summary: (RHEL7) SELinux prevents ctdb from running commands to disable event scripts
Status: CLOSED CURRENTRELEASE
Product: Red Hat Gluster Storage
Classification: Red Hat Storage
Component: samba
Version: rhgs-3.3
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: ---
Assignee: Anoop C S
QA Contact: storage-qa-internal@redhat.com
Depends On: 1572584
Blocks: 1268895 1293784
Reported: 2015-12-14 09:28 UTC by surabhi
Modified: 2018-11-06 10:26 UTC (History)

Fixed In Version: selinux-policy-3.13.1-199.el7
Doc Type: Known Issue
Doc Text:
Current SELinux policy prevents ctdb's 49.winbind event script from executing smbcontrol. This can create inconsistent state in winbind, because when a public IP address is moved away from a node, winbind fails to drop connections made through that IP address.
Clone Of:
Clones: 1292783 1293784 1572584
Last Closed: 2018-11-06 10:26:00 UTC

Links:
Red Hat Bugzilla 1560732 (priority unspecified, CLOSED): Commands to enable and disable CTDB scripts are incorrect (last updated 2021-02-22 00:41:40 UTC)

Description surabhi 2015-12-14 09:28:03 UTC
Description of problem:
*************************************************

1. disablescript 49.winbind is executed and the winbind service is stopped, where CTDB_MANAGES_WINBIND = yes
2. disablescript 50.samba is executed and the smb service is stopped, where CTDB_MANAGES_SAMBA = yes

AVCs are seen which show that ctdbd tries to execute smbcontrol, and in the ctdb logs there are permission errors.

The following AVCs are seen, along with these messages in the ctdb logs:
*****************************************************************

type=AVC msg=audit(1450103321.941:71909): avc:  denied  { sigchld } for  pid=11716 comm="49.winbind" scontext=system_u:system_r:smbcontrol_t:s0 tcontext=system_u:system_r:ctdbd_t:s0 tclass=process
type=AVC msg=audit(1450103321.941:71910): avc:  denied  { sigchld } for  pid=11225 comm="49.winbind" scontext=system_u:system_r:smbcontrol_t:s0 tcontext=system_u:system:

This is the log from ctdb, which shows the ctdb scriptstatus:

*****************************************************************
2015/12/14 19:58:59.021033 [22865]: Event script '49.winbind takeip eth0 10.70.47.175 22' timed out after 29.9s, count: 0, pid: 11715
2015/12/14 19:58:59.021071 [22865]: Ignoring hung script for eth0 10.70.47.175 22 call 5
2015/12/14 19:58:59.115333 [22865]: Hung-script: ===== Start of hung script debug for PID="11715", event="takeip" =====
2015/12/14 19:58:59.115365 [22865]: Hung-script: pstree -p -a 11715:
2015/12/14 19:58:59.134471 [22865]: Hung-script: /proc/1: Permission denied
2015/12/14 19:58:59.134658 [22865]: Hung-script: 
2015/12/14 19:58:59.182444 [22865]: Hung-script: ---- ctdb scriptstatus takeip: ----
2015/12/14 19:58:59.199553 [22865]: Hung-script: 11 scripts were executed last takeip cycle
2015/12/14 19:58:59.199662 [22865]: Hung-script: 00.ctdb              Status:OK    Duration:0.017 Mon Dec 14 19:58:29 2015
2015/12/14 19:58:59.199703 [22865]: Hung-script: 01.reclock           Status:OK    Duration:0.011 Mon Dec 14 19:58:29 2015
2015/12/14 19:58:59.199735 [22865]: Hung-script: 10.interface         Status:OK    Duration:0.026 Mon Dec 14 19:58:29 2015
2015/12/14 19:58:59.199766 [22865]: Hung-script: 11.natgw             Status:OK    Duration:0.012 Mon Dec 14 19:58:29 2015
2015/12/14 19:58:59.199796 [22865]: Hung-script: 11.routing           Status:OK    Duration:0.011 Mon Dec 14 19:58:29 2015
2015/12/14 19:58:59.199826 [22865]: Hung-script: 13.per_ip_routing    Status:OK    Duration:0.011 Mon Dec 14 19:58:29 2015
2015/12/14 19:58:59.199855 [22865]: Hung-script: 20.multipathd        Status:OK    Duration:0.010 Mon Dec 14 19:58:29 2015
2015/12/14 19:58:59.199884 [22865]: Hung-script: 31.clamd             Status:OK    Duration:0.015 Mon Dec 14 19:58:29 2015
2015/12/14 19:58:59.199909 [22865]: Hung-script: 40.fs_use            Status:DISABLED    
2015/12/14 19:58:59.199939 [22865]: Hung-script: 40.vsftpd            Status:OK    Duration:0.013 Mon Dec 14 19:58:29 2015
2015/12/14 19:58:59.199968 [22865]: Hung-script: 41.httpd             Status:OK    Duration:0.011 Mon Dec 14 19:58:29 2015
2015/12/14 19:58:59.200000 [22865]: Hung-script: 49.winbind           Status:TIMEDOUT    Mon Dec 14 19:58:29 2015
2015/12/14 19:58:59.200022 [22865]: Hung-script:    OUTPUT:
2015/12/14 19:58:59.204283 [22865]: Hung-script: ===== End of hung script debug for PID="11715", event="takeip" =====


Version-Release number of selected component (if applicable):
ctdb-4.2.4-6.el7rhgs.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Explained in description

Actual results:
AVCs are seen when ctdb disablescript 49.winbind is executed and the winbind service is stopped; it tries to execute smbcontrol, which throws AVCs.

Expected results:
There should not be any AVCs seen.

Additional info:

Comment 2 Michael Adam 2015-12-21 20:28:18 UTC
We really should have some fix or workaround for this.

Ultimately this needs to be fixed in RHEL selinux policy, as far as I can tell, but this is broken in RHGS installs using CTDB_MANAGES_WINBIND for CTDB.

Comment 3 Michael Adam 2015-12-22 12:03:12 UTC
The new AD documentation guide documents the use of CTDB_MANAGES_WINBIND=yes, and this was a possibility before. This bug will prevent this setup from fully working. It is important to

1. get it fixed in RHEL
2. if possible get a workaround (in the form of a local policy?) in the samba RPM.
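As an added example (not code from the bug, ctdb or selinux-policy), here is a small Python parser for AVC records like the two quoted in the description: it pulls the source/target types, class and permissions out of each denial and renders the matching allow rule plus a minimal local policy module of the kind comment 3 floats as a workaround. The module name is an assumption, and the truncated second record shows an incomplete line being skipped rather than turned into a rule.

```python
import re

# Constructed copies of the two AVC records quoted in the bug description; the
# second is truncated in the report and shows an incomplete record being skipped.
SAMPLE_AVCS = [
    'type=AVC msg=audit(1450103321.941:71909): avc:  denied  { sigchld } for  '
    'pid=11716 comm="49.winbind" scontext=system_u:system_r:smbcontrol_t:s0 '
    'tcontext=system_u:system_r:ctdbd_t:s0 tclass=process',
    'type=AVC msg=audit(1450103321.941:71910): avc:  denied  { sigchld } for  '
    'pid=11225 comm="49.winbind" scontext=system_u:system_r:smbcontrol_t:s0 '
    'tcontext=system_u:system:',
]
AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """One AVC record as a dict, or None if the avc marker, either
    user:role:type:level context or the tclass is missing or truncated."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    ctxs = [fields.get(k, '').split(':') for k in ('scontext', 'tcontext')]
    if 'tclass' not in fields or any(len(c) < 4 or not c[2] for c in ctxs):
        return None  # e.g. the cut-off 'tcontext=system_u:system:' record
    return {'result': m.group('result'), 'comm': fields.get('comm'), 'tclass': fields['tclass'],
            'stype': ctxs[0][2], 'ttype': ctxs[1][2], 'perms': tuple(sorted(m.group('perms').split()))}

def allow_rules(lines):
    """Distinct allow rules covering every parseable denial (audit2allow shape).
    Review each one before loading it: it widens policy for that type pair."""
    rules = set()
    for rec in map(parse_avc, lines):
        if rec is None or rec['result'] != 'denied':
            continue
        perms = rec['perms'][0] if len(rec['perms']) == 1 else '{ %s }' % ' '.join(rec['perms'])
        rules.add(f"allow {rec['stype']} {rec['ttype']}:{rec['tclass']} {perms};")
    return sorted(rules)

def te_module(name, lines):
    """Minimal local policy module (.te) text; the module name is assumed, not from the bug."""
    recs = [r for r in map(parse_avc, lines) if r and r['result'] == 'denied']
    types = sorted({t for r in recs for t in (r['stype'], r['ttype'])})
    classes = {}
    for r in recs:
        classes.setdefault(r['tclass'], set()).update(r['perms'])
    req = [f'\ttype {t};' for t in types]
    req += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    return '\n'.join([f'module {name} 1.0;', 'require {', *req, '}', *allow_rules(lines)])
```

For the complete record on this page the rule comes out as `allow smbcontrol_t ctdbd_t:process sigchld;`, which matches the denial the Doc Text describes (the event script's smbcontrol child cannot signal its ctdbd parent).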

Comment 5 Michael Adam 2016-02-01 22:52:05 UTC
"prevents smbcontrol from using ctdb's 49.winbind event script" is wrong.

Correct is:

"prevents ctdb's 49.winbind event script from executing smbcontrol"

Comment 7 Michael Adam 2016-02-03 12:00:30 UTC
Thanks, the text is good now!

Comment 12 Amar Tumballi 2018-04-19 04:17:13 UTC
Closed the samba bugs in bulk when PM_Score was less than 0. As the team was working on a few of them, opening all of them.
