Bug 1291194 - (RHEL7) CTDB: SELinux: AVC's triggered while executing smbcontrol via 49.winbind script
Status: NEW
Product: Red Hat Gluster Storage
Classification: Red Hat
Component: samba
Version: 3.1
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Assigned To: rhs-smb@redhat.com
QA Contact: storage-qa-internal@redhat.com
Keywords: ZStream
Depends On:
Blocks: 1292783 1268895 1293784 1293785
Reported: 2015-12-14 04:28 EST by surabhi
Modified: 2017-12-03 13:21 EST
CC: 2 users

See Also:
Fixed In Version:
Doc Type: Known Issue
Doc Text:
Current SELinux policy prevents ctdb's 49.winbind event script from executing smbcontrol. This can create inconsistent state in winbind, because when a public IP address is moved away from a node, winbind fails to drop connections made through that IP address.
Story Points: ---
Clone Of:
Clones: 1292783 1293784
Environment:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments: None
Description surabhi 2015-12-14 04:28:03 EST
Description of problem:
*************************************************

1. When disablescript 49.winbind is executed and the winbind service is stopped, where CTDB_MANAGES_WINBIND = yes
2. When disablescript 50.samba is executed and the smb service is stopped, where CTDB_MANAGES_SAMBA = yes

the AVCs are seen, which show that ctdbd tries to execute smbcontrol, and in the ctdb logs there are permission errors.

The following AVCs are seen, along with the messages in the ctdb logs:
*****************************************************************

type=AVC msg=audit(1450103321.941:71909): avc:  denied  { sigchld } for  pid=11716 comm="49.winbind" scontext=system_u:system_r:smbcontrol_t:s0 tcontext=system_u:system_r:ctdbd_t:s0 tclass=process
type=AVC msg=audit(1450103321.941:71910): avc:  denied  { sigchld } for  pid=11225 comm="49.winbind" scontext=system_u:system_r:smbcontrol_t:s0 tcontext=system_u:system:

This is the log from ctdb, which shows the ctdb scriptstatus:

*****************************************************************
2015/12/14 19:58:59.021033 [22865]: Event script '49.winbind takeip eth0 10.70.47.175 22' timed out after 29.9s, count: 0, pid: 11715
2015/12/14 19:58:59.021071 [22865]: Ignoring hung script for eth0 10.70.47.175 22 call 5
2015/12/14 19:58:59.115333 [22865]: Hung-script: ===== Start of hung script debug for PID="11715", event="takeip" =====
2015/12/14 19:58:59.115365 [22865]: Hung-script: pstree -p -a 11715:
2015/12/14 19:58:59.134471 [22865]: Hung-script: /proc/1: Permission denied
2015/12/14 19:58:59.134658 [22865]: Hung-script: 
2015/12/14 19:58:59.182444 [22865]: Hung-script: ---- ctdb scriptstatus takeip: ----
2015/12/14 19:58:59.199553 [22865]: Hung-script: 11 scripts were executed last takeip cycle
2015/12/14 19:58:59.199662 [22865]: Hung-script: 00.ctdb              Status:OK    Duration:0.017 Mon Dec 14 19:58:29 2015
2015/12/14 19:58:59.199703 [22865]: Hung-script: 01.reclock           Status:OK    Duration:0.011 Mon Dec 14 19:58:29 2015
2015/12/14 19:58:59.199735 [22865]: Hung-script: 10.interface         Status:OK    Duration:0.026 Mon Dec 14 19:58:29 2015
2015/12/14 19:58:59.199766 [22865]: Hung-script: 11.natgw             Status:OK    Duration:0.012 Mon Dec 14 19:58:29 2015
2015/12/14 19:58:59.199796 [22865]: Hung-script: 11.routing           Status:OK    Duration:0.011 Mon Dec 14 19:58:29 2015
2015/12/14 19:58:59.199826 [22865]: Hung-script: 13.per_ip_routing    Status:OK    Duration:0.011 Mon Dec 14 19:58:29 2015
2015/12/14 19:58:59.199855 [22865]: Hung-script: 20.multipathd        Status:OK    Duration:0.010 Mon Dec 14 19:58:29 2015
2015/12/14 19:58:59.199884 [22865]: Hung-script: 31.clamd             Status:OK    Duration:0.015 Mon Dec 14 19:58:29 2015
2015/12/14 19:58:59.199909 [22865]: Hung-script: 40.fs_use            Status:DISABLED    
2015/12/14 19:58:59.199939 [22865]: Hung-script: 40.vsftpd            Status:OK    Duration:0.013 Mon Dec 14 19:58:29 2015
2015/12/14 19:58:59.199968 [22865]: Hung-script: 41.httpd             Status:OK    Duration:0.011 Mon Dec 14 19:58:29 2015
2015/12/14 19:58:59.200000 [22865]: Hung-script: 49.winbind           Status:TIMEDOUT    Mon Dec 14 19:58:29 2015
2015/12/14 19:58:59.200022 [22865]: Hung-script:    OUTPUT:
2015/12/14 19:58:59.204283 [22865]: Hung-script: ===== End of hung script debug for PID="11715", event="takeip" =====


Version-Release number of selected component (if applicable):
ctdb-4.2.4-6.el7rhgs.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Explained in the description
2.
3.

Actual results:
AVCs are seen when ctdb disablescript 49.winbind is executed and the winbind service is stopped; it tries to execute smbcontrol, which throws AVCs.

Expected results:
There should not be any AVCs seen.

Additional info:
Comment 2 Michael Adam 2015-12-21 15:28:18 EST
We really should have some fix or workaround for this.

Ultimately this needs to be fixed in RHEL selinux policy, as far as I can tell, but this is broken in RHGS installs using CTDB_MANAGES_WINBIND for CTDB.
Comment 3 Michael Adam 2015-12-22 07:03:12 EST
The new AD documentation guide documents using CTDB_MANAGES_WINBIND=yes, and this was a possibility before. This bug will prevent this setup from fully working. It is important to

1. get it fixed in RHEL
2. if possible get a workaround (in the form of a local policy?) in the samba RPM.
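The two AVC records quoted in the description say exactly what the policy is missing: the smbcontrol_t domain is denied the sigchld permission towards its ctdbd_t parent (the 49.winbind script). The script below is an added example, not code from this bug report or from the ctdb/samba packages: it parses an AVC record into the single TE allow rule it describes and wraps it in a local policy module of the kind comment 3 suggests as a stopgap until the RHEL policy itself is fixed. The module name ctdb_smbcontrol_local and the file paths in the comments are assumptions for this example; the sample AVC lines are copied from the description (the second one is truncated on the page, and the parser refuses it rather than guessing the missing type). A local module should grant only the denied permission between the two types the audit record names, and be removed once the distribution policy carries the fix.

```sh
#!/bin/sh
# Added example: derive the minimal SELinux TE rule from an AVC record and emit a
# local policy module covering exactly that denial. Module name is an assumption.

# Constructed sample: the first AVC record quoted in the bug description.
SAMPLE_AVC='type=AVC msg=audit(1450103321.941:71909): avc:  denied  { sigchld } for  pid=11716 comm="49.winbind" scontext=system_u:system_r:smbcontrol_t:s0 tcontext=system_u:system_r:ctdbd_t:s0 tclass=process'

# Constructed sample: the second record, cut off inside tcontext as on the page.
TRUNCATED_AVC='type=AVC msg=audit(1450103321.941:71910): avc:  denied  { sigchld } for  pid=11225 comm="49.winbind" scontext=system_u:system_r:smbcontrol_t:s0 tcontext=system_u:system:'

# Extract one field from an AVC record via a sed capture group; prints nothing
# when the field is absent, which lets callers detect incomplete records.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/$2/\\1/p"
}

# Print "allow <src_type> <tgt_type>:<class> <perms>;" for one AVC record.
# Returns 1 and prints nothing if any field is missing (e.g. a truncated line).
avc_to_allow_rule() {
    perms=$(avc_field "$1" '.*{ *\([^}]*[^} ]\) *}.*')
    src=$(avc_field "$1" '.*scontext=[^:]*:[^:]*:\([^:]*\):.*')
    tgt=$(avc_field "$1" '.*tcontext=[^:]*:[^:]*:\([^:]*\):.*')
    cls=$(avc_field "$1" '.*tclass=\([^ ]*\).*')
    if [ -z "$perms" ] || [ -z "$src" ] || [ -z "$tgt" ] || [ -z "$cls" ]; then
        echo "incomplete AVC record, refusing to guess: $1" >&2
        return 1
    fi
    case "$perms" in
        *" "*) printf 'allow %s %s:%s { %s };\n' "$src" "$tgt" "$cls" "$perms" ;;
        *)     printf 'allow %s %s:%s %s;\n' "$src" "$tgt" "$cls" "$perms" ;;
    esac
}

# Emit a complete .te module (same layout audit2allow -M produces) from one or
# more AVC records; unparseable records are skipped, never padded.
avc_to_te_module() {
    mod_name=$1; shift
    types=""; classes=""; rules=""
    for rec in "$@"; do
        rule=$(avc_to_allow_rule "$rec") || continue
        src=$(avc_field "$rec" '.*scontext=[^:]*:[^:]*:\([^:]*\):.*')
        tgt=$(avc_field "$rec" '.*tcontext=[^:]*:[^:]*:\([^:]*\):.*')
        cls=$(avc_field "$rec" '.*tclass=\([^ ]*\).*')
        perms=$(avc_field "$rec" '.*{ *\([^}]*[^} ]\) *}.*')
        types="$types
    type $src;
    type $tgt;"
        classes="$classes
    class $cls { $perms };"
        rules="$rules
$rule"
    done
    printf 'module %s 1.0;\n\nrequire {\n' "$mod_name"
    printf '%s\n' "$types" | sed '/^$/d' | sort -u
    printf '%s\n' "$classes" | sed '/^$/d' | sort -u
    printf '}\n\n%s\n' "$(printf '%s\n' "$rules" | sed '/^$/d')"
}

# Demo run on the two constructed records.
avc_to_allow_rule "$SAMPLE_AVC"
if ! avc_to_allow_rule "$TRUNCATED_AVC" 2>/dev/null; then
    echo "# truncated record skipped"
fi
avc_to_te_module ctdb_smbcontrol_local "$SAMPLE_AVC" "$TRUNCATED_AVC" 2>/dev/null

# On an affected node the equivalent end-to-end workflow is (not run here):
#   ausearch -m AVC -c 49.winbind | audit2allow -M ctdb_smbcontrol_local
#   semodule -i ctdb_smbcontrol_local.pp
#   sesearch -A -s smbcontrol_t -t ctdbd_t -c process -p sigchld   # confirm the rule is now in policy
```

Re-running the disablescript/takeip cycle from the description after loading the module should leave the audit log free of new smbcontrol_t/ctdbd_t denials and 49.winbind no longer in Status:TIMEDOUT in ctdb scriptstatus; if a different permission shows up, the record names it and the same parser produces the corresponding rule.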
Comment 5 Michael Adam 2016-02-01 17:52:05 EST
"prevents smbcontrol from using ctdb's 49.winbind event script" is wrong.

Correct is:

"prevents ctdb's 49.winbind event script from executing smbcontrol"
Comment 7 Michael Adam 2016-02-03 07:00:30 EST
Thanks, the text is good now!
