Bug 1362693 - Carbon-cache not allowed to create and write /var/lib directory
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Storage Console
Classification: Red Hat Storage
Component: core
Version: 2
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Timothy Asir
QA Contact: sds-qe-bugs
Blocks: 1326788
Reported: 2016-08-02 21:44 UTC by Timothy Asir
Modified: 2019-10-22 07:23 UTC (History)
Last Closed: 2017-03-23 04:06:16 UTC

Description Timothy Asir 2016-08-02 21:44:37 UTC
Description of problem:
Carbon-cache is not allowed by the SELinux policy to create and write to the /var/lib directory.

AVC denials:
type=AVC msg=audit(1469705553.928:1215): avc:  denied  { write } for  pid=11657 comm="carbon-cache" name="plugins" dev="vda2" ino=92276763 scontext=system_u:system_r:carbon_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=dir
type=AVC msg=audit(1469705553.928:1215): avc:  denied  { create } for  pid=11657 comm="carbon-cache" name="G7_cpK7WB-scrOqHdropin.cache.new" scontext=system_u:system_r:carbon_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=AVC msg=audit(1469705553.929:1216): avc:  denied  { remove_name } for  pid=11657 comm="carbon-cache" name="G7_cpK7WB-scrOqHdropin.cache.new" dev="vda2" ino=92358149 scontext=system_u:system_r:carbon_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=dir

Additional info:
The default storage directory for carbon-cache is /var/lib/carbon and its local data directory is configured to /var/lib/carbon/whisper, which is not a place any service is allowed to keep its regular data. This should be configured to either the /usr/lib directory or any other directory.

Comment 2 Timothy Asir 2016-08-03 05:20:07 UTC
Change the default carbon data directory with SELinux enabled

Steps to fix this issue:
    1. Stop the carbon-cache service
    2. Create a new data directory and move the content
       from the old data directory
    3. Correct the carbon configuration file
    4. Adjust SELinux parameters to accept our new change
    5. Start the carbon-cache service

1. Stopping the carbon-cache service
This service can be stopped with "service carbon-cache stop".

2. Create a new data directory and move the content from the old one
One can create a directory like /usr/lib/carbon or /srv/carbon, or in any other allowed place, and move the old content from /var/lib/carbon.
e.g.:
mkdir /usr/lib/carbon
chown carbon:carbon /usr/lib/carbon
mv -vi /var/lib/carbon/* /usr/lib/carbon/

3. Correct the carbon configuration file
Edit the /etc/carbon/carbon.conf file. Replace /var/ with the new path.
e.g.:
STORAGE_DIR    = /usr/lib/carbon/
LOCAL_DATA_DIR = /usr/lib/carbon/whisper/
WHITELISTS_DIR = /usr/lib/carbon/lists/

4. Adjust SELinux parameters to accept our new change
e.g.:
semanage fcontext -a -t carbon_var_lib_t "/usr/lib/carbon(/.*)?"
restorecon -Rv /usr/lib/carbon

5. Starting the carbon-cache service
e.g.: service carbon-cache start

6. Verify and check the connectivity.

Comment 3 Timothy Asir 2016-08-03 07:20:15 UTC
/usr/lib/carbon is not a good place for data. Either we can keep it in some other path, or we can resolve this with:
semanage fcontext -a -t carbon_var_lib_t "/var/lib/carbon(/.*)?"
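As an added example (not part of the bug report or of the Storage Console project): a small POSIX shell triage helper that parses AVC records like the three quoted in the description and summarises, per denial, the process, source domain, denied permission, target type and object class, so a run of denials can be checked for the single mislabelled target that the fcontext rule above addresses. It assumes only awk and sort are present; AVC_SAMPLE, avc_summary and avc_targets are names chosen here.

```shell
#!/bin/sh
# Added triage helper for AVC records like the ones in this bug (not part of
# the bug report). It reads audit lines on stdin and prints, per denial, the
# process name, the source domain, the denied permission, the target type and
# the object class, so the operator can confirm that every denial is the same
# domain (carbon_t) hitting the same generic label (lib_t) on its data path.
# Requires only awk and sort. AVC_SAMPLE holds the three records quoted above.

AVC_SAMPLE='type=AVC msg=audit(1469705553.928:1215): avc:  denied  { write } for  pid=11657 comm="carbon-cache" name="plugins" dev="vda2" ino=92276763 scontext=system_u:system_r:carbon_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=dir
type=AVC msg=audit(1469705553.928:1215): avc:  denied  { create } for  pid=11657 comm="carbon-cache" name="G7_cpK7WB-scrOqHdropin.cache.new" scontext=system_u:system_r:carbon_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=AVC msg=audit(1469705553.929:1216): avc:  denied  { remove_name } for  pid=11657 comm="carbon-cache" name="G7_cpK7WB-scrOqHdropin.cache.new" dev="vda2" ino=92358149 scontext=system_u:system_r:carbon_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=dir'

# avc_summary: one line per denial: "comm source_type permission target_type class"
avc_summary() {
    awk '/avc: +denied/ {
        comm = ""; src = ""; tgt = ""; cls = ""; perm = ""
        # the denied permission is the word between "{ " and " }"
        if (match($0, /[{] [^}]* [}]/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "comm")     { comm = kv[2]; gsub(/"/, "", comm) }
            # contexts are user:role:type:level; the type is the third field
            if (kv[1] == "scontext") { split(kv[2], p, ":"); src = p[3] }
            if (kv[1] == "tcontext") { split(kv[2], p, ":"); tgt = p[3] }
            if (kv[1] == "tclass")   { cls = kv[2] }
        }
        print comm, src, perm, tgt, cls
    }'
}

# avc_targets: distinct "source_type target_type" pairs. One pair repeated across
# all denials points at a single mislabelled path (fixed with an fcontext rule
# plus restorecon) rather than at a gap in the domain's policy.
avc_targets() {
    avc_summary | awk '{ print $2, $4 }' | sort -u
}

# Demo on the sample records from this bug.
printf '%s\n' "$AVC_SAMPLE" | avc_summary
printf '%s\n' "$AVC_SAMPLE" | avc_targets
```

On a live host, feed it `ausearch -m AVC -c carbon-cache` output instead of the sample; after adding the fcontext rule, `restorecon -Rv /var/lib/carbon` (as in step 4 of comment 2) applies the new label to the existing files.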

Comment 4 Timothy Asir 2016-08-03 07:24:09 UTC
@"Lukas Vrabec" <lvrabec>: Could you please add your views or suggestions?
