Bug 1472171 - SELinux doesn't allow CTDB to set system resource limits
Status: NEW
Product: Red Hat Gluster Storage
Classification: Red Hat
Component: ctdb
Version: 3.3
Hardware/OS: x86_64 Linux
Priority: unspecified
Severity: medium
Assigned To: Michael Adam
QA Contact: surabhi
Reported: 2017-07-18 04:27 EDT by Anoop C S
Modified: 2017-07-26 04:02 EDT
Type: Bug
Description Anoop C S 2017-07-18 04:27:52 EDT
Description of problem:
By default CTDB provides the standard way for defining a configuration parameter named CTDB_MAX_OPEN_FILES [see man ctdbd.conf(5)] which, when set to a particular value, will re-configure the resource limit for the maximum number of open files. But in an environment where SELinux is set to 'Enforcing', the following AVC denials are seen in the audit logs, and it thereby fails to change the corresponding limits:

type=AVC msg=audit(1500360590.186:345): avc:  denied  { sys_resource } for  pid=6031 comm="ctdbd_wrapper" capability=24  scontext=system_u:system_r:ctdbd_t:s0 tcontext=system_u:system_r:ctdbd_t:s0 tclass=capability
type=SYSCALL msg=audit(1500360590.186:345): arch=c000003e syscall=160 success=no exit=-1 a0=7 a1=7fff4bd7c780 a2=2 a3=7f8781c0dee0 items=0 ppid=1 pid=6031 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ctdbd_wrapper" exe="/usr/bin/bash" subj=system_u:system_r:ctdbd_t:s0 key=(null)

type=AVC msg=audit(1500363357.648:1214): avc:  denied  { sys_resource } for  pid=28137 comm="ctdbd_wrapper" capability=24  scontext=system_u:system_r:ctdbd_t:s0 tcontext=system_u:system_r:ctdbd_t:s0 tclass=capability
type=AVC msg=audit(1500363357.648:1214): avc:  denied  { setrlimit } for  pid=28137 comm="ctdbd_wrapper" scontext=system_u:system_r:ctdbd_t:s0 tcontext=system_u:system_r:ctdbd_t:s0 tclass=process
type=SYSCALL msg=audit(1500363357.648:1214): arch=c000003e syscall=160 success=yes exit=0 a0=7 a1=7fffd21a2c10 a2=2 a3=7f8ef21d7ee0 items=0 ppid=1 pid=28137 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ctdbd_wrapper" exe="/usr/bin/bash" subj=system_u:system_r:ctdbd_t:s0 key=(null)


Version-Release number of selected component (if applicable):
# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 7.4 Beta (Maipo)
# cat /etc/redhat-storage-release 
Red Hat Gluster Storage Server 3.3.0
# rpm -qa | grep selinux-policy
selinux-policy-targeted-3.13.1-102.el7_3.16.noarch
selinux-policy-3.13.1-102.el7_3.16.noarch
# rpm -qa | grep ctdb
ctdb-tests-4.6.3-3.el7rhgs.x86_64
ctdb-4.6.3-3.el7rhgs.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Have a RHGS Samba-CTDB setup.
2. Make sure that SELinux is set to 'Enforcing'.
# getenforce
Enforcing
3. Add the following to /etc/sysconfig/ctdb.
CTDB_MAX_OPEN_FILES=16384
4. Start/Re-start ctdb service.
5. Check the resource limit.
# cat /proc/`pgrep ctdbd`/limits | grep "open files"
Max open files            1024                 4096                 files
6. Check audit logs for AVC on sys_resource
7. Change SELinux mode from 'Enforcing' to 'Permissive'.
# setenforce 0
8. Restart ctdb service.
9. Check resource limit.
# cat /proc/`pgrep ctdbd`/limits | grep "open files"
Max open files            16384                16384                files
10. Check for AVCs in audit logs.

Actual results:
AVC denials are seen and resource limits are not changed in 'Enforcing' mode.

Expected results:
No AVCs must be present in audit logs and resource limits should be changed.

Additional info:
# sesearch --allow | grep "allow ctdbd_t ctdbd_t : capability "
   allow ctdbd_t ctdbd_t : capability { chown net_bind_service net_admin net_raw ipc_lock sys_nice } ; 
# sesearch --allow | grep "allow ctdbd_t ctdbd_t : process "
   allow ctdbd_t ctdbd_t : process { fork sigchld sigkill sigstop signull signal getsched setsched setpgid getcap } ;
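The two audit traces above differ in a way worth reading carefully. In the enforcing trace only capability sys_resource is denied and the setrlimit syscall fails (success=no); in the permissive trace both the capability and process setrlimit are logged and the syscall goes through (success=yes). That is the kernel's check order: raising the hard limit needs CAP_SYS_RESOURCE, which is tested before the LSM setrlimit hook, and SELinux's process:setrlimit check only fires when the hard limit changes. So a policy fix that grants only the capability would surface the second denial as soon as the box is back in enforcing mode, and the permissive run is the one that shows the full set of rules needed. The following script, an added example that is not CTDB, Samba or RHGS code, ties steps 5/6 and 9/10 to the sesearch output under Additional info: it checks whether the requested RLIMIT_NOFILE actually took effect, extracts the denied permissions from the AVC records, subtracts what the loaded policy already allows for ctdbd_t, and renders the remainder as a refpolicy .te module. The sample inputs are copied from this report; the function names and the module name ctdbd_setrlimit are this example's own choices.

```python
"""Triage helper for the CTDB_MAX_OPEN_FILES / SELinux symptom in this report.

Added example, not CTDB, Samba or RHGS code.  Sample inputs are copied from
the report; function and module names are assumptions of this script.
"""
import re

# ---- steps 5 and 9: did ctdbd get the requested RLIMIT_NOFILE? -------------
def parse_nofile_limit(limits_text):
    """Return (soft, hard) from the 'Max open files' row of /proc/<pid>/limits."""
    for line in limits_text.splitlines():
        if line.startswith("Max open files"):
            fields = line.split()  # ['Max', 'open', 'files', soft, hard, 'files']
            return int(fields[3]), int(fields[4])
    raise ValueError("no 'Max open files' row in limits text")

def limit_applied(limits_text, expected):
    """ctdbd_wrapper runs 'ulimit -n N' (a setrlimit call), setting soft and hard to N."""
    soft, hard = parse_nofile_limit(limits_text)
    return soft == expected and hard == expected

# ---- steps 6 and 10: which permissions did SELinux refuse? -----------------
def parse_avc(record):
    """Turn one type=AVC record into (src_type, tgt_type, class, perm) tuples.

    Records of other types (SYSCALL, ...) yield nothing.  The type is the third
    colon-separated field of a context, so an MLS range after s0 does not matter.
    """
    if not record.startswith("type=AVC"):
        return []
    perms = re.search(r"denied\s+\{([^}]*)\}", record)
    if perms is None:
        return []
    kv = dict(tok.split("=", 1) for tok in record.split() if "=" in tok)
    stype = kv["scontext"].split(":")[2]
    ttype = kv["tcontext"].split(":")[2]
    return [(stype, ttype, kv["tclass"], p) for p in perms.group(1).split()]

def parse_sesearch(output):
    """Parse 'allow src tgt : class { perms } ;' lines as printed by sesearch --allow."""
    allowed = set()
    rule = re.compile(r"allow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s*(?:\{([^}]*)\}|(\w+))\s*;")
    for m in rule.finditer(output):
        src, tgt, cls, many, one = m.groups()
        for perm in (many or one).split():
            allowed.add((src, tgt, cls, perm))
    return allowed

def missing_rules(avc_records, sesearch_output):
    """Denied permissions that the loaded policy does not already allow."""
    needed = set()
    for rec in avc_records:
        needed.update(parse_avc(rec))
    return sorted(needed - parse_sesearch(sesearch_output))

def render_te(rules, name="ctdbd_setrlimit"):
    """Render missing (src, tgt, class, perm) tuples as a refpolicy .te module."""
    grouped = {}
    for src, tgt, cls, perm in rules:
        grouped.setdefault((src, tgt, cls), []).append(perm)
    types = sorted({s for s, _, _ in grouped} | {t for _, t, _ in grouped})
    lines = [f"policy_module({name}, 1.0)", "", "require {"]
    lines += [f"    type {t};" for t in types]
    for (src, tgt, cls), perms in sorted(grouped.items()):
        lines.append(f"    class {cls} {{ {' '.join(sorted(perms))} }};")
    lines += ["}", ""]
    for (src, tgt, cls), perms in sorted(grouped.items()):
        target = "self" if tgt == src else tgt  # policy idiom for src == tgt
        lines.append(f"allow {src} {target}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(lines) + "\n"

# ---- sample data copied from the report (SYSCALL record shortened) ---------
LIMITS_ENFORCING = "Max open files            1024                 4096                 files\n"
LIMITS_PERMISSIVE = "Max open files            16384                16384                files\n"
AVC_RECORDS = [
    'type=AVC msg=audit(1500363357.648:1214): avc:  denied  { sys_resource } for  pid=28137 '
    'comm="ctdbd_wrapper" capability=24  scontext=system_u:system_r:ctdbd_t:s0 '
    'tcontext=system_u:system_r:ctdbd_t:s0 tclass=capability',
    'type=AVC msg=audit(1500363357.648:1214): avc:  denied  { setrlimit } for  pid=28137 '
    'comm="ctdbd_wrapper" scontext=system_u:system_r:ctdbd_t:s0 '
    'tcontext=system_u:system_r:ctdbd_t:s0 tclass=process',
    'type=SYSCALL msg=audit(1500363357.648:1214): arch=c000003e syscall=160 success=yes exit=0',
]
SESEARCH_OUTPUT = """\
   allow ctdbd_t ctdbd_t : capability { chown net_bind_service net_admin net_raw ipc_lock sys_nice } ;
   allow ctdbd_t ctdbd_t : process { fork sigchld sigkill sigstop signull signal getsched setsched setpgid getcap } ;
"""

if __name__ == "__main__":
    for label, text in (("enforcing", LIMITS_ENFORCING), ("permissive", LIMITS_PERMISSIVE)):
        print(f"{label}: CTDB_MAX_OPEN_FILES=16384 applied: {limit_applied(text, 16384)}")
    print(render_te(missing_rules(AVC_RECORDS, SESEARCH_OUTPUT)))
```

The rendered module contains exactly two rules, allow ctdbd_t self:capability { sys_resource }; and allow ctdbd_t self:process { setrlimit };. Because policy_module() is an m4 macro, build it with the refpolicy Makefile from selinux-policy-devel (make -f /usr/share/selinux/devel/Makefile ctdbd_setrlimit.pp, then semodule -i ctdbd_setrlimit.pp) rather than bare checkmodule. The usual shortcut, ausearch -m AVC -c ctdbd_wrapper | audit2allow -M ctdbd_setrlimit, produces the same two rules; run it against the permissive-mode records, since an enforcing run stops at the first denial. After loading the module, re-check step 5 with setenforce 1 and confirm the audit log stays clean.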
