Red Hat Bugzilla – Bug 1479759
pcs resource create ocf:heartbeat:slapd causes avc: denied { block_suspend }
Last modified: 2018-04-10 08:37:48 EDT
Description of problem:
Attempt to create slapd resource in cluster causes avc: denied { block_suspend }.

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-166.el7.noarch
openldap-servers-2.4.44-5.el7.x86_64

How reproducible:
Always

Steps to Reproduce:
1. pcs resource create p_slapd ocf:heartbeat:slapd
2. ausearch -m AVC

Actual results:
time->Wed Aug 9 12:25:30 2017
type=PROCTITLE msg=audit(1502274330.788:3379): proctitle=2F7573722F7362696E2F736C617064002D68006C6461703A2F2F2F002D7500726F6F74002D6700726F6F74002D46002F6574632F6F70656E6C6461702F736C6170642E64
type=SYSCALL msg=audit(1502274330.788:3379): arch=c000003e syscall=233 success=yes exit=0 a0=6 a1=2 a2=a a3=5582afa41334 items=0 ppid=1 pid=3927 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="slapd" exe="/usr/sbin/slapd" subj=system_u:system_r:slapd_t:s0 key=(null)
type=AVC msg=audit(1502274330.788:3379): avc: denied { block_suspend } for pid=3927 comm="slapd" capability=36 scontext=system_u:system_r:slapd_t:s0 tcontext=system_u:system_r:slapd_t:s0 tclass=capability2
----
time->Wed Aug 9 12:25:35 2017
type=PROCTITLE msg=audit(1502274335.267:3380): proctitle=2F7573722F7362696E2F736C617064002D68006C6461703A2F2F2F002D7500726F6F74002D6700726F6F74002D46002F6574632F6F70656E6C6461702F736C6170642E64
type=SYSCALL msg=audit(1502274335.267:3380): arch=c000003e syscall=233 success=yes exit=0 a0=6 a1=2 a2=a a3=5582afa41334 items=0 ppid=1 pid=3927 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="slapd" exe="/usr/sbin/slapd" subj=system_u:system_r:slapd_t:s0 key=(null)
type=AVC msg=audit(1502274335.267:3380): avc: denied { block_suspend } for pid=3927 comm="slapd" capability=36 scontext=system_u:system_r:slapd_t:s0 tcontext=system_u:system_r:slapd_t:s0 tclass=capability2

Expected results:
No denials

Additional info:
This error is related only to the slapd resource in a cluster. Attempting to start the slapd service without the cluster doesn't cause a denial error. After a fix is available, we can perform its testing in the cluster.
We're going to close this bug as WONTFIX because

* of limited capacity of selinux-policy developers
* the bug is related to EPEL component or 3rd party SW only
* the bug appears in unsupported configuration

We believe this bug can be fixed via a local policy module. For more information please see:

* https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/sect-security-enhanced_linux-troubleshooting-fixing_problems#sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow

If you disagree, please re-open the bug.
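One shape the local policy module mentioned above could take, as an added example that is not part of this bug report or of Red Hat's tooling: a small POSIX shell script that derives the allow rule audit2allow would generate from the AVC line in this report and emits the .te module source for it. The module name slapd_block_suspend_local and the second sample AVC line (file access by slapd_t, used only to exercise the multi-permission path) are assumptions.

```shell
#!/bin/sh
# Sample AVC line, copied in shape from the denial in this bug (constructed for the example).
AVC_SAMPLE='type=AVC msg=audit(1502274330.788:3379): avc: denied { block_suspend } for pid=3927 comm="slapd" capability=36 scontext=system_u:system_r:slapd_t:s0 tcontext=system_u:system_r:slapd_t:s0 tclass=capability2'

# avc_to_allow_rule LINE: print the allow rule implied by one AVC denial line.
# Takes the permission(s) inside { }, the type field of scontext/tcontext and tclass;
# when source and target types are equal it writes "self", as audit2allow does.
avc_to_allow_rule() {
  printf '%s\n' "$1" | awk '
    {
      perm = ""; src = ""; tgt = ""; cls = ""
      if (match($0, /denied [{] [^}]* [}]/))
        perm = substr($0, RSTART + 9, RLENGTH - 11)   # text between the braces
      for (i = 1; i <= NF; i++) {
        if (split($i, kv, "=") < 2) continue
        if (kv[1] == "scontext")      { split(kv[2], c, ":"); src = c[3] }
        else if (kv[1] == "tcontext") { split(kv[2], c, ":"); tgt = c[3] }
        else if (kv[1] == "tclass")   cls = kv[2]
      }
      if (perm == "" || src == "" || tgt == "" || cls == "") exit 1
      if (src == tgt) tgt = "self"
      if (perm ~ / /) perm = "{ " perm " }"              # several permissions
      printf "allow %s %s:%s %s;\n", src, tgt, cls, perm
    }'
}

# avc_to_te NAME LINE: print a complete policy module source (.te) for one denial.
avc_to_te() {
  rule=$(avc_to_allow_rule "$2") || return 1
  src=${rule#allow }; src=${src%% *}                 # source type
  rest=${rule#allow * }                              # "TGT:CLASS PERMS;"
  tgt=${rest%%:*}
  cls=${rest%% *}; cls=${cls#*:}
  perms=${rest#* }; perms=${perms%;}; perms=${perms#\{ }; perms=${perms% \}}
  printf 'module %s 1.0;\n\nrequire {\n    type %s;\n' "$1" "$src"
  if [ "$tgt" != self ]; then printf '    type %s;\n' "$tgt"; fi
  printf '    class %s { %s };\n}\n\n%s\n' "$cls" "$perms" "$rule"
}

# With --install, build and load the module (needs checkmodule, semodule_package, semodule).
if [ "$1" = "--install" ]; then
  avc_to_te slapd_block_suspend_local "$AVC_SAMPLE" > slapd_block_suspend_local.te &&
  checkmodule -M -m -o slapd_block_suspend_local.mod slapd_block_suspend_local.te &&
  semodule_package -o slapd_block_suspend_local.pp -m slapd_block_suspend_local.mod &&
  semodule -i slapd_block_suspend_local.pp
else
  avc_to_te slapd_block_suspend_local "$AVC_SAMPLE"
fi
```

Before loading such a module, confirm the access is one the daemon legitimately needs in that configuration rather than allowing whatever was denied; `audit2allow -w -a` explains why a denial occurred and `semodule -l` shows what is already loaded.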
(In reply to Lukas Vrabec from comment #2)
> We're going to close this bug as WONTFIX because
>
> * of limited capacity of selinux-policy developers

hm...

> * the bug is related to EPEL component or 3rd party SW only

what EPEL component are you referring to?

> * the bug appears in unsupported configuration

how is that configuration unsupported?

> If you disagree, please re-open the bug.

I disagree, hence reopening the bug. The configuration is a standard clustered configuration of the slapd daemon. Cluster components (pcs, pacemaker and others) are part of the High Availability addon (hence part of RHEL). Configuration is done via standard resource agents, so it is perfectly valid as far as I can tell. We do support selinux on all cluster resources to my knowledge. If that has changed in any way, please point me to the relevant discussion where this has been decided.

Thank you,
-- Jaroslav.
Please disregard comment#2 and comment#3. The wrong keyword was used in the Devel whiteboard -> the mass BZ switch got a wrong list of BZs.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:0763