Bug 1514121 - SELinux: apache can't bind port 10080
Summary: SELinux: apache can't bind port 10080
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Gluster Storage
Classification: Red Hat
Component: web-admin-tendrl-selinux
Version: rhgs-3.3
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Nishanth Thomas
QA Contact: Martin Bukatovic
URL:
Whiteboard:
Depends On:
Blocks: 1514098
Reported: 2017-11-16 16:55 UTC by Martin Bukatovic
Modified: 2017-12-18 04:37 UTC (History)

Fixed In Version: tendrl-selinux-1.5.4-1.el7rhgs.noarch
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-12-18 04:37:04 UTC
Target Upstream Version:


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHEA-2017:3478 normal SHIPPED_LIVE RHGS Web Administration packages 2017-12-18 09:34:49 UTC
Github Tendrl tendrl-selinux issues 1 None None None 2017-11-16 16:55:12 UTC

Description Martin Bukatovic 2017-11-16 16:55:12 UTC
Description of problem
======================

There is an AVC denial for apache trying to bind port 10080 (aka amanda port)
on the Tendrl Server machine (the machine where RHGS WA is running).

Version-Release
===============

```
# rpm -qa | grep selinux | sort
carbon-selinux-1.5.3-2.el7rhgs.noarch
libselinux-2.5-11.el7.x86_64
libselinux-python-2.5-11.el7.x86_64
libselinux-utils-2.5-11.el7.x86_64
selinux-policy-3.13.1-166.el7_4.5.noarch
selinux-policy-targeted-3.13.1-166.el7_4.5.noarch
tendrl-grafana-selinux-1.5.3-2.el7rhgs.noarch
tendrl-selinux-1.5.3-2.el7rhgs.noarch
```

How reproducible
================

100 %

Steps to Reproduce
==================

1. Prepare machines with GlusterFS cluster, including some volume.
2. Install RHGS WA via tendrl-ansible there
   (this means that we are going to run in permissive mode system-wide)
3. Log into the server machine, and check for avc error messages via:
   ausearch -m avc

Actual results
==============

In audit logs, there is the following SELinux denial:

```
# ausearch -m avc
----
time->Wed Nov 15 12:14:17 2017
type=PROCTITLE msg=audit(1510766057.727:3657): proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44
type=SYSCALL msg=audit(1510766057.727:3657): arch=c000003e syscall=49 success=yes exit=0 a0=6 a1=55825d6d83a8 a2=1c a3=7ffedd5fa00c items=0 ppid=1 pid=19190 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1510766057.727:3657): avc:  denied  { name_bind } for  pid=19190 comm="httpd" src=10080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:amanda_port_t:s0 tclass=tcp_socket
```

This means that SELinux would prevent apache from listening on port 10080
(aka amanda port).

Expected results
================

There is no SELinux AVC denial in the audit logs.

Additional info
===============

See the upstream issue for more details:

https://github.com/Tendrl/tendrl-selinux/issues/1
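
The denial quoted above is one record among hundreds that `ausearch -m avc` can return, so a reviewer wants to pull out just the network bind denials and read each as "domain X may not bind port N, which carries port type Y". The parser below is an added example, not code from this bug or from the tendrl-selinux project. It feeds itself a constructed sample (three records copied from this bug plus one made-up file denial), keeps only denied `name_bind` on tcp/udp sockets, and renders the raw allow rule that would silence each one, the same rule `audit2allow` would emit.

```python
"""Parse SELinux AVC records (as printed by `ausearch -m avc`) and pull out
network bind denials, the class of failure this bug report is about."""
import re
from typing import Any, Dict, List, Optional

# Constructed sample input. The first three records are the AVC lines quoted in
# this bug (the httpd/amanda_port_t one from the description, the two tendrl_t
# ones from comment 7); the fourth is a made-up file denial included only to
# show that the filter ignores non-socket records.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1510766057.727:3657): avc:  denied  { name_bind } for  pid=19190 comm="httpd" src=10080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:amanda_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1512465255.780:2961): avc:  denied  { name_bind } for  pid=14794 comm="puma" src=9292 scontext=system_u:system_r:tendrl_t:s0 tcontext=system_u:object_r:glance_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1512465450.079:4104): avc:  denied  { name_bind } for  pid=17214 comm="tendrl-monitori" src=8789 scontext=system_u:system_r:tendrl_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1512465470.000:4600): avc:  denied  { read } for  pid=2222 comm="example" name="example.conf" scontext=system_u:system_r:tendrl_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
"""

# "avc:  denied  { perm1 perm2 } for  key=value key="quoted value" ..."
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def type_of(context: str) -> str:
    """Return the type component (third field) of user:role:type:level."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else context


def parse_avc(line: str) -> Optional[Dict[str, Any]]:
    """Turn one AVC record into a dict; None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec: Dict[str, Any] = {
        "result": m.group("result"),
        "perms": m.group("perms").split(),
    }
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    return rec


def name_bind_denials(audit_text: str) -> List[Dict[str, Any]]:
    """Keep only denied name_bind on tcp/udp sockets and summarize each one."""
    hits = []
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        if "name_bind" not in rec["perms"]:
            continue
        if rec.get("tclass") not in ("tcp_socket", "udp_socket"):
            continue
        hits.append({
            "comm": rec.get("comm", "?"),
            "port": int(rec["src"]),            # src= is the local port being bound
            "domain": type_of(rec["scontext"]),  # process domain, e.g. httpd_t
            "port_type": type_of(rec["tcontext"]),  # port label, e.g. amanda_port_t
            "proto": rec["tclass"].split("_")[0],
        })
    return hits


def allow_rule(hit: Dict[str, Any]) -> str:
    """Raw policy rule that would permit this bind (what audit2allow would print)."""
    return f"allow {hit['domain']} {hit['port_type']}:{hit['proto']}_socket name_bind;"


if __name__ == "__main__":
    for hit in name_bind_denials(SAMPLE_AUDIT):
        print(f"{hit['comm']:16} {hit['domain']:10} -> {hit['proto']}/{hit['port']} "
              f"({hit['port_type']})   {allow_rule(hit)}")
```

For a real host, replace `SAMPLE_AUDIT` with the output of `ausearch -m avc`. The printed allow rule is the minimal grant; whether to add it to the confined domain's policy module or instead relabel the port with `semanage port` is a decision for the policy maintainer, and this bug does not say which route the tendrl-selinux fix took.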

Comment 2 Martin Bukatovic 2017-11-16 16:56:28 UTC
Updating Version/Release section:

```
# rpm -qa | grep tendrl | sort
tendrl-ansible-1.5.4-1.el7rhgs.noarch
tendrl-api-1.5.4-2.el7rhgs.noarch
tendrl-api-httpd-1.5.4-2.el7rhgs.noarch
tendrl-commons-1.5.4-2.el7rhgs.noarch
tendrl-grafana-plugins-1.5.4-3.el7rhgs.noarch
tendrl-grafana-selinux-1.5.3-2.el7rhgs.noarch
tendrl-monitoring-integration-1.5.4-3.el7rhgs.noarch
tendrl-node-agent-1.5.4-2.el7rhgs.noarch
tendrl-notifier-1.5.4-2.el7rhgs.noarch
tendrl-selinux-1.5.3-2.el7rhgs.noarch
tendrl-ui-1.5.4-2.el7rhgs.noarch
```

Comment 3 Martin Bukatovic 2017-11-20 08:42:35 UTC
Moving this BZ into SELinux component.

Comment 5 Martin Bukatovic 2017-12-05 09:49:49 UTC
Status update: there are many avc denials on both server and storage machines.

I need to investigate deeper and see which ones are actually a problem for us
(some of those, e.g. from permissive domains, are expected).

Checking with tendrl-selinux-1.5.4-1.el7rhgs.noarch

[root@mbukatov-usm1-server ~] # ausearch -m avc | grep ^time | wc -l
799

[root@mbukatov-usm1-gl1 ~]# ausearch -m avc | grep ^time | wc -l
756

Comment 6 Martin Bukatovic 2017-12-05 09:52:22 UTC
(In reply to Martin Bukatovic from comment #5)
> Status update: there are many avc denials on both server and storage
> machines.
> 
> I need to investigate deeper and see which ones are actually a problem for us
> (some of those, eg. from permissive domains, are expected).
> 
> Checking with tendrl-selinux-1.5.4-1.el7rhgs.noarch
> 
> [root@mbukatov-usm1-server ~] # ausearch -m avc | grep ^time | wc -l
> 799
> 
> [root@mbukatov-usm1-gl1 ~]# ausearch -m avc | grep ^time | wc -l
> 756

Ignore this comment; it should have been posted in the tracker BZ instead.

Comment 7 Martin Bukatovic 2017-12-05 10:01:11 UTC
Checking with: tendrl-selinux-1.5.4-1.el7rhgs.noarch

```
# rpm -qa | grep selinux | sort
carbon-selinux-1.5.4-1.el7rhgs.noarch
libselinux-2.5-11.el7.x86_64
libselinux-python-2.5-11.el7.x86_64
libselinux-utils-2.5-11.el7.x86_64
selinux-policy-3.13.1-166.el7_4.7.noarch
selinux-policy-targeted-3.13.1-166.el7_4.7.noarch
tendrl-grafana-selinux-1.5.4-1.el7rhgs.noarch
tendrl-selinux-1.5.4-1.el7rhgs.noarch
```

On the RHGS WA server machine, apache has no problem binding port 10080.

```
# ausearch -m avc | grep 'denied  { name_bind } for'
type=AVC msg=audit(1512465255.780:2961): avc:  denied  { name_bind } for  pid=14794 comm="puma" src=9292 scontext=system_u:system_r:tendrl_t:s0 tcontext=system_u:object_r:glance_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1512465450.079:4104): avc:  denied  { name_bind } for  pid=17214 comm="tendrl-monitori" src=8789 scontext=system_u:system_r:tendrl_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1512465463.058:4522): avc:  denied  { name_bind } for  pid=17816 comm="puma" src=9292 scontext=system_u:system_r:tendrl_t:s0 tcontext=system_u:object_r:glance_port_t:s0 tclass=tcp_socket
# lsof -i -nP | grep 10080
grafana-s 18069    grafana    4u  IPv4 170132      0t0  TCP 10.37.169.90:51460->10.37.169.90:10080 (ESTABLISHED)
httpd     31946       root    6u  IPv6 163029      0t0  TCP *:10080 (LISTEN)
httpd     31947     apache    6u  IPv6 163029      0t0  TCP *:10080 (LISTEN)
httpd     31948     apache    6u  IPv6 163029      0t0  TCP *:10080 (LISTEN)
httpd     31949     apache    6u  IPv6 163029      0t0  TCP *:10080 (LISTEN)
httpd     31950     apache    6u  IPv6 163029      0t0  TCP *:10080 (LISTEN)
httpd     31951     apache    6u  IPv6 163029      0t0  TCP *:10080 (LISTEN)
httpd     31978     apache    6u  IPv6 163029      0t0  TCP *:10080 (LISTEN)
httpd     31982     apache    6u  IPv6 163029      0t0  TCP *:10080 (LISTEN)
httpd     31983     apache    6u  IPv6 163029      0t0  TCP *:10080 (LISTEN)
```

I have installed RHGS WA and imported the cluster without any problems.

Comment 9 errata-xmlrpc 2017-12-18 04:37:04 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:3478
