RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1724266 - selinux-policy for sbd needs to be updated because of changes in pacemaker
Summary: selinux-policy for sbd needs to be updated because of changes in pacemaker
Keywords:
Status: CLOSED INSUFFICIENT_DATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.7
Hardware: Unspecified
OS: Unspecified
urgent
urgent
Target Milestone: rc
: ---
Assignee: Lukas Vrabec
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On: 1723498 1733905
Blocks:
TreeView+ depends on / blocked
 
Reported: 2019-06-26 15:34 UTC by Miroslav Lisik
Modified: 2019-07-29 07:35 UTC (History)
10 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-07-01 19:36:11 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)

Description Miroslav Lisik 2019-06-26 15:34:49 UTC
Description of problem:
Recent security fixes for pacemaker introduces changes in library functions
which leads to avc denials for sbd. Sbd does not work properly in se-linux enforcing mode.


Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.13.1-251.el7.noarch
selinux-policy-devel-3.13.1-251.el7.noarch
selinux-policy-3.13.1-251.el7.noarch


How reproducible:
always


Steps to Reproduce:

1. Setup a 3-node cluster with sbd watchdog-only fencing (watchdog device is needed on cluster nodes):

On all nodes for cluster:

[root@tardis-01 ~]# yum -y -q install pcs sbd
[root@tardis-01 ~]# echo password | passwd hacluster --stdin
Changing password for user hacluster.
passwd: all authentication tokens updated successfully.
[root@tardis-01 ~]# systemctl enable pcsd
[root@tardis-01 ~]# systemctl start pcsd

On one node:

[root@tardis-01 ~]# pcs cluster auth -u hacluster -p password tardis-0{1..3}
...
[root@tardis-01 ~]# pcs cluster setup --name HACluster tardis-0{1..3}
...
[root@tardis-01 ~]# pcs stonith sbd enable
...

2. Gather AVCs by starting and stopping cluster:

[root@tardis-01 ~]# > /var/log/audit/audit.log
[root@tardis-01 ~]# pcs cluster start --all --wait && sleep 10 && pcs cluster stop --all
...

Actual results:

ENFORCING MODE:

A lot of these:

[root@tardis-01 ~]# ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i -ts recent
<snip>
----
type=PROCTITLE msg=audit(06/26/2019 16:58:30.364:4704) : proctitle=sbd: watcher: Pacemaker 
type=SYSCALL msg=audit(06/26/2019 16:58:30.364:4704) : arch=x86_64 syscall=open success=no exit=EACCES(Permission denied) a0=0x7f9c81630552 a1=O_RDONLY|O_CLOEXEC a2=0x1b6 a3=0x24 items=0 ppid=16840 pid=16843 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sbd exe=/usr/sbin/sbd subj=system_u:system_r:sbd_t:s0 key=(null) 
type=AVC msg=audit(06/26/2019 16:58:30.364:4704) : avc:  denied  { read } for  pid=16843 comm=sbd name=passwd dev="dm-0" ino=68117403 scontext=system_u:system_r:sbd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=0 
----
type=PROCTITLE msg=audit(06/26/2019 16:58:31.369:4705) : proctitle=sbd: watcher: Pacemaker 
type=SYSCALL msg=audit(06/26/2019 16:58:31.369:4705) : arch=x86_64 syscall=open success=no exit=EACCES(Permission denied) a0=0x7f9c81630552 a1=O_RDONLY|O_CLOEXEC a2=0x1b6 a3=0x24 items=0 ppid=16840 pid=16843 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sbd exe=/usr/sbin/sbd subj=system_u:system_r:sbd_t:s0 key=(null) 
type=AVC msg=audit(06/26/2019 16:58:31.369:4705) : avc:  denied  { read } for  pid=16843 comm=sbd name=passwd dev="dm-0" ino=68117403 scontext=system_u:system_r:sbd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=0 
----
type=PROCTITLE msg=audit(06/26/2019 16:58:32.376:4706) : proctitle=sbd: watcher: Pacemaker 
type=SYSCALL msg=audit(06/26/2019 16:58:32.376:4706) : arch=x86_64 syscall=open success=no exit=EACCES(Permission denied) a0=0x7f9c81630552 a1=O_RDONLY|O_CLOEXEC a2=0x1b6 a3=0x24 items=0 ppid=16840 pid=16843 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sbd exe=/usr/sbin/sbd subj=system_u:system_r:sbd_t:s0 key=(null) 
type=AVC msg=audit(06/26/2019 16:58:32.376:4706) : avc:  denied  { read } for  pid=16843 comm=sbd name=passwd dev="dm-0" ino=68117403 scontext=system_u:system_r:sbd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=0 
----
type=PROCTITLE msg=audit(06/26/2019 16:58:33.382:4707) : proctitle=sbd: watcher: Pacemaker 
type=SYSCALL msg=audit(06/26/2019 16:58:33.382:4707) : arch=x86_64 syscall=open success=no exit=EACCES(Permission denied) a0=0x7f9c81630552 a1=O_RDONLY|O_CLOEXEC a2=0x1b6 a3=0x24 items=0 ppid=16840 pid=16843 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sbd exe=/usr/sbin/sbd subj=system_u:system_r:sbd_t:s0 key=(null) 
type=AVC msg=audit(06/26/2019 16:58:33.382:4707) : avc:  denied  { read } for  pid=16843 comm=sbd name=passwd dev="dm-0" ino=68117403 scontext=system_u:system_r:sbd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=0


PERMISSIVE MODE:

[root@tardis-01 ~]# setenforce 0
[root@tardis-01 ~]# semodule -DB
[root@tardis-01 ~]# > /var/log/audit/audit.log
[root@tardis-01 ~]# pcs cluster start --all --wait && sleep 10 && pcs cluster stop --all
...
[root@tardis-01 ~]# ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i -ts recent
----
type=PROCTITLE msg=audit(06/26/2019 17:00:54.748:4725) : proctitle=sbd: watcher: Pacemaker 
type=SYSCALL msg=audit(06/26/2019 17:00:54.748:4725) : arch=x86_64 syscall=open success=yes exit=6 a0=0x7fd90efc8552 a1=O_RDONLY|O_CLOEXEC a2=0x1b6 a3=0x24 items=0 ppid=17145 pid=17147 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sbd exe=/usr/sbin/sbd subj=system_u:system_r:sbd_t:s0 key=(null) 
type=AVC msg=audit(06/26/2019 17:00:54.748:4725) : avc:  denied  { open } for  pid=17147 comm=sbd path=/etc/passwd dev="dm-0" ino=68117403 scontext=system_u:system_r:sbd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1 
type=AVC msg=audit(06/26/2019 17:00:54.748:4725) : avc:  denied  { read } for  pid=17147 comm=sbd name=passwd dev="dm-0" ino=68117403 scontext=system_u:system_r:sbd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1 
----
type=PROCTITLE msg=audit(06/26/2019 17:00:54.748:4726) : proctitle=sbd: watcher: Pacemaker 
type=SYSCALL msg=audit(06/26/2019 17:00:54.748:4726) : arch=x86_64 syscall=fstat success=yes exit=0 a0=0x6 a1=0x7ffc61713490 a2=0x7ffc61713490 a3=0x0 items=0 ppid=17145 pid=17147 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sbd exe=/usr/sbin/sbd subj=system_u:system_r:sbd_t:s0 key=(null) 
type=AVC msg=audit(06/26/2019 17:00:54.748:4726) : avc:  denied  { getattr } for  pid=17147 comm=sbd path=/etc/passwd dev="dm-0" ino=68117403 scontext=system_u:system_r:sbd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1 
----
type=PROCTITLE msg=audit(06/26/2019 17:01:17.242:4734) : proctitle=/sbin/dhclient -d -q -sf /usr/libexec/nm-dhcp-helper -pf /var/run/dhclient-enp4s0f1.pid -lf /var/lib/NetworkManager/dhclient-aec 
type=SYSCALL msg=audit(06/26/2019 17:01:17.242:4734) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x55731780cbc2 a1=0x5573178ce3d0 a2=0x557317803d70 a3=0x7ffea756fa20 items=0 ppid=1540 pid=17328 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=dhclient exe=/usr/sbin/dhclient subj=system_u:system_r:dhcpc_t:s0 key=(null) 
type=AVC msg=audit(06/26/2019 17:01:17.242:4734) : avc:  denied  { noatsecure } for  pid=17328 comm=dhclient scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:dhcpc_t:s0 tclass=process permissive=1 
type=AVC msg=audit(06/26/2019 17:01:17.242:4734) : avc:  denied  { siginh } for  pid=17328 comm=dhclient scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:dhcpc_t:s0 tclass=process permissive=1 
type=AVC msg=audit(06/26/2019 17:01:17.242:4734) : avc:  denied  { rlimitinh } for  pid=17328 comm=dhclient scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:dhcpc_t:s0 tclass=process permissive=1 
----
type=PROCTITLE msg=audit(06/26/2019 17:01:32.274:4735) : proctitle=sbd: watcher: Pacemaker 
type=SYSCALL msg=audit(06/26/2019 17:01:32.274:4735) : arch=x86_64 syscall=kill success=yes exit=0 a0=0x431b a1=SIG0 a2=0x105563c5 a3=0x7ffc617131e0 items=0 ppid=17145 pid=17147 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sbd exe=/usr/sbin/sbd subj=system_u:system_r:sbd_t:s0 key=(null) 
type=AVC msg=audit(06/26/2019 17:01:32.274:4735) : avc:  denied  { signull } for  pid=17147 comm=sbd scontext=system_u:system_r:sbd_t:s0 tcontext=system_u:system_r:cluster_t:s0 tclass=process permissive=1


Expected results:

No AVC denials for sbd

Additional info:

Sbd does not take any action after quorum loss/network-split.
pacemaker z-stream version: pacemaker-1.1.19-8.el7_6.5


Note You need to log in before you can comment on or make changes to this bug.