Note: This bug is displayed in read-only format because
the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Description of problem: Recent security fixes for pacemaker introduces changes in library functions which leads to avc denials for sbd. Sbd does not work properly in se-linux enforcing mode. Version-Release number of selected component (if applicable): selinux-policy-targeted-3.13.1-251.el7.noarch selinux-policy-devel-3.13.1-251.el7.noarch selinux-policy-3.13.1-251.el7.noarch How reproducible: always Steps to Reproduce: 1. Setup a 3-node cluster with sbd watchdog-only fencing (watchdog device is needed on cluster nodes): On all nodes for cluster: [root@tardis-01 ~]# yum -y -q install pcs sbd [root@tardis-01 ~]# echo password | passwd hacluster --stdin Changing password for user hacluster. passwd: all authentication tokens updated successfully. [root@tardis-01 ~]# systemctl enable pcsd [root@tardis-01 ~]# systemctl start pcsd On one node: [root@tardis-01 ~]# pcs cluster auth -u hacluster -p password tardis-0{1..3} ... [root@tardis-01 ~]# pcs cluster setup --name HACluster tardis-0{1..3} ... [root@tardis-01 ~]# pcs stonith sbd enable ... 2. Gather AVCs by starting and stopping cluster: [root@tardis-01 ~]# > /var/log/audit/audit.log [root@tardis-01 ~]# pcs cluster start --all --wait && sleep 10 && pcs cluster stop --all ... Actual results: ENFORCING MODE: A lot of these: [root@tardis-01 ~]# ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i -ts recent <snip> ---- type=PROCTITLE msg=audit(06/26/2019 16:58:30.364:4704) : proctitle=sbd: watcher: Pacemaker type=SYSCALL msg=audit(06/26/2019 16:58:30.364:4704) : arch=x86_64 syscall=open success=no exit=EACCES(Permission denied) a0=0x7f9c81630552 a1=O_RDONLY|O_CLOEXEC a2=0x1b6 a3=0x24 items=0 ppid=16840 pid=16843 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sbd exe=/usr/sbin/sbd subj=system_u:system_r:sbd_t:s0 key=(null) type=AVC msg=audit(06/26/2019 16:58:30.364:4704) : avc: denied { read } for pid=16843 comm=sbd name=passwd dev="dm-0" ino=68117403 scontext=system_u:system_r:sbd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=0 ---- type=PROCTITLE msg=audit(06/26/2019 16:58:31.369:4705) : proctitle=sbd: watcher: Pacemaker type=SYSCALL msg=audit(06/26/2019 16:58:31.369:4705) : arch=x86_64 syscall=open success=no exit=EACCES(Permission denied) a0=0x7f9c81630552 a1=O_RDONLY|O_CLOEXEC a2=0x1b6 a3=0x24 items=0 ppid=16840 pid=16843 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sbd exe=/usr/sbin/sbd subj=system_u:system_r:sbd_t:s0 key=(null) type=AVC msg=audit(06/26/2019 16:58:31.369:4705) : avc: denied { read } for pid=16843 comm=sbd name=passwd dev="dm-0" ino=68117403 scontext=system_u:system_r:sbd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=0 ---- type=PROCTITLE msg=audit(06/26/2019 16:58:32.376:4706) : proctitle=sbd: watcher: Pacemaker type=SYSCALL msg=audit(06/26/2019 16:58:32.376:4706) : arch=x86_64 syscall=open success=no exit=EACCES(Permission denied) a0=0x7f9c81630552 a1=O_RDONLY|O_CLOEXEC a2=0x1b6 a3=0x24 items=0 ppid=16840 pid=16843 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sbd exe=/usr/sbin/sbd subj=system_u:system_r:sbd_t:s0 key=(null) type=AVC msg=audit(06/26/2019 16:58:32.376:4706) : avc: denied { read } for pid=16843 comm=sbd name=passwd dev="dm-0" ino=68117403 scontext=system_u:system_r:sbd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=0 ---- type=PROCTITLE msg=audit(06/26/2019 16:58:33.382:4707) : proctitle=sbd: watcher: Pacemaker type=SYSCALL msg=audit(06/26/2019 16:58:33.382:4707) : arch=x86_64 syscall=open success=no exit=EACCES(Permission denied) a0=0x7f9c81630552 a1=O_RDONLY|O_CLOEXEC a2=0x1b6 a3=0x24 items=0 ppid=16840 pid=16843 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sbd exe=/usr/sbin/sbd subj=system_u:system_r:sbd_t:s0 key=(null) type=AVC msg=audit(06/26/2019 16:58:33.382:4707) : avc: denied { read } for pid=16843 comm=sbd name=passwd dev="dm-0" ino=68117403 scontext=system_u:system_r:sbd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=0 PERMISSIVE MODE: [root@tardis-01 ~]# setenforce 0 [root@tardis-01 ~]# semodule -DB [root@tardis-01 ~]# > /var/log/audit/audit.log [root@tardis-01 ~]# pcs cluster start --all --wait && sleep 10 && pcs cluster stop --all ... [root@tardis-01 ~]# ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i -ts recent ---- type=PROCTITLE msg=audit(06/26/2019 17:00:54.748:4725) : proctitle=sbd: watcher: Pacemaker type=SYSCALL msg=audit(06/26/2019 17:00:54.748:4725) : arch=x86_64 syscall=open success=yes exit=6 a0=0x7fd90efc8552 a1=O_RDONLY|O_CLOEXEC a2=0x1b6 a3=0x24 items=0 ppid=17145 pid=17147 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sbd exe=/usr/sbin/sbd subj=system_u:system_r:sbd_t:s0 key=(null) type=AVC msg=audit(06/26/2019 17:00:54.748:4725) : avc: denied { open } for pid=17147 comm=sbd path=/etc/passwd dev="dm-0" ino=68117403 scontext=system_u:system_r:sbd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1 type=AVC msg=audit(06/26/2019 17:00:54.748:4725) : avc: denied { read } for pid=17147 comm=sbd name=passwd dev="dm-0" ino=68117403 scontext=system_u:system_r:sbd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1 ---- type=PROCTITLE msg=audit(06/26/2019 17:00:54.748:4726) : proctitle=sbd: watcher: Pacemaker type=SYSCALL msg=audit(06/26/2019 17:00:54.748:4726) : arch=x86_64 syscall=fstat success=yes exit=0 a0=0x6 a1=0x7ffc61713490 a2=0x7ffc61713490 a3=0x0 items=0 ppid=17145 pid=17147 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sbd exe=/usr/sbin/sbd subj=system_u:system_r:sbd_t:s0 key=(null) type=AVC msg=audit(06/26/2019 17:00:54.748:4726) : avc: denied { getattr } for pid=17147 comm=sbd path=/etc/passwd dev="dm-0" ino=68117403 scontext=system_u:system_r:sbd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1 ---- type=PROCTITLE msg=audit(06/26/2019 17:01:17.242:4734) : proctitle=/sbin/dhclient -d -q -sf /usr/libexec/nm-dhcp-helper -pf /var/run/dhclient-enp4s0f1.pid -lf /var/lib/NetworkManager/dhclient-aec type=SYSCALL msg=audit(06/26/2019 17:01:17.242:4734) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x55731780cbc2 a1=0x5573178ce3d0 a2=0x557317803d70 a3=0x7ffea756fa20 items=0 ppid=1540 pid=17328 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=dhclient exe=/usr/sbin/dhclient subj=system_u:system_r:dhcpc_t:s0 key=(null) type=AVC msg=audit(06/26/2019 17:01:17.242:4734) : avc: denied { noatsecure } for pid=17328 comm=dhclient scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:dhcpc_t:s0 tclass=process permissive=1 type=AVC msg=audit(06/26/2019 17:01:17.242:4734) : avc: denied { siginh } for pid=17328 comm=dhclient scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:dhcpc_t:s0 tclass=process permissive=1 type=AVC msg=audit(06/26/2019 17:01:17.242:4734) : avc: denied { rlimitinh } for pid=17328 comm=dhclient scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:dhcpc_t:s0 tclass=process permissive=1 ---- type=PROCTITLE msg=audit(06/26/2019 17:01:32.274:4735) : proctitle=sbd: watcher: Pacemaker type=SYSCALL msg=audit(06/26/2019 17:01:32.274:4735) : arch=x86_64 syscall=kill success=yes exit=0 a0=0x431b a1=SIG0 a2=0x105563c5 a3=0x7ffc617131e0 items=0 ppid=17145 pid=17147 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sbd exe=/usr/sbin/sbd subj=system_u:system_r:sbd_t:s0 key=(null) type=AVC msg=audit(06/26/2019 17:01:32.274:4735) : avc: denied { signull } for pid=17147 comm=sbd scontext=system_u:system_r:sbd_t:s0 tcontext=system_u:system_r:cluster_t:s0 tclass=process permissive=1 Expected results: No AVC denials for sbd Additional info: Sbd does not take any action after quorum loss/network-split. pacemaker z-stream version: pacemaker-1.1.19-8.el7_6.5