2142745 – ctdb is not starting correctly with selinux in enforcing mode

Bug 2142745 - ctdb is not starting correctly with selinux in enforcing mode [NEEDINFO]

Summary: ctdb is not starting correctly with selinux in enforcing mode

Keywords:
Status:	CLOSED INSUFFICIENT_DATA
Alias:	None
Product:	Red Hat Enterprise Linux 9
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	9.1
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Nikola Knazekova
QA Contact:	BaseOS QE Security Team
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2022-11-15 07:09 UTC by michal novacek
Modified:	2023-07-28 11:24 UTC (History)
CC List:	7 users (show)
Fixed In Version:
Doc Type:	No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed:	2023-07-28 11:21:35 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:
Flags:	pfilipen: needinfo? (mnovacek) nknazeko: needinfo? (mnovacek)

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	RHELPLAN-139357	0	None	None	None	2022-11-15 07:30:02 UTC

Description michal novacek 2022-11-15 07:09:55 UTC

Description of problem:
ctdb daemon does not run correctly when selinux is enforcing.

Version-Release number of selected component (if applicable):
RHEL9.1

How reproducible:


Steps to Reproduce:
1. set selinux to permissive
2. watch ctdb and samba start correctly
3. set selinux to enforcing
4. watch ctdb not starting 

Actual results: ctdb not starting

Expected results: ctdb starting 

Additional info:

[root@virt-531 ~]# ausearch -m AVC
----
time->Tue Nov 15 07:52:34 2022
type=PROCTITLE msg=audit(1668495154.958:3630): proctitle=2F7573722F6C6962657865632F637464622F637464625F6D757465785F66636E746C5F68656C706572002F6D6E742F676673322D637464622F637464622F637464622E6C6F636B
type=SYSCALL msg=audit(1668495154.958:3630): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7ffebe8a8843 a2=42 a3=180 items=0 ppid=98651 pid=98669 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ctdb_mutex_fcnt" exe="/usr/libexec/ctdb/ctdb_mutex_fcntl_helper" subj=system_u:system_r:ctdbd_t:s0 key=(null)
type=AVC msg=audit(1668495154.958:3630): avc:  denied  { search } for  pid=98669 comm="ctdb_mutex_fcnt" name="/" dev="dm-2" ino=4656 scontext=system_u:system_r:ctdbd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=0

Comment 1 Pavel Filipensky 2022-12-13 14:19:07 UTC

Hi colleagues,

can you please check this issue? It seems there is missing permission for pid=98669 comm="ctdb_mutex_fcnt" to access "/".

Thank you,
Pavel

Comment 2 Milos Malik 2022-12-13 14:44:14 UTC

If you still have the machine where the SELinux denial appeared, please find the mislabeled directory:

# find / -inum 4656

If you don't have the machine, please try to reproduce the problem again and let us know.

There should be no files/directories with SELinux label unlabeled_t.

Comment 3 Milos Malik 2022-12-13 14:52:48 UTC

When the hexadecimal data are converted to human-readable form:

type=PROCTITLE msg=audit(11/15/2022 07:52:34.958:3630) : proctitle=/usr/libexec/ctdb/ctdb_mutex_fcntl_helper /mnt/gfs2-ctdb/ctdb/ctdb.lock 

Was the gfs2 volume properly mounted and labeled?

Comment 4 Pavel Filipensky 2022-12-13 15:07:17 UTC

forwarding the questions to Michal

Note You need to log in before you can comment on or make changes to this bug.