Bug 2142745 - ctdb is not starting correctly with selinux in enforcing mode [NEEDINFO]
Summary: ctdb is not starting correctly with selinux in enforcing mode
Keywords:
Status: CLOSED INSUFFICIENT_DATA
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: selinux-policy
Version: 9.1
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Nikola Knazekova
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2022-11-15 07:09 UTC by michal novacek
Modified: 2023-07-28 11:24 UTC (History)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-07-28 11:21:35 UTC
Type: Bug
Target Upstream Version:
Embargoed:
pfilipen: needinfo? (mnovacek)
nknazeko: needinfo? (mnovacek)




Links:
System: Red Hat Issue Tracker, ID: RHELPLAN-139357, Last Updated: 2022-11-15 07:30:02 UTC

Description michal novacek 2022-11-15 07:09:55 UTC
Description of problem:
ctdb daemon does not run correctly when selinux is enforcing.

Version-Release number of selected component (if applicable):
RHEL9.1

How reproducible:


Steps to Reproduce:
1. set selinux to permissive
2. watch ctdb and samba start correctly
3. set selinux to enforcing
4. watch ctdb not starting

Actual results: ctdb not starting

Expected results: ctdb starting

Additional info:

[root@virt-531 ~]# ausearch -m AVC
----
time->Tue Nov 15 07:52:34 2022
type=PROCTITLE msg=audit(1668495154.958:3630): proctitle=2F7573722F6C6962657865632F637464622F637464625F6D757465785F66636E746C5F68656C706572002F6D6E742F676673322D637464622F637464622F637464622E6C6F636B
type=SYSCALL msg=audit(1668495154.958:3630): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7ffebe8a8843 a2=42 a3=180 items=0 ppid=98651 pid=98669 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ctdb_mutex_fcnt" exe="/usr/libexec/ctdb/ctdb_mutex_fcntl_helper" subj=system_u:system_r:ctdbd_t:s0 key=(null)
type=AVC msg=audit(1668495154.958:3630): avc:  denied  { search } for  pid=98669 comm="ctdb_mutex_fcnt" name="/" dev="dm-2" ino=4656 scontext=system_u:system_r:ctdbd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=0

Comment 1 Pavel Filipensky 2022-12-13 14:19:07 UTC
Hi colleagues,

can you please check this issue? It seems there is missing permission for pid=98669 comm="ctdb_mutex_fcnt" to access "/".

Thank you,
Pavel

Comment 2 Milos Malik 2022-12-13 14:44:14 UTC
If you still have the machine where the SELinux denial appeared, please find the mislabeled directory:

# find / -inum 4656

If you don't have the machine, please try to reproduce the problem again and let us know.

There should be no files/directories with SELinux label unlabeled_t.

Comment 3 Milos Malik 2022-12-13 14:52:48 UTC
When the hexadecimal data are converted to human-readable form:

type=PROCTITLE msg=audit(11/15/2022 07:52:34.958:3630) : proctitle=/usr/libexec/ctdb/ctdb_mutex_fcntl_helper /mnt/gfs2-ctdb/ctdb/ctdb.lock 

Was the gfs2 volume properly mounted and labeled?
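
The inode lookup from Comment 2 and the hex decoding from Comment 3, combined into an added Python example that is not part of the bug report: it parses the AVC event from the description (embedded below as a constructed sample) and, when the target type is unlabeled_t, returns the find-by-inode step rather than suggesting a policy change.

```python
import re

# Constructed sample: the PROCTITLE and AVC records of the event quoted in the report.
SAMPLE_EVENT = """\
type=PROCTITLE msg=audit(1668495154.958:3630): proctitle=2F7573722F6C6962657865632F637464622F637464625F6D757465785F66636E746C5F68656C706572002F6D6E742F676673322D637464622F637464622F637464622E6C6F636B
type=AVC msg=audit(1668495154.958:3630): avc:  denied  { search } for  pid=98669 comm="ctdb_mutex_fcnt" name="/" dev="dm-2" ino=4656 scontext=system_u:system_r:ctdbd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=0
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value or key="quoted value"
AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{ ([^}]*) \}")

def parse_fields(line):
    """Key/value pairs of one audit record; quotes are kept so that a hex-encoded
    value (no quotes) stays distinguishable from a quoted plain string."""
    return dict(KV_RE.findall(line))

def decode_proctitle(value):
    """auditd hex-encodes proctitle when the command line holds NUL or non-printable
    bytes; argv entries are NUL-separated. A quoted value is already plain text."""
    if value.startswith('"'):
        return [value.strip('"')]
    return [a.decode("utf-8", "replace") for a in bytes.fromhex(value).split(b"\0") if a]

def analyze_event(text):
    """Correlate the AVC and PROCTITLE records of one event (same audit serial).
    A tcontext type of unlabeled_t points at a labeling problem on the object's
    filesystem, so the returned hint is the inode lookup, not a policy change."""
    records = {}
    for line in text.splitlines():
        if line.startswith("type="):
            records[line.split(None, 1)[0][5:]] = (line, parse_fields(line))
    avc_line, avc = records["AVC"]
    decision, perms = AVC_RE.search(avc_line).groups()
    result = {
        "argv": decode_proctitle(records["PROCTITLE"][1]["proctitle"]),
        "decision": decision, "perms": perms.split(), "tclass": avc["tclass"],
        "source_type": avc["scontext"].split(":")[2],
        "target_type": avc["tcontext"].split(":")[2],
        "dev": avc["dev"].strip('"'), "ino": avc["ino"], "hint": None,
    }
    if result["target_type"] == "unlabeled_t":
        # Inode numbers are per filesystem, so a match on another device is a false hit.
        result["hint"] = (f"find / -inum {avc['ino']} (expect the match on dev {result['dev']}), "
                          "then relabel that mount with restorecon -Rv")
    return result
```

The decoded argv shows which path the helper was opening (here the lock file on the gfs2 mount), which is the filesystem whose labels need checking.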

Comment 4 Pavel Filipensky 2022-12-13 15:07:17 UTC
forwarding the questions to Michal

