Bug 224190 - openais is requestiong bogus access in SELinux
openais is requestiong bogus access in SELinux
Status: CLOSED INSUFFICIENT_DATA
Product: Fedora
Classification: Fedora
Component: openais (Show other bugs)
rawhide
All Linux
medium Severity medium
: ---
: ---
Assigned To: Steven Dake
bzcl34nup
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-01-24 10:52 EST by Daniel Walsh
Modified: 2016-04-26 15:40 EDT (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-05-06 21:06:19 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
openais (aisexec) core file (1.46 MB, application/octet-stream)
2007-01-26 10:40 EST, Len DiMaggio
no flags Details

  None (edit)
Description Daniel Walsh 2007-01-24 10:52:13 EST
Description of problem:
openais is generating two broken symptoms in SELinux.

An avc message is being generated indicating that openais wants to write to
either the /usr/sbin or /sbin directory.

An avc messages is being generated indicating that openais needs r/w permission
on a file labeled file_t.  This indicates that the file is not labeled.  I
believe this avc is related to /var/lib/openais/ files.  And may indicate a
kernel problem.

Both of these problems are causing bogus rules to be added to selinux policy to
prevent avc messages.
Comment 1 Daniel Walsh 2007-01-24 10:53:54 EST
type=AVC msg=audit(1169585959.102:12): avc:  denied  { write } for  pid=2307
comm="aisexec" name="ringid_10.15.89.174" dev=dm-0 ino=2284808
scontext=system_u:system_r:ccs_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file

type=AVC msg=audit(1169585021.617:10): avc:  denied  { write } for  pid=2352
comm="aisexec" name="sbin" dev=dm-0 ino=1305602
scontext=system_u:system_r:ccs_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=dir
Comment 2 Steven Dake 2007-01-24 15:50:48 EST
After speaking with Dan about this problem, it could be a problem with the
parent process that doesn't close all of its open file descriptors before
forking and execing.  This could potentially be a problem with cman_tool which
should be investigated.

Dan suggested adding the following fcntl's for the files that are left open.

*dwalsh* Make that  fcntl(fd, F_SETFL, FD_CLOEXEC);
*dwalsh* Before you exec
Comment 3 Daniel Walsh 2007-01-26 10:12:14 EST
Seems the writing to /sbin is caused by the application attempting to dump core.
 So I think openais is crashing and SELinux will not allow it to drop core.
Comment 4 Len DiMaggio 2007-01-26 10:37:34 EST
From the resulting core file (attached to this bz):

 gdb aisexec core.2236
GNU gdb Red Hat Linux (6.5-16.el5rh)
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux-gnu"...
(no debugging symbols found)
Using host libthread_db library "/lib/libthread_db.so.1".


warning: Can't read pathname for load map: Input/output error.
Reading symbols from /lib/libdl.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib/libdl.so.2
Reading symbols from /lib/libpthread.so.0...(no debugging symbols found)...done.
Loaded symbols for /lib/libpthread.so.0
Reading symbols from /lib/libc.so.6...
(no debugging symbols found)...done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /lib/ld-linux.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib/ld-linux.so.2
Reading symbols from /usr/libexec/lcrso/objdb.lcrso...
(no debugging symbols found)...done.
Loaded symbols for /usr/libexec/lcrso/objdb.lcrso
Reading symbols from /usr/libexec/lcrso/service_cman.lcrso...(no debugging
symbols found)...done.
Loaded symbols for /usr/libexec/lcrso/service_cman.lcrso
Reading symbols from /lib/libnss_files.so.2...
(no debugging symbols found)...done.
Loaded symbols for /lib/libnss_files.so.2
Reading symbols from /lib/libnss_dns.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib/libnss_dns.so.2
Reading symbols from /lib/libresolv.so.2...
(no debugging symbols found)...done.
Loaded symbols for /lib/libresolv.so.2
(no debugging symbols found)
Core was generated by `aisexec'.
Program terminated with signal 11, Segmentation fault.
#0  0x004d8353 in strlen () from /lib/libc.so.6
Comment 5 Len DiMaggio 2007-01-26 10:40:58 EST
Created attachment 146684 [details]
openais (aisexec) core file
Comment 6 Steven Dake 2007-01-26 12:53:12 EST
core caused by cman/selinux interaction in some way:

Core was generated by `aisexec'.
Program terminated with signal 11, Segmentation fault.
#0  0x004d8353 in strlen () from /lib/libc.so.6
(gdb) where
#0  0x004d8353 in strlen () from /lib/libc.so.6
#1  0x00e5067c in ais_add_ifaddr () from /usr/libexec/lcrso/service_cman.lcrso
#2  0x00e55101 in process_barrier_msg ()
   from /usr/libexec/lcrso/service_cman.lcrso
#3  0x00e55e82 in read_ccs_config () from /usr/libexec/lcrso/service_cman.lcrso
#4  0x00e50c09 in ais_add_ifaddr () from /usr/libexec/lcrso/service_cman.lcrso
#5  0x08061194 in main () at main.c:458
(gdb)


Possible blocker since segfault occurs when se linux configured enforcing.
Comment 7 Steven Dake 2007-01-26 13:57:06 EST
Attempted to duplicate on the smoke cluster.  Could not duplicate by setting
enforcing/targeted mode.  Must be some other environmental condition in the
system that is being tested.  Need access to hardware/platform that is causing
the problem.  More information needed about how openais is started.  From some
conversations it appears cman is not started via the service cman start script
but started in some other way.
Comment 8 Len DiMaggio 2007-01-26 14:01:51 EST
Attempted to recreate on the tng3 cluster (lab.msp.redhat.com) - I was able to
cause the core dump by creating a new cluster via Conga on Jab 15, but not today.

Comment 9 Steven Dake 2007-06-26 14:51:56 EDT
Fix in openais 0.80.3 which is in the 5.1 RC tree.
Comment 10 Bug Zapper 2008-04-03 14:57:09 EDT
Based on the date this bug was created, it appears to have been reported
against rawhide during the development of a Fedora release that is no
longer maintained. In order to refocus our efforts as a project we are
flagging all of the open bugs for releases which are no longer
maintained. If this bug remains in NEEDINFO thirty (30) days from now,
we will automatically close it.

If you can reproduce this bug in a maintained Fedora version (7, 8, or
rawhide), please change this bug to the respective version and change
the status to ASSIGNED. (If you're unable to change the bug's version
or status, add a comment to the bug and someone will change it for you.)

Thanks for your help, and we apologize again that we haven't handled
these issues to this point.

The process we're following is outlined here:
http://fedoraproject.org/wiki/BugZappers/F9CleanUp

We will be following the process here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping to ensure this
doesn't happen again.
Comment 11 Bug Zapper 2008-05-06 21:06:17 EDT
This bug has been in NEEDINFO for more than 30 days since feedback was
first requested. As a result we are closing it.

If you can reproduce this bug in the future against a maintained Fedora
version please feel free to reopen it against that version.

The process we're following is outlined here:
http://fedoraproject.org/wiki/BugZappers/F9CleanUp

Note You need to log in before you can comment on or make changes to this bug.