Bug 224190 - openais is requestiong bogus access in SELinux
Summary: openais is requestiong bogus access in SELinux
Status: CLOSED INSUFFICIENT_DATA
Alias: None
Product: Fedora
Classification: Fedora
Component: openais
Version: rawhide
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Steven Dake
QA Contact:
URL:
Whiteboard: bzcl34nup
Keywords:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2007-01-24 15:52 UTC by Daniel Walsh
Modified: 2016-04-26 19:40 UTC (History)
5 users (show)

(edit)
Clone Of:
(edit)
Last Closed: 2008-05-07 01:06:19 UTC


Attachments (Terms of Use)
openais (aisexec) core file (1.46 MB, application/octet-stream)
2007-01-26 15:40 UTC, Len DiMaggio
no flags Details

Description Daniel Walsh 2007-01-24 15:52:13 UTC
Description of problem:
openais is generating two broken symptoms in SELinux.

An avc message is being generated indicating that openais wants to write to
either the /usr/sbin or /sbin directory.

An avc messages is being generated indicating that openais needs r/w permission
on a file labeled file_t.  This indicates that the file is not labeled.  I
believe this avc is related to /var/lib/openais/ files.  And may indicate a
kernel problem.

Both of these problems are causing bogus rules to be added to selinux policy to
prevent avc messages.

Comment 1 Daniel Walsh 2007-01-24 15:53:54 UTC
type=AVC msg=audit(1169585959.102:12): avc:  denied  { write } for  pid=2307
comm="aisexec" name="ringid_10.15.89.174" dev=dm-0 ino=2284808
scontext=system_u:system_r:ccs_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file

type=AVC msg=audit(1169585021.617:10): avc:  denied  { write } for  pid=2352
comm="aisexec" name="sbin" dev=dm-0 ino=1305602
scontext=system_u:system_r:ccs_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=dir

Comment 2 Steven Dake 2007-01-24 20:50:48 UTC
After speaking with Dan about this problem, it could be a problem with the
parent process that doesn't close all of its open file descriptors before
forking and execing.  This could potentially be a problem with cman_tool which
should be investigated.

Dan suggested adding the following fcntl's for the files that are left open.

*dwalsh* Make that  fcntl(fd, F_SETFL, FD_CLOEXEC);
*dwalsh* Before you exec


Comment 3 Daniel Walsh 2007-01-26 15:12:14 UTC
Seems the writing to /sbin is caused by the application attempting to dump core.
 So I think openais is crashing and SELinux will not allow it to drop core.

Comment 4 Len DiMaggio 2007-01-26 15:37:34 UTC
From the resulting core file (attached to this bz):

 gdb aisexec core.2236
GNU gdb Red Hat Linux (6.5-16.el5rh)
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux-gnu"...
(no debugging symbols found)
Using host libthread_db library "/lib/libthread_db.so.1".


warning: Can't read pathname for load map: Input/output error.
Reading symbols from /lib/libdl.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib/libdl.so.2
Reading symbols from /lib/libpthread.so.0...(no debugging symbols found)...done.
Loaded symbols for /lib/libpthread.so.0
Reading symbols from /lib/libc.so.6...
(no debugging symbols found)...done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /lib/ld-linux.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib/ld-linux.so.2
Reading symbols from /usr/libexec/lcrso/objdb.lcrso...
(no debugging symbols found)...done.
Loaded symbols for /usr/libexec/lcrso/objdb.lcrso
Reading symbols from /usr/libexec/lcrso/service_cman.lcrso...(no debugging
symbols found)...done.
Loaded symbols for /usr/libexec/lcrso/service_cman.lcrso
Reading symbols from /lib/libnss_files.so.2...
(no debugging symbols found)...done.
Loaded symbols for /lib/libnss_files.so.2
Reading symbols from /lib/libnss_dns.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib/libnss_dns.so.2
Reading symbols from /lib/libresolv.so.2...
(no debugging symbols found)...done.
Loaded symbols for /lib/libresolv.so.2
(no debugging symbols found)
Core was generated by `aisexec'.
Program terminated with signal 11, Segmentation fault.
#0  0x004d8353 in strlen () from /lib/libc.so.6


Comment 5 Len DiMaggio 2007-01-26 15:40:58 UTC
Created attachment 146684 [details]
openais (aisexec) core file

Comment 6 Steven Dake 2007-01-26 17:53:12 UTC
core caused by cman/selinux interaction in some way:

Core was generated by `aisexec'.
Program terminated with signal 11, Segmentation fault.
#0  0x004d8353 in strlen () from /lib/libc.so.6
(gdb) where
#0  0x004d8353 in strlen () from /lib/libc.so.6
#1  0x00e5067c in ais_add_ifaddr () from /usr/libexec/lcrso/service_cman.lcrso
#2  0x00e55101 in process_barrier_msg ()
   from /usr/libexec/lcrso/service_cman.lcrso
#3  0x00e55e82 in read_ccs_config () from /usr/libexec/lcrso/service_cman.lcrso
#4  0x00e50c09 in ais_add_ifaddr () from /usr/libexec/lcrso/service_cman.lcrso
#5  0x08061194 in main () at main.c:458
(gdb)


Possible blocker since segfault occurs when se linux configured enforcing.

Comment 7 Steven Dake 2007-01-26 18:57:06 UTC
Attempted to duplicate on the smoke cluster.  Could not duplicate by setting
enforcing/targeted mode.  Must be some other environmental condition in the
system that is being tested.  Need access to hardware/platform that is causing
the problem.  More information needed about how openais is started.  From some
conversations it appears cman is not started via the service cman start script
but started in some other way.

Comment 8 Len DiMaggio 2007-01-26 19:01:51 UTC
Attempted to recreate on the tng3 cluster (lab.msp.redhat.com) - I was able to
cause the core dump by creating a new cluster via Conga on Jab 15, but not today.



Comment 9 Steven Dake 2007-06-26 18:51:56 UTC
Fix in openais 0.80.3 which is in the 5.1 RC tree.

Comment 10 Bug Zapper 2008-04-03 18:57:09 UTC
Based on the date this bug was created, it appears to have been reported
against rawhide during the development of a Fedora release that is no
longer maintained. In order to refocus our efforts as a project we are
flagging all of the open bugs for releases which are no longer
maintained. If this bug remains in NEEDINFO thirty (30) days from now,
we will automatically close it.

If you can reproduce this bug in a maintained Fedora version (7, 8, or
rawhide), please change this bug to the respective version and change
the status to ASSIGNED. (If you're unable to change the bug's version
or status, add a comment to the bug and someone will change it for you.)

Thanks for your help, and we apologize again that we haven't handled
these issues to this point.

The process we're following is outlined here:
http://fedoraproject.org/wiki/BugZappers/F9CleanUp

We will be following the process here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping to ensure this
doesn't happen again.

Comment 11 Bug Zapper 2008-05-07 01:06:17 UTC
This bug has been in NEEDINFO for more than 30 days since feedback was
first requested. As a result we are closing it.

If you can reproduce this bug in the future against a maintained Fedora
version please feel free to reopen it against that version.

The process we're following is outlined here:
http://fedoraproject.org/wiki/BugZappers/F9CleanUp


Note You need to log in before you can comment on or make changes to this bug.