Description of problem: When running httpd as a script-type resource in the RHCS I get the following avc denial:

avc: denied { read, write } for comm="httpd" dev=sockfs egid=0 euid=0 exe="/usr/sbin/httpd" exit=0 fsgid=0 fsuid=0 gid=0 items=0 path="socket:[1953890]" pid=23542 scontext=user_u:system_r:httpd_t:s0 sgid=0 subj=user_u:system_r:httpd_t:s0 suid=0 tclass=unix_stream_socket tcontext=user_u:system_r:initrc_t:s0-s0:c0.c1023 tty=(none) uid=0

The socket in question happens to be /var/run/cluster/rgmanager.sk

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.4.6-106.el5_1.3
httpd-2.2.3-11.el5_1.3
rgmanager-2.0.31-1.el5

How reproducible: Every time

Steps to Reproduce:
1. Create a cluster service with a script-type resource that manages /etc/init.d/httpd
2. Start your service
Is the stdout/stderr of the exec command set to /var/run/cluster/rgmanager.sk? I believe this will just work, and the avc can be ignored. rgmanager is not currently a confined application so there is not an easy way to fix this.
No, it seems like it's FD 13 and 14, whatever they might be, that are pointing to /var/run/cluster/rgmanager.sk. But if rgmanager isn't a confined app (yet), i.e. can't really be expected to work well with the targeted policy, I think I will need to disable selinux for now; this was just the first of the denials that I came upon.
No, rgmanager.sk should not be leaking file descriptors. This is not an SELinux bug, this is an rgmanager.sk bug. If you are going to exec another application you should close on exec all open file descriptors: fcntl(fd, F_SETFD, FD_CLOEXEC). Not sure what package rgmanager.sk belongs to, but this bug should be reassigned there.
Sorry, I didn't realise it was a leaked file descriptor. Reassigning and changing summary. Lon, if I understood this correctly, when httpd is run as a script resource by rgmanager, a file descriptor from rgmanager to /var/run/cluster/rgmanager.sk is leaked, causing an avc warning.
slippery fingers )-: Changing summary as promised.
Created attachment 295840 [details]
Fix

Not in CVS^Wgit yet.
Created attachment 295843 [details]
Fixed patch; previous one uses wrong fcntl
This is in my git repository but has not been pushed to the central repository yet.
Well, there still seems to be a problem, even with the patch from comment 7. When starting rgmanager, everything works without any AVC messages, but then I tried running clusvcadm -r <service> and the service failed to restart with the following AVC logged:

avc: denied { read, write } for comm="httpd" dev=sockfs egid=0 euid=0 exe="/usr/sbin/httpd" exit=0 fsgid=0 fsuid=0 gid=0 items=0 path="socket:[20617]" pid=6091 scontext=root:system_r:httpd_t:s0 sgid=0 subj=root:system_r:httpd_t:s0 suid=0 tclass=unix_stream_socket tcontext=root:system_r:initrc_t:s0-s0:c0.c1023 tty=(none) uid=0

And again, the socket is /var/run/cluster/rgmanager.sk
I had a second patch which fixes it correctly; basically, I needed to set CLOEXEC after accept() as well.
http://sources.redhat.com/git/?p=cluster.git;a=blobdiff;f=rgmanager/src/clulib/msg_socket.c;h=c3927570209c566672e1bda9a4d0cb3257c177aa;hp=9e88ed7c5744b3a8d6027d2b5ed22ce720d88d49;hb=674aec455c8f4506c390532276d1392aa017f1b6;hpb=f49cfa0cdb5d5f3c739b361392f6c9a7e6ae6d53 Corrected patch ^^
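Added example, not rgmanager's code or the patch linked above: a small C program that shows why setting FD_CLOEXEC on the listening socket (the first patch) is not enough, since accept() returns a fresh descriptor without the flag, and that checks directly whether a descriptor survives an exec, which is exactly how the socket ended up visible to httpd. The socket path /tmp/cloexec-demo.sk is a constructed placeholder.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <sys/wait.h>
#include <unistd.h>

/* Mark fd close-on-exec without clobbering other descriptor flags. */
int set_cloexec(int fd) {
    int flags = fcntl(fd, F_GETFD);
    return flags == -1 ? -1 : fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}
/* accept() returns a new descriptor that does not inherit the listener's
 * FD_CLOEXEC, so the flag has to be set again on the accepted socket. */
int accept_cloexec(int listen_fd) {
    int fd = accept(listen_fd, NULL, NULL);
    if (fd != -1 && set_cloexec(fd) == -1) { close(fd); return -1; }
    return fd;
}
/* Exec a child shell that dups the fd: 1 if it was still open after exec (leaked), 0 if closed. */
int fd_survives_exec(int fd) {
    char cmd[32];
    snprintf(cmd, sizeof cmd, ": <&%d", fd);
    pid_t pid = fork();
    if (pid == 0) { execl("/bin/sh", "sh", "-c", cmd, (char *)NULL); _exit(127); }
    int status = 0;
    if (pid == -1 || waitpid(pid, &status, 0) == -1) return -1;
    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}
/* Listen on a constructed Unix socket path, connect twice from this same process, and compare
 * plain accept() with accept_cloexec(). Bit 0 = plain-accepted fd leaked, bit 1 = cloexec fd leaked. */
int demo_accept_leak(const char *path) {
    struct sockaddr_un addr = { .sun_family = AF_UNIX };
    strncpy(addr.sun_path, path, sizeof addr.sun_path - 1);
    unlink(path);
    int ls = socket(AF_UNIX, SOCK_STREAM, 0);
    if (ls == -1 || set_cloexec(ls) == -1) return -1;
    if (bind(ls, (struct sockaddr *)&addr, sizeof addr) == -1 || listen(ls, 2) == -1) return -1;
    int mask = 0;
    for (int i = 0; i < 2; i++) {
        int c = socket(AF_UNIX, SOCK_STREAM, 0);
        if (c == -1 || connect(c, (struct sockaddr *)&addr, sizeof addr) == -1) return -1;
        int s = i == 0 ? accept(ls, NULL, NULL) : accept_cloexec(ls);
        if (s == -1) return -1;
        if (fd_survives_exec(s)) mask |= 1 << i;
        close(s); close(c);
    }
    close(ls); unlink(path);
    return mask;
}
```

With a close-on-exec listener the plain accept()ed socket still shows up in the child (mask bit 0 set), while the one wrapped by accept_cloexec() does not.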
Thanks, now it seems to work fine (-:
http://sources.redhat.com/git/?p=cluster.git;a=commit;h=fd57f9e4023cbeadecba15e7093213e507661de9
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2009-0101.html