Created attachment 375381 [details]
reproducer

Description of problem:
Openais SELinux policy does not allow openais/aisexec to clean up shared memory and shared semaphores, which leads to a shared memory leak.

The SELinux AVC messages are dumped around the time of qpidd shutdown.

type=AVC msg=audit(1259669696.045:48733): avc: denied { destroy } for pid=9419 comm="aisexec" key=202628669 scontext=root:system_r:ccs_t:s0 tcontext=root:system_r:initrc_t:s0 tclass=shm
type=AVC msg=audit(1259669696.046:48734): avc: denied { destroy } for pid=9419 comm="aisexec" key=1586332284 scontext=root:system_r:ccs_t:s0 tcontext=root:system_r:initrc_t:s0 tclass=sem

The SELinux AVC messages highlight that qpidd stopped as the service initiates aisexec to clean up shared memory elements:

[root@mrg-qe-02 ~]# echo $? ; procdump ; sedump
0
-rw------- 1 root root 2684 Dec  1 07:14 /var/log/audit/audit.log
type=AVC msg=audit(1259669696.045:48733): avc: denied { destroy } for pid=9419 comm="aisexec" key=202628669 scontext=root:system_r:ccs_t:s0 tcontext=root:system_r:initrc_t:s0 tclass=shm
type=AVC msg=audit(1259669696.046:48734): avc: denied { destroy } for pid=9419 comm="aisexec" key=1586332284 scontext=root:system_r:ccs_t:s0 tcontext=root:system_r:initrc_t:s0 tclass=sem

------ Shared Memory Segments --------
key        shmid      owner      perms      bytes      nattch     status
0x0c13de3d 14974976   qpidd      600        3000008    0

------ Semaphore Arrays --------
key        semid      owner      perms      nsems
0x5e8d827c 14909440   qpidd      600        3

It seems aisexec tries to clean up but has no permissions for that and/or SELinux blocks it.

Version-Release number of selected component (if applicable):
selinux-policy-2.4.6-255.el5_4.1
openais-0.80.6-8.el5_4.1
openais-0.80.6-8.el5_4.1
qpidd-0.5.752581-34.el5
qpidc-perftest-0.5.752581-34.el5

How reproducible:
100%

Steps to Reproduce:
1. see attached reproducer

Actual results:
openais/aisexec is not able to clean up shared memory elements, which leads to a shared memory leak.

Expected results:
No shared memory leak is expected.

Additional info (reproducer run):
The run including shared memory dump:

[root@mrg-qe-02 ~]# # clean up shared memory/sem elements
[root@mrg-qe-02 ~]# ipcs -s | egrep '(qpid|aise)' | awk '{if($2~/[0-9]+/){print "ipcrm -s "$2}}' | sh
[root@mrg-qe-02 ~]# ipcs -m | egrep '(qpid|aise)' | awk '{if($2~/[0-9]+/){print "ipcrm -m "$2}}' | sh
[root@mrg-qe-02 ~]#
[root@mrg-qe-02 ~]# getenforce
Enforcing
[root@mrg-qe-02 ~]# iptables -L -v
Chain INPUT (policy ACCEPT 38105 packets, 4765K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 16649 packets, 2201K bytes)
 pkts bytes target     prot opt in     out     source               destination
[root@mrg-qe-02 ~]#
[root@mrg-qe-02 ~]# cat /etc/qpidd.conf
#
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements.  See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership.  The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License.  You may obtain a copy of the License at
#
#   http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied.  See the License for the
# specific language governing permissions and limitations
# under the License.
#
# Configuration file for qpidd. Entries are of the form:
# name=value
#
# (Note: no spaces on either side of '='). Using default settings:
# "qpidd --help" or "man qpidd" for more details.

cluster-mechanism=ANONYMOUS
cluster-name=xxxy
log-enable=trace+
[root@mrg-qe-02 ~]# cat /etc/ais/openais.conf
# Please read the openais.conf.5 manual page
totem {
	version: 2
	secauth: off
	threads: 0
	interface {
		ringnumber: 0
		bindnetaddr: 10.34.32.0
		mcastaddr: 226.94.1.1
		mcastport: 5405
		#mcastaddr: 226.94.11.12
		#mcastport: 11112
	}
}

logging {
	debug: on
	timestamp: on
	to_file: yes
	logfile: /tmp/openais.log
}

amf {
	mode: disabled
}
[root@mrg-qe-02 ~]#
[root@mrg-qe-02 ~]# service openais status && service openais stop
aisexec is stopped
[root@mrg-qe-02 ~]# echo $? ; procdump ; sedump
3
-rw------- 1 root root 2695 Dec  1 07:52 /var/log/audit/audit.log
type=AVC msg=audit(1259671923.476:48795): avc: denied { destroy } for pid=10366 comm="aisexec" key=1639281690 scontext=root:system_r:ccs_t:s0 tcontext=root:system_r:initrc_t:s0 tclass=shm
type=AVC msg=audit(1259671923.476:48796): avc: denied { destroy } for pid=10366 comm="aisexec" key=90134632 scontext=root:system_r:ccs_t:s0 tcontext=root:system_r:initrc_t:s0 tclass=sem

------ Shared Memory Segments --------
key        shmid      owner      perms      bytes      nattch     status

------ Semaphore Arrays --------
key        semid      owner      perms      nsems

[root@mrg-qe-02 ~]# :> /var/log/audit/audit.log
[root@mrg-qe-02 ~]#
[root@mrg-qe-02 ~]#
[root@mrg-qe-02 ~]# service openais start
Starting OpenAIS daemon (aisexec):                         [  OK  ]
[root@mrg-qe-02 ~]# echo $? ; procdump ; sedump
0
udp        0      0 10.34.33.55:5405            0.0.0.0:*                               10536/aisexec
udp        0      0 10.34.33.55:5149            0.0.0.0:*                               10536/aisexec
udp        0      0 226.94.1.1:5405             0.0.0.0:*                               10536/aisexec
root     10536  0.0  0.1 114480 15924 pts/1    SLl  07:52   0:00 /usr/sbin/aisexec
-rw------- 1 root root 0 Dec  1 07:52 /var/log/audit/audit.log

------ Shared Memory Segments --------
key        shmid      owner      perms      bytes      nattch     status

------ Semaphore Arrays --------
key        semid      owner      perms      nsems

[root@mrg-qe-02 ~]#
[root@mrg-qe-02 ~]# service qpidd start
Starting Qpid AMQP daemon: 2009-dec-01 07:52:21 info Loaded Module: /usr/lib64/qpid/daemon/acl.so
2009-dec-01 07:52:21 info Loaded Module: /usr/lib64/qpid/daemon/xml.so
2009-dec-01 07:52:21 info SSL connector not enabled, you must set QPID_SSL_CERT_DB to enable it.
2009-dec-01 07:52:21 info Loaded Module: /usr/lib64/qpid/client/sslconnector.so
2009-dec-01 07:52:21 info Loaded Module: /usr/lib64/qpid/client/rdmaconnector.so
2009-dec-01 07:52:21 info Loaded Module: /usr/lib64/qpid/daemon/cluster.so
2009-dec-01 07:52:21 info Loaded Module: /usr/lib64/qpid/daemon/msgstore.so
2009-dec-01 07:52:21 info Loaded Module: /usr/lib64/qpid/daemon/rdma.so
2009-dec-01 07:52:21 info Loaded Module: /usr/lib64/qpid/daemon/ssl.so
2009-dec-01 07:52:21 info Loaded Module: /usr/lib64/qpid/daemon/replication_exchange.so
2009-dec-01 07:52:21 info Loaded Module: /usr/lib64/qpid/daemon/replicating_listener.so
                                                           [  OK  ]
2009-dec-01 07:52:22 info Loaded Module: /usr/lib64/qpid/daemon/acl.so
2009-dec-01 07:52:22 info Loaded Module: /usr/lib64/qpid/daemon/xml.so
2009-dec-01 07:52:22 info SSL connector not enabled, you must set QPID_SSL_CERT_DB to enable it.
2009-dec-01 07:52:22 info Loaded Module: /usr/lib64/qpid/client/sslconnector.so
2009-dec-01 07:52:22 info Loaded Module: /usr/lib64/qpid/client/rdmaconnector.so
2009-dec-01 07:52:22 info Loaded Module: /usr/lib64/qpid/daemon/cluster.so
2009-dec-01 07:52:22 info Loaded Module: /usr/lib64/qpid/daemon/msgstore.so
2009-dec-01 07:52:22 info Loaded Module: /usr/lib64/qpid/daemon/rdma.so
2009-dec-01 07:52:22 info Loaded Module: /usr/lib64/qpid/daemon/ssl.so
2009-dec-01 07:52:22 info Loaded Module: /usr/lib64/qpid/daemon/replication_exchange.so
2009-dec-01 07:52:22 info Loaded Module: /usr/lib64/qpid/daemon/replicating_listener.so
[root@mrg-qe-02 ~]# echo $? ; procdump ; sedump
0
tcp        0      0 0.0.0.0:5672                0.0.0.0:*                   LISTEN      10582/qpidd
udp        0      0 10.34.33.55:5405            0.0.0.0:*                               10536/aisexec
udp        0      0 10.34.33.55:5149            0.0.0.0:*                               10536/aisexec
udp        0      0 226.94.1.1:5405             0.0.0.0:*                               10536/aisexec
unix  2      [ ACC ]     STREAM     LISTENING     35707752 10536/aisexec       @libais.socket
root     10536  4.0  0.2 117608 19056 pts/1    SLl  07:52   0:00 /usr/sbin/aisexec
qpidd    10582  3.0  0.0 312480  5312 ?        Ssl  07:52   0:00 /usr/sbin/qpidd --daemon --pid-dir /var/run/qpidd --data-dir /var/lib/qpidd
-rw------- 1 root root 1700 Dec  1 07:52 /var/log/audit/audit.log

------ Shared Memory Segments --------
key        shmid      owner      perms      bytes      nattch     status
0x7bda1322 15171584   qpidd      600        3000008    2

------ Semaphore Arrays --------
key        semid      owner      perms      nsems
0x00b767bf 15106048   qpidd      600        3

[root@mrg-qe-02 ~]#
[root@mrg-qe-02 ~]# service qpidd stop
Stopping Qpid AMQP daemon:                                 [  OK  ]
[root@mrg-qe-02 ~]# echo $? ; procdump ; sedump
1
0
udp        0      0 10.34.33.55:5405            0.0.0.0:*                               10536/aisexec
udp        0      0 10.34.33.55:5149            0.0.0.0:*                               10536/aisexec
udp        0      0 226.94.1.1:5405             0.0.0.0:*                               10536/aisexec
unix  2      [ ACC ]     STREAM     LISTENING     35707752 10536/aisexec       @libais.socket
root     10536  5.0  0.1 116780 16188 pts/1    SLl  07:52   0:00 /usr/sbin/aisexec
-rw------- 1 root root 2695 Dec  1 07:52 /var/log/audit/audit.log
type=AVC msg=audit(1259671942.556:48805): avc: denied { destroy } for pid=10536 comm="aisexec" key=2077889314 scontext=root:system_r:ccs_t:s0 tcontext=root:system_r:initrc_t:s0 tclass=shm
type=AVC msg=audit(1259671942.556:48806): avc: denied { destroy } for pid=10536 comm="aisexec" key=12019647 scontext=root:system_r:ccs_t:s0 tcontext=root:system_r:initrc_t:s0 tclass=sem
Dec  1 07:52:22 mrg-qe-02 setroubleshoot: SELinux is preventing aisexec (ccs_t) "destroy" to <Unknown> (initrc_t). For complete SELinux messages. run sealert -l 2c8df27f-f2a4-45f1-b5ba-1d6122cd5c95
Dec  1 07:52:22 mrg-qe-02 setroubleshoot: SELinux is preventing aisexec (ccs_t) "destroy" to <Unknown> (initrc_t). For complete SELinux messages. run sealert -l 789128c9-7882-4892-b753-6204a805e56b

Summary:

SELinux is preventing aisexec (ccs_t) "destroy" to <Unknown> (initrc_t).

Detailed Description:

SELinux denied access requested by aisexec. It is not expected that this access is required by aisexec and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                root:system_r:ccs_t
Target Context                root:system_r:initrc_t
Target Objects                None [ shm ]
Source                        aisexec
Source Path                   /usr/sbin/aisexec
Port                          <Unknown>
Host                          mrg-qe-02.lab.eng.brq.redhat.com
Source RPM Packages           openais-0.80.6-8.el5_4.1
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-255.el5_4.1
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     mrg-qe-02.lab.eng.brq.redhat.com
Platform                      Linux mrg-qe-02.lab.eng.brq.redhat.com 2.6.18-164.6.1.el5 #1 SMP Tue Oct 27 11:28:30 EDT 2009 x86_64 x86_64
Alert Count                   25
First Seen                    Fri Nov 27 07:29:20 2009
Last Seen                     Tue Dec  1 07:52:22 2009
Local ID                      2c8df27f-f2a4-45f1-b5ba-1d6122cd5c95
Line Numbers

Raw Audit Messages

host=mrg-qe-02.lab.eng.brq.redhat.com type=AVC msg=audit(1259671942.556:48805): avc: denied { destroy } for pid=10536 comm="aisexec" key=2077889314 scontext=root:system_r:ccs_t:s0 tcontext=root:system_r:initrc_t:s0 tclass=shm
host=mrg-qe-02.lab.eng.brq.redhat.com type=SYSCALL msg=audit(1259671942.556:48805): arch=c000003e syscall=31 success=no exit=-13 a0=e78000 a1=0 a2=0 a3=0 items=0 ppid=1 pid=10536 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4486 comm="aisexec" exe="/usr/sbin/aisexec" subj=root:system_r:ccs_t:s0 key=(null)

Summary:

SELinux is preventing aisexec (ccs_t) "destroy" to <Unknown> (initrc_t).

Detailed Description:

SELinux denied access requested by aisexec. It is not expected that this access is required by aisexec and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                root:system_r:ccs_t
Target Context                root:system_r:initrc_t
Target Objects                None [ sem ]
Source                        aisexec
Source Path                   /usr/sbin/aisexec
Port                          <Unknown>
Host                          mrg-qe-02.lab.eng.brq.redhat.com
Source RPM Packages           openais-0.80.6-8.el5_4.1
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-255.el5_4.1
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     mrg-qe-02.lab.eng.brq.redhat.com
Platform                      Linux mrg-qe-02.lab.eng.brq.redhat.com 2.6.18-164.6.1.el5 #1 SMP Tue Oct 27 11:28:30 EDT 2009 x86_64 x86_64
Alert Count                   25
First Seen                    Fri Nov 27 07:29:20 2009
Last Seen                     Tue Dec  1 07:52:22 2009
Local ID                      789128c9-7882-4892-b753-6204a805e56b
Line Numbers

Raw Audit Messages

host=mrg-qe-02.lab.eng.brq.redhat.com type=AVC msg=audit(1259671942.556:48806): avc: denied { destroy } for pid=10536 comm="aisexec" key=12019647 scontext=root:system_r:ccs_t:s0 tcontext=root:system_r:initrc_t:s0 tclass=sem
host=mrg-qe-02.lab.eng.brq.redhat.com type=SYSCALL msg=audit(1259671942.556:48806): arch=c000003e syscall=66 success=no exit=-13 a0=e68000 a1=0 a2=0 a3=ffffffffffffffb0 items=0 ppid=1 pid=10536 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4486 comm="aisexec" exe="/usr/sbin/aisexec" subj=root:system_r:ccs_t:s0 key=(null)

------ Shared Memory Segments --------
key        shmid      owner      perms      bytes      nattch     status
0x7bda1322 15171584   qpidd      600        3000008    0

------ Semaphore Arrays --------
key        semid      owner      perms      nsems
0x00b767bf 15106048   qpidd      600        3

[root@mrg-qe-02 ~]#
[root@mrg-qe-02 ~]# service openais stop
Stopping OpenAIS daemon (aisexec):                         [  OK  ]
[root@mrg-qe-02 ~]# echo $? ; procdump ; sedump
0
-rw------- 1 root root 2695 Dec  1 07:52 /var/log/audit/audit.log
type=AVC msg=audit(1259671942.556:48805): avc: denied { destroy } for pid=10536 comm="aisexec" key=2077889314 scontext=root:system_r:ccs_t:s0 tcontext=root:system_r:initrc_t:s0 tclass=shm
type=AVC msg=audit(1259671942.556:48806): avc: denied { destroy } for pid=10536 comm="aisexec" key=12019647 scontext=root:system_r:ccs_t:s0 tcontext=root:system_r:initrc_t:s0 tclass=sem

------ Shared Memory Segments --------
key        shmid      owner      perms      bytes      nattch     status
0x7bda1322 15171584   qpidd      600        3000008    0

------ Semaphore Arrays --------
key        semid      owner      perms      nsems
0x00b767bf 15106048   qpidd      600        3
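The key= field of each AVC record is the SysV IPC key in decimal, and ipcs prints the same key in hex (0x0c13de3d is 202628669), so the two outputs in the report can be joined to show exactly which objects the denied destroy left behind. The Python below is an added example, not part of this report or of openais; it parses the records quoted above (embedded as constructed sample input), lists the leaked objects, and collapses the denials into the allow rules a local policy module for this access would need.

```python
import re

# Constructed sample input: the two AVC records and the ipcs output quoted in this report.
AUDIT_LOG = """\
type=AVC msg=audit(1259669696.045:48733): avc: denied { destroy } for pid=9419 comm="aisexec" key=202628669 scontext=root:system_r:ccs_t:s0 tcontext=root:system_r:initrc_t:s0 tclass=shm
type=AVC msg=audit(1259669696.046:48734): avc: denied { destroy } for pid=9419 comm="aisexec" key=1586332284 scontext=root:system_r:ccs_t:s0 tcontext=root:system_r:initrc_t:s0 tclass=sem
"""
IPCS_OUT = """\
------ Shared Memory Segments --------
key        shmid      owner      perms      bytes      nattch     status
0x0c13de3d 14974976   qpidd      600        3000008    0
------ Semaphore Arrays --------
key        semid      owner      perms      nsems
0x5e8d827c 14909440   qpidd      600        3
"""
# key= in the AVC record is the SysV IPC key in decimal; the context fields are user:role:type:level.
AVC_RE = re.compile(
    r'type=AVC .*?avc: +denied +\{ (?P<perms>[^}]+)\} .*?key=(?P<key>\d+) .*?'
    r'scontext=\w+:\w+:(?P<stype>\w+):\S+ tcontext=\w+:\w+:(?P<ttype>\w+):\S+ tclass=(?P<tclass>\w+)')

def parse_denials(text):
    """One dict per AVC 'denied' record: perms list, key (int), source/target type, class."""
    out = []
    for m in filter(None, map(AVC_RE.search, text.splitlines())):
        d = m.groupdict()
        d['perms'], d['key'] = d['perms'].split(), int(d['key'])
        out.append(d)
    return out

def parse_ipcs(text):
    """Map IPC key (int) -> (class, id) from 'ipcs' output; the section headers set the class."""
    objs, cls = {}, None
    for line in text.splitlines():
        cls = 'shm' if 'Shared Memory' in line else 'sem' if 'Semaphore' in line else cls
        f = line.split()
        if cls and f and f[0].startswith('0x'):
            objs[int(f[0], 16)] = (cls, int(f[1]))
    return objs

def leaked_objects(denials, ipcs):
    """(class, id) of objects whose destroy was denied and that ipcs still lists afterwards."""
    return [ipcs[d['key']] for d in denials
            if 'destroy' in d['perms'] and ipcs.get(d['key'], (None,))[0] == d['tclass']]

def allow_rules(denials):
    """Collapse denials into allow rules keyed by (source type, target type, class)."""
    rules = {}
    for d in denials:
        rules.setdefault((d['stype'], d['ttype'], d['tclass']), set()).update(d['perms'])
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};" for (s, t, c), p in rules.items()]
```

On a live host the two inputs are /var/log/audit/audit.log and the output of ipcs, as in the reproducer; the rules only document which access the denials ask for, and the policy maintainer decides whether to grant it.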
Is SELinux for clusters supported in 5.4.Z?
The policy is being worked on. Could you try the policy in http://people.redhat.com/dwalsh/SELinux/RHEL5
Should be fixed in RHEL5.5 selinux-policy. The latest policy is selinux-policy-2.4.6-267.el5, in testing. I am closing it as NEXTRELEASE.