Bug 543374 - openais selinux policy rules issue (sem/shm destroy action denied)
openais selinux policy rules issue (sem/shm destroy action denied)
Status: CLOSED NEXTRELEASE
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy (Show other bugs)
5.4.z
All Linux
medium Severity medium
: rc
: ---
Assigned To: Miroslav Grepl
BaseOS QE Security Team
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2009-12-02 04:55 EST by Frantisek Reznicek
Modified: 2015-11-15 20:11 EST (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-12-21 07:11:20 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)
reproducer (1.38 KB, text/plain)
2009-12-02 04:55 EST, Frantisek Reznicek
no flags Details

  None (edit)
Description Frantisek Reznicek 2009-12-02 04:55:00 EST
Created attachment 375381 [details]
reproducer

Description of problem:

Openais SELinux policy does not allow openais/aisexec to clean-up shared memory and shared semaphores which leads to shared memory leak.

The SELinux AVC messages are dumped around the time of qpidd shutdown.

  type=AVC msg=audit(1259669696.045:48733): avc:  denied  { destroy } for  pid=9419 comm="aisexec" key=202628669 scontext=root:system_r:ccs_t:s0 tcontext=root:system_r:initrc_t:s0 tclass=shm
  type=AVC msg=audit(1259669696.046:48734): avc:  denied  { destroy } for  pid=9419 comm="aisexec" key=1586332284 scontext=root:system_r:ccs_t:s0 tcontext=root:system_r:initrc_t:s0 tclass=sem


The SELinux AVC messages highlights that qpidd stopped as the service initiates aisexec to clean-up shared memory elements:

  [root@mrg-qe-02 ~]# echo $? ; procdump ; sedump
  0
  -rw------- 1 root root 2684 Dec  1 07:14 /var/log/audit/audit.log
  type=AVC msg=audit(1259669696.045:48733): avc:  denied  { destroy } for  pid=9419 comm="aisexec" key=202628669 scontext=root:system_r:ccs_t:s0 tcontext=root:system_r:initrc_t:s0 tclass=shm
  type=AVC msg=audit(1259669696.046:48734): avc:  denied  { destroy } for  pid=9419 comm="aisexec" key=1586332284 scontext=root:system_r:ccs_t:s0 tcontext=root:system_r:initrc_t:s0 tclass=sem

  ------ Shared Memory Segments --------
  key        shmid      owner      perms      bytes      nattch     status
  0x0c13de3d 14974976   qpidd     600        3000008    0

  ------ Semaphore Arrays --------
  key        semid      owner      perms      nsems
  0x5e8d827c 14909440   qpidd     600        3

It seems aisexec tries to clean up but has no permissions for that and/or SELinux blocks it.




Version-Release number of selected component (if applicable):
selinux-policy-2.4.6-255.el5_4.1
openais-0.80.6-8.el5_4.1
openais-0.80.6-8.el5_4.1
qpidd-0.5.752581-34.el5
qpidc-perftest-0.5.752581-34.el5


How reproducible:
100%

Steps to Reproduce:
1. see attached reproducer
  
Actual results:
openais/aisexec is not able to clean-up shared memory elements which leand to shared memory leak.

Expected results:
No shared memory leak is expected.

Additional info (reproducer run):

The run including shared memory dump:

[root@mrg-qe-02 ~]# # clean up shared memory/sem elements
[root@mrg-qe-02 ~]# ipcs -s | egrep '(qpid|aise)' | awk '{if($2~/[0-9]+/){print "ipcrm -s "$2}}' | sh
[root@mrg-qe-02 ~]# ipcs -m | egrep '(qpid|aise)' | awk '{if($2~/[0-9]+/){print "ipcrm -m "$2}}' | sh
[root@mrg-qe-02 ~]#
[root@mrg-qe-02 ~]# getenforce
Enforcing
[root@mrg-qe-02 ~]# iptables -L -v
Chain INPUT (policy ACCEPT 38105 packets, 4765K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 16649 packets, 2201K bytes)
 pkts bytes target     prot opt in     out     source               destination
[root@mrg-qe-02 ~]#
[root@mrg-qe-02 ~]# cat /etc/qpidd.conf
#
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements.  See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership.  The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License.  You may obtain a copy of the License at
#
#   http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied.  See the License for the
# specific language governing permissions and limitations
# under the License.
#
# Configuration file for qpidd. Entries are of the form:
#   name=value
#
# (Note: no spaces on either side of '='). Using default settings:
# "qpidd --help" or "man qpidd" for more details.
cluster-mechanism=ANONYMOUS
cluster-name=xxxy
log-enable=trace+
[root@mrg-qe-02 ~]# cat /etc/ais/openais.conf
# Please read the openais.conf.5 manual page

totem {
        version: 2
        secauth: off
        threads: 0
        interface {
                ringnumber: 0
bindnetaddr: 10.34.32.0
                mcastaddr: 226.94.1.1
                mcastport: 5405
#mcastaddr: 226.94.11.12
#mcastport: 11112
        }
}

logging {
debug: on
timestamp: on
to_file: yes
logfile: /tmp/openais.log
}

amf {
        mode: disabled
}
[root@mrg-qe-02 ~]#
[root@mrg-qe-02 ~]# service openais status && service openais stop
aisexec is stopped
[root@mrg-qe-02 ~]# echo $? ; procdump ; sedump
3
-rw------- 1 root root 2695 Dec  1 07:52 /var/log/audit/audit.log
type=AVC msg=audit(1259671923.476:48795): avc:  denied  { destroy } for  pid=10366 comm="aisexec" key=1639281690 scontext=root:system_r:ccs_t:s0 tcontext=root:system_r:initrc_t:s0 tclass=shm
type=AVC msg=audit(1259671923.476:48796): avc:  denied  { destroy } for  pid=10366 comm="aisexec" key=90134632 scontext=root:system_r:ccs_t:s0 tcontext=root:system_r:initrc_t:s0 tclass=sem

------ Shared Memory Segments --------
key        shmid      owner      perms      bytes      nattch     status

------ Semaphore Arrays --------
key        semid      owner      perms      nsems

[root@mrg-qe-02 ~]# :> /var/log/audit/audit.log
[root@mrg-qe-02 ~]#
[root@mrg-qe-02 ~]#
[root@mrg-qe-02 ~]# service openais start
Starting OpenAIS daemon (aisexec):                         [  OK  ]
[root@mrg-qe-02 ~]# echo $? ; procdump ; sedump
0
udp        0      0 10.34.33.55:5405            0.0.0.0:*                               10536/aisexec
udp        0      0 10.34.33.55:5149            0.0.0.0:*                               10536/aisexec
udp        0      0 226.94.1.1:5405             0.0.0.0:*                               10536/aisexec
root     10536  0.0  0.1 114480 15924 pts/1    SLl  07:52   0:00 /usr/sbin/aisexec
-rw------- 1 root root 0 Dec  1 07:52 /var/log/audit/audit.log

------ Shared Memory Segments --------
key        shmid      owner      perms      bytes      nattch     status

------ Semaphore Arrays --------
key        semid      owner      perms      nsems

[root@mrg-qe-02 ~]#
[root@mrg-qe-02 ~]# service qpidd start
Starting Qpid AMQP daemon: 2009-dec-01 07:52:21 info Loaded Module: /usr/lib64/qpid/daemon/acl.so
2009-dec-01 07:52:21 info Loaded Module: /usr/lib64/qpid/daemon/xml.so
2009-dec-01 07:52:21 info SSL connector not enabled, you must set QPID_SSL_CERT_DB to enable it.
2009-dec-01 07:52:21 info Loaded Module: /usr/lib64/qpid/client/sslconnector.so
2009-dec-01 07:52:21 info Loaded Module: /usr/lib64/qpid/client/rdmaconnector.so
2009-dec-01 07:52:21 info Loaded Module: /usr/lib64/qpid/daemon/cluster.so
2009-dec-01 07:52:21 info Loaded Module: /usr/lib64/qpid/daemon/msgstore.so
2009-dec-01 07:52:21 info Loaded Module: /usr/lib64/qpid/daemon/rdma.so
2009-dec-01 07:52:21 info Loaded Module: /usr/lib64/qpid/daemon/ssl.so
2009-dec-01 07:52:21 info Loaded Module: /usr/lib64/qpid/daemon/replication_exchange.so
2009-dec-01 07:52:21 info Loaded Module: /usr/lib64/qpid/daemon/replicating_listener.so
                                                           [  OK  ]
2009-dec-01 07:52:22 info Loaded Module: /usr/lib64/qpid/daemon/acl.so
2009-dec-01 07:52:22 info Loaded Module: /usr/lib64/qpid/daemon/xml.so
2009-dec-01 07:52:22 info SSL connector not enabled, you must set QPID_SSL_CERT_DB to enable it.
2009-dec-01 07:52:22 info Loaded Module: /usr/lib64/qpid/client/sslconnector.so
2009-dec-01 07:52:22 info Loaded Module: /usr/lib64/qpid/client/rdmaconnector.so
2009-dec-01 07:52:22 info Loaded Module: /usr/lib64/qpid/daemon/cluster.so
2009-dec-01 07:52:22 info Loaded Module: /usr/lib64/qpid/daemon/msgstore.so
2009-dec-01 07:52:22 info Loaded Module: /usr/lib64/qpid/daemon/rdma.so
2009-dec-01 07:52:22 info Loaded Module: /usr/lib64/qpid/daemon/ssl.so
2009-dec-01 07:52:22 info Loaded Module: /usr/lib64/qpid/daemon/replication_exchange.so
2009-dec-01 07:52:22 info Loaded Module: /usr/lib64/qpid/daemon/replicating_listener.so
[root@mrg-qe-02 ~]# echo $? ; procdump ; sedump
0
tcp        0      0 0.0.0.0:5672                0.0.0.0:*                   LISTEN      10582/qpidd
udp        0      0 10.34.33.55:5405            0.0.0.0:*                               10536/aisexec
udp        0      0 10.34.33.55:5149            0.0.0.0:*                               10536/aisexec
udp        0      0 226.94.1.1:5405             0.0.0.0:*                               10536/aisexec
unix  2      [ ACC ]     STREAM     LISTENING     35707752 10536/aisexec       @libais.socket
root     10536  4.0  0.2 117608 19056 pts/1    SLl  07:52   0:00 /usr/sbin/aisexec
qpidd    10582  3.0  0.0 312480  5312 ?        Ssl  07:52   0:00 /usr/sbin/qpidd --daemon --pid-dir /var/run/qpidd --data-dir /var/lib/qpidd
-rw------- 1 root root 1700 Dec  1 07:52 /var/log/audit/audit.log

------ Shared Memory Segments --------
key        shmid      owner      perms      bytes      nattch     status
0x7bda1322 15171584   qpidd     600        3000008    2

------ Semaphore Arrays --------
key        semid      owner      perms      nsems
0x00b767bf 15106048   qpidd     600        3

[root@mrg-qe-02 ~]#
[root@mrg-qe-02 ~]# service qpidd stop
Stopping Qpid AMQP daemon:                                 [  OK  ]
[root@mrg-qe-02 ~]# echo $? ; procdump ; sedump 1
0
udp        0      0 10.34.33.55:5405            0.0.0.0:*                               10536/aisexec
udp        0      0 10.34.33.55:5149            0.0.0.0:*                               10536/aisexec
udp        0      0 226.94.1.1:5405             0.0.0.0:*                               10536/aisexec
unix  2      [ ACC ]     STREAM     LISTENING     35707752 10536/aisexec       @libais.socket
root     10536  5.0  0.1 116780 16188 pts/1    SLl  07:52   0:00 /usr/sbin/aisexec
-rw------- 1 root root 2695 Dec  1 07:52 /var/log/audit/audit.log
type=AVC msg=audit(1259671942.556:48805): avc:  denied  { destroy } for  pid=10536 comm="aisexec" key=2077889314 scontext=root:system_r:ccs_t:s0 tcontext=root:system_r:initrc_t:s0 tclass=shm
type=AVC msg=audit(1259671942.556:48806): avc:  denied  { destroy } for  pid=10536 comm="aisexec" key=12019647 scontext=root:system_r:ccs_t:s0 tcontext=root:system_r:initrc_t:s0 tclass=sem
Dec  1 07:52:22 mrg-qe-02 setroubleshoot: SELinux is preventing aisexec (ccs_t) "destroy" to <Unknown> (initrc_t). For complete SELinux messages. run sealert -l 2c8df27f-f2a4-45f1-b5ba-1d6122cd5c95
Dec  1 07:52:22 mrg-qe-02 setroubleshoot: SELinux is preventing aisexec (ccs_t) "destroy" to <Unknown> (initrc_t). For complete SELinux messages. run sealert -l 789128c9-7882-4892-b753-6204a805e56b

Summary:

SELinux is preventing aisexec (ccs_t) "destroy" to <Unknown> (initrc_t).

Detailed Description:

SELinux denied access requested by aisexec. It is not expected that this access
is required by aisexec and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                root:system_r:ccs_t
Target Context                root:system_r:initrc_t
Target Objects                None [ shm ]
Source                        aisexec
Source Path                   /usr/sbin/aisexec
Port                          <Unknown>
Host                          mrg-qe-02.lab.eng.brq.redhat.com
Source RPM Packages           openais-0.80.6-8.el5_4.1
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-255.el5_4.1
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     mrg-qe-02.lab.eng.brq.redhat.com
Platform                      Linux mrg-qe-02.lab.eng.brq.redhat.com
                              2.6.18-164.6.1.el5 #1 SMP Tue Oct 27 11:28:30 EDT
                              2009 x86_64 x86_64
Alert Count                   25
First Seen                    Fri Nov 27 07:29:20 2009
Last Seen                     Tue Dec  1 07:52:22 2009
Local ID                      2c8df27f-f2a4-45f1-b5ba-1d6122cd5c95
Line Numbers

Raw Audit Messages

host=mrg-qe-02.lab.eng.brq.redhat.com type=AVC msg=audit(1259671942.556:48805): avc:  denied  { destroy } for  pid=10536 comm="aisexec" key=2077889314 scontext=root:system_r:ccs_t:s0 tcontext=root:system_r:initrc_t:s0 tclass=shm

host=mrg-qe-02.lab.eng.brq.redhat.com type=SYSCALL msg=audit(1259671942.556:48805): arch=c000003e syscall=31 success=no exit=-13 a0=e78000 a1=0 a2=0 a3=0 items=0 ppid=1 pid=10536 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4486 comm="aisexec" exe="/usr/sbin/aisexec" subj=root:system_r:ccs_t:s0 key=(null)




Summary:

SELinux is preventing aisexec (ccs_t) "destroy" to <Unknown> (initrc_t).

Detailed Description:

SELinux denied access requested by aisexec. It is not expected that this access
is required by aisexec and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                root:system_r:ccs_t
Target Context                root:system_r:initrc_t
Target Objects                None [ sem ]
Source                        aisexec
Source Path                   /usr/sbin/aisexec
Port                          <Unknown>
Host                          mrg-qe-02.lab.eng.brq.redhat.com
Source RPM Packages           openais-0.80.6-8.el5_4.1
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-255.el5_4.1
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     mrg-qe-02.lab.eng.brq.redhat.com
Platform                      Linux mrg-qe-02.lab.eng.brq.redhat.com
                              2.6.18-164.6.1.el5 #1 SMP Tue Oct 27 11:28:30 EDT
                              2009 x86_64 x86_64
Alert Count                   25
First Seen                    Fri Nov 27 07:29:20 2009
Last Seen                     Tue Dec  1 07:52:22 2009
Local ID                      789128c9-7882-4892-b753-6204a805e56b
Line Numbers

Raw Audit Messages

host=mrg-qe-02.lab.eng.brq.redhat.com type=AVC msg=audit(1259671942.556:48806): avc:  denied  { destroy } for  pid=10536 comm="aisexec" key=12019647 scontext=root:system_r:ccs_t:s0 tcontext=root:system_r:initrc_t:s0 tclass=sem

host=mrg-qe-02.lab.eng.brq.redhat.com type=SYSCALL msg=audit(1259671942.556:48806): arch=c000003e syscall=66 success=no exit=-13 a0=e68000 a1=0 a2=0 a3=ffffffffffffffb0 items=0 ppid=1 pid=10536 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4486 comm="aisexec" exe="/usr/sbin/aisexec" subj=root:system_r:ccs_t:s0 key=(null)




------ Shared Memory Segments --------
key        shmid      owner      perms      bytes      nattch     status
0x7bda1322 15171584   qpidd     600        3000008    0

------ Semaphore Arrays --------
key        semid      owner      perms      nsems
0x00b767bf 15106048   qpidd     600        3

[root@mrg-qe-02 ~]#
[root@mrg-qe-02 ~]# service openais stop
Stopping OpenAIS daemon (aisexec):                         [  OK  ]
[root@mrg-qe-02 ~]# echo $? ; procdump ; sedump
0
-rw------- 1 root root 2695 Dec  1 07:52 /var/log/audit/audit.log
type=AVC msg=audit(1259671942.556:48805): avc:  denied  { destroy } for  pid=10536 comm="aisexec" key=2077889314 scontext=root:system_r:ccs_t:s0 tcontext=root:system_r:initrc_t:s0 tclass=shm
type=AVC msg=audit(1259671942.556:48806): avc:  denied  { destroy } for  pid=10536 comm="aisexec" key=12019647 scontext=root:system_r:ccs_t:s0 tcontext=root:system_r:initrc_t:s0 tclass=sem

------ Shared Memory Segments --------
key        shmid      owner      perms      bytes      nattch     status
0x7bda1322 15171584   qpidd     600        3000008    0

------ Semaphore Arrays --------
key        semid      owner      perms      nsems
0x00b767bf 15106048   qpidd     600        3
Comment 1 Christine Caulfield 2009-12-02 08:55:09 EST
Is SELinux for clusters supported in 5.4.Z ?
Comment 2 Daniel Walsh 2009-12-02 09:17:49 EST
The policy is being worked on.  Could you try the policy in 

http://people.redhat.com/dwalsh/SELinux/RHEL5
Comment 3 Miroslav Grepl 2009-12-21 07:11:20 EST
Should be fixed in RHEL5.5 selinux-policy. The latest policy is selinux-policy-2.4.6-267.el5 to testing. 

I am closing it as NEXTRELEASE.

Note You need to log in before you can comment on or make changes to this bug.