Bug 547711 - SELinux fails cman startup
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 12
Hardware: All
OS: Linux
Priority: low
Severity: medium
Assigned To: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Reported: 2009-12-15 09:18 EST by Christine Caulfield
Modified: 2010-03-19 23:31 EDT (History)
Fixed In Version: selinux-policy-3.6.32-103.fc12
Doc Type: Bug Fix
Last Closed: 2010-03-19 23:31:17 EDT
Attachments:
corosync local policy (attachment 398510, 278 bytes, application/octet-stream), 2010-03-08 06:49 EST, Miroslav Grepl

Description Christine Caulfield 2009-12-15 09:18:15 EST
Description of problem:

With latest Fedora12 (and rawhide) packages, cman fails to start up due to SELinux AVCs

Version-Release number of selected component (if applicable):
cman-3.0.6-1.fc12.x86_64
selinux-policy-3.6.32-55.fc12.noarch

How reproducible:
Every time

Steps to Reproduce:
1. # yum install cman
2. Configure a basic cluster.conf
3. # service cman start
  
Actual results:
# service cman start
Starting cluster: 
   Global setup...                                         [  OK  ]
   Loading kernel modules...                               [  OK  ]
   Mounting configfs...                                    [  OK  ]
   Starting cman...                                        [  OK  ]
   Waiting for quorum...                                   [  OK  ]
   Starting fenced...                                      [  OK  ]
   Starting dlm_controld...                                [  OK  ]
   Starting gfs_controld...                                [  OK  ]
   Unfencing self... fence_node: cannot connect to cman
                                                           [FAILED]

Expected results:

cman and all services to start fully.


Additional info:

audit.log contains:

type=AVC msg=audit(1260886087.629:18246): avc:  denied  { read write } for  pid=1643 comm="corosync" name="control_buffer-nthIsl" dev=tmpfs ino=13417 scontext=unconfined_u:system_r:corosync_t:s0 tcontext=unconfined_u:object_r:tmpfs_t:s0 tclass=file
type=AVC msg=audit(1260886087.629:18246): avc:  denied  { open } for  pid=1643 comm="corosync" name="control_buffer-nthIsl" dev=tmpfs ino=13417 scontext=unconfined_u:system_r:corosync_t:s0 tcontext=unconfined_u:object_r:tmpfs_t:s0 tclass=file
type=SYSCALL msg=audit(1260886087.629:18246): arch=c000003e syscall=2 success=yes exit=13 a0=ad9e58 a1=2 a2=180 a3=7fff0608dbc0 items=0 ppid=1632 pid=1643 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="corosync" exe="/usr/sbin/corosync" subj=unconfined_u:system_r:corosync_t:s0 key=(null)
type=AVC msg=audit(1260886087.629:18247): avc:  denied  { unlink } for  pid=1643 comm="corosync" name="control_buffer-nthIsl" dev=tmpfs ino=13417 scontext=unconfined_u:system_r:corosync_t:s0 tcontext=unconfined_u:object_r:tmpfs_t:s0 tclass=file
type=SYSCALL msg=audit(1260886087.629:18247): arch=c000003e syscall=87 success=yes exit=0 a0=ad9e58 a1=2 a2=d a3=7fff0608dbc0 items=0 ppid=1632 pid=1643 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="corosync" exe="/usr/sbin/corosync" subj=unconfined_u:system_r:corosync_t:s0 key=(null)
type=AVC msg=audit(1260886087.635:18248): avc:  denied  { search } for  pid=1643 comm="corosync" name="1632" dev=proc ino=13230 scontext=unconfined_u:system_r:corosync_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=dir
type=AVC msg=audit(1260886087.635:18248): avc:  denied  { read } for  pid=1643 comm="corosync" name="stat" dev=proc ino=13280 scontext=unconfined_u:system_r:corosync_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=file
type=AVC msg=audit(1260886087.635:18248): avc:  denied  { open } for  pid=1643 comm="corosync" name="stat" dev=proc ino=13280 scontext=unconfined_u:system_r:corosync_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=file
type=SYSCALL msg=audit(1260886087.635:18248): arch=c000003e syscall=2 success=yes exit=13 a0=7fff0608ddf0 a1=0 a2=1b6 a3=0 items=0 ppid=1632 pid=1643 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="corosync" exe="/usr/sbin/corosync" subj=unconfined_u:system_r:corosync_t:s0 key=(null)
type=AVC msg=audit(1260886087.636:18249): avc:  denied  { getattr } for  pid=1643 comm="corosync" path="/proc/1632/stat" dev=proc ino=13280 scontext=unconfined_u:system_r:corosync_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=file
type=SYSCALL msg=audit(1260886087.636:18249): arch=c000003e syscall=5 success=yes exit=0 a0=d a1=7fff0608db40 a2=7fff0608db40 a3=7fff0608da40 items=0 ppid=1632 pid=1643 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="corosync" exe="/usr/sbin/corosync" subj=unconfined_u:system_r:corosync_t:s0 key=(null)
type=AVC msg=audit(1260886090.444:18250): avc:  denied  { write } for  pid=1801 comm="fence_node" name="cman_client" dev=dm-0 ino=20619 scontext=unconfined_u:system_r:fenced_t:s0 tcontext=unconfined_u:object_r:corosync_var_run_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1260886090.444:18250): arch=c000003e syscall=42 success=yes exit=128 a0=3 a1=7fff55932dd0 a2=6e a3=7fff55932b60 items=0 ppid=1800 pid=1801 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="fence_node" exe="/usr/sbin/fence_node" subj=unconfined_u:system_r:fenced_t:s0 key=(null)
type=MAC_POLICY_LOAD msg=audit(1260886182.765:18251): policy loaded auid=0 ses=1
type=SYSCALL msg=audit(1260886182.765:18251): arch=c000003e syscall=1 success=yes exit=128 a0=4 a1=7f1c41dc5000 a2=432cbc a3=7fffd7ea8e50 items=0 ppid=1820 pid=1821 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="load_policy" exe="/sbin/load_policy" subj=unconfined_u:unconfined_r:load_policy_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1260886212.098:18252): avc:  denied  { search } for  pid=1932 comm="corosync" name="2085" dev=proc ino=17308 scontext=unconfined_u:system_r:corosync_t:s0 tcontext=unconfined_u:system_r:fenced_t:s0 tclass=dir
type=AVC msg=audit(1260886212.098:18252): avc:  denied  { read } for  pid=1932 comm="corosync" name="stat" dev=proc ino=17309 scontext=unconfined_u:system_r:corosync_t:s0 tcontext=unconfined_u:system_r:fenced_t:s0 tclass=file
type=AVC msg=audit(1260886212.098:18252): avc:  denied  { open } for  pid=1932 comm="corosync" name="stat" dev=proc ino=17309 scontext=unconfined_u:system_r:corosync_t:s0 tcontext=unconfined_u:system_r:fenced_t:s0 tclass=file
type=SYSCALL msg=audit(1260886212.098:18252): arch=c000003e syscall=2 success=yes exit=23 a0=7fffe10f0a40 a1=0 a2=1b6 a3=0 items=0 ppid=1 pid=1932 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="corosync" exe="/usr/sbin/corosync" subj=unconfined_u:system_r:corosync_t:s0 key=(null)
type=AVC msg=audit(1260886212.099:18253): avc:  denied  { getattr } for  pid=1932 comm="corosync" path="/proc/2085/stat" dev=proc ino=17309 scontext=unconfined_u:system_r:corosync_t:s0 tcontext=unconfined_u:system_r:fenced_t:s0 tclass=file
type=SYSCALL msg=audit(1260886212.099:18253): arch=c000003e syscall=5 success=yes exit=0 a0=17 a1=7fffe10f0790 a2=7fffe10f0790 a3=0 items=0 ppid=1 pid=1932 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="corosync" exe="/usr/sbin/corosync" subj=unconfined_u:system_r:corosync_t:s0 key=(null)


audit2allow -R returns:

require {
        type corosync_t;
        type fenced_t;
        type corosync_var_run_t;
        type initrc_t;
        class sock_file write;
        class unix_stream_socket connectto;
        class dir search;
}

#============= corosync_t ==============
allow corosync_t initrc_t:dir search;
fs_manage_tmpfs_files(corosync_t)
init_read_script_state(corosync_t)

#============= fenced_t ==============
allow fenced_t corosync_t:unix_stream_socket connectto;
allow fenced_t corosync_var_run_t:sock_file write;
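The audit2allow output above is the reference-policy (-R) form of the denials. As an added example that is not code from this report or from selinux-policy, the pipeline below does the underlying step by hand: it reads raw audit.log records, keeps only the "avc: denied" ones, takes the type field out of each scontext/tcontext (contexts are user:role:type:level), and folds the permissions for each (source type, target type, class) into one plain allow rule, which is what audit2allow emits before -R maps rules onto interfaces such as fs_manage_tmpfs_files(). The sample records are copied from the report; the function names are this example's own.

```shell
#!/bin/sh
# Fold raw audit.log AVC records into plain SELinux allow rules.
# Added example; not code from this bug report or from selinux-policy.
# SAMPLE_AVCS holds records copied from the report above; records that are
# not AVC denials (the SYSCALL line) are ignored, as audit2allow ignores them.

SAMPLE_AVCS='type=AVC msg=audit(1260886087.629:18246): avc:  denied  { read write } for  pid=1643 comm="corosync" name="control_buffer-nthIsl" dev=tmpfs ino=13417 scontext=unconfined_u:system_r:corosync_t:s0 tcontext=unconfined_u:object_r:tmpfs_t:s0 tclass=file
type=AVC msg=audit(1260886087.629:18246): avc:  denied  { open } for  pid=1643 comm="corosync" name="control_buffer-nthIsl" dev=tmpfs ino=13417 scontext=unconfined_u:system_r:corosync_t:s0 tcontext=unconfined_u:object_r:tmpfs_t:s0 tclass=file
type=SYSCALL msg=audit(1260886087.629:18246): arch=c000003e syscall=2 success=yes exit=13 a0=ad9e58 a1=2 a2=180 a3=7fff0608dbc0 items=0 ppid=1632 pid=1643 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="corosync" exe="/usr/sbin/corosync" subj=unconfined_u:system_r:corosync_t:s0 key=(null)
type=AVC msg=audit(1260886087.629:18247): avc:  denied  { unlink } for  pid=1643 comm="corosync" name="control_buffer-nthIsl" dev=tmpfs ino=13417 scontext=unconfined_u:system_r:corosync_t:s0 tcontext=unconfined_u:object_r:tmpfs_t:s0 tclass=file
type=AVC msg=audit(1260886087.635:18248): avc:  denied  { search } for  pid=1643 comm="corosync" name="1632" dev=proc ino=13230 scontext=unconfined_u:system_r:corosync_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=dir
type=AVC msg=audit(1260886087.635:18248): avc:  denied  { read } for  pid=1643 comm="corosync" name="stat" dev=proc ino=13280 scontext=unconfined_u:system_r:corosync_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=file
type=AVC msg=audit(1260886087.635:18248): avc:  denied  { open } for  pid=1643 comm="corosync" name="stat" dev=proc ino=13280 scontext=unconfined_u:system_r:corosync_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=file
type=AVC msg=audit(1260886087.636:18249): avc:  denied  { getattr } for  pid=1643 comm="corosync" path="/proc/1632/stat" dev=proc ino=13280 scontext=unconfined_u:system_r:corosync_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=file
type=AVC msg=audit(1260886090.444:18250): avc:  denied  { write } for  pid=1801 comm="fence_node" name="cman_client" dev=dm-0 ino=20619 scontext=unconfined_u:system_r:fenced_t:s0 tcontext=unconfined_u:object_r:corosync_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1260886212.098:18252): avc:  denied  { search } for  pid=1932 comm="corosync" name="2085" dev=proc ino=17308 scontext=unconfined_u:system_r:corosync_t:s0 tcontext=unconfined_u:system_r:fenced_t:s0 tclass=dir'

avc_to_allow() {
    # Step 1: from each "avc: denied" record print, in this order, the source
    # type, target type, object class and the permission list. A context is
    # user:role:type:level, so the type is the third colon-separated field.
    sed -n 's/.*avc: *denied *{ *\([^}]*\)} for .*scontext=[^:]*:[^:]*:\([^: ]*\):[^ ]* tcontext=[^:]*:[^:]*:\([^: ]*\):[^ ]* tclass=\([a-z_]*\).*/\2 \3 \4 \1/p' |
    # Step 2: one line per (source, target, class, permission) tuple, deduplicated.
    awk '{ for (i = 4; i <= NF; i++) print $1, $2, $3, $i }' |
    LC_ALL=C sort -u |
    # Step 3: merge consecutive tuples that share (source, target, class)
    # into a single allow rule, bracing the permissions when there are several.
    awk '
        function emit() {
            if (index(perms, " ")) printf "allow %s %s:%s { %s };\n", src, tgt, cls, perms
            else printf "allow %s %s:%s %s;\n", src, tgt, cls, perms
        }
        {
            k = $1 " " $2 " " $3
            if (k != key) {
                if (key != "") emit()
                key = k; src = $1; tgt = $2; cls = $3; perms = ""
            }
            perms = (perms == "") ? $4 : perms " " $4
        }
        END { if (key != "") emit() }'
}

# Turn the report's own denials into rules; feed "avc_to_allow" from
# /var/log/audit/audit.log for a live system instead.
report_denials() {
    printf '%s\n' "$SAMPLE_AVCS" | avc_to_allow
}

report_denials
```

For the sample records this prints five rules, including `allow corosync_t tmpfs_t:file { open read unlink write };` and `allow fenced_t corosync_var_run_t:sock_file write;`, which match the plain-rule lines audit2allow produces for the same input (the -R pass then rewrites the tmpfs one as fs_manage_tmpfs_files(corosync_t)). Grouping by the (source, target, class) key is also the useful view when deciding on a fix: a whole cluster of denials against one target type, as with tmpfs_t here, usually means the file is mislabelled or created in the wrong domain rather than that each permission should be allowed one by one.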
Comment 1 Christine Caulfield 2009-12-15 09:22:18 EST
Maybe I should also add that turning the above audit2allow output into a policy fixes the problem.
Comment 2 Daniel Walsh 2009-12-15 09:31:06 EST
Is there a process running as initrc_t?

Who created the tmpfs file control_buffer-nthIsl
Comment 3 Daniel Walsh 2009-12-15 09:31:44 EST
I have added

optional_policy(`
	corosync_stream_connect(fenced_t)
')

To F12 and Rawhide, probably need this in RHEL5?
Comment 4 Christine Caulfield 2009-12-15 10:02:19 EST
I think it's the 'unfence' operation running as part of the init script that's running as initrc_t.

the control_buffer is created as part of the corosync IPC mechanism. Again this is most likely to be fence_tool during the unfencing stage of startup.

In RHEL5 it will probably be aisexec_stream_connect rather than corosync, but the communication methods are the same, yes
Comment 5 Daniel Walsh 2009-12-16 13:55:23 EST
Miroslav if we label unfence as fenced_exec_t, does this problem go away?
Comment 6 Miroslav Grepl 2009-12-16 14:46:08 EST
(In reply to comment #5)
> Miroslav if we label unfence as fenced_exec_t, does this problem go away?  

I believe that yes. We have labeling for '/usr/sbin/fence_node' as 'fenced_exec_t' in the rhcs policy and I guess that this is the same case. I will try it. 


Chrissie, 
could you also test it and add this labeling using the 'chcon' command.
Comment 7 Christine Caulfield 2009-12-17 05:54:54 EST
It seems that unfencing is actually done by the fence_node command (fence_node -U). 

I'll do some more investigation.
Comment 8 Christine Caulfield 2009-12-17 08:52:06 EST
I *think* that the problem is that fence_tool talks to both corosync and fenced when it attempts an unfence operation.

If I 

# chcon -t corosync_exec_t /usr/sbin/fence_node 

then things work, but I'm worried that it might affect other things that I haven't yet re-tested
Comment 9 Miroslav Grepl 2010-02-04 12:45:00 EST
(In reply to comment #8)
> I *think* that the problem is that fence_tool talks to both corosync and fenced
> when it attempts an unfence operation.
> 
> If I 
> 
> # chcon -t corosync_exec_t /usr/sbin/fence_node 
> 
> then things work, but I'm worried that it might affect other things that I
> haven't yet re-tested    

Chrissie,
 
I am playing with that but I am still seeing the problem related to the tmpfs file control_buffer-nthIsl.
Comment 10 Christine Caulfield 2010-02-05 04:59:02 EST
Oddly things seem to start up now (latest fedora12)

selinux-policy-3.6.32-78.fc12.noarch

But there are still some errors related to fencing:

allow corosync_t fenced_t:dir search;
allow corosync_t fenced_t:file { read getattr open };
#!!!! The source type 'corosync_t' can write to a 'file' of the following types:
# gfs_controld_tmpfs_t, dlm_controld_tmpfs_t, corosync_var_log_t, fenced_tmpfs_t, corosync_tmp_t, var_lib_t, corosync_tmpfs_t, corosync_var_lib_t, corosync_var_run_t, root_t
Comment 11 Miroslav Grepl 2010-02-05 05:21:36 EST
(In reply to comment #10)
> Oddly things seem to start up now (latest fedora12)
> 
> selinux-policy-3.6.32-78.fc12.noarch
> 
> But there are still some errors related to fencing:
> 
> allow corosync_t fenced_t:dir search;
> allow corosync_t fenced_t:file { read getattr open };

These are fixed in selinux-policy-3.6.32-84.fc12.noarch. This release should be in the updates-testing repo.
Comment 12 Christine Caulfield 2010-02-05 06:21:03 EST
That is much better :-)

I still get this though:

allow corosync_t tmpfs_t:file { read write unlink open };
Comment 13 Miroslav Grepl 2010-02-05 07:04:44 EST
Yes, I am trying to find a solution for this one but without success.
Comment 14 Daniel Walsh 2010-02-05 10:51:35 EST
Who is creating the tmpfs_t?  If it is created by corosync, why not create corosync_tmpfs_t and have it transition?
Comment 15 Miroslav Grepl 2010-03-05 10:31:43 EST
Dan, 
I missed your last comment.

Chrissie, 
I have checked cman init script again and it looks like cman_tool is creating the tmpfs_t in this case.

cman_tool -t $CMAN_CLUSTER_TIMEOUT -w join $cman_join_opts


So I guess we need a policy for cman_tool.
Comment 16 Daniel Walsh 2010-03-05 11:58:59 EST
Or have it run as corosync_t?
Comment 17 Christine Caulfield 2010-03-08 05:23:01 EST
cman_tool communicates with corosync over a named pipe; that's largely all it does, so making it run as corosync_t makes sense, I think.
Comment 18 Miroslav Grepl 2010-03-08 06:49:56 EST
Created attachment 398510 [details]
corosync local policy

Chrissie, 
could you try to test the corosync local policy which I attached.

# chcon -t corosync_exec_t /usr/sbin/cman_tool
# make -f /usr/share/selinux/devel/Makefile
# semodule -i mycorosync.pp
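The three commands above relabel cman_tool by hand and then build and load whatever .te/.fc files sit in the current directory. The attached module's contents are not shown in this report, so the script below is an added example, not the attachment and not selinux-policy's own sources: it writes a minimal local module under the same name, mycorosync, whose .fc file carries the cman_tool label that chcon sets, so the label survives a restorecon or full relabel, and then runs the same build and load steps. The .te and .fc bodies, the function names and the directory handling are this example's assumptions.

```shell
#!/bin/sh
# Build a local policy module that labels /usr/sbin/cman_tool corosync_exec_t.
# Added example, not the "corosync local policy" attached above (its contents
# are not shown in the report) and not selinux-policy's own sources. The
# module name mycorosync comes from the "semodule -i mycorosync.pp" step;
# the .te and .fc bodies below are this example's assumption.

write_mycorosync_sources() {
    dir=$1
    mkdir -p "$dir"
    # A module that only ships file contexts still has to require the type
    # its .fc references, otherwise linking the module fails.
    cat > "$dir/mycorosync.te" <<'EOF'
policy_module(mycorosync, 1.0)

require {
        type corosync_exec_t;
}
EOF
    # Same label that "chcon -t corosync_exec_t /usr/sbin/cman_tool" sets by
    # hand, but as a file context it is reapplied by restorecon and relabels.
    cat > "$dir/mycorosync.fc" <<'EOF'
/usr/sbin/cman_tool  --  gen_context(system_u:object_r:corosync_exec_t,s0)
EOF
}

build_and_load_mycorosync() {
    dir=$1
    # The devel Makefile and semodule come from selinux-policy-devel /
    # policycoreutils; without them just leave the sources in place.
    if ! command -v semodule >/dev/null 2>&1 || [ ! -f /usr/share/selinux/devel/Makefile ]; then
        echo "selinux-policy-devel is not installed; sources left in $dir" >&2
        return 1
    fi
    ( cd "$dir" && make -f /usr/share/selinux/devel/Makefile ) &&
        semodule -i "$dir/mycorosync.pp" &&
        restorecon -v /usr/sbin/cman_tool
}

MODDIR=${MODDIR:-$(mktemp -d)}
write_mycorosync_sources "$MODDIR"
build_and_load_mycorosync "$MODDIR" || true
```

Without building a module, the equivalent persistent change is `semanage fcontext -a -t corosync_exec_t /usr/sbin/cman_tool` followed by `restorecon -v /usr/sbin/cman_tool`; a bare chcon is undone by the next relabel. Either way the point of the label is the domain transition: once cman_tool is an entrypoint for corosync_t, the IPC files it creates on tmpfs are no longer plain tmpfs_t, which is what the remaining `allow corosync_t tmpfs_t:file { read write unlink open }` denial was about.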
Comment 19 Christine Caulfield 2010-03-08 09:02:59 EST
Hiya,

That works fine for me. I now get a totally clean startup :-)
Comment 20 Miroslav Grepl 2010-03-08 10:06:15 EST
Fixed in selinux-policy-3.6.32-100.fc12
Comment 21 Fedora Update System 2010-03-15 18:17:18 EDT
selinux-policy-3.6.32-103.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-103.fc12
Comment 22 Fedora Update System 2010-03-16 19:23:34 EDT
selinux-policy-3.6.32-103.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-103.fc12
Comment 23 Fedora Update System 2010-03-19 23:29:33 EDT
selinux-policy-3.6.32-103.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.
