Created attachment 408105 [details]
AVC denied message from audit.log

Description of problem:
When SELinux is in enforcing mode, the piranha-gui service from Linux Virtual Server cannot be started.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.4.6-279.el5
piranha-0.8.4-16.el5

How reproducible:
always

Steps to Reproduce:
1. yum install piranha
2. piranha-passwd
3. service piranha-gui start

Actual results:
Starting piranha-gui: (13)Permission denied: make_sock: could not bind to address [::]:3636
(13)Permission denied: make_sock: could not bind to address 0.0.0.0:3636
no listening sockets available, shutting down
Unable to open logs
[FAILED]

Expected results:
Linux Virtual Server should work with SELinux in enforcing mode.

Additional info:
The AVC denied messages are attached. These are from starting piranha-gui in SELinux permissive mode, configuring an HTTP service in Piranha, and starting the pulse system service.
# semanage port -a -t http_port_t -p tcp 3636
# chcon -R -t httpd_var_lib_t /var/log/piranha/

Should get it started. What avc messages do you get then?

Why is httpd trying to start the pulse service?
(In reply to comment #1)
> # semanage port -a -t http_port_t -p tcp 3636
> # chcon -R -t httpd_var_lib_t /var/log/piranha/
>
> Should get it started. What avc messages do you get then?

piranha-gui starts with these changes, but there are still AVC denied messages, attached as avc-denied-2.txt.

> Why is httpd trying to start the pulse service?

pulse is not started by httpd, but by running "service pulse start" on the command line. That's done after the HA service has been configured in Piranha, to monitor the application servers.
Created attachment 408254 [details] AVC denied message after changes from comment #1
type=AVC msg=audit(1271921838.376:572): avc: denied { execute_no_trans } for pid=32507 comm="sh" path="/etc/rc.d/init.d/pulse" dev=dm-0 ino=888183 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file

This AVC shows a process running as httpd_t attempting to execute_no_trans /etc/rc.d/init.d/pulse? If this was started by hand, the process trying to start the init script would be unconfined_t.
(In reply to comment #4)
> This AVC shows a process running as httpd_t attempting to execute_no_trans
> /etc/rc.d/init.d/pulse?

Right, overlooked that. I guess that Piranha automatically starts the pulse system service as soon as an HA service is defined and activated in the Web UI.
Any chance you could move this to the pulseaudio_gui script to start it rather than httpd? We will have to give a ton of privs to piranha if it is allowed to start other services. I think Miroslav is working on pulse policy now.
(In reply to comment #6)
> Any chance you could move this to the pulseaudio_gui script to start it rather
> than httpd?

"pulse" in this ticket is not pulseaudio. In Linux Virtual Server, pulse is "the controlling daemon that spawns off the lvs daemon as well as heartbeating and monitoring of services on the real servers".

> We will have to give a ton of privs to piranha if it is allowed to start other
> services.

Someone from the cluster team has to reply to this.
I would imagine that this is not much different than the privileges given to rgmanager since it also invokes other daemons through their init scripts. So the same technique used to provide SELinux policy to rgmanager could be used for piranha perhaps? mgrepl helped out with the policy generation for rgmanager iirc, so cc'ing here for his thoughts.
@Carsten: Yes, pulse can run monitoring scripts. The difference between pulse and rgmanager is that pulse runs only user-defined scripts (rgmanager runs both user-defined scripts and our resource agents).
From my point of view we need to create a policy for these daemons:

pulse - heartbeating daemon for monitoring the health of cluster nodes
lvsd - daemon to control the Red Hat clustering services

and also for piranha_gui, but that needs the change which Dan described here: https://bugzilla.redhat.com/show_bug.cgi?id=584451#c2
Piranha policy will be added in selinux-policy-2.4.6-280.el5.

Preview is available on http://people.redhat.com/dwalsh/SELinux/RHEL5/noarch

Please test and tell us what blows up on you.

The following workaround is needed for piranha-gui:

# service piranha-gui stop
# chcon -t piranha_web_exec_t /usr/sbin/httpd
# service piranha-gui start
# restorecon -R -v /usr/sbin/httpd
With selinux-policy-2.4.6-280.el5, I still get two AVC denied messages:

type=AVC msg=audit(1273650686.040:394): avc: denied { ptrace } for pid=5299 comm="ps" scontext=root:system_r:piranha_web_t:s0 tcontext=root:system_r:piranha_web_t:s0 tclass=process

type=AVC msg=audit(1273650944.812:395): avc: denied { read write } for pid=5376 comm="ipvsadm" path="socket:[64405]" dev=sockfs ino=64405 scontext=root:system_r:iptables_t:s0 tcontext=root:system_r:piranha_lvs_t:s0 tclass=rawip_socket
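The AVC records quoted in comment 4 and in the report above are the raw material the policy additions were derived from, and reading them by hand (which field is the source domain, which the target type, which permission was refused) is the main skill this ticket exercises. As an added illustration, not code from this ticket, from the piranha package or from the policycoreutils tools, here is a small Python parser that takes those lines, splits each security context into its type, and merges the denials into allow-rule skeletons the way audit2allow would. It also flags the execute_no_trans denial separately, because that is the one the discussion says should be solved by a domain transition rather than by a plain allow rule. The sample input is constructed from the lines on this page plus one made-up SYSCALL record to show that non-AVC records are skipped; the audit2allow-style output is a simplification, not a substitute for the real tool.

```python
import re
from dataclasses import dataclass

# Constructed sample input for this example: the three AVC records quoted in
# this ticket, plus one invented non-AVC record to show that the parser skips
# it. Real audit.log files interleave many record types per event serial.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1271921838.376:572): avc: denied { execute_no_trans } for pid=32507 comm="sh" path="/etc/rc.d/init.d/pulse" dev=dm-0 ino=888183 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file
type=AVC msg=audit(1273650686.040:394): avc: denied { ptrace } for pid=5299 comm="ps" scontext=root:system_r:piranha_web_t:s0 tcontext=root:system_r:piranha_web_t:s0 tclass=process
type=AVC msg=audit(1273650944.812:395): avc: denied { read write } for pid=5376 comm="ipvsadm" path="socket:[64405]" dev=sockfs ino=64405 scontext=root:system_r:iptables_t:s0 tcontext=root:system_r:piranha_lvs_t:s0 tclass=rawip_socket
type=SYSCALL msg=audit(1273650944.812:395): arch=c000003e syscall=2 success=no exit=-13 comm="ipvsadm"
"""

# Header of an AVC record: timestamp, serial, result and the permission set.
AVC_RE = re.compile(
    r"^type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s+avc:\s+"
    r"(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$"
)
# key=value pairs after "for"; values may be quoted (comm, path) or bare.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


@dataclass
class Avc:
    ts: float
    serial: int
    result: str
    perms: frozenset
    fields: dict

    # Contexts are user:role:type:level; the type is what policy rules use.
    @property
    def stype(self):
        return self.fields["scontext"].split(":")[2]

    @property
    def ttype(self):
        return self.fields["tcontext"].split(":")[2]

    @property
    def tclass(self):
        return self.fields["tclass"]


def parse_avc_lines(text):
    """Return one Avc per AVC record in text; other audit record types are skipped."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.match(line.strip())
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
        records.append(Avc(float(m.group("ts")), int(m.group("serial")), m.group("result"),
                           frozenset(m.group("perms").split()), fields))
    return records


def summarize_rules(records):
    """Merge denials into allow-rule skeletons keyed on (source type, target type, class).

    Simplified version of what audit2allow prints: a source and target of the same
    type become 'self', and permissions for the same triple are merged into one rule.
    """
    merged = {}
    for r in records:
        if r.result != "denied":
            continue
        target = "self" if r.stype == r.ttype else r.ttype
        merged.setdefault((r.stype, target, r.tclass), set()).update(r.perms)
    rules = []
    for (s, t, c), perms in sorted(merged.items()):
        plist = " ".join(sorted(perms))
        rules.append("allow %s %s:%s %s;" % (s, t, c, plist if len(perms) == 1 else "{ %s }" % plist))
    return rules


def needs_domain_transition(records):
    """Flag execute_no_trans denials on *_exec_t files.

    Allowing these literally would run the target program inside the caller's
    domain (here the pulse init script inside httpd_t), which is the privilege
    pile-up comment 6 objects to. The usual fix is a domain transition into a
    separate confined domain, not the allow rule audit2allow would print.
    """
    return [(r.stype, r.ttype, r.fields.get("path", "?"))
            for r in records
            if r.result == "denied" and "execute_no_trans" in r.perms
            and r.tclass == "file" and r.ttype.endswith("_exec_t")]


if __name__ == "__main__":
    recs = parse_avc_lines(SAMPLE_AUDIT_LOG)
    for rule in summarize_rules(recs):
        print(rule)
    for s, t, path in needs_domain_transition(recs):
        print("# %s executing %s (%s): wants a domain transition, not execute_no_trans" % (s, path, t))
```

Run against a real /var/log/audit/messages the same functions work unchanged; the point of the needs_domain_transition check is that the ptrace and rawip_socket denials are ordinary allow rules for the new piranha_web_t and piranha_lvs_t domains, while the httpd_t execute_no_trans denial is a sign the web UI needs its own domain (which is what the piranha_web_exec_t workaround in the -280 preview provides).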
Fixed in selinux-policy-2.4.6-281.el5.noarch
Fixed in selinux-policy-2.4.6-287.el5.noarch
Fixed in selinux-policy-2.4.6-296.el5
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
Prior to this update, SELinux did not support Piranha, a set of miscellaneous tools to administer and configure the Linux Virtual Server, as well as heartbeating and failover components. Consequently, users of Piranha with SELinux running in the enforcing mode could encounter various issues. With this update, a new SELinux policy for these tools has been added, resolving these issues.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0026.html