Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
Bug 584447 - ipvsadm/piranha does not work with SELinux enabled
ipvsadm/piranha does not work with SELinux enabled
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy-targeted (Show other bugs)
5.5
All Linux
low Severity medium
: rc
: ---
Assigned To: Miroslav Grepl
Milos Malik
:
Depends On:
Blocks: 584451 604741 604742
  Show dependency treegraph
 
Reported: 2010-04-21 11:26 EDT by Carsten Clasohm
Modified: 2016-04-26 10:03 EDT (History)
14 users (show)

See Also:
Fixed In Version: selinux-policy-2.4.6-296.el5
Doc Type: Bug Fix
Doc Text:
Prior to this update, SELinux did not support Piranha, a set of miscellaneous tools to administer and configure the Linux Virtual server, as well as heartbeating and failover components. Consequent to this, users of Piranha with SELinux running in the enforcing mode could encounter various issues. With this update, a new SELinux policy for these tools have been added, resolving these issues.
Story Points: ---
Clone Of:
: 584451 (view as bug list)
Environment:
Last Closed: 2011-01-13 16:49:17 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
AVC denied message from audit.log (21.85 KB, text/plain)
2010-04-21 11:26 EDT, Carsten Clasohm
no flags Details
AVC denied message after changes from comment #1 (30.42 KB, text/plain)
2010-04-22 03:45 EDT, Carsten Clasohm
no flags Details


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2011:0026 normal SHIPPED_LIVE selinux-policy bug fix and enhancement update 2011-01-12 11:11:15 EST

  None (edit)
Description Carsten Clasohm 2010-04-21 11:26:53 EDT
Created attachment 408105 [details]
AVC denied message from audit.log

Description of problem:

When SELinux is in enforcing mode, the piranha-gui service from Linux Virtual Server cannot be started.


Version-Release number of selected component (if applicable):

selinux-policy-targeted-2.4.6-279.el5
piranha-0.8.4-16.el5


How reproducible:

always


Steps to Reproduce:
1. yum install piranha
2. piranha-passwd
3. service piranha-gui start
  
Actual results:

Starting piranha-gui: (13)Permission denied: make_sock: could not bind to address [::]:3636
(13)Permission denied: make_sock: could not bind to address 0.0.0.0:3636
no listening sockets available, shutting down
Unable to open logs
                                                           [FAILED]

Expected results:

Linux Virtual Server should work with SELinux in enforcing mode.


Additional info:

The AVC denied messages are attached. These are from starting piranha-gui in SELinux permissive mode, configuring an HTTP service in Piranha, and starting the pulse system service.
Comment 1 Daniel Walsh 2010-04-21 12:34:55 EDT
    # semanage port -a -t http_port_t -p tcp 3636
    # chcon -R -t httpd_var_lib_t /var/log/piranha/

    Should get it started.  What avc messages do you get then?  

    Why is httpd trying to start the pulse service?
Comment 2 Carsten Clasohm 2010-04-22 03:44:17 EDT
(In reply to comment #1)
>     # semanage port -a -t http_port_t -p tcp 3636
>     # chcon -R -t httpd_var_lib_t /var/log/piranha/
> 
>     Should get it started.  What avc messages do you get then?  

piranha-gui starts with these changes, but there are still AVC denied messages, attached as avc-denied-2.txt.

>     Why is httpd trying to start the pulse service?    

pulse is not started by httpd, but by running "service pulse start" on the command line. That's done after the HA service has been configured in Piranha, to monitor the application servers.
Comment 3 Carsten Clasohm 2010-04-22 03:45:39 EDT
Created attachment 408254 [details]
AVC denied message after changes from comment #1
Comment 4 Daniel Walsh 2010-04-22 08:38:37 EDT
type=AVC msg=audit(1271921838.376:572): avc:  denied  { execute_no_trans } for  pid=32507 comm="sh" path="/etc/rc.d/init.d/pulse" dev=dm-0 ino=888183 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file

This AVC shows a process running as httpd_t attempting to execute_no_trans /etc/rc.d/init.d/pulse?

If this was started by hand the process trying to start the init script would be unconfined_t.
Comment 5 Carsten Clasohm 2010-04-23 06:55:46 EDT
(In reply to comment #4)
> This AVC shows a process running as httpd_t attempting to execute_no_trans
> /etc/rc.d/init.d/pulse?

Right, overlooked that. I guess that Piranha automatically starts the pulse system service as soon as a HA service is defined and activated in the Web UI.
Comment 6 Daniel Walsh 2010-04-23 09:17:52 EDT
Any chance you could move this to the pulseaudio_gui script to start it rather then httpd?

We will have to give a ton of privs to piranha if it is allowed to start other services.

I think Miroslav is working on pulse policy now.
Comment 7 Carsten Clasohm 2010-04-23 10:05:41 EDT
(In reply to comment #6)
> Any chance you could move this to the pulseaudio_gui script to start it rather
> then httpd?

"pulse" in this ticket is not pulseaudio.

In Linux Virtual Server, pulse is "the controlling daemon that spawns off the lvs daemon as well as heartbeating and monitoring of services on the real servers".

> We will have to give a ton of privs to piranha if it is allowed to start other
> services.

Someone from the cluster team has to reply to this.
Comment 8 Perry Myers 2010-04-23 10:15:03 EDT
I would imagine that this is not much different than the privileges given to rgmanager since it also invokes other daemons through their init scripts.  So the same technique used to provide SELinux policy to rgmanager could be used for piranha perhaps?

mgrepl helped out with the policy generation for rgmanager iirc, so cc'ing here for his thoughts.
Comment 9 Marek Grac 2010-04-23 10:35:33 EDT
@Carsten:

Yes, pulse can run monitoring scripts. Difference between pulse and rgmanager is that there are just user-defined scripts (in rgmanager there are both user-defined and our resource agents)
Comment 10 Miroslav Grepl 2010-04-26 03:20:40 EDT
From my point of view we need to create a policy for these daemons

pulse - heartbeating daemon for monitoring the health of cluster nodes
lvsd - daemon to control the Red Hat clustering services.

and also for piranha_gui, but there is needed the change which Dan described here:

https://bugzilla.redhat.com/show_bug.cgi?id=584451#c2
Comment 17 Miroslav Grepl 2010-05-11 08:46:17 EDT
Piranha policy will add to selinux-policy-2.4.6-280.el5. 

Preview is available on 

http://people.redhat.com/dwalsh/SELinux/RHEL5/noarch

Please test and tell us what blows up on you.



The following workaround is needed for piranha-gui

# service piranha-gui stop
# chcon -t piranha_web_exec_t /usr/sbin/httpd
# service piranha-gui start
# restorecon -R -v /usr/sbin/httpd
Comment 18 Carsten Clasohm 2010-05-12 03:58:41 EDT
With selinux-policy-2.4.6-280.el5, I still get two AVC denied messages:

type=AVC msg=audit(1273650686.040:394): avc:  denied  { ptrace } for  pid=5299 comm="ps" scontext=root:system_r:piranha_web_t:s0 tcontext=root:system_r:piranha_web_t:s0 tclass=process

type=AVC msg=audit(1273650944.812:395): avc:  denied  { read write } for  pid=5376 comm="ipvsadm" path="socket:[64405]" dev=sockfs ino=64405 scontext=root:system_r:iptables_t:s0 tcontext=root:system_r:piranha_lvs_t:s0 tclass=rawip_socket
Comment 19 Miroslav Grepl 2010-07-22 05:28:33 EDT
Fixed in selinux-policy-2.4.6-281.el5.noarch
Comment 23 Miroslav Grepl 2010-10-14 04:41:24 EDT
Fixed in selinux-policy-2.4.6-287.el5.noarch
Comment 29 Miroslav Grepl 2010-11-30 04:31:25 EST
Fixed in selinux-policy-2.4.6-296.el5
Comment 31 Jaromir Hradilek 2011-01-05 11:14:35 EST
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Prior to this update, SELinux did not support Piranha, a set of miscellaneous tools to administer and configure the Linux Virtual server, as well as heartbeating and failover components. Consequent to this, users of Piranha with SELinux running in the enforcing mode could encounter various issues. With this update, a new SELinux policy for these tools have been added, resolving these issues.
Comment 33 errata-xmlrpc 2011-01-13 16:49:17 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0026.html

Note You need to log in before you can comment on or make changes to this bug.