Bug 588680 - openais-cfgtool hangs in RHEL 5.5 when SELinux is enabled
Status: CLOSED CANTFIX
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.5
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Assignee: Miroslav Grepl
QA Contact: BaseOS QE Security Team
Reported: 2010-05-04 09:30 UTC by Tomas Smetana
Modified: 2018-11-14 17:04 UTC

Doc Type: Bug Fix
Last Closed: 2010-11-23 16:41:49 UTC


Attachments:
The AVC messages (11.14 KB, text/plain), 2010-05-04 09:31 UTC, Tomas Smetana
The AVC messages after re-label and restarting the services (3.61 KB, text/plain), 2010-05-13 10:45 UTC, Tomas Smetana

Description Tomas Smetana 2010-05-04 09:30:18 UTC
Description of problem:
The command "openais-cfgtool -s" hangs after the message "Printing ring status." on a system with SELinux set to enforcing.

Version-Release number of selected component (if applicable):
selinux-policy-2.4.6-279.el5
selinux-policy-targeted-2.4.6-279.el5

How reproducible:
Always

Steps to Reproduce:
1. openais-cfgtool -s
  
Actual results:
openais-cfgtool hangs and AVC messages appear in the audit log

Expected results:
no hang, no AVC messages

Additional info:

Comment 1 Tomas Smetana 2010-05-04 09:31:10 UTC
Created attachment 411232
The AVC messages

Comment 2 Daniel Walsh 2010-05-04 17:39:21 UTC
Miroslav

Add

userdom_rw_semaphores(aisexec_t)
userdom_rw_unpriv_user_shared_mem(aisexec_t)

Tomas, what process is running as initrc_t?

ps -eZ | grep initrc_t

Comment 3 Tomas Smetana 2010-05-10 08:25:40 UTC
(In reply to comment #2)

[root@server1 ~]# ps -eZ | grep initrc_t
system_u:system_r:initrc_t       5972 ?        00:00:27 qdiskd
system_u:system_r:initrc_t       5981 ?        00:00:00 groupd
system_u:system_r:initrc_t       5988 ?        00:00:00 fenced
system_u:system_r:initrc_t       5994 ?        00:00:00 dlm_controld
system_u:system_r:initrc_t       6000 ?        00:00:00 gfs_controld
system_u:system_r:initrc_t       6343 ?        00:00:00 osad
system_u:system_r:initrc_t       6566 ?        00:00:00 hpasmlited
system_u:system_r:initrc_t       6628 ?        00:00:00 rhnsd
system_u:system_r:initrc_t       6982 ?        00:00:00 clurgmgrd
system_u:system_r:initrc_t       6983 ?        00:02:45 clurgmgrd

Comment 4 Miroslav Grepl 2010-05-11 13:50:29 UTC
Tomas,
could you try to run 

# restorecon -R -v /usr/sbin/

and then restart these services. Cluster services shouldn't be running in the initrc domain.

Comment 5 Tomas Smetana 2010-05-13 10:44:53 UTC
Hello,
  yes, there were some mis-labelled binaries there:

[root@server1 ~]# restorecon -Rv /usr/sbin
restorecon reset /usr/sbin/clubufflush context system_u:object_r:sbin_t:s0->system_u:object_r:fsadm_exec_t:s0
restorecon reset /usr/sbin/clurgmgrd context system_u:object_r:sbin_t:s0->system_u:object_r:rgmanager_exec_t:s0
restorecon reset /usr/sbin/qdiskd context system_u:object_r:sbin_t:s0->system_u:object_r:qdiskd_exec_t:s0 

However, the restart of the services resulted in the same AVC messages in the logs.

Comment 6 Tomas Smetana 2010-05-13 10:45:48 UTC
Created attachment 413710
The AVC messages after re-label and restarting the services

Comment 7 Miroslav Grepl 2010-05-21 13:25:36 UTC
Ok,

what process is running as initrc_t now?

ps -eZ | grep initrc_t

Comment 8 Tomas Smetana 2010-05-26 12:04:25 UTC
# ps -eZ | grep initrc_t
system_u:system_r:initrc_t       5943 ?        00:00:00 groupd
system_u:system_r:initrc_t       5950 ?        00:00:00 fenced
system_u:system_r:initrc_t       5956 ?        00:00:00 dlm_controld
system_u:system_r:initrc_t       5962 ?        00:00:00 gfs_controld
system_u:system_r:initrc_t       6306 ?        00:00:01 osad
system_u:system_r:initrc_t       6498 ?        00:00:00 hpasmlited
system_u:system_r:initrc_t       6560 ?        00:00:00 rhnsd
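
A triage sketch for the pattern in comments 3 to 8, added here and not part of the bug thread: it subtracts the binaries that restorecon relabelled from the processes seen in initrc_t, leaving the daemons that mislabelling does not explain. The function names are hypothetical, and the sample input is copied from comments 3 and 5 plus one constructed aisexec_t line.

```shell
#!/bin/sh
# Added example, not from the bug report; function names are hypothetical.
# Lists commands running in initrc_t whose binary restorecon did NOT relabel.
#   $1 = file with `ps -eZ` output, $2 = file with `restorecon -Rv` output
# A relabelled binary accounts for its daemon landing in initrc_t; leftovers
# need their own labeling or policy fix.
unexplained_initrc() {
    awk '
        pass == 1 && $1 == "restorecon" && $2 == "reset" { n = split($3, p, "/"); fixed[p[n]] = 1 }
        pass == 2 { split($1, ctx, ":")    # context is user:role:type[:level]
                    if (ctx[3] == "initrc_t" && !($NF in fixed)) print $NF }
    ' pass=1 "$2" pass=2 "$1" | sort -u
}

# Sample `ps -eZ` lines from comment 3, plus one constructed aisexec_t line.
sample_ps() {
    cat <<'EOF'
system_u:system_r:aisexec_t      5900 ?        00:00:03 aisexec
system_u:system_r:initrc_t       5972 ?        00:00:27 qdiskd
system_u:system_r:initrc_t       5981 ?        00:00:00 groupd
system_u:system_r:initrc_t       5988 ?        00:00:00 fenced
system_u:system_r:initrc_t       5994 ?        00:00:00 dlm_controld
system_u:system_r:initrc_t       6000 ?        00:00:00 gfs_controld
system_u:system_r:initrc_t       6343 ?        00:00:00 osad
system_u:system_r:initrc_t       6566 ?        00:00:00 hpasmlited
system_u:system_r:initrc_t       6628 ?        00:00:00 rhnsd
system_u:system_r:initrc_t       6982 ?        00:00:00 clurgmgrd
system_u:system_r:initrc_t       6983 ?        00:02:45 clurgmgrd
EOF
}

# Sample restorecon output from comment 5.
sample_restorecon() {
    cat <<'EOF'
restorecon reset /usr/sbin/clubufflush context system_u:object_r:sbin_t:s0->system_u:object_r:fsadm_exec_t:s0
restorecon reset /usr/sbin/clurgmgrd context system_u:object_r:sbin_t:s0->system_u:object_r:rgmanager_exec_t:s0
restorecon reset /usr/sbin/qdiskd context system_u:object_r:sbin_t:s0->system_u:object_r:qdiskd_exec_t:s0
EOF
}

# Run the check on the samples; prints one command name per line.
demo() {
    d=$(mktemp -d) || return 1
    sample_ps > "$d/ps"; sample_restorecon > "$d/restorecon"
    unexplained_initrc "$d/ps" "$d/restorecon"
    rm -rf "$d"
}

demo
```

On the sample it prints the same seven daemons that comment 8 still shows in initrc_t after the relabel.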

