Bug 633901 - cmirror triggers AVC denials in RHEL5.5
Summary: cmirror triggers AVC denials in RHEL5.5
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.5
Hardware: All
OS: Linux
Priority: urgent
Severity: urgent
Target Milestone: rc
Target Release: ---
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks: 644821
Reported: 2010-09-14 15:57 UTC by Jonathan Earl Brassow
Modified: 2012-10-16 11:01 UTC (History)

Fixed In Version: selinux-policy-2.4.6-284.el5
Doc Type: Bug Fix
Doc Text:
Due to an incorrect SELinux policy, the aisexec service was unable to use shared memory segments as an unprivileged user. This error has been fixed, the relevant SELinux policy has been corrected, and aisexec now works as expected.
Clone Of:
Environment:
Last Closed: 2011-01-13 21:50:25 UTC
Target Upstream Version:
Embargoed:




Links
Red Hat Product Errata RHBA-2011:0026 (priority normal, status SHIPPED_LIVE): selinux-policy bug fix and enhancement update, last updated 2011-01-12 16:11:15 UTC

Description Jonathan Earl Brassow 2010-09-14 15:57:21 UTC
openAIS versions tried:
openais-0.80.6-16.el5
openais-0.80.6-27.el5

'clogd' - the cluster log daemon used by cluster mirrors - makes use of openAIS checkpoints when starting up.  Before a node joins a CPG (which will cause existing nodes to send a checkpoint), it attempts to remove any stale checkpoints that may be left over from previous sessions.  It does this using the following logic:

1) open checkpoint
2) open failed because checkpoint doesn't exist?  Done.
3) checkpoint exists - unlink checkpoint
4) close checkpoint

Sometimes (most times), there may not be a residual checkpoint.

'clogd' is stuck indefinitely in saCkptCheckpointOpen (step 1 above).  Here is the backtrace from GDB:

#0  0x0000003348ad517a in semtimedop () from /lib64/libc.so.6
#1  0x0000003178c01bfc in ipc_sem_wait (ipc_context=0x14f3d110, iov=<value optimized out>,
    iov_len=<value optimized out>, res_msg=0x7fff7e9c7470, res_len=32) at util.c:490
#2  openais_reply_receive (ipc_context=0x14f3d110, iov=<value optimized out>,
    iov_len=<value optimized out>, res_msg=0x7fff7e9c7470, res_len=32) at util.c:681
#3  openais_msg_send_reply_receive (ipc_context=0x14f3d110, iov=<value optimized out>,
    iov_len=<value optimized out>, res_msg=0x7fff7e9c7470, res_len=32) at util.c:720
#4  0x00000031790037a2 in saCkptCheckpointOpen (ckptHandle=7749363892505018368,
    checkpointName=0x7fff7e9c78d0, checkpointCreationAttributes=0x0,
    checkpointOpenFlags=1, timeout=<value optimized out>, checkpointHandle=0x7fff7e9c78c8)
    at ckpt.c:620
#5  0x000000000041ada6 in remove_checkpoint (entry=0x14f3fee0) at cluster.c:1455
#6  0x000000000041bca9 in create_cluster_cpg (
    uuid=0x6385d4 "LVM-fHV1NOvCOdTcZMTYYlGPyob3LCkjCRNyKDWk4ORfIjMfpLdmK8qM7Wn0vaJ5qJ00",
    uuid_instance=1) at cluster.c:1519
#7  0x0000000000424428 in local_resume (tfr=0x6385c4) at functions.c:882
#8  0x000000000042ac66 in do_local_work (data=0x0) at local.c:232
#9  0x00000000004298ee in links_issue_callbacks () at link_mon.c:134
#10 0x0000000000401fbc in main (argc=1, argv=0x7fff7e9c8098) at clogd.c:51

Cluster mirrors cannot be started or tested because of this condition.

Comment 1 Steven Dake 2010-09-14 17:16:25 UTC
Jon used the repository version as well as version cmirror-1.1.39-10.el5 (which is the 5.6 version).  RHEL5.5 cmirrord was functional.  Note openais-0.80.6-16.el5 is the RHEL5.5 version, which appears to fail with RHEL5.5 openais.

Comment 2 Steven Dake 2010-09-14 18:54:37 UTC
type=AVC msg=audit(1284489475.292:38): avc:  denied  { unix_read unix_write } for  pid=7402 comm="aisexec" key=1714636915 scontext=root:system_r:aisexec_t:s0 tcontext=root:system_r:unconfined_t:s0-s0:c0.c1023 tclass=shm
type=SYSCALL msg=audit(1284489475.292:38): arch=c000003e syscall=29 success=no exit=-13 a0=66334873 a1=2dc6c8 a2=180 a3=100 items=0 ppid=1 pid=7402 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="aisexec" exe="/usr/sbin/aisexec" subj=root:system_r:aisexec_t:s0 key=(null)
type=AVC msg=audit(1284489475.292:39): avc:  denied  { unix_read unix_write } for  pid=7402 comm="aisexec" key=1957747793 scontext=root:system_r:aisexec_t:s0 tcontext=root:system_r:unconfined_t:s0-s0:c0.c1023 tclass=sem

Comment 3 Steven Dake 2010-09-14 18:55:23 UTC
Dan,

Is it possible to do the removal of the openais boolean as was done in corosync, or does this require a different solution?

Regards
-steve

Comment 5 Daniel Walsh 2010-09-14 20:08:11 UTC
No this is a different problem.  Miroslav I think we should just allow this.

We allow it in RHEL6.

 sesearch -A -s aisexec_t -t unconfined_t -c shm
Found 1 semantic av rules:
   allow aisexec_t unpriv_userdomain : shm { getattr read write associate unix_read unix_write lock } ;

Comment 8 Miroslav Grepl 2010-09-21 09:06:52 UTC
Fixed in selinux-policy-2.4.6-284.el5.

Comment 9 Miroslav Grepl 2010-09-23 13:54:37 UTC
# cat > myaisexec.te << _EOF

policy_module(myaisexec, 1.0)

# Types referenced below must be declared by the base policy.
require{
 type aisexec_t;
 type unconfined_t;
}

# Let aisexec (running as aisexec_t) create and use shared memory
# segments owned by the unconfined user domain.
allow aisexec_t unconfined_t:shm create_shm_perms;
allow aisexec_t unconfined_t:shm rw_shm_perms;
_EOF

# Build the module (myaisexec.pp) with the refpolicy development Makefile and load it.
# make -f /usr/share/selinux/devel/Makefile
# semodule -i myaisexec.pp

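Added example, not part of the bug report and not code from the selinux-policy package: a small Python script that parses the three audit records quoted in comment 2, groups the denied permissions by source type, target type and object class, and renders a loadable policy module that grants exactly those permissions, which is what audit2allow does. It also pairs the SYSCALL record with the AVC record of the same event serial: on arch=c000003e (x86_64) syscall 29 is shmget(), exit=-13 is EACCES, and the hex argument a0=66334873 is the same IPC key 1714636915 that the AVC record reports. Unlike the module in comment 9, which uses the broader create_shm_perms/rw_shm_perms macros and only mentions the shm class, the generated module lists the sem denial from event 39 as well. The module name myaisexec is taken from comment 9; the record layout assumed is the RHEL 5 audit format shown on this page.

```python
"""Turn SELinux AVC audit records into a minimal loadable policy module
(audit2allow style) and correlate them with their SYSCALL records."""
import re
from collections import defaultdict

# The three audit records copied verbatim from comment 2 (event serials 38 and 39).
SAMPLE_AUDIT = r'''
type=AVC msg=audit(1284489475.292:38): avc:  denied  { unix_read unix_write } for  pid=7402 comm="aisexec" key=1714636915 scontext=root:system_r:aisexec_t:s0 tcontext=root:system_r:unconfined_t:s0-s0:c0.c1023 tclass=shm
type=SYSCALL msg=audit(1284489475.292:38): arch=c000003e syscall=29 success=no exit=-13 a0=66334873 a1=2dc6c8 a2=180 a3=100 items=0 ppid=1 pid=7402 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="aisexec" exe="/usr/sbin/aisexec" subj=root:system_r:aisexec_t:s0 key=(null)
type=AVC msg=audit(1284489475.292:39): avc:  denied  { unix_read unix_write } for  pid=7402 comm="aisexec" key=1957747793 scontext=root:system_r:aisexec_t:s0 tcontext=root:system_r:unconfined_t:s0-s0:c0.c1023 tclass=sem
'''

RECORD_RE = re.compile(r'^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$')
PERMS_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value tokens, values may be quoted


def parse_record(line):
    """Return one audit record as a dict, or None if the line is not a record."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rec = {'type': m.group('type'), 'serial': int(m.group('serial'))}
    body = m.group('body')
    if rec['type'] == 'AVC':
        p = PERMS_RE.match(body)
        if not p:
            return None
        rec['perms'] = p.group('perms').split()   # e.g. ['unix_read', 'unix_write']
        body = p.group('rest')
    rec.update((k, v.strip('"')) for k, v in FIELD_RE.findall(body))
    return rec


def context_type(ctx):
    """user:role:type[:range] -> type (the part SELinux type enforcement uses)."""
    return ctx.split(':')[2]


def collect_denials(text):
    """Group denied permissions by (source type, target type, object class)."""
    denials = defaultdict(set)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec and rec['type'] == 'AVC':
            key = (context_type(rec['scontext']), context_type(rec['tcontext']), rec['tclass'])
            denials[key].update(rec['perms'])
    return denials


def correlate_syscalls(text):
    """Pair each SYSCALL record with the AVC record sharing its event serial and
    check that the first syscall argument (a0, hex) equals the AVC's IPC key.
    Returns [(serial, syscall_nr, exit_code, a0_matches_key), ...]."""
    by_serial = defaultdict(dict)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec:
            by_serial[rec['serial']][rec['type']] = rec
    out = []
    for serial, recs in sorted(by_serial.items()):
        if 'SYSCALL' in recs and 'AVC' in recs:
            sc, avc = recs['SYSCALL'], recs['AVC']
            out.append((serial, int(sc['syscall']), int(sc['exit']),
                        int(sc['a0'], 16) == int(avc['key'])))
    return out


def build_module(denials, name='myaisexec', version='1.0'):
    """Render a refpolicy loadable module granting exactly the denied permissions."""
    types, classes = set(), defaultdict(set)
    for (src, tgt, cls), perms in denials.items():
        types.update((src, tgt))
        classes[cls].update(perms)
    lines = ['policy_module(%s, %s)' % (name, version), '', 'require {']
    lines += ['\ttype %s;' % t for t in sorted(types)]
    lines += ['\tclass %s { %s };' % (c, ' '.join(sorted(p))) for c, p in sorted(classes.items())]
    lines += ['}', '']
    for (src, tgt, cls), perms in sorted(denials.items()):
        lines.append('allow %s %s:%s { %s };' % (src, tgt, cls, ' '.join(sorted(perms))))
    return '\n'.join(lines) + '\n'


if __name__ == '__main__':
    print(build_module(collect_denials(SAMPLE_AUDIT)))
    for serial, nr, err, ok in correlate_syscalls(SAMPLE_AUDIT):
        print('event %d: syscall %d failed with exit %d, a0 matches AVC key: %s' % (serial, nr, err, ok))
```

Write the output to myaisexec.te and build and load it exactly as comment 9 shows (make -f /usr/share/selinux/devel/Makefile, then semodule -i myaisexec.pp). semodule -i stores the module in the policy store, so it stays loaded across reboots and policy reloads until it is removed with semodule -r myaisexec; the errata package in the Fixed In Version field makes the local module unnecessary.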
Comment 10 Steven Dake 2010-09-23 16:26:12 UTC
needinfo is set for sdake, but no questions are asked.

Comment 13 Steven Dake 2010-09-24 20:08:46 UTC
does the workaround in comment #9 persist through reboots?  If not, what is recommended procedure to enable that?

Thanks

Comment 16 Jaromir Hradilek 2010-11-04 11:02:47 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Due to incorrect SELinux policy, cmirror was unable to start properly, and as a result, cluster mirrors could not be started at all. This error has been fixed, and SELinux no longer prevents cluster mirrors from being started.

Comment 18 Jaromir Hradilek 2011-01-05 16:20:22 UTC
    Technical note updated. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    Diffed Contents:
@@ -1 +1 @@
-Due to incorrect SELinux policy, cmirror was unable to start properly, and as a result, cluster mirrors could not be started at all. This error has been fixed, and SELinux no longer prevents cluster mirrors from being started.+Due to an incorrect SELinux policy, the aisexec service was unable to use shared memory segments as an unprivileged user. This error has been fixed, the relevant SELinux policy has been corrected, and aisexec now works as expected.

Comment 20 errata-xmlrpc 2011-01-13 21:50:25 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0026.html
