Bug 678496 - ipvsadm pulse and selinux don't play well
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.6
Hardware: x86_64 Linux
Priority: medium Severity: medium
Assigned To: Miroslav Grepl
QA Contact: Milos Malik
Depends On:
Blocks:
Reported: 2011-02-18 04:21 EST by Stuart Auchterlonie
Modified: 2012-09-21 04:32 EDT (History)

Fixed In Version: selinux-policy-2.4.6-303.el5
Doc Type: Bug Fix
Last Closed: 2011-07-21 05:19:47 EDT


Attachments
selinux info for starting ipvsadm to sync data. (97.34 KB, application/x-gzip)
2011-03-11 06:06 EST, Stuart Auchterlonie
selinux info for attempting to bring up a failover service (vsftpd) (1.21 MB, application/x-gzip)
2011-03-11 06:13 EST, Stuart Auchterlonie

Description Stuart Auchterlonie 2011-02-18 04:21:07 EST
Description of problem:

There appears to be a lack of selinux policy relating
to pulse and ipvsadm in general. 

Version-Release number of selected component (if applicable):

piranha-0.8.4-7.el5
ipvsadm-1.24-8.1
selinux-policy-targeted-2.4.6-300.el5

How reproducible:

Always.


Steps to Reproduce:

Scenario 1:
1. Configure a failover service as follows
   a. 2 servers
   b. vsftpd is the service to failover
   c. a virtual ip address for vsftpd to use.
2. attempt to start pulse


After making some local selinux policies with
audit2allow to get the service to start, it appears
that when vsftpd is started by pulse it inherits
the system_u:system_r:piranha_pulse_t context
and therefore violates existing ftpd policy.


Scenario 2:
Configure ipvsadm with the following in
/etc/sysconfig/ipvsadm

{{{
--start-daemon=backup --mcast-interface=eth1
--start-daemon=master --mcast-interface=eth1
}}}

When attempting to start ipvsadm repeated
selinux denials are seen.



Actual results:

observe repeated selinux denials.



Expected results:

Failover service should startup without selinux denials.

Additional info:
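One way to triage the AVC records the report describes, separating permissions pulse itself is missing from records that show vsftpd never left the piranha_pulse_t domain (added example, not code from the report or its attachments; the sample audit lines are constructed, and it assumes ftpd_t is vsftpd's own domain):

```python
import re
from collections import defaultdict

# Field layout of an SELinux AVC record as auditd writes it to /var/log/audit/audit.log.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?comm="(?P<comm>[^"]+)"'
    r'.*?scontext=\w+:\w+:(?P<sdomain>\w+)(?::\S+)?'
    r'\s+tcontext=\w+:\w+:(?P<ttype>\w+)(?::\S+)?'
    r'\s+tclass=(?P<tclass>\S+)'
)

# Constructed sample records modelled on the two scenarios in the report (not the real attachments).
SAMPLE_LINES = [
    'type=AVC msg=audit(1299844000.101:401): avc:  denied  { read } for  pid=2001 comm="pulse" '
    'name="lvs.cf" scontext=system_u:system_r:piranha_pulse_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1299844000.101:401): arch=c000003e syscall=2 success=no exit=-13 comm="pulse"',
    'type=AVC msg=audit(1299844000.102:402): avc:  denied  { search } for  pid=2002 comm="pidof" '
    'name="/" scontext=system_u:system_r:piranha_pulse_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=dir',
    'type=AVC msg=audit(1299844000.103:403): avc:  denied  { name_bind } for  pid=2003 comm="vsftpd" '
    'src=21 scontext=system_u:system_r:piranha_pulse_t:s0 tcontext=system_u:object_r:ftp_port_t:s0 tclass=tcp_socket',
]

def parse_avc(line):
    """Return the denial's fields as a dict, or None for non-AVC records."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()
    return rec

def triage(lines, launcher="piranha_pulse_t", own_domain=None):
    """Bucket denials raised under the launcher domain: a program with its own domain
    (vsftpd -> ftpd_t) still running as the launcher means the domain transition is
    missing, so audit2allow's allow rules would be the wrong fix for those records."""
    own_domain = own_domain or {"vsftpd": "ftpd_t"}  # assumption: ftpd_t is vsftpd's domain
    out = {"missing_transition": set(), "launcher_denials": defaultdict(set), "other": defaultdict(set)}
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        what = rec["tclass"] + ":" + ",".join(rec["perms"])
        if rec["sdomain"] == launcher and rec["comm"] in own_domain:
            out["missing_transition"].add((rec["comm"], own_domain[rec["comm"]]))
        elif rec["sdomain"] == launcher:
            out["launcher_denials"][rec["comm"]].add(what)
        else:
            out["other"][rec["sdomain"]].add(what)
    return out
```

Records in the missing_transition bucket call for a domain transition from the launcher to the service's own domain; only the launcher_denials bucket is what pulse genuinely needs allowed.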
Comment 1 Miroslav Grepl 2011-03-04 08:53:05 EST
Stuart,
could you please attach your local policies and also the AVC messages related to this issue.

Thank you.
Comment 2 Stuart Auchterlonie 2011-03-11 06:06:33 EST
Created attachment 483684
selinux info for starting ipvsadm to sync data.

This contains 3 sets of files.

ipvsadm.* - These relate to trying to start ipvsadm. The configuration is
in "Scenario 2" in the ticket.

pulse.* - These relate to pulse trying to start up and bring up the virtual IPs
of various services

nc.* - These relate to our use of nc in a custom health check script.
nc is used to connect to the port and see if something is listening.
This probably isn't required in the base package.
Comment 3 Stuart Auchterlonie 2011-03-11 06:13:00 EST
Created attachment 483686
selinux info for attempting to bring up a failover service (vsftpd)

pulsefos.* - Files relating to attempting to start pulse with a fos configuration.

pulsepidof.* - Files relating to pulse's use of pidof

vsftpdpulse.* - Files relating to pulse attempting to start vsftpd.

vsftpd.* - Files relating to vsftpd running under the piranha_pulse_t
context when started from pulse.

The policies included are generated by audit2allow. As such they
include far more than I'm happy with, especially in pulsefos.*

Regards
Stuart
Comment 4 Miroslav Grepl 2011-03-11 07:52:20 EST
Stuart,
many thanks.

It looks like pulse will end up with a policy similar to the one we have for rgmanager.

If I understand correctly, pulse can run various services to failover.
Comment 5 Stuart Auchterlonie 2011-03-11 09:09:36 EST
Pulse can be used in two different modes.

LVS mode where it configures and maintains LVS mapping tables
based on the availability of the worker nodes.

FOS mode where it is used to failover a service between two nodes.

There is plenty of documentation on Red Hat's website :)

Regards
Stuart
Comment 6 Miroslav Grepl 2011-03-11 09:30:07 EST
Yes, I have checked it.
Comment 7 Miroslav Grepl 2011-03-11 11:24:53 EST
I added fixes to selinux-policy-2.4.6-303.el5 which is available on

http://people.redhat.com/dwalsh/SELinux/RHEL5/noarch/
Comment 10 errata-xmlrpc 2011-07-21 05:19:47 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-1069.html
Comment 11 errata-xmlrpc 2011-07-21 07:56:08 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-1069.html
