Bug 719738 - CTDB/Samba fails when selinux is enabled
Summary: CTDB/Samba fails when selinux is enabled
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.1
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks: 672641 741967
Reported: 2011-07-07 20:04 UTC by Abhijith Das
Modified: 2012-09-27 12:06 UTC (History)

Fixed In Version: selinux-policy-3.7.19-107.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Clones: 741967
Environment:
Last Closed: 2011-12-06 10:09:06 UTC
Target Upstream Version:
Embargoed:


Attachments
AVC audit.log (63.24 KB, text/x-log) - 2011-07-07 20:04 UTC, Abhijith Das
Here is the initial policy. (20.00 KB, application/x-gzip) - 2011-07-08 11:41 UTC, Daniel Walsh
audit logs when starting ctdb with initial policy (31.45 KB, application/x-gzip) - 2011-07-14 15:18 UTC, Nate Straz
Updated policy (20.00 KB, application/x-gzip) - 2011-07-14 17:28 UTC, Daniel Walsh
updated logs for updated policy (12.37 KB, application/x-gzip) - 2011-07-15 20:17 UTC, Nate Straz
updated ctdbd.te (2.55 KB, application/octet-stream) - 2011-07-20 08:47 UTC, Miroslav Grepl
New set of audit logs (12.95 KB, application/x-gzip) - 2011-07-20 14:28 UTC, Nate Straz
updated ctdbd policy (2.91 KB, application/octet-stream) - 2011-07-21 09:13 UTC, Miroslav Grepl
Next set of audit logs (4.52 KB, application/x-gzip) - 2011-07-21 13:14 UTC, Nate Straz
Next set of audit logs (6.28 KB, application/x-gzip) - 2011-07-28 15:43 UTC, Nate Straz
Next set of audit logs (2.85 KB, application/x-gzip) - 2011-08-04 20:49 UTC, Nate Straz


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHBA-2011:1511 | 0 | normal | SHIPPED_LIVE | selinux-policy bug fix and enhancement update | 2011-12-06 00:39:17 UTC

Description Abhijith Das 2011-07-07 20:04:57 UTC
Created attachment 511791 [details]
AVC audit.log

When CTDB is set to manage Samba, it encounters 'permission denied' errors while trying to launch smbd. smbd fails and the ctdb cluster cannot export shares etc.

Attached are the AVCs seen in the audit.log file.

Comment 2 Sumit Bose 2011-07-08 07:10:52 UTC
It looks like the SELinux policy does not allow ctdb to set up a public cluster IP address.

The main purpose of ctdb is to manage a cluster-wide tdb database, but additionally it has basic cluster manager functionality like starting the samba daemon and setting up and managing public cluster IP addresses. The latter seems to fail if SELinux is enabled.

Reassigning to selinux-policy.

Comment 3 Daniel Walsh 2011-07-08 11:19:02 UTC
We need to write policy for ctdb in order to allow samba to talk to it.  It also looks like ctdb is leaking an open file descriptor to anon_inodefs.

#============= ifconfig_t ==============
allow ifconfig_t anon_inodefs_t:file { read write };

#============= iptables_t ==============
allow iptables_t anon_inodefs_t:file write;


/var/ctdb should be in the payload, although it would be better if this was in /var/lib?
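Added example (editor's, not ctdb's own code and not from this bug's attachments): comment 3 attributes the ifconfig_t and iptables_t denials on anon_inodefs_t to ctdbd leaking an open descriptor into the helpers it execs. The check a practitioner wants before writing any allow rule for those domains is a list of the daemon's descriptors that lack FD_CLOEXEC, read from /proc/PID/fdinfo; anything on that list is what ifconfig and iptables will inherit. The script below does that. Function names are hypothetical, and the optional second argument exists only so a test can point the function at a constructed /proc tree.

```sh
#!/bin/sh
# Added example (editor's, not ctdb's code and not from this bug's
# attachments): list the descriptors of a process that lack FD_CLOEXEC and
# so are inherited by every helper it execs.  That is the mechanism behind
# comment 3's "ctdb is leaking an open file descriptor to anon_inodefs":
# ifconfig/iptables run from ctdbd inherit its eventfd/epoll descriptors
# and trip ifconfig_t/iptables_t denials on anon_inodefs_t.  Names are
# hypothetical; the second argument only exists so a test can point the
# function at a constructed /proc tree.

# octal_to_dec OCTAL: decimal value of an octal string such as the
# "flags:" field in /proc/PID/fdinfo/N (POSIX awk has no strtonum).
octal_to_dec() {
    awk -v s="$1" 'BEGIN { v = 0; for (i = 1; i <= length(s); i++) v = v * 8 + substr(s, i, 1); print v }'
}

# inherited_fds PID [PROCROOT]: print "fd target flags" for each descriptor
# above stderr whose open flags lack O_CLOEXEC (octal 02000000 = 524288).
inherited_fds() {
    pid=$1
    proc=${2:-/proc}
    for f in "$proc/$pid/fd"/*; do
        [ -L "$f" ] || [ -e "$f" ] || continue   # no match / unreadable
        fd=${f##*/}
        [ "$fd" -gt 2 ] || continue
        flags=$(awk '/^flags:/ { print $2 }' "$proc/$pid/fdinfo/$fd" 2>/dev/null) || continue
        [ -n "$flags" ] || continue
        if [ $(( $(octal_to_dec "$flags") & 524288 )) -eq 0 ]; then
            printf '%s %s %s\n' "$fd" "$(readlink "$f")" "$flags"
        fi
    done
    return 0
}

# Demo: descriptors this shell itself would pass to a child.
inherited_fds "$$"
```

Run `inherited_fds $(pidof ctdbd)` on a node while ctdbd is up. Entries pointing at anon_inode:[eventfd], anon_inode:[epoll] or a socket are exactly what a forked ifconfig or iptables carries into its own domain, and the AVCs they produce are the leak's signature rather than a policy gap. The fix belongs in the daemon (O_CLOEXEC at open time or fcntl(FD_CLOEXEC) afterwards), which is why rules such as `allow ifconfig_t anon_inodefs_t:file { read write }` should be kept out of the module.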

Comment 4 Daniel Walsh 2011-07-08 11:19:55 UTC
 /var/run/ctdbd should also be in the payload.

Comment 5 Daniel Walsh 2011-07-08 11:41:19 UTC
Created attachment 511918 [details]
Here is the initial policy.

tar xvf /tmp/ctdbd.tgz
cd /tmp/
sh ctdbd.sh
service ctdb restart

And start collecting AVC's
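Added example (editor's, not from this bug's attachments and not part of the selinux-policy or ctdb packages): the loop comment 5 describes (load the draft module, restart the service, collect AVCs, extend the module, repeat) is driven by reducing each batch of denials to candidate allow rules, which is how audit2allow produces the grouped output quoted in comment 3. The shell function below does that reduction offline over a handful of records: the first is the one quoted in comment 9, the rest are constructed to mirror the anon_inodefs and udp_socket denials on this page in both raw audit.log and `ausearch -i` formats. Function and variable names are hypothetical.

```sh
#!/bin/sh
# Added example (editor's, not from this bug's attachments or the
# selinux-policy/ctdb packages): reduce AVC denials to candidate allow
# rules, grouped by source domain the way audit2allow prints them in
# comment 3.  Names below are hypothetical.

# Constructed sample: the first record is the one quoted in comment 9, the
# others are made up to mirror the anon_inodefs (comment 3) and udp_socket
# (comment 25) denials in both raw audit.log and `ausearch -i` formats.
AVC_SAMPLE='type=AVC msg=audit(1310760603.538:900): avc:  denied  { read write } for  pid=978 comm="ctdbd" name=".ctdb_socket_lock" dev=dm-0 ino=1831435 scontext=unconfined_u:system_r:ctdbd_t:s0 tcontext=unconfined_u:object_r:initrc_tmp_t:s0 tclass=file
type=AVC msg=audit(1310760603.540:901): avc:  denied  { write } for  pid=990 comm="iptables" path="anon_inode:[eventfd]" scontext=unconfined_u:system_r:iptables_t:s0 tcontext=system_u:object_r:anon_inodefs_t:s0 tclass=file
type=AVC msg=audit(1310760603.541:902): avc:  denied  { read } for  pid=991 comm="ifconfig" path="anon_inode:[eventfd]" scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:anon_inodefs_t:s0 tclass=file
type=AVC msg=audit(1310760603.541:903): avc:  denied  { write } for  pid=991 comm="ifconfig" path="anon_inode:[eventfd]" scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:anon_inodefs_t:s0 tclass=file
type=AVC msg=audit(08/04/2011 11:35:44.628:27250) : avc:  denied  { name_bind } for  pid=10741 comm=ctdbd src=4379 scontext=unconfined_u:system_r:ctdbd_t:s0 tcontext=system_u:object_r:ctdb_port_t:s0 tclass=udp_socket'

# avc_to_allow: read AVC records on stdin, print one candidate rule per
# (source type, target type, object class) with the union of the denied
# permissions.  Pass 1 emits "src<TAB>tgt<TAB>class<TAB>perm" per denied
# permission; sort -u dedups and orders them; pass 2 folds runs of equal
# (src,tgt,class) into a single allow line under a per-source banner.
avc_to_allow() {
    LC_ALL=C awk '
    # ctx(name): value of the name=... attribute on the current record,
    # with the quotes audit.log puts around some values stripped.
    function ctx(name,   v) {
        if (!match($0, name "[^ ]+")) return ""
        v = substr($0, RSTART + length(name), RLENGTH - length(name))
        gsub(/"/, "", v)
        return v
    }
    /avc: *denied/ {
        perms = $0
        sub(/.*denied *[{] */, "", perms)   # keep text after "denied {"
        sub(/ *[}].*/, "", perms)           # ...up to the closing brace
        split(ctx("scontext="), s, ":")     # s[3] is the source type
        split(ctx("tcontext="), t, ":")     # t[3] is the target type
        cls = ctx("tclass=")
        n = split(perms, p, " ")
        for (i = 1; i <= n; i++) print s[3] "\t" t[3] "\t" cls "\t" p[i]
    }' | LC_ALL=C sort -u | LC_ALL=C awk -F'\t' '
    function flush() {
        if (key == "") return
        printf "allow %s %s:%s %s;\n", s, t, c, (np > 1 ? "{ " perms " }" : perms)
    }
    $1 != src {                              # new source domain: banner
        flush(); key = ""
        if (src != "") print ""
        src = $1
        print "#============= " src " =============="
    }
    {
        k = $1 SUBSEP $2 SUBSEP $3
        if (k != key) { flush(); key = k; s = $1; t = $2; c = $3; perms = $4; np = 1 }
        else { perms = perms " " $4; np++ }
    }
    END { flush() }'
}

# Demo run over the constructed sample.
printf '%s\n' "$AVC_SAMPLE" | avc_to_allow
```

Read the output as a worklist, not as the finished policy. In this sample the ctdbd_t/initrc_tmp_t rule is a labeling problem (the socket lock file should carry ctdbd_tmp_t, as comment 9 says), and the ifconfig_t/iptables_t rules on anon_inodefs_t are the signature of a descriptor inherited across exec, which is a bug in the daemon and not something to allow. Only the denials left after relabeling and fixing the leak belong in ctdbd.te, and even then through the refpolicy interfaces (corenet, files, samba) rather than raw allow lines.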

Comment 6 Nate Straz 2011-07-14 15:18:01 UTC
Created attachment 513209 [details]
audit logs when starting ctdb with initial policy

I found one typo in the initial policy in ctdbd.te, %s/ctdpd/ctdbd/g

After fixing that the policy built and installed.  Attached is the new audit logs from starting the service while it manages samba.

Comment 7 Daniel Walsh 2011-07-14 17:28:35 UTC
Created attachment 513226 [details]
Updated policy

Comment 8 Nate Straz 2011-07-15 20:17:49 UTC
Created attachment 513441 [details]
updated logs for updated policy

Comment 9 Miroslav Grepl 2011-07-20 08:00:57 UTC
type=AVC msg=audit(1310760603.538:900): avc:  denied  { read write } for  pid=978 comm="ctdbd" name=".ctdb_socket_lock" dev=dm-0 ino=1831435 scontext=unconfined_u:system_r:ctdbd_t:s0 tcontext=unconfined_u:object_r:initrc_tmp_t:s0 tclass=file

If you stop the ctdbd service, will /tmp/.ctdb_socket_lock be deleted? Since it should be labeled as ctdbd_tmp_t.

Comment 10 Miroslav Grepl 2011-07-20 08:12:31 UTC
We have in the ctdbd.fc

/var/ctdbd(/.*)?                gen_context(system_u:object_r:ctdbd_var_lib_t,s0)

You need to run 

chcon -R -t ctdbd_var_lib_t /var/ctdbd
 
or change it in the ctdbd.fc file and run restorecon -R -v /var/ctdb

Comment 11 Miroslav Grepl 2011-07-20 08:39:43 UTC
Other problem is /mnt/ctdb0 and /mnt/share0. We need to find a label for these locations.

Could you explain to me what the purpose of these is?

Comment 12 Miroslav Grepl 2011-07-20 08:47:07 UTC
Created attachment 513949 [details]
updated ctdbd.te

Updated policy.

Also Nate,
please run

echo "-w /etc/shadow -p wa" >> /etc/audit/audit.rules
service auditd restart


Will give us full paths.

Comment 13 Nate Straz 2011-07-20 14:00:15 UTC
(In reply to comment #11)
> Other problem is /mnt/ctdb0 and /mnt/share0. We need to find a label for these
> location.
> 
> Could you explain me what is purpose of these?

/mnt/ctdb0 is a GFS2 file system being used for CTDB.
/mnt/share0 is a GFS2 file system being shared by Samba.

Comment 14 Nate Straz 2011-07-20 14:28:14 UTC
Created attachment 514018 [details]
New set of audit logs

I found one syntax error in your updated ctdbd.te

Compiling  ctdbd module
/usr/bin/checkmodule:  loading policy configuration from tmp/ctdbd.tmp
ctdbd.te":21:ERROR 'syntax error' at token 'files_spool_file' on line 4693:
type ctdbd_spool_t;
files_spool_file(ctdbd_spool_t)
/usr/bin/checkmodule:  error(s) encountered while parsing configuration
make: *** [tmp/ctdbd.mod] Error 1

I commented out the files_spool_file line since I don't think ctdb uses a spool directory.  I also fixed the paths in ctdbd.fc to point to /var/ctdb instead of /var/ctdbd.

Here are the updated audit logs with the new ctdbd.te and added auditd options.

Comment 15 Miroslav Grepl 2011-07-21 09:13:53 UTC
Created attachment 514171 [details]
updated ctdbd policy

Ok, could you try to execute

# chcon -R -t samba_share_t /mnt/share0
# chcon -R -t ctdbd_var_lib_t /mnt/ctdb0
# chcon -R -t ctdbd_var_lib_t /etc/ctdb 

and test the updated policy.

You should see only leaked file descriptor and samba related AVC msgs.

Comment 16 Nate Straz 2011-07-21 13:14:07 UTC
Created attachment 514200 [details]
Next set of audit logs

Here is the latest set of logs.  I had to comment out the line that contained shorewall_t in ctdbd.te which wasn't defined in my policy.

Comment 17 Miroslav Grepl 2011-07-27 05:55:54 UTC
Great, we are close. Just

allow ctdbd_t tmp_t:file { read write open lock };

/tmp/.ctdb_socket_lock is still mislabeled. Could you remove it and try to restart ctdbd.

Comment 18 Nate Straz 2011-07-28 15:43:36 UTC
Created attachment 515753 [details]
Next set of audit logs

I've rebuilt the systems since last run so I've had to patch together the latest policy.  Can you send a new tarball next time?

Comment 19 Miroslav Grepl 2011-08-01 12:03:44 UTC
I added fixes to F16. I believe the policy is ready for RHEL6 backport.

Comment 20 Miroslav Grepl 2011-08-02 12:34:49 UTC
Fixed in selinux-policy-3.7.19-106.el6

Comment 25 Milos Malik 2011-08-04 09:38:39 UTC
I modified /etc/sysconfig/ctdb in such a way that CTDB_SYSLOG=yes.

----
type=SYSCALL msg=audit(08/04/2011 11:35:44.620:27248) : arch=i386 syscall=socketcall(socket) success=yes exit=20 a0=1 a1=bf9ed460 a2=945d810 a3=945d878 items=0 ppid=1 pid=10698 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=9 comm=ctdbd exe=/usr/sbin/ctdbd subj=unconfined_u:system_r:ctdbd_t:s0 key=(null) 
type=AVC msg=audit(08/04/2011 11:35:44.620:27248) : avc:  denied  { create } for  pid=10698 comm=ctdbd scontext=unconfined_u:system_r:ctdbd_t:s0 tcontext=unconfined_u:system_r:ctdbd_t:s0 tclass=udp_socket 
----
type=SYSCALL msg=audit(08/04/2011 11:35:44.622:27249) : arch=i386 syscall=socketcall(sendto) success=yes exit=54 a0=b a1=bf9ed460 a2=945d810 a3=14 items=0 ppid=1 pid=10698 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=9 comm=ctdbd exe=/usr/sbin/ctdbd subj=unconfined_u:system_r:ctdbd_t:s0 key=(null) 
type=AVC msg=audit(08/04/2011 11:35:44.622:27249) : avc:  denied  { write } for  pid=10698 comm=ctdbd scontext=unconfined_u:system_r:ctdbd_t:s0 tcontext=unconfined_u:system_r:ctdbd_t:s0 tclass=udp_socket 
----
type=SYSCALL msg=audit(08/04/2011 11:35:44.628:27250) : arch=i386 syscall=socketcall(bind) success=yes exit=0 a0=2 a1=bf9ed4f0 a2=945d800 a3=945a498 items=0 ppid=10698 pid=10741 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=9 comm=ctdbd exe=/usr/sbin/ctdbd subj=unconfined_u:system_r:ctdbd_t:s0 key=(null) 
type=AVC msg=audit(08/04/2011 11:35:44.628:27250) : avc:  denied  { node_bind } for  pid=10741 comm=ctdbd saddr=127.0.0.1 src=4379 scontext=unconfined_u:system_r:ctdbd_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=udp_socket 
type=AVC msg=audit(08/04/2011 11:35:44.628:27250) : avc:  denied  { name_bind } for  pid=10741 comm=ctdbd src=4379 scontext=unconfined_u:system_r:ctdbd_t:s0 tcontext=system_u:object_r:ctdb_port_t:s0 tclass=udp_socket 
type=AVC msg=audit(08/04/2011 11:35:44.628:27250) : avc:  denied  { bind } for  pid=10741 comm=ctdbd scontext=unconfined_u:system_r:ctdbd_t:s0 tcontext=unconfined_u:system_r:ctdbd_t:s0 tclass=udp_socket 
----
type=SYSCALL msg=audit(08/04/2011 11:35:44.729:27251) : arch=i386 syscall=socketcall(recv) success=yes exit=73 a0=a a1=bf9dd3e0 a2=bf9ed43c a3=0 items=0 ppid=10698 pid=10741 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=9 comm=ctdbd exe=/usr/sbin/ctdbd subj=unconfined_u:system_r:ctdbd_t:s0 key=(null) 
type=AVC msg=audit(08/04/2011 11:35:44.729:27251) : avc:  denied  { read } for  pid=10741 comm=ctdbd laddr=127.0.0.1 lport=4379 scontext=unconfined_u:system_r:ctdbd_t:s0 tcontext=unconfined_u:system_r:ctdbd_t:s0 tclass=udp_socket 
----

Comment 28 Nate Straz 2011-08-04 20:49:56 UTC
Created attachment 516789 [details]
Next set of audit logs

Latest set of audit logs from `service ctdb start` with samba managed by ctdb.  
Running selinux-policy-3.7.19-106.el6

Comment 29 Miroslav Grepl 2011-08-05 06:53:01 UTC
I am fixing

allow ctdbd_t ctdb_port_t:tcp_socket name_connect;
allow smbd_t ctdbd_tmp_t:sock_file { write getattr };


But there still remain some issues which need to be fixed in the ctdbd package

#672641

Comment 30 Miroslav Grepl 2011-08-10 15:09:01 UTC
Fixed in selinux-policy-3.7.19-107.el6

Comment 32 Nate Straz 2011-08-17 15:52:40 UTC
I can't find the ctdb types in the latest selinux-policy package.

[root@dash-03 targeted]# rpm -q selinux-policy
selinux-policy-3.7.19-107.el6.noarch
[root@dash-03 targeted]# seinfo -t | grep ctdb
[root@dash-03 targeted]#

Comment 33 Miroslav Grepl 2011-08-19 18:22:25 UTC
I see

# seinfo -t | grep ctdb
   ctdbd_var_lib_t
   ctdbd_var_run_t
   ctdbd_initrc_exec_t
   ctdbd_exec_t
   ctdbd_log_t
   ctdb_client_packet_t
   ctdbd_t
   ctdb_port_t
   ctdbd_tmp_t
   ctdbd_spool_t
   ctdb_server_packet_t

# semodule -l |grep ctdb
ctdbd	1.0.0

# seinfo -xaunconfined_domain_type |grep ctdbd
ctdbd_t

# rpm -qa *selinux-policy*
selinux-policy-targeted-3.7.19-107.el6.noarch
selinux-policy-minimum-3.7.19-107.el6.noarch
selinux-policy-doc-3.7.19-107.el6.noarch
selinux-policy-3.7.19-107.el6.noarch
selinux-policy-mls-3.7.19-107.el6.noarch

Could you try to reinstall the policy and make sure nothing blows up.

Comment 34 Nate Straz 2011-08-19 18:55:14 UTC
It appears to be a problem with the qarshd policy.  When including "qemu_domtrans_unconfined(qarshd)" it causes the policy load to fail.

Running Transaction
  Updating   : selinux-policy-3.7.19-107.el6.noarch                                                  1/4
  Updating   : selinux-policy-targeted-3.7.19-107.el6.noarch                                         2/4
libsepol.print_missing_requirements: qarshd's global requirements were not met: type/attribute unconfined_qemu_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
semodule:  Failed!
  Cleanup    : selinux-policy-targeted-3.7.19-106.el6.noarch                                         3/4
  Cleanup    : selinux-policy-3.7.19-106.el6.noarch                                                  4/4
Installed products updated.

After filtering out that domtrans I'm back in business.

FYI, there are currently 35 domtrans rules I need to filter out in order for the qarshd policy to load.  Should I file bugs for these?

Comment 35 Miroslav Grepl 2011-08-19 21:10:52 UTC
File a new bug please. Thanks.

Comment 36 Daniel Walsh 2011-08-20 10:42:12 UTC
What is qarshd?  Why is it running unconfined virtual machines?  Does it work with svirt/libvirt?

Comment 37 Miroslav Grepl 2011-08-22 11:18:28 UTC
I removed 

qemu_domtrans_unconfined()


AFAIK they try to include all domtrans interfaces into qarshd policy to make sure all these interfaces are correct.


This issue is also covered by SEWatch tool which tries to compile/load all interfaces. I just need to clean up a script which does these tests.

Comment 38 Nate Straz 2011-08-22 14:12:22 UTC
qarshd is the server part of our QA remote shell.  It was written to be more transparent than ssh for testing purposes.  When adding SELinux support we decided to auto-generate the policy so we wouldn't have to edit the policy every time we start using it to test something new.

As a side effect of auto-generating the policy we find that some of the domtrans interfaces don't work and need to be filtered out to get a working policy.

Comment 39 Daniel Walsh 2011-08-22 14:28:45 UTC
Ok nice feature...

Comment 41 Nate Straz 2011-09-28 14:51:43 UTC
I found another command that doesn't work when selinux is enabled with clustering on in samba.  smbcontrol needs access to ctdb.socket.


type=AVC msg=audit(1317220776.455:50562): avc:  denied  { write } for  pid=11780 comm="smbcontrol" name="ctdb.socket" dev=dm-0 ino=1831426 scontext=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:ctdbd_tmp_t:s0 tclass=sock_file

Comment 42 Daniel Walsh 2011-09-28 15:33:42 UTC
That is a different bug.

Miroslav lets add

optional_policy(`
	ctdbd_stream_connect(smbcontrol_t)
')

I think the rest of the bug reported here is fixed in the latest RHEL6 policy?

Comment 43 Nate Straz 2011-09-28 15:55:19 UTC
I cloned off the new AVC to a new bug.  Moving back to VERIFIED.

Comment 44 errata-xmlrpc 2011-12-06 10:09:06 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1511.html

