Bug 722429 - Problem with SELinux and the script resource agent
Summary: Problem with SELinux and the script resource agent
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.1
Hardware: All
OS: Linux
medium
high
Target Milestone: rc
: ---
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-07-15 10:34 UTC by Tomas Edwardsson
Modified: 2011-12-06 10:09 UTC (History)
7 users (show)

Fixed In Version: selinux-policy-3.7.19-104.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-12-06 10:09:26 UTC
Target Upstream Version:

Attachments (Terms of Use)
script (455 bytes, application/octet-stream)
2011-07-15 10:35 UTC, Tomas Edwardsson 		no flags Details
View All Add an attachment (proposed patch, testcase, etc.)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2011:1511 0 normal SHIPPED_LIVE selinux-policy bug fix and enhancement update 2011-12-06 00:39:17 UTC

Description Tomas Edwardsson 2011-07-15 10:34:23 UTC 
Description of problem:
Services started with rgmanager are running in the wrong context. At least when run through custom scripts.

Version-Release number of selected component (if applicable):
resource-agents-3.0.12-22.el6.x86_64
rgmanager-3.0.12-11.el6.x86_64

How reproducible:
Put a script in /usr/local/bin/rsyslog-restart.sh (attached).
Stop and start the service.
  
Actual results:
# ps -efZ |grep rsysl
system_u:system_r:rgmanager_t:s0 root    17856     1  0 10:28 ?        00:00:00 /sbin/rsyslogd -c 4

Expected results:
unconfined_u:system_r:syslogd_t:s0 root  21498     1  0 10:15 ?        00:00:01 /sbin/rsyslogd -c 4


Additional info:
This causes all sorts of problems, for one postfix is not able to log through the /dev/log socket.
Comment 1 Tomas Edwardsson 2011-07-15 10:35:08 UTC 
Created attachment 513354 [details]
script
Comment 3 Jaroslav Kortus 2011-07-15 12:58:36 UTC 
Hello Tomas,

the context seems right to me. We do not transition services started via rgmanager into any other context. Rgmanager's context here is close to uconfined_t (i.e. can do almost anything).

It is this way because the clustered service configuration usually differs significantly to the one on single node. As this is very customer-dependent we do not define any restriction in this regard.

To achieve your goal, you'd have to create your own policy with the transition defined (rgmanager_t -> syslogd_t) or use runcon.

If you are interested in policy building and mass-transitions, I'd suggest looking at http://nstraz.wordpress.com/tag/qarsh/ where the selinux policy is built as part of the package and it uses all available interfaces for transition.

For your case this would mean including something like:
logging_domtrans_syslog(rgmanager_t)
in your own policy.
See the interface definition in /usr/share/selinux/devel/include/system/logging.if

If you would like to report any AVC denials, please include selinux-policy package version and the actual denial (ausearch -m AVC).

Hope this helps.
Comment 4 Jaroslav Kortus 2011-07-15 14:33:33 UTC 
I have to correct myself a bit here.

rgmanager_t does indeed couple of transitions automatically.

rough list:
$ sesearch --type -s rgmanager_t  | grep exec_t
   type_transition rgmanager_t abrt_helper_exec_t : process abrt_helper_t; 
   type_transition rgmanager_t ping_exec_t : process ping_t; 
   type_transition rgmanager_t netutils_exec_t : process netutils_t; 
   type_transition rgmanager_t httpd_exec_t : process httpd_t; 
   type_transition rgmanager_t ifconfig_exec_t : process ifconfig_t; 
   type_transition rgmanager_t nfsd_exec_t : process nfsd_t; 
   type_transition rgmanager_t samba_initrc_exec_t : process initrc_t; 
   type_transition rgmanager_t postgresql_exec_t : process postgresql_t; 
   type_transition rgmanager_t rpcd_exec_t : process rpcd_t; 
   type_transition rgmanager_t sepgsql_db_t : db_procedure sepgsql_proc_exec_t; 
   type_transition rgmanager_t rpcd_initrc_exec_t : process initrc_t; 
   type_transition rgmanager_t mount_exec_t : process mount_t; 
   type_transition rgmanager_t fsadm_exec_t : process fsadm_t; 
   type_transition rgmanager_t fusermount_exec_t : process mount_t; 
   type_transition rgmanager_t slapd_exec_t : process slapd_t; 
   type_transition rgmanager_t xm_exec_t : process xm_t; 
   type_transition rgmanager_t slapd_initrc_exec_t : process initrc_t; 
   type_transition rgmanager_t sepgsql_schema_t : db_procedure sepgsql_proc_exec_t; 
   type_transition rgmanager_t unpriv_sepgsql_schema_t : db_procedure sepgsql_proc_exec_t; 
   type_transition rgmanager_t smbd_exec_t : process smbd_t; 
   type_transition rgmanager_t mysqld_safe_exec_t : process mysqld_safe_t; 
   type_transition rgmanager_t user_sepgsql_schema_t : db_procedure sepgsql_proc_exec_t; 
   type_transition rgmanager_t nmbd_exec_t : process nmbd_t; 
   type_transition rgmanager_t nfsd_initrc_exec_t : process initrc_t; 
   type_transition rgmanager_t lvm_exec_t : process lvm_t; 


So in some cases it is restricted (samba, httpd, mysqld,...) and rgmanager_t remains there if no transition is specified (and the service is very little restricted).

We might possibly add transtition for some others (or initrc_exec_t in general), but I'll let our selinux folks comment on that. 

As this is not a cluster bug rather than selinux-policy one I'll reassign this as well.
Comment 5 Daniel Walsh 2011-07-15 17:47:37 UTC 
That seems reasonable to execute them in initrc_t.
Comment 6 Miroslav Grepl 2011-07-20 10:08:02 UTC 
Fixed in selinux-policy-3.7.19-104.el6
Comment 9 errata-xmlrpc 2011-12-06 10:09:26 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1511.html
Note You need to log in before you can comment on or make changes to this bug.