
Bug 722429

Summary: Problem with SELinux and the script resource agent
Product: Red Hat Enterprise Linux 6
Component: selinux-policy
Version: 6.1
Status: CLOSED ERRATA
Severity: high
Priority: medium
Reporter: Tomas Edwardsson <tommi>
Assignee: Miroslav Grepl <mgrepl>
QA Contact: Milos Malik <mmalik>
CC: agk, cluster-maint, dwalsh, jkortus, lhh, mmalik, syeghiay
Target Milestone: rc
Hardware: All
OS: Linux
Fixed In Version: selinux-policy-3.7.19-104.el6
Doc Type: Bug Fix
Last Closed: 2011-12-06 10:09:26 UTC
Attachments: script

Description Tomas Edwardsson 2011-07-15 10:34:23 UTC
Description of problem:
Services started with rgmanager are running in the wrong context. At least when run through custom scripts.

Version-Release number of selected component (if applicable):
resource-agents-3.0.12-22.el6.x86_64
rgmanager-3.0.12-11.el6.x86_64

How reproducible:
Put a script in /usr/local/bin/rsyslog-restart.sh (attached).
Stop and start the service.
  
Actual results:
# ps -efZ |grep rsysl
system_u:system_r:rgmanager_t:s0 root    17856     1  0 10:28 ?        00:00:00 /sbin/rsyslogd -c 4

Expected results:
unconfined_u:system_r:syslogd_t:s0 root  21498     1  0 10:15 ?        00:00:01 /sbin/rsyslogd -c 4


Additional info:
This causes all sorts of problems; for one, postfix is not able to log through the /dev/log socket.

Comment 1 Tomas Edwardsson 2011-07-15 10:35:08 UTC
Created attachment 513354 [details]
script

Comment 3 Jaroslav Kortus 2011-07-15 12:58:36 UTC
Hello Tomas,

the context seems right to me. We do not transition services started via rgmanager into any other context. Rgmanager's context here is close to unconfined_t (i.e. it can do almost anything).

It is this way because the clustered service configuration usually differs significantly from the one on a single node. As this is very customer-dependent, we do not define any restriction in this regard.

To achieve your goal, you'd have to create your own policy with the transition defined (rgmanager_t -> syslogd_t) or use runcon.

If you are interested in policy building and mass-transitions, I'd suggest looking at http://nstraz.wordpress.com/tag/qarsh/ where the selinux policy is built as part of the package and it uses all available interfaces for transition.

For your case this would mean including something like:
logging_domtrans_syslog(rgmanager_t)
in your own policy.
See the interface definition in /usr/share/selinux/devel/include/system/logging.if

If you would like to report any AVC denials, please include selinux-policy package version and the actual denial (ausearch -m AVC).

Hope this helps.
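
The policy module suggested above, worked through as an added example (not code from the bug report or from the selinux-policy package): it writes a small type-enforcement module that calls logging_domtrans_syslog(rgmanager_t), builds and loads it with the selinux-policy-devel Makefile, and then checks the domain of the running rsyslogd from `ps -efZ` output. It assumes selinux-policy-devel (for /usr/share/selinux/devel) and setools (for sesearch) are installed on the cluster node; the module name rgmanager_syslog and the function names are arbitrary choices.

```shell
#!/bin/sh
# Added example: confine rsyslogd started from an rgmanager script by giving
# rgmanager_t a domain transition to syslogd_t (via logging_domtrans_syslog).
# Assumes selinux-policy-devel and setools are installed. "rgmanager_syslog"
# is an arbitrary module name.

MODULE=rgmanager_syslog

# Write the type-enforcement source into the directory given as $1 and
# print the path of the .te file.
write_policy_module() {
    dir=$1
    cat > "$dir/$MODULE.te" <<'EOF'
policy_module(rgmanager_syslog, 1.0)

require {
    type rgmanager_t;
}

# logging_domtrans_syslog() is defined in
# /usr/share/selinux/devel/include/system/logging.if: it lets rgmanager_t
# execute syslogd_exec_t and adds the type_transition to syslogd_t.
logging_domtrans_syslog(rgmanager_t)
EOF
    printf '%s\n' "$dir/$MODULE.te"
}

# Compile the module with the devel Makefile, load it, and show the rule
# that should now exist:
#   type_transition rgmanager_t syslogd_exec_t : process syslogd_t;
build_and_install() {
    dir=$1
    ( cd "$dir" && make -f /usr/share/selinux/devel/Makefile "$MODULE.pp" )
    semodule -i "$dir/$MODULE.pp"
    sesearch -T -s rgmanager_t -t syslogd_exec_t -c process
}

# Extract the SELinux type (third field of the context) from one line of
# `ps -efZ` output, e.g.
#   "system_u:system_r:rgmanager_t:s0 root 17856 ... /sbin/rsyslogd -c 4"
# yields "rgmanager_t".
ps_type() {
    printf '%s\n' "$1" | awk '{ split($1, c, ":"); print c[3] }'
}

# Succeed (exit 0) when the first process whose command contains $2 is
# running in domain $1 on this host.
running_in_domain() {
    want=$1; name=$2
    line=$(ps -efZ | grep "[/ ]$name" | grep -v grep | head -n 1)
    [ -n "$line" ] || return 1
    [ "$(ps_type "$line")" = "$want" ]
}

# Usage on a cluster node (not executed here):
#   dir=$(mktemp -d) && write_policy_module "$dir" && build_and_install "$dir"
#   clusvcadm -R <service>   # restart the clustered service through rgmanager
#   running_in_domain syslogd_t rsyslogd && echo "rsyslogd confined as syslogd_t"
```

The transition only applies to processes executed after the module is loaded, so the clustered service has to be restarted through rgmanager (clusvcadm -R) before the `ps -efZ` check will show syslogd_t; a daemon that was already running keeps rgmanager_t until then.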

Comment 4 Jaroslav Kortus 2011-07-15 14:33:33 UTC
I have to correct myself a bit here.

rgmanager_t does indeed do a couple of transitions automatically.

rough list:
$ sesearch --type -s rgmanager_t  | grep exec_t
   type_transition rgmanager_t abrt_helper_exec_t : process abrt_helper_t; 
   type_transition rgmanager_t ping_exec_t : process ping_t; 
   type_transition rgmanager_t netutils_exec_t : process netutils_t; 
   type_transition rgmanager_t httpd_exec_t : process httpd_t; 
   type_transition rgmanager_t ifconfig_exec_t : process ifconfig_t; 
   type_transition rgmanager_t nfsd_exec_t : process nfsd_t; 
   type_transition rgmanager_t samba_initrc_exec_t : process initrc_t; 
   type_transition rgmanager_t postgresql_exec_t : process postgresql_t; 
   type_transition rgmanager_t rpcd_exec_t : process rpcd_t; 
   type_transition rgmanager_t sepgsql_db_t : db_procedure sepgsql_proc_exec_t; 
   type_transition rgmanager_t rpcd_initrc_exec_t : process initrc_t; 
   type_transition rgmanager_t mount_exec_t : process mount_t; 
   type_transition rgmanager_t fsadm_exec_t : process fsadm_t; 
   type_transition rgmanager_t fusermount_exec_t : process mount_t; 
   type_transition rgmanager_t slapd_exec_t : process slapd_t; 
   type_transition rgmanager_t xm_exec_t : process xm_t; 
   type_transition rgmanager_t slapd_initrc_exec_t : process initrc_t; 
   type_transition rgmanager_t sepgsql_schema_t : db_procedure sepgsql_proc_exec_t; 
   type_transition rgmanager_t unpriv_sepgsql_schema_t : db_procedure sepgsql_proc_exec_t; 
   type_transition rgmanager_t smbd_exec_t : process smbd_t; 
   type_transition rgmanager_t mysqld_safe_exec_t : process mysqld_safe_t; 
   type_transition rgmanager_t user_sepgsql_schema_t : db_procedure sepgsql_proc_exec_t; 
   type_transition rgmanager_t nmbd_exec_t : process nmbd_t; 
   type_transition rgmanager_t nfsd_initrc_exec_t : process initrc_t; 
   type_transition rgmanager_t lvm_exec_t : process lvm_t; 


So in some cases it is restricted (samba, httpd, mysqld,...) and rgmanager_t remains there if no transition is specified (and the service is very little restricted).

We might possibly add a transition for some others (or initrc_exec_t in general), but I'll let our selinux folks comment on that.

As this is a selinux-policy bug rather than a cluster one, I'll reassign it as well.

Comment 5 Daniel Walsh 2011-07-15 17:47:37 UTC
That seems reasonable to execute them in initrc_t.

Comment 6 Miroslav Grepl 2011-07-20 10:08:02 UTC
Fixed in selinux-policy-3.7.19-104.el6

Comment 9 errata-xmlrpc 2011-12-06 10:09:26 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1511.html