Description of problem: With selinux on matahari can not run the heartbeat/pgsql resource. Note: when I turned selinux off all was well. Version-Release number of selected component (if applicable): I am testing on F14, but probably the same on f15+ How reproducible: 100% Steps to Reproduce: 1.use the Resources->invoke() API to start pgsql 2.it will fail with selinux on 3. Actual results: PCMK [info] unpack_rsc_op: Hard error - rsc_a14-2_r_postgresql_start_0 failed with rc=4: Preventing rsc_a14-2_r_postgresql from re-starting on a14-2 PCMK [info] unpack_rsc_op: Processing failed op rsc_a14-2_r_postgresql_start_0 on a14-2: insufficient privileges (4) Expected results: success Additional info: Run from shell (not perfect but doing something) -------------- [root@a14-2 heartbeat]# ./pgsql start pgsql[28640]: INFO: I am root, id:uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pgsql[28640]: INFO: ocf_run su postgres -c cd /var/lib/pgsql/data; test -w /var/lib/pgsql/data pgsql[28640]: INFO: ocf_run su postgres -c cd /var/lib/pgsql/data; test -w /dev/null pgsql[28640]: INFO: ocf_run su postgres -c cd /var/lib/pgsql/data; /usr/bin/pg_ctl -D /var/lib/pgsql/data -l /dev/null start pgsql[28640]: INFO: server starting pgsql[28640]: INFO: PostgreSQL start command sent. pgsql[28640]: INFO: ocf_run su postgres -c cd /var/lib/pgsql/data; kill -s 0 28693 >/dev/null 2>&1 pgsql[28640]: INFO: ocf_run su postgres -c cd /var/lib/pgsql/data; /usr/bin/psql -p 5432 -U postgres template1 -c 'select now();' pgsql[28640]: WARNING: psql: could not connect to server: No such file or directory Is the server running locally and accepting connections on Unix domain socket "/tmp/.s.PGSQL.5432"? pgsql[28640]: WARNING: PostgreSQL template1 isn't running pgsql[28640]: WARNING: Connection error (connection to the server went bad and the session was not interactive) occurred while executing the psql command. pgsql[28640]: DEBUG: PostgreSQL still hasn't started yet. Waiting... pgsql[28640]: INFO: ocf_run su postgres -c cd /var/lib/pgsql/data; kill -s 0 28693 >/dev/null 2>&1 pgsql[28640]: INFO: ocf_run su postgres -c cd /var/lib/pgsql/data; /usr/bin/psql -p 5432 -U postgres template1 -c 'select now();' pgsql[28640]: INFO: PostgreSQL is started. Run from matahari ----------------- Aug 3 20:12:29 a14-2 service[1448]: virtual gboolean SrvAgent::invoke(qmf::AgentSession, qmf::AgentEvent, void*): Calling resources API Aug 3 20:12:29 a14-2 pgsql[28547]: INFO: I am root, id:uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:matahari_serviced_t:s0 Aug 3 20:12:29 a14-2 pgsql[28547]: INFO: ocf_run su postgres -c cd /var/lib/pgsql/data; test -w /var/lib/pgsql/data Aug 3 20:12:29 a14-2 pgsql[28547]: INFO: Password: su: incorrect password Aug 3 20:12:29 a14-2 pgsql[28547]: ERROR: Directory /var/lib/pgsql/data is not writable by postgres This might make sense to you? type=USER_START msg=audit(1312417818.621:2087): user pid=30413 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:matahari_serviced_t:s0 msg='op=PAM:session_open acct="postgres" exe="/bin/su" hostname=? addr=? terminal=? res=success' type=CRED_ACQ msg=audit(1312417818.621:2088): user pid=30413 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:matahari_serviced_t:s0 msg='op=PAM:setcred acct="postgres" exe="/bin/su" hostname=? addr=? terminal=? res=success' type=CRED_DISP msg=audit(1312417818.624:2089): user pid=30413 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:matahari_serviced_t:s0 msg='op=PAM:setcred acct="postgres" exe="/bin/su" hostname=? addr=? terminal=? res=success' type=USER_END msg=audit(1312417818.624:2090): user pid=30413 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:matahari_serviced_t:s0 msg='op=PAM:session_close acct="postgres" exe="/bin/su" hostname=? addr=? terminal=? res=success'
Adam, you're our resident selinux expert - could you take a look please?
Angus, Could you see if the following gives you a better indication of the problem? cat /var/log/audit/audit.log | audit2allow -w Thanks, Adam
(In reply to comment #2) > Angus, > > Could you see if the following gives you a better indication of the problem? > > cat /var/log/audit/audit.log | audit2allow -w > > Thanks, > Adam These below look the most obvious, but there are heaps so I will attach the file. type=AVC msg=audit(1312374486.979:175): avc: denied { open } for pid=1667 comm="pgsql" name="su" dev=dm-1 ino=130125 scontext=system_u:system_r:matahari_serviced_t:s0 tcontext=system_u:object_r:su_exec_t:s0 tclass=file Was caused by: Missing type enforcement (TE) allow rule. You can use audit2allow to generate a loadable module to allow this access. type=AVC msg=audit(1312374486.979:175): avc: denied { execute_no_trans } for pid=1667 comm="pgsql" path="/bin/su" dev=dm-1 ino=130125 scontext=system_u:system_r:matahari_serviced_t:s0 tcontext=system_u:object_r:su_exec_t:s0 tclass=file Was caused by: Missing type enforcement (TE) allow rule. You can use audit2allow to generate a loadable module to allow this access.
Created attachment 516801 [details] audit2allow output
Dan, It looks like matahari service isn't giving enough access to all these operations reported in the audit2allow output? Seeing as how matahari-service would actually need basically ulimited execution power I dont really know the best way to approach this issue. Thanks Adam
The AVC's you are reporting are file_t which means no labels are present. Usually this means you added a disk that does not have labels on it. Running restorecon on the disk will fix the labels. The other avc's in the bug report indicate that matahari_serviced is not transitioning domains to their proper context. If matahari_serviced is supposed to start and stop all services, we have to write that policy. Adding the following policy might fix that problem. # ==================== mymatahari.te ========================================== policy_module(mymatahari, 1.0) gen_require(` type matahari_serviced_t; ') init_spec_domtrans_script(matahari_serviced_t) #=============================================================================== make -f /usr/share/selinux/devel/Makefile # semodule -i mymatahari.pp
Angus, Will you test comment #6 and see if the problem persists? If so, make sure to get another audit2allow report. Thanks, Adam
Dan, Not sure audit2allow is the right thing to do here. matahari-qmf-serviced could conceivably need to run any script in /etc/init.d which in turn could need to run any binary on the system, it would be analogous to trying to come up with a policy for /sbin/init. Is there any way to run this daemon unconstrained? I can't think of any other path forward that makes sense.
init_spec_domtrans_script(matahari_serviced_t) Will allow it to run any script within the init directory but more important then running matahari-qmf-serviced as an unconfined domain is to make sure that all confined applications continue to be confined after marahari restarts them. For example if matahari-qmf-serviced was to restart apache we want the apache to be running as httpd_t not matahari_serviced_t. selinux-policy-3.10.0-18.fc16 Will have the policy described above.
I am adding it to RHEL6/F15/F14
Angus, Can you test the latest selinux-policy to see if the problem persists? Thanks, Adam
-18 appears broken just as -46 and -52 does.
This seems to be a duplicate of 749682
Angus, can you retest with the selinux policy package that is listed in: https://bugzilla.redhat.com/show_bug.cgi?id=749682#c9 as dwalsh thinks that this new selinux package should fix the issue
Closing since Angus hasn't complained about this in nearly two months. Angus, please reopen if you're still having issues.