Description of problem:

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.7.19-108.el6.noarch
selinux-policy-minimum-3.7.19-108.el6.noarch
selinux-policy-mls-3.7.19-108.el6.noarch
selinux-policy-3.7.19-108.el6.noarch
selinux-policy-doc-3.7.19-108.el6.noarch

How reproducible:
always

Steps to Reproduce:
1. get a fresh RHEL-6.2 machine
2. run /CoreOS/selinux-policy/Regression/bz271561-corosync-and-similar

Actual results:
----
type=SYSCALL msg=audit(08/25/2011 15:44:56.906:26312) : arch=i386 syscall=access success=no exit=-13(Permission denied) a0=9d95674 a1=1 a2=bfa0d074 a3=ffffff9c items=0 ppid=28005 pid=28006 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=11 comm=find exe=/bin/find subj=unconfined_u:system_r:corosync_t:s0 key=(null)
type=AVC msg=audit(08/25/2011 15:44:56.906:26312) : avc: denied { execute } for pid=28006 comm=find name=SAPDatabase dev=dm-0 ino=158424 scontext=unconfined_u:system_r:corosync_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
----
type=SYSCALL msg=audit(08/25/2011 15:44:56.908:26313) : arch=i386 syscall=access success=no exit=-13(Permission denied) a0=9d95a9c a1=1 a2=bfa0d074 a3=ffffff9c items=0 ppid=28005 pid=28006 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=11 comm=find exe=/bin/find subj=unconfined_u:system_r:corosync_t:s0 key=(null)
type=AVC msg=audit(08/25/2011 15:44:56.908:26313) : avc: denied { execute } for pid=28006 comm=find name=checkquorum dev=dm-0 ino=147727 scontext=unconfined_u:system_r:corosync_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
----
type=SYSCALL msg=audit(08/25/2011 15:44:56.908:26314) : arch=i386 syscall=access success=no exit=-13(Permission denied) a0=9d96474 a1=1 a2=bfa0d074 a3=ffffff9c items=0 ppid=28005 pid=28006 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=11 comm=find exe=/bin/find subj=unconfined_u:system_r:corosync_t:s0 key=(null)
type=AVC msg=audit(08/25/2011 15:44:56.908:26314) : avc: denied { execute } for pid=28006 comm=find name=fence_scsi_check.pl dev=dm-0 ino=142731 scontext=unconfined_u:system_r:corosync_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
----
type=SYSCALL msg=audit(08/25/2011 15:44:56.908:26315) : arch=i386 syscall=access success=no exit=-13(Permission denied) a0=9d96ac4 a1=1 a2=bfa0d074 a3=ffffff9c items=0 ppid=28005 pid=28006 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=11 comm=find exe=/bin/find subj=unconfined_u:system_r:corosync_t:s0 key=(null)
type=AVC msg=audit(08/25/2011 15:44:56.908:26315) : avc: denied { execute } for pid=28006 comm=find name=SAPInstance dev=dm-0 ino=158425 scontext=unconfined_u:system_r:corosync_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
----
type=SYSCALL msg=audit(08/25/2011 15:44:57.096:26316) : arch=i386 syscall=stat64 success=no exit=-13(Permission denied) a0=bfde0dfd a1=86b7ac0 a2=a32ff4 a3=bfde0dfd items=0 ppid=28002 pid=28021 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=11 comm=ls exe=/bin/ls subj=unconfined_u:system_r:corosync_t:s0 key=(null)
type=AVC msg=audit(08/25/2011 15:44:57.096:26316) : avc: denied { getattr } for pid=28021 comm=ls path=/usr/sbin/fence_node dev=dm-0 ino=36397 scontext=unconfined_u:system_r:corosync_t:s0 tcontext=system_u:object_r:fenced_exec_t:s0 tclass=file
----
type=SYSCALL msg=audit(08/25/2011 15:44:57.103:26317) : arch=i386 syscall=stat64 success=no exit=-13(Permission denied) a0=bfde0e99 a1=86b7dc0 a2=a32ff4 a3=bfde0e99 items=0 ppid=28002 pid=28021 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=11 comm=ls exe=/bin/ls subj=unconfined_u:system_r:corosync_t:s0 key=(null)
type=AVC msg=audit(08/25/2011 15:44:57.103:26317) : avc: denied { getattr } for pid=28021 comm=ls path=/usr/sbin/fence_tool dev=dm-0 ino=18509 scontext=unconfined_u:system_r:corosync_t:s0 tcontext=system_u:object_r:fenced_exec_t:s0 tclass=file
----
type=SYSCALL msg=audit(08/25/2011 15:44:57.316:26318) : arch=i386 syscall=fsetxattr success=no exit=-13(Permission denied) a0=4 a1=bfb1b080 a2=9a90a70 a3=2b items=0 ppid=28002 pid=28037 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=11 comm=cp exe=/bin/cp subj=unconfined_u:system_r:corosync_t:s0 key=(null)
type=AVC msg=audit(08/25/2011 15:44:57.316:26318) : avc: denied { relabelfrom } for pid=28037 comm=cp name=cluster.rng dev=dm-0 ino=51364 scontext=unconfined_u:system_r:corosync_t:s0 tcontext=unconfined_u:object_r:corosync_tmp_t:s0 tclass=file
----
type=SYSCALL msg=audit(08/25/2011 15:44:57.319:26319) : arch=i386 syscall=fsetxattr success=no exit=-13(Permission denied) a0=4 a1=bfb1b040 a2=9a90b30 a3=2b items=0 ppid=28002 pid=28037 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=11 comm=cp exe=/bin/cp subj=unconfined_u:system_r:corosync_t:s0 key=(null)
type=AVC msg=audit(08/25/2011 15:44:57.319:26319) : avc: denied { relabelfrom } for pid=28037 comm=cp name=fence_agents.rng.cache dev=dm-0 ino=51365 scontext=unconfined_u:system_r:corosync_t:s0 tcontext=unconfined_u:object_r:corosync_tmp_t:s0 tclass=file
----
type=SYSCALL msg=audit(08/25/2011 15:44:57.320:26320) : arch=i386 syscall=fsetxattr success=no exit=-13(Permission denied) a0=4 a1=bfb1b000 a2=9a90bd0 a3=2b items=0 ppid=28002 pid=28037 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=11 comm=cp exe=/bin/cp subj=unconfined_u:system_r:corosync_t:s0 key=(null)
type=AVC msg=audit(08/25/2011 15:44:57.320:26320) : avc: denied { relabelfrom } for pid=28037 comm=cp name=fence_agents.rng.hash dev=dm-0 ino=51366 scontext=unconfined_u:system_r:corosync_t:s0 tcontext=unconfined_u:object_r:corosync_tmp_t:s0 tclass=file
----
type=SYSCALL msg=audit(08/25/2011 15:44:57.320:26321) : arch=i386 syscall=fsetxattr success=no exit=-13(Permission denied) a0=4 a1=bfb1afc0 a2=9a90c70 a3=2b items=0 ppid=28002 pid=28037 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=11 comm=cp exe=/bin/cp subj=unconfined_u:system_r:corosync_t:s0 key=(null)
type=AVC msg=audit(08/25/2011 15:44:57.320:26321) : avc: denied { relabelfrom } for pid=28037 comm=cp name=resources.rng.cache dev=dm-0 ino=51367 scontext=unconfined_u:system_r:corosync_t:s0 tcontext=unconfined_u:object_r:corosync_tmp_t:s0 tclass=file
----
type=SYSCALL msg=audit(08/25/2011 15:44:57.320:26322) : arch=i386 syscall=fsetxattr success=no exit=-13(Permission denied) a0=4 a1=bfb1af80 a2=9a90c70 a3=2b items=0 ppid=28002 pid=28037 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=11 comm=cp exe=/bin/cp subj=unconfined_u:system_r:corosync_t:s0 key=(null)
type=AVC msg=audit(08/25/2011 15:44:57.320:26322) : avc: denied { relabelfrom } for pid=28037 comm=cp name=resources.rng.hash dev=dm-0 ino=51368 scontext=unconfined_u:system_r:corosync_t:s0 tcontext=unconfined_u:object_r:corosync_tmp_t:s0 tclass=file
----
type=SYSCALL msg=audit(08/25/2011 15:44:57.321:26323) : arch=i386 syscall=fsetxattr success=no exit=-13(Permission denied) a0=4 a1=bfb1af50 a2=9a90ad8 a3=2b items=0 ppid=28002 pid=28037 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=11 comm=cp exe=/bin/cp subj=unconfined_u:system_r:corosync_t:s0 key=(null)
type=AVC msg=audit(08/25/2011 15:44:57.321:26323) : avc: denied { relabelfrom } for pid=28037 comm=cp name=rng_update.lock dev=dm-0 ino=51369 scontext=unconfined_u:system_r:corosync_t:s0 tcontext=unconfined_u:object_r:corosync_tmp_t:s0 tclass=file
----

Expected results:
* no AVCs
Milos, could you add to your tests

# echo "-w /etc/shadow -p wa" >> /etc/audit/audit.rules
# service auditd restart

then we will get full paths.
Also please add AVC in permissive mode.

# chcon -t bin_t PATHO/$cluster_tool_directory/$tools
comment#1 advice applied:

----
time->Fri Aug 26 08:04:27 2011
type=PATH msg=audit(1314360267.529:212): item=0 name="fence_scsi_check.pl" inode=1184341 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:usr_t:s0
type=CWD msg=audit(1314360267.529:212): cwd="/usr/share/cluster"
type=SYSCALL msg=audit(1314360267.529:212): arch=c000003e syscall=21 success=no exit=-13 a0=1ddab68 a1=1 a2=7fff0c26a6b0 a3=100 items=1 ppid=19844 pid=19845 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="find" exe="/bin/find" subj=unconfined_u:system_r:corosync_t:s0 key=(null)
type=AVC msg=audit(1314360267.529:212): avc: denied { execute } for pid=19845 comm="find" name="fence_scsi_check.pl" dev=dm-0 ino=1184341 scontext=unconfined_u:system_r:corosync_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
----
time->Fri Aug 26 08:04:27 2011
type=PATH msg=audit(1314360267.529:213): item=0 name="SAPDatabase" inode=1184359 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:usr_t:s0
type=CWD msg=audit(1314360267.529:213): cwd="/usr/share/cluster"
type=SYSCALL msg=audit(1314360267.529:213): arch=c000003e syscall=21 success=no exit=-13 a0=1ddb9c8 a1=1 a2=7fff0c26a6b0 a3=100 items=1 ppid=19844 pid=19845 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="find" exe="/bin/find" subj=unconfined_u:system_r:corosync_t:s0 key=(null)
type=AVC msg=audit(1314360267.529:213): avc: denied { execute } for pid=19845 comm="find" name="SAPDatabase" dev=dm-0 ino=1184359 scontext=unconfined_u:system_r:corosync_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
----
time->Fri Aug 26 08:04:27 2011
type=PATH msg=audit(1314360267.529:214): item=0 name="checkquorum" inode=1184352 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:usr_t:s0
type=CWD msg=audit(1314360267.529:214): cwd="/usr/share/cluster"
type=SYSCALL msg=audit(1314360267.529:214): arch=c000003e syscall=21 success=no exit=-13 a0=1ddc5e8 a1=1 a2=7fff0c26a6b0 a3=100 items=1 ppid=19844 pid=19845 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="find" exe="/bin/find" subj=unconfined_u:system_r:corosync_t:s0 key=(null)
type=AVC msg=audit(1314360267.529:214): avc: denied { execute } for pid=19845 comm="find" name="checkquorum" dev=dm-0 ino=1184352 scontext=unconfined_u:system_r:corosync_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
----
time->Fri Aug 26 08:04:27 2011
type=PATH msg=audit(1314360267.529:215): item=0 name="SAPInstance" inode=1184360 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:usr_t:s0
type=CWD msg=audit(1314360267.529:215): cwd="/usr/share/cluster"
type=SYSCALL msg=audit(1314360267.529:215): arch=c000003e syscall=21 success=no exit=-13 a0=1ddc828 a1=1 a2=7fff0c26a6b0 a3=100 items=1 ppid=19844 pid=19845 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="find" exe="/bin/find" subj=unconfined_u:system_r:corosync_t:s0 key=(null)
type=AVC msg=audit(1314360267.529:215): avc: denied { execute } for pid=19845 comm="find" name="SAPInstance" dev=dm-0 ino=1184360 scontext=unconfined_u:system_r:corosync_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
----
time->Fri Aug 26 08:04:27 2011
type=PATH msg=audit(1314360267.564:216): item=0 name="/usr/sbin/fence_node" inode=1050123 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:fenced_exec_t:s0
type=CWD msg=audit(1314360267.564:216): cwd="/"
type=SYSCALL msg=audit(1314360267.564:216): arch=c000003e syscall=4 success=no exit=-13 a0=7fffcc02cdf9 a1=887010 a2=887010 a3=1b items=1 ppid=19841 pid=19860 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="ls" exe="/bin/ls" subj=unconfined_u:system_r:corosync_t:s0 key=(null)
type=AVC msg=audit(1314360267.564:216): avc: denied { getattr } for pid=19860 comm="ls" path="/usr/sbin/fence_node" dev=dm-0 ino=1050123 scontext=unconfined_u:system_r:corosync_t:s0 tcontext=system_u:object_r:fenced_exec_t:s0 tclass=file
----
time->Fri Aug 26 08:04:27 2011
type=PATH msg=audit(1314360267.565:217): item=0 name="/usr/sbin/fence_tool" inode=1060160 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:fenced_exec_t:s0
type=CWD msg=audit(1314360267.565:217): cwd="/"
type=SYSCALL msg=audit(1314360267.565:217): arch=c000003e syscall=4 success=no exit=-13 a0=7fffcc02ce95 a1=887490 a2=887490 a3=15 items=1 ppid=19841 pid=19860 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="ls" exe="/bin/ls" subj=unconfined_u:system_r:corosync_t:s0 key=(null)
type=AVC msg=audit(1314360267.565:217): avc: denied { getattr } for pid=19860 comm="ls" path="/usr/sbin/fence_tool" dev=dm-0 ino=1060160 scontext=unconfined_u:system_r:corosync_t:s0 tcontext=system_u:object_r:fenced_exec_t:s0 tclass=file
----
time->Fri Aug 26 08:04:27 2011
type=PATH msg=audit(1314360267.614:218): item=0 name=(null) inode=2621702 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:corosync_tmp_t:s0
type=SYSCALL msg=audit(1314360267.614:218): arch=c000003e syscall=190 success=no exit=-13 a0=4 a1=7fff47110d30 a2=e81470 a3=2b items=1 ppid=19841 pid=19874 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="cp" exe="/bin/cp" subj=unconfined_u:system_r:corosync_t:s0 key=(null)
type=AVC msg=audit(1314360267.614:218): avc: denied { relabelfrom } for pid=19874 comm="cp" name="cluster.rng" dev=dm-0 ino=2621702 scontext=unconfined_u:system_r:corosync_t:s0 tcontext=unconfined_u:object_r:corosync_tmp_t:s0 tclass=file
----
time->Fri Aug 26 08:04:27 2011
type=PATH msg=audit(1314360267.615:219): item=0 name=(null) inode=2621703 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:corosync_tmp_t:s0
type=SYSCALL msg=audit(1314360267.615:219): arch=c000003e syscall=190 success=no exit=-13 a0=4 a1=7fff47110cf0 a2=e814f0 a3=2b items=1 ppid=19841 pid=19874 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="cp" exe="/bin/cp" subj=unconfined_u:system_r:corosync_t:s0 key=(null)
type=AVC msg=audit(1314360267.615:219): avc: denied { relabelfrom } for pid=19874 comm="cp" name="fence_agents.rng.cache" dev=dm-0 ino=2621703 scontext=unconfined_u:system_r:corosync_t:s0 tcontext=unconfined_u:object_r:corosync_tmp_t:s0 tclass=file
----
time->Fri Aug 26 08:04:27 2011
type=PATH msg=audit(1314360267.615:220): item=0 name=(null) inode=2621704 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:corosync_tmp_t:s0
type=SYSCALL msg=audit(1314360267.615:220): arch=c000003e syscall=190 success=no exit=-13 a0=4 a1=7fff47110cb0 a2=e78490 a3=2b items=1 ppid=19841 pid=19874 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="cp" exe="/bin/cp" subj=unconfined_u:system_r:corosync_t:s0 key=(null)
type=AVC msg=audit(1314360267.615:220): avc: denied { relabelfrom } for pid=19874 comm="cp" name="fence_agents.rng.hash" dev=dm-0 ino=2621704 scontext=unconfined_u:system_r:corosync_t:s0 tcontext=unconfined_u:object_r:corosync_tmp_t:s0 tclass=file
----
time->Fri Aug 26 08:04:27 2011
type=PATH msg=audit(1314360267.616:221): item=0 name=(null) inode=2621705 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:corosync_tmp_t:s0
type=SYSCALL msg=audit(1314360267.616:221): arch=c000003e syscall=190 success=no exit=-13 a0=4 a1=7fff47110c70 a2=e78520 a3=2b items=1 ppid=19841 pid=19874 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="cp" exe="/bin/cp" subj=unconfined_u:system_r:corosync_t:s0 key=(null)
type=AVC msg=audit(1314360267.616:221): avc: denied { relabelfrom } for pid=19874 comm="cp" name="resources.rng.cache" dev=dm-0 ino=2621705 scontext=unconfined_u:system_r:corosync_t:s0 tcontext=unconfined_u:object_r:corosync_tmp_t:s0 tclass=file
----
time->Fri Aug 26 08:04:27 2011
type=PATH msg=audit(1314360267.616:222): item=0 name=(null) inode=2621706 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:corosync_tmp_t:s0
type=SYSCALL msg=audit(1314360267.616:222): arch=c000003e syscall=190 success=no exit=-13 a0=4 a1=7fff47110c30 a2=e785d0 a3=2b items=1 ppid=19841 pid=19874 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="cp" exe="/bin/cp" subj=unconfined_u:system_r:corosync_t:s0 key=(null)
type=AVC msg=audit(1314360267.616:222): avc: denied { relabelfrom } for pid=19874 comm="cp" name="resources.rng.hash" dev=dm-0 ino=2621706 scontext=unconfined_u:system_r:corosync_t:s0 tcontext=unconfined_u:object_r:corosync_tmp_t:s0 tclass=file
----
time->Fri Aug 26 08:04:27 2011
type=PATH msg=audit(1314360267.616:223): item=0 name=(null) inode=2621707 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:corosync_tmp_t:s0
type=SYSCALL msg=audit(1314360267.616:223): arch=c000003e syscall=190 success=no exit=-13 a0=4 a1=7fff47110c00 a2=e78680 a3=2b items=1 ppid=19841 pid=19874 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="cp" exe="/bin/cp" subj=unconfined_u:system_r:corosync_t:s0 key=(null)
type=AVC msg=audit(1314360267.616:223): avc: denied { relabelfrom } for pid=19874 comm="cp" name="rng_update.lock" dev=dm-0 ino=2621707 scontext=unconfined_u:system_r:corosync_t:s0 tcontext=unconfined_u:object_r:corosync_tmp_t:s0 tclass=file
----
time->Fri Aug 26 08:05:21 2011
type=PATH msg=audit(1314360321.449:225): item=0 name="SAPDatabase" inode=1184359 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:usr_t:s0
type=CWD msg=audit(1314360321.449:225): cwd="/usr/share/cluster"
type=SYSCALL msg=audit(1314360321.449:225): arch=c000003e syscall=21 success=no exit=-13 a0=1b0f9c8 a1=1 a2=7fff0a4eb670 a3=100 items=1 ppid=20750 pid=20751 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="find" exe="/bin/find" subj=unconfined_u:system_r:corosync_t:s0 key=(null)
type=AVC msg=audit(1314360321.449:225): avc: denied { execute } for pid=20751 comm="find" name="SAPDatabase" dev=dm-0 ino=1184359 scontext=unconfined_u:system_r:corosync_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
----
time->Fri Aug 26 08:05:21 2011
type=PATH msg=audit(1314360321.449:226): item=0 name="checkquorum" inode=1184352 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:usr_t:s0
type=CWD msg=audit(1314360321.449:226): cwd="/usr/share/cluster"
type=SYSCALL msg=audit(1314360321.449:226): arch=c000003e syscall=21 success=no exit=-13 a0=1b105e8 a1=1 a2=7fff0a4eb670 a3=100 items=1 ppid=20750 pid=20751 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="find" exe="/bin/find" subj=unconfined_u:system_r:corosync_t:s0 key=(null)
type=AVC msg=audit(1314360321.449:226): avc: denied { execute } for pid=20751 comm="find" name="checkquorum" dev=dm-0 ino=1184352 scontext=unconfined_u:system_r:corosync_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
----
time->Fri Aug 26 08:05:21 2011
type=PATH msg=audit(1314360321.450:227): item=0 name="SAPInstance" inode=1184360 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:usr_t:s0
type=CWD msg=audit(1314360321.450:227): cwd="/usr/share/cluster"
type=SYSCALL msg=audit(1314360321.450:227): arch=c000003e syscall=21 success=no exit=-13 a0=1b10828 a1=1 a2=7fff0a4eb670 a3=100 items=1 ppid=20750 pid=20751 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="find" exe="/bin/find" subj=unconfined_u:system_r:corosync_t:s0 key=(null)
type=AVC msg=audit(1314360321.450:227): avc: denied { execute } for pid=20751 comm="find" name="SAPInstance" dev=dm-0 ino=1184360 scontext=unconfined_u:system_r:corosync_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
----
time->Fri Aug 26 08:05:21 2011
type=PATH msg=audit(1314360321.484:228): item=0 name="/usr/sbin/fence_node" inode=1050123 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:fenced_exec_t:s0
type=CWD msg=audit(1314360321.484:228): cwd="/"
type=SYSCALL msg=audit(1314360321.484:228): arch=c000003e syscall=4 success=no exit=-13 a0=7fff3374fdf9 a1=cec010 a2=cec010 a3=1b items=1 ppid=20747 pid=20766 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="ls" exe="/bin/ls" subj=unconfined_u:system_r:corosync_t:s0 key=(null)
type=AVC msg=audit(1314360321.484:228): avc: denied { getattr } for pid=20766 comm="ls" path="/usr/sbin/fence_node" dev=dm-0 ino=1050123 scontext=unconfined_u:system_r:corosync_t:s0 tcontext=system_u:object_r:fenced_exec_t:s0 tclass=file
----
time->Fri Aug 26 08:05:21 2011
type=PATH msg=audit(1314360321.485:229): item=0 name="/usr/sbin/fence_tool" inode=1060160 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:fenced_exec_t:s0
type=CWD msg=audit(1314360321.485:229): cwd="/"
type=SYSCALL msg=audit(1314360321.485:229): arch=c000003e syscall=4 success=no exit=-13 a0=7fff3374fe95 a1=cec490 a2=cec490 a3=15 items=1 ppid=20747 pid=20766 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="ls" exe="/bin/ls" subj=unconfined_u:system_r:corosync_t:s0 key=(null)
type=AVC msg=audit(1314360321.485:229): avc: denied { getattr } for pid=20766 comm="ls" path="/usr/sbin/fence_tool" dev=dm-0 ino=1060160 scontext=unconfined_u:system_r:corosync_t:s0 tcontext=system_u:object_r:fenced_exec_t:s0 tclass=file
----
time->Fri Aug 26 08:05:21 2011
type=PATH msg=audit(1314360321.535:230): item=0 name=(null) inode=2621715 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:corosync_tmp_t:s0
type=SYSCALL msg=audit(1314360321.535:230): arch=c000003e syscall=190 success=no exit=-13 a0=4 a1=7fff52d33c70 a2=20f1470 a3=2b items=1 ppid=20747 pid=20780 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="cp" exe="/bin/cp" subj=unconfined_u:system_r:corosync_t:s0 key=(null)
type=AVC msg=audit(1314360321.535:230): avc: denied { relabelfrom } for pid=20780 comm="cp" name="cluster.rng" dev=dm-0 ino=2621715 scontext=unconfined_u:system_r:corosync_t:s0 tcontext=unconfined_u:object_r:corosync_tmp_t:s0 tclass=file
----
time->Fri Aug 26 08:05:21 2011
type=PATH msg=audit(1314360321.535:231): item=0 name=(null) inode=2621716 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:corosync_tmp_t:s0
type=SYSCALL msg=audit(1314360321.535:231): arch=c000003e syscall=190 success=no exit=-13 a0=4 a1=7fff52d33c30 a2=20f14f0 a3=2b items=1 ppid=20747 pid=20780 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="cp" exe="/bin/cp" subj=unconfined_u:system_r:corosync_t:s0 key=(null)
type=AVC msg=audit(1314360321.535:231): avc: denied { relabelfrom } for pid=20780 comm="cp" name="fence_agents.rng.cache" dev=dm-0 ino=2621716 scontext=unconfined_u:system_r:corosync_t:s0 tcontext=unconfined_u:object_r:corosync_tmp_t:s0 tclass=file
----
time->Fri Aug 26 08:05:21 2011
type=PATH msg=audit(1314360321.536:232): item=0 name=(null) inode=2621717 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:corosync_tmp_t:s0
type=SYSCALL msg=audit(1314360321.536:232): arch=c000003e syscall=190 success=no exit=-13 a0=4 a1=7fff52d33bf0 a2=20e8490 a3=2b items=1 ppid=20747 pid=20780 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="cp" exe="/bin/cp" subj=unconfined_u:system_r:corosync_t:s0 key=(null)
type=AVC msg=audit(1314360321.536:232): avc: denied { relabelfrom } for pid=20780 comm="cp" name="fence_agents.rng.hash" dev=dm-0 ino=2621717 scontext=unconfined_u:system_r:corosync_t:s0 tcontext=unconfined_u:object_r:corosync_tmp_t:s0 tclass=file
----
time->Fri Aug 26 08:05:21 2011
type=PATH msg=audit(1314360321.536:233): item=0 name=(null) inode=2621718 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:corosync_tmp_t:s0
type=SYSCALL msg=audit(1314360321.536:233): arch=c000003e syscall=190 success=no exit=-13 a0=4 a1=7fff52d33bb0 a2=20e8520 a3=2b items=1 ppid=20747 pid=20780 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="cp" exe="/bin/cp" subj=unconfined_u:system_r:corosync_t:s0 key=(null)
type=AVC msg=audit(1314360321.536:233): avc: denied { relabelfrom } for pid=20780 comm="cp" name="resources.rng.cache" dev=dm-0 ino=2621718 scontext=unconfined_u:system_r:corosync_t:s0 tcontext=unconfined_u:object_r:corosync_tmp_t:s0 tclass=file
----
time->Fri Aug 26 08:05:21 2011
type=PATH msg=audit(1314360321.537:234): item=0 name=(null) inode=2621719 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:corosync_tmp_t:s0
type=SYSCALL msg=audit(1314360321.537:234): arch=c000003e syscall=190 success=no exit=-13 a0=4 a1=7fff52d33b70 a2=20e85d0 a3=2b items=1 ppid=20747 pid=20780 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="cp" exe="/bin/cp" subj=unconfined_u:system_r:corosync_t:s0 key=(null)
type=AVC msg=audit(1314360321.537:234): avc: denied { relabelfrom } for pid=20780 comm="cp" name="resources.rng.hash" dev=dm-0 ino=2621719 scontext=unconfined_u:system_r:corosync_t:s0 tcontext=unconfined_u:object_r:corosync_tmp_t:s0 tclass=file
----
time->Fri Aug 26 08:05:21 2011
type=PATH msg=audit(1314360321.538:235): item=0 name=(null) inode=2621720 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:corosync_tmp_t:s0
type=SYSCALL msg=audit(1314360321.538:235): arch=c000003e syscall=190 success=no exit=-13 a0=4 a1=7fff52d33b40 a2=20e8680 a3=2b items=1 ppid=20747 pid=20780 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="cp" exe="/bin/cp" subj=unconfined_u:system_r:corosync_t:s0 key=(null)
type=AVC msg=audit(1314360321.538:235): avc: denied { relabelfrom } for pid=20780 comm="cp" name="rng_update.lock" dev=dm-0 ino=2621720 scontext=unconfined_u:system_r:corosync_t:s0 tcontext=unconfined_u:object_r:corosync_tmp_t:s0 tclass=file
----
time->Fri Aug 26 08:05:21 2011
type=PATH msg=audit(1314360321.449:224): item=0 name="fence_scsi_check.pl" inode=1184341 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:usr_t:s0
type=CWD msg=audit(1314360321.449:224): cwd="/usr/share/cluster"
type=SYSCALL msg=audit(1314360321.449:224): arch=c000003e syscall=21 success=no exit=-13 a0=1b0eb68 a1=1 a2=7fff0a4eb670 a3=100 items=1 ppid=20750 pid=20751 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="find" exe="/bin/find" subj=unconfined_u:system_r:corosync_t:s0 key=(null)
type=AVC msg=audit(1314360321.449:224): avc: denied { execute } for pid=20751 comm="find" name="fence_scsi_check.pl" dev=dm-0 ino=1184341 scontext=unconfined_u:system_r:corosync_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
----
*** Bug 733656 has been marked as a duplicate of this bug. ***
The following module helped me to reduce the number of AVCs to 4:

module mypolicy 1.0;

require {
	type corosync_t;
	type corosync_tmp_t;
	type cluster_var_lib_t;
	type fenced_t;
	type fenced_exec_t;
	type var_run_t;
	class file { relabelfrom relabelto getattr open write ioctl };
}

#============= corosync_t ==============
allow corosync_t corosync_tmp_t:file relabelfrom;
allow corosync_t cluster_var_lib_t:file relabelto;
allow corosync_t fenced_exec_t:file getattr;

#============= fenced_t ==============
allow fenced_t var_run_t:file { open write getattr ioctl };

Those 4 AVCs are of this kind:

----
time->Fri Aug 26 10:35:03 2011
type=SYSCALL msg=audit(1314369303.694:1621): arch=40000003 syscall=33 success=no exit=-13 a0=9eb889c a1=1 a2=bfed07d4 a3=ffffff9c items=0 ppid=21149 pid=21150 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="find" exe="/bin/find" subj=unconfined_u:system_r:corosync_t:s0 key=(null)
type=AVC msg=audit(1314369303.694:1621): avc: denied { execute } for pid=21150 comm="find" name="SAPDatabase" dev=dm-0 ino=1182604 scontext=unconfined_u:system_r:corosync_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
----

Once I change the context of the following files to bin_t, the number of AVCs immediately goes to hundreds:

/usr/share/cluster/SAPDatabase
/usr/share/cluster/SAPInstance
/usr/share/cluster/fence_scsi_check.pl
/usr/share/cluster/checkquorum
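As an added example (not code from this report or from the selinux-policy package): a small Python triage script that parses AVC records of the kind quoted in this bug, aggregates the denials by source type, target type and object class into allow rules shaped like the local module above, and keeps `execute` denials on generic file types such as `usr_t` out of the module, since in this bug those were handled as a labeling problem (chcon -t bin_t) rather than a missing rule. The GENERIC_TYPES set, the module name and the sample input (AVC lines copied from the comments, one record per line as ausearch prints them) are my assumptions.

```python
"""Triage SELinux AVC denials from an audit log and draft a local policy module.

Added example for this bug report; not code from the report or from the
selinux-policy package. Expects one audit record per line, as ausearch prints
them (the wrapped dumps in the report would need to be re-joined first).
"""
import re
from collections import defaultdict

# Constructed sample: AVC records copied from the comments in this report,
# plus one SYSCALL record to show that non-AVC lines are ignored.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1314369303.694:1621): arch=40000003 syscall=33 success=no exit=-13 a0=9eb889c a1=1 a2=bfed07d4 a3=ffffff9c items=0 ppid=21149 pid=21150 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="find" exe="/bin/find" subj=unconfined_u:system_r:corosync_t:s0 key=(null)
type=AVC msg=audit(1314369303.694:1621): avc: denied { execute } for pid=21150 comm="find" name="SAPDatabase" dev=dm-0 ino=1182604 scontext=unconfined_u:system_r:corosync_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1314360267.564:216): avc: denied { getattr } for pid=19860 comm="ls" path="/usr/sbin/fence_node" dev=dm-0 ino=1050123 scontext=unconfined_u:system_r:corosync_t:s0 tcontext=system_u:object_r:fenced_exec_t:s0 tclass=file
type=AVC msg=audit(1314360267.614:218): avc: denied { relabelfrom } for pid=19874 comm="cp" name="cluster.rng" dev=dm-0 ino=2621702 scontext=unconfined_u:system_r:corosync_t:s0 tcontext=unconfined_u:object_r:corosync_tmp_t:s0 tclass=file
type=AVC msg=audit(1318517874.571:65821): avc: denied { relabelto } for pid=17606 comm="cp" name="cluster.rng" dev=dm-0 ino=1831438 scontext=system_u:system_r:corosync_t:s0 tcontext=unconfined_u:object_r:cluster_var_lib_t:s0 tclass=file
type=AVC msg=audit(1318517874.573:65822): avc: denied { relabelto } for pid=17606 comm="cp" name="fence_agents.rng.cache" dev=dm-0 ino=1831439 scontext=system_u:system_r:corosync_t:s0 tcontext=unconfined_u:object_r:cluster_var_lib_t:s0 tclass=file
"""

# Handles both the raw auditd form (comm="find") and the `ausearch -i` form
# (comm=find) seen in this report.
AVC_RE = re.compile(
    r'type=AVC .*?avc: +denied +\{ (?P<perms>[^}]+)\} for pid=\d+ '
    r'comm="?(?P<comm>[^" ]+)"? '
    r'(?:(?:name|path)="?(?P<target>[^" ]+)"? )?.*?'
    r'scontext=(?P<scontext>\S+) +tcontext=(?P<tcontext>\S+) +tclass=(?P<tclass>\S+)'
)

# Generic file types that a confined domain should not be granted execute on:
# an execute denial on them means the file is mislabeled (fix the label, as
# was done in this report), not that the domain needs a new allow rule.
# Assumed list for this example.
GENERIC_TYPES = {"usr_t", "var_t", "var_lib_t", "etc_t"}


def context_type(ctx):
    """Return the type field of an SELinux context (user:role:type[:range])."""
    return ctx.split(":")[2]


def parse_avcs(text):
    """Return one dict per AVC record found in the text; other records are skipped."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue
        records.append({
            "perms": set(m["perms"].split()),
            "comm": m["comm"],
            "target": m["target"],
            "stype": context_type(m["scontext"]),
            "ttype": context_type(m["tcontext"]),
            "tclass": m["tclass"],
        })
    return records


def triage(records):
    """Split denials into policy candidates and labeling problems.

    Returns (allow, relabel): allow maps (source type, target type, class) to
    the union of denied permissions; relabel lists (comm, target, type) for
    execute denials on generic file types, which need a label fix instead.
    """
    allow = defaultdict(set)
    relabel = []
    for r in records:
        perms = set(r["perms"])
        if "execute" in perms and r["ttype"] in GENERIC_TYPES:
            relabel.append((r["comm"], r["target"], r["ttype"]))
            perms.discard("execute")
        if perms:
            allow[(r["stype"], r["ttype"], r["tclass"])] |= perms
    return dict(allow), relabel


def render_module(allow, name="localcluster"):
    """Render the allow map as a .te module in the same shape as the one above."""
    types = sorted({t for key in allow for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, tclass), perms in allow.items():
        classes[tclass] |= perms
    lines = [f"module {name} 1.0;", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    lines += ["}", ""]
    for (stype, ttype, tclass), perms in sorted(allow.items()):
        p = " ".join(sorted(perms))
        if len(perms) > 1:
            p = f"{{ {p} }}"
        lines.append(f"allow {stype} {ttype}:{tclass} {p};")
    return "\n".join(lines)


if __name__ == "__main__":
    allow, relabel = triage(parse_avcs(SAMPLE_AUDIT))
    for comm, target, ttype in relabel:
        print(f"# {comm} tried to execute {target} labeled {ttype}: fix the label (e.g. chcon -t bin_t)")
    print(render_module(allow))
```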
Could you try to execute

# chcon -t bin_t /usr/share/cluster/SAPDatabase /usr/share/cluster/SAPInstance /usr/share/cluster/checkquorum /usr/share/cluster/fence_scsi_check.pl

and remove

allow fenced_t var_run_t:file { open write getattr ioctl };

from your local policy. I would like to see AVC msgs.
Fixed in selinux-policy-3.7.19-109.el6
*** Bug 733513 has been marked as a duplicate of this bug. ***
I'm still hitting AVCs with selinux-policy-3.7.19-115.el6 when starting cman.

type=AVC msg=audit(1318517874.571:65821): avc: denied { relabelto } for pid=17606 comm="cp" name="cluster.rng" dev=dm-0 ino=1831438 scontext=system_u:system_r:corosync_t:s0 tcontext=unconfined_u:object_r:cluster_var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1318517874.571:65821): arch=c000003e syscall=190 success=no exit=-13 a0=4 a1=7fff748ddb60 a2=1f08470 a3=2b items=1 ppid=17575 pid=17606 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cp" exe="/bin/cp" subj=system_u:system_r:corosync_t:s0 key=(null)
type=PATH msg=audit(1318517874.571:65821): item=0 name=(null) inode=1831438 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:corosync_tmp_t:s0
type=AVC msg=audit(1318517874.573:65822): avc: denied { relabelto } for pid=17606 comm="cp" name="fence_agents.rng.cache" dev=dm-0 ino=1831439 scontext=system_u:system_r:corosync_t:s0 tcontext=unconfined_u:object_r:cluster_var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1318517874.573:65822): arch=c000003e syscall=190 success=no exit=-13 a0=4 a1=7fff748ddb20 a2=1f084f0 a3=2b items=1 ppid=17575 pid=17606 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cp" exe="/bin/cp" subj=system_u:system_r:corosync_t:s0 key=(null)
type=PATH msg=audit(1318517874.573:65822): item=0 name=(null) inode=1831439 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:corosync_tmp_t:s0
type=AVC msg=audit(1318517874.574:65823): avc: denied { relabelto } for pid=17606 comm="cp" name="fence_agents.rng.hash" dev=dm-0 ino=1831440 scontext=system_u:system_r:corosync_t:s0 tcontext=unconfined_u:object_r:cluster_var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1318517874.574:65823): arch=c000003e syscall=190 success=no exit=-13 a0=4 a1=7fff748ddae0 a2=1eff490 a3=2b items=1 ppid=17575 pid=17606 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cp" exe="/bin/cp" subj=system_u:system_r:corosync_t:s0 key=(null)
type=PATH msg=audit(1318517874.574:65823): item=0 name=(null) inode=1831440 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:corosync_tmp_t:s0
type=AVC msg=audit(1318517874.584:65824): avc: denied { relabelto } for pid=17606 comm="cp" name="resources.rng.cache" dev=dm-0 ino=1831441 scontext=system_u:system_r:corosync_t:s0 tcontext=unconfined_u:object_r:cluster_var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1318517874.584:65824): arch=c000003e syscall=190 success=no exit=-13 a0=4 a1=7fff748ddaa0 a2=1eff520 a3=2b items=1 ppid=17575 pid=17606 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cp" exe="/bin/cp" subj=system_u:system_r:corosync_t:s0 key=(null)
type=PATH msg=audit(1318517874.584:65824): item=0 name=(null) inode=1831441 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:corosync_tmp_t:s0
type=AVC msg=audit(1318517874.584:65825): avc: denied { relabelto } for pid=17606 comm="cp" name="resources.rng.hash" dev=dm-0 ino=1831442 scontext=system_u:system_r:corosync_t:s0 tcontext=unconfined_u:object_r:cluster_var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1318517874.584:65825): arch=c000003e syscall=190 success=no exit=-13 a0=4 a1=7fff748dda60 a2=1eff5d0 a3=2b items=1 ppid=17575 pid=17606 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cp" exe="/bin/cp" subj=system_u:system_r:corosync_t:s0 key=(null)
Does cman start correctly? These look like constraints.
It does start correctly, as far as I can tell. I'm not sure what the purpose of these files is. Including development.
Those files are created/used by ccs_update_schema. ccs_update_schema uses a tempdir in /tmp/random.XXXX and then cp/mv those files to /var/lib/cluster/ and takes some backup of the previously installed files in /var/lib/cluster. It can be called manually, via ccs_config_validate, via cman_tool and via the init script.
A few days ago I reported a special bug concerning the "relabelto" operation:

* https://bugzilla.redhat.com/show_bug.cgi?id=744689

I would recommend closing this bug as VERIFIED and focusing on bz#744689. What do you think?
I am finally able to reproduce it and I have a fix.
(In reply to comment #19)
> Few days ago I have reported a special bug concerning "relabelto" operation:
> * https://bugzilla.redhat.com/show_bug.cgi?id=744689
>
> I would recommend to close this bug as VERIFIED and focus on bz#744689. What do
> you think?

Sounds good, moving back to VERIFIED. Milos, can you please cc: mspqa-list on any cluster related bugs?
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1511.html