Bug 738529 - SELinux prevents sanlock work
Summary: SELinux prevents sanlock work
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.2
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2011-09-15 05:48 UTC by Alex Jia
Modified: 2012-10-04 10:15 UTC (History)

Fixed In Version: selinux-policy-3.7.19-112.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-12-06 10:18:55 UTC
Target Upstream Version:
Embargoed:

Links:
Red Hat Product Errata RHBA-2011:1511 (normal, SHIPPED_LIVE): selinux-policy bug fix and enhancement update, last updated 2011-12-06 00:39:17 UTC

Description Alex Jia 2011-09-15 05:48:55 UTC
Description of problem:
The virt-sanlock-cleanup command can be executed successfully; however, the sanlock daemon will release the lease due to an SELinux issue.

In fact, virt-sanlock-cleanup will call 'sanlock client command -r' command.


Version-Release number of selected component (if applicable):
# uname -r
2.6.32-193.el6.x86_64

# rpm -q libvirt
libvirt-0.9.4-11.el6.x86_64

# rpm -q libvirt-lock-sanlock
libvirt-lock-sanlock-0.9.4-11.el6.x86_64 (virt-sanlock-cleanup)

# rpm -q sanlock
sanlock-1.7-4.el6.x86_64

# rpm -q selinux-policy
selinux-policy-3.7.19-109.el6.noarch

How reproducible:
Always.

Steps to Reproduce:
1. please refer to Comment 7 from bug 735442 (to generate the lease file)
   # ll -aZ /var/lib/libvirt/sanlock
   drwx------. root root system_u:object_r:virt_var_lib_t:s0 .
   drwxr-xr-x. root root system_u:object_r:virt_var_lib_t:s0 ..
   -rw-------. root root unconfined_u:object_r:virt_var_lib_t:s0   9ba8f0215a51a6dc0aa077c427b749c8
   -rw-------. root root unconfined_u:object_r:virt_var_lib_t:s0 __LIBVIRT__DISKS__

2. run virt-sanlock-cleanup
3. grep AVC /var/log/audit/audit.log
  
Actual results:
# grep AVC /var/log/audit/audit.log |tail -4

type=AVC msg=audit(1316063927.519:48994): avc:  denied  { search } for  pid=25420 comm="sanlock" name="libvirt" dev=sda9 ino=3015123 scontext=unconfined_u:system_r:sanlock_t:s0 tcontext=system_u:object_r:virt_var_lib_t:s0 tclass=dir

type=AVC msg=audit(1316063927.519:48994): avc:  denied  { read write } for  pid=25420 comm="sanlock" name="9ba8f0215a51a6dc0aa077c427b749c8" dev=sda9 ino=131283 scontext=unconfined_u:system_r:sanlock_t:s0 tcontext=unconfined_u:object_r:virt_var_lib_t:s0 tclass=file

type=AVC msg=audit(1316063927.519:48994): avc:  denied  { open } for  pid=25420 comm="sanlock" name="9ba8f0215a51a6dc0aa077c427b749c8" dev=sda9 ino=131283 scontext=unconfined_u:system_r:sanlock_t:s0 tcontext=unconfined_u:object_r:virt_var_lib_t:s0 tclass=file

type=AVC msg=audit(1316063927.519:48995): avc:  denied  { getattr } for  pid=25420 comm="sanlock" path="/var/lib/libvirt/sanlock/9ba8f0215a51a6dc0aa077c427b749c8" dev=sda9 ino=131283 scontext=unconfined_u:system_r:sanlock_t:s0 tcontext=unconfined_u:object_r:virt_var_lib_t:s0 tclass=file


Expected results:
Fix it.

Additional info:

Comment 1 Miroslav Grepl 2011-09-15 11:30:33 UTC
Does it work if you execute

# grep sanlock /var/log/audit/audit.log |audit2allow -M sanlock
# semodule -i sanlock.pp

Comment 2 Alex Jia 2011-09-16 14:44:23 UTC
# grep sanlock /var/log/audit/audit.log |audit2allow -M sanlock
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i sanlock.pp

[root@localhost ~]# semodule -i sanlock.pp
libsepol.print_missing_requirements: sanlock's global requirements were not met: type/attribute sanlock_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
semodule:  Failed!


Alex

Comment 3 Daniel Walsh 2011-09-16 15:52:34 UTC
You cannot name a package with the same name as the module.

Miroslav meant to say.

# grep sanlock /var/log/audit/audit.log |audit2allow -M mysanlock
# semodule -i mysanlock.pp

Comment 4 Alex Jia 2011-09-16 16:42:54 UTC
(In reply to comment #3)
> You cannot name a package with the same name as the module.
> 
> Miroslav meant to say.
> 
> # grep sanlock /var/log/audit/audit.log |audit2allow -M mysanlock
> # semodule -i mysanlock.pp

Yeah, sanlock works well now based on the above steps. Daniel, thanks for your comment.

Alex

Comment 5 Miroslav Grepl 2011-09-16 21:30:48 UTC
Oops, my bad.

This should be fixed in the latest -111.el6 policy release which is available from brew for testing.

Comment 7 Alex Jia 2011-09-28 09:17:31 UTC
The above issues have been resolved on selinux-policy-3.7.19-112.el6.noarch, but I met another issue when I create or destroy a guest; for details, please refer to https://bugzilla.redhat.com/show_bug.cgi?id=735442.

When I tried the following operations, I met bug 738188 again, maybe I shouldn't do this:

# grep sanlock /var/log/audit/audit.log |audit2allow -M mysanlock
# semodule -i mysanlock.pp


# virsh create /root/demo1.xml
Domain demo1 created from /root/demo1.xml

# grep AVC /var/log/audit/audit.log
type=AVC msg=audit(1317200388.275:103): avc:  denied  { sigkill } for  pid=19505 comm="sanlock" scontext=unconfined_u:system_r:sanlock_t:s0 tcontext=system_u:system_r:svirt_t:s0:c940,c997 tclass=process

# virsh destroy demo1
Domain demo1 destroyed

# grep AVC /var/log/audit/audit.log
type=AVC msg=audit(1317200388.275:103): avc:  denied  { sigkill } for  pid=19505 comm="sanlock" scontext=unconfined_u:system_r:sanlock_t:s0 tcontext=system_u:system_r:svirt_t:s0:c940,c997 tclass=process
type=AVC msg=audit(1317200460.170:128): avc:  denied  { sigkill } for  pid=19505 comm="sanlock" scontext=unconfined_u:system_r:sanlock_t:s0 tcontext=system_u:system_r:svirt_t:s0:c115,c277 tclass=process

# grep sanlock /var/log/audit/audit.log |audit2allow -M mysanlock
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i mysanlock.pp

# semodule -i mysanlock.pp
# virsh create /root/demo1.xml
error: Failed to create domain from /root/demo1.xml
error: internal error Failed to open socket to sanlock daemon: Operation not permitted

# grep AVC /var/log/audit/audit.log
type=AVC msg=audit(1317200388.275:103): avc:  denied  { sigkill } for  pid=19505 comm="sanlock" scontext=unconfined_u:system_r:sanlock_t:s0 tcontext=system_u:system_r:svirt_t:s0:c940,c997 tclass=process
type=AVC msg=audit(1317200460.170:128): avc:  denied  { sigkill } for  pid=19505 comm="sanlock" scontext=unconfined_u:system_r:sanlock_t:s0 tcontext=system_u:system_r:svirt_t:s0:c115,c277 tclass=process
type=AVC msg=audit(1317201002.861:176): avc:  denied  { connectto } for  pid=19911 comm="libvirtd" path="/var/run/sanlock/sanlock.sock" scontext=system_u:system_r:svirt_t:s0:c381,c588 tcontext=unconfined_u:system_r:sanlock_t:s0 tclass=unix_stream_socket


Additional information:

SELinux is preventing /usr/sbin/sanlock from using the sigkill access on a process.

Additional Information:
Source Context                unconfined_u:system_r:sanlock_t:s0
Target Context                system_u:system_r:svirt_t:s0:c555,c634
Target Objects                Unknown [ process ]
Source                        sanlock
Source Path                   /usr/sbin/sanlock
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           sanlock-1.7-4.el6
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.19-112.el6
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.32-193.el6.x86_64
                              #1 SMP Mon Aug 29 11:19:20 EDT 2011 x86_64 x86_64
Alert Count                   1
First Seen                    Wed 28 Sep 2011 05:01:33 PM CST
Last Seen                     Wed 28 Sep 2011 05:01:33 PM CST
Local ID                      e0ce778a-e0cc-4505-a62e-69bd5d7dd79a

Raw Audit Messages
type=AVC msg=audit(1317200493.494:153): avc:  denied  { sigkill } for  pid=19505 comm="sanlock" scontext=unconfined_u:system_r:sanlock_t:s0 tcontext=system_u:system_r:svirt_t:s0:c555,c634 tclass=process


type=SYSCALL msg=audit(1317200493.494:153): arch=x86_64 syscall=kill success=yes exit=0 a0=4d33 a1=9 a2=7f5a49920148 a3=1 items=0 ppid=1 pid=19505 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm=sanlock exe=/usr/sbin/sanlock subj=unconfined_u:system_r:sanlock_t:s0 key=(null)

Hash: sanlock,sanlock_t,svirt_t,process,sigkill

audit2allow

#============= sanlock_t ==============
#!!!! This avc is a constraint violation.  You will need to add an attribute to either the source or target type to make it work.
#Contraint rule: 
allow sanlock_t svirt_t:process sigkill;

audit2allow -R

#============= sanlock_t ==============
#!!!! This avc is a constraint violation.  You will need to add an attribute to either the source or target type to make it work.
#Contraint rule: 
allow sanlock_t svirt_t:process sigkill;

Comment 8 Daniel Walsh 2011-09-28 15:37:40 UTC
Miroslav, we need to run sanlock ranged, just like virtd_t.

ifdef(`enable_mcs',`
	init_ranged_daemon_domain(sanlock_t, sanlock_exec_t, s0 - mcs_systemhigh)
')

ifdef(`enable_mls',`
	init_ranged_daemon_domain(sanlock_t, sanlock_exec_t, s0 - mls_systemhigh)
')
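As an added example (not code from this bug report or from the selinux-policy project), a small Python checker that parses AVC records like the ones quoted in Comment 7 and separates ordinary type-enforcement denials, which an `audit2allow -M mysanlock` module can cover, from MCS dominance failures like the sigkill denial, which need the source domain run ranged as Comment 8 describes. The sample records are constructed from the denials on this page; the check assumes the process-signal constraint audit2allow flags is "source high level dominates target high level".

```python
import re

# Constructed sample records modelled on the denials quoted in this bug report:
# a type-enforcement denial on a directory and a sigkill denial on a process.
SAMPLE_AVCS = [
    'type=AVC msg=audit(1316063927.519:48994): avc:  denied  { search } for  pid=25420 comm="sanlock" name="libvirt" dev=sda9 ino=3015123 scontext=unconfined_u:system_r:sanlock_t:s0 tcontext=system_u:object_r:virt_var_lib_t:s0 tclass=dir',
    'type=AVC msg=audit(1317200388.275:103): avc:  denied  { sigkill } for  pid=19505 comm="sanlock" scontext=unconfined_u:system_r:sanlock_t:s0 tcontext=system_u:system_r:svirt_t:s0:c940,c997 tclass=process',
]
AVC_RE = re.compile(r"denied\s+\{ (?P<perms>[^}]+)\}.*?scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<c>\S+)")
CAT_RE = re.compile(r"c(\d+)(?:\.c(\d+))?")

def parse_level(level):
    """'s0:c940,c997' -> (0, {940, 997}); a 'c0.c1023' range is expanded."""
    sens, _, cats = level.partition(":")
    categories = set()
    for m in CAT_RE.finditer(cats):
        lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
        categories.update(range(lo, hi + 1))
    return int(sens[1:]), categories

def parse_context(ctx):
    """'user:role:type:low[-high]' -> (type, low level, high level)."""
    _user, _role, typ, rng = ctx.split(":", 3)
    low, _, high = rng.partition("-")
    low_level = parse_level(low)
    return typ, low_level, (parse_level(high) if high else low_level)

def dominates(a, b):
    """MLS/MCS dominance: sensitivity >= and categories a superset."""
    return a[0] >= b[0] and a[1] >= b[1]

def classify(avc_line):
    """('type-enforcement', rule) when an allow rule is enough; ('mcs-constraint',
    note) when the source's high level does not dominate the target's, which a
    plain allow rule from audit2allow cannot fix (assumed constraint: h1 dom h2)."""
    m = AVC_RE.search(avc_line)
    if m is None:
        raise ValueError("not an AVC record")
    perms = " ".join(m["perms"].split())
    styp, _, shi = parse_context(m["s"])
    ttyp, _, thi = parse_context(m["t"])
    rule = f"allow {styp} {ttyp}:{m['c']} {{ {perms} }};"
    if m["c"] == "process" and not dominates(shi, thi):
        srange, trange = m["s"].split(":", 3)[3], m["t"].split(":", 3)[3]
        return ("mcs-constraint", f"{styp} runs at {srange} but must dominate "
                f"{trange}: run it ranged (s0 - mcs_systemhigh) as well as {rule}")
    return ("type-enforcement", rule)

for line in SAMPLE_AVCS:
    print(classify(line))
```

Re-running the classifier on the same sigkill record with the source context widened to `s0-s0:c0.c1023` (what the ranged daemon gets) turns it back into a plain type-enforcement denial that a single allow rule covers.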

Comment 10 errata-xmlrpc 2011-12-06 10:18:55 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1511.html

