739065 – fence_scsi.key moved from /var/lib/cluster/ to /var/run/cluster/ but SELinux context did not follow

Bug 739065 - fence_scsi.key moved from /var/lib/cluster/ to /var/run/cluster/ but SELinux context did not follow

Summary: fence_scsi.key moved from /var/lib/cluster/ to /var/run/cluster/ but SELinux ...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	6.2
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	low
Target Milestone:	rc
Target Release:	---
Assignee:	Miroslav Grepl
QA Contact:	Milos Malik
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2011-09-16 13:28 UTC by Milos Malik
Modified:	2012-11-23 21:07 UTC (History)
CC List:	3 users (show)
Fixed In Version:	selinux-policy-targeted-3.7.19-114.el6
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2011-12-06 10:19:06 UTC
Target Upstream Version:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2011:1511	0	normal	SHIPPED_LIVE	selinux-policy bug fix and enhancement update	2011-12-06 00:39:17 UTC

Description Milos Malik 2011-09-16 13:28:57 UTC

Description of problem:
more info is at https://fedorahosted.org/pipermail/cluster-commits/2011-March/001843.html

I don't see AVCs as a result of this move now, but they could appear in the future depending on what actions will be performed on that file.

Version-Release number of selected component (if applicable):
selinux-policy-doc-3.7.19-110.el6.noarch
selinux-policy-3.7.19-110.el6.noarch
selinux-policy-minimum-3.7.19-110.el6.noarch
selinux-policy-mls-3.7.19-110.el6.noarch
selinux-policy-targeted-3.7.19-110.el6.noarch

Actual results:
# matchpathcon /var/lib/cluster/fence_scsi.key 
/var/lib/cluster/fence_scsi.key system_u:object_r:cluster_var_lib_t:s0
# matchpathcon /var/run/cluster/fence_scsi.key 
/var/run/cluster/fence_scsi.key system_u:object_r:var_run_t:s0
#

Comment 2 Miroslav Grepl 2011-09-16 13:55:32 UTC

Who needs to access to this file?

Comment 3 Ryan O'Hara 2011-09-16 22:59:59 UTC

(In reply to comment #2)
> Who needs to access to this file?

The fence_scsi agent (/usr/sbin/fence_scsi) and potentially the fence_scsi_check watchdog script.

Comment 5 Miroslav Grepl 2011-09-20 12:44:16 UTC

Ryan,
does it cause an issue? Does it work with SELinux in enforing mode?

Comment 6 Ryan O'Hara 2011-09-23 17:36:48 UTC

(In reply to comment #5)
> Ryan,
> does it cause an issue? Does it work with SELinux in enforing mode?

I have not seen any issues, but QE needs to give the official answer here.

Comment 8 Ryan O'Hara 2011-09-26 15:19:38 UTC

I encountered no issues when testing on RHEL6.2.

Note that the files created in /var/run/cluster/ by fence_scsi get the following context in my test:

# ls -Z /var/run/cluster/
-rw-r--r--. root root unconfined_u:object_r:fenced_var_run_t:s0 fence_scsi.dev
-rw-r--r--. root root unconfined_u:object_r:fenced_var_run_t:s0 fence_scsi.key

That does not match what is reported in comment #1.

Comment 9 Miroslav Grepl 2011-09-26 16:19:57 UTC

Yes, this is ok. But I need to add labeling for it. I didn't realize we have a transition rule for /var/run/cluster directory.

But the /var/run/cluster/fence directory would be nice.

Comment 11 Miroslav Grepl 2011-10-05 05:01:02 UTC

Fixed in selinux-policy-targeted-3.7.19-114.el6

Comment 14 errata-xmlrpc 2011-12-06 10:19:06 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1511.html

Note You need to log in before you can comment on or make changes to this bug.