Bug 739065 - fence_scsi.key moved from /var/lib/cluster/ to /var/run/cluster/ but SELinux context did not follow
Summary: fence_scsi.key moved from /var/lib/cluster/ to /var/run/cluster/ but SELinux ...
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.2
Hardware: All
OS: Linux
Priority: medium
Severity: low
Target Milestone: rc
Assignee: Miroslav Grepl
QA Contact: Milos Malik
Reported: 2011-09-16 13:28 UTC by Milos Malik
Modified: 2012-11-23 21:07 UTC (History)

Fixed In Version: selinux-policy-targeted-3.7.19-114.el6
Doc Type: Bug Fix
Last Closed: 2011-12-06 10:19:06 UTC




Links
System | ID | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHBA-2011:1511 | normal | SHIPPED_LIVE | selinux-policy bug fix and enhancement update | 2011-12-06 00:39:17 UTC

Description Milos Malik 2011-09-16 13:28:57 UTC
Description of problem:
more info is at https://fedorahosted.org/pipermail/cluster-commits/2011-March/001843.html

I don't see AVCs as a result of this move now, but they could appear in the future depending on what actions will be performed on that file.

Version-Release number of selected component (if applicable):
selinux-policy-doc-3.7.19-110.el6.noarch
selinux-policy-3.7.19-110.el6.noarch
selinux-policy-minimum-3.7.19-110.el6.noarch
selinux-policy-mls-3.7.19-110.el6.noarch
selinux-policy-targeted-3.7.19-110.el6.noarch

Actual results:
# matchpathcon /var/lib/cluster/fence_scsi.key 
/var/lib/cluster/fence_scsi.key system_u:object_r:cluster_var_lib_t:s0
# matchpathcon /var/run/cluster/fence_scsi.key 
/var/run/cluster/fence_scsi.key system_u:object_r:var_run_t:s0
#

Comment 2 Miroslav Grepl 2011-09-16 13:55:32 UTC
Who needs to access to this file?

Comment 3 Ryan O'Hara 2011-09-16 22:59:59 UTC
(In reply to comment #2)
> Who needs to access to this file?

The fence_scsi agent (/usr/sbin/fence_scsi) and potentially the fence_scsi_check watchdog script.

Comment 5 Miroslav Grepl 2011-09-20 12:44:16 UTC
Ryan,
does it cause an issue? Does it work with SELinux in enforcing mode?

Comment 6 Ryan O'Hara 2011-09-23 17:36:48 UTC
(In reply to comment #5)
> Ryan,
> does it cause an issue? Does it work with SELinux in enforcing mode?

I have not seen any issues, but QE needs to give the official answer here.

Comment 8 Ryan O'Hara 2011-09-26 15:19:38 UTC
I encountered no issues when testing on RHEL6.2.

Note that the files created in /var/run/cluster/ by fence_scsi get the following context in my test:

# ls -Z /var/run/cluster/
-rw-r--r--. root root unconfined_u:object_r:fenced_var_run_t:s0 fence_scsi.dev
-rw-r--r--. root root unconfined_u:object_r:fenced_var_run_t:s0 fence_scsi.key

That does not match what is reported in comment #1.

Comment 9 Miroslav Grepl 2011-09-26 16:19:57 UTC
Yes, this is ok. But I need to add labeling for it. I didn't realize we have a transition rule for the /var/run/cluster directory.

But the /var/run/cluster/fence directory would be nice.

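The discrepancy between comment 1 and comment 8 is worth checking for mechanically: matchpathcon reports what the policy's file_contexts would assign on a relabel, while ls -Z reports what the file actually got, here from a type_transition in the fenced domain at creation time. Any file where the two differ will silently change type on the next restorecon or full relabel. The script below, an added example that is not code from the bug report or from the selinux-policy package, parses both outputs and lists the drifting files. Its sample input is constructed: the ls -Z lines copy comment 8, the matchpathcon line for fence_scsi.key copies comment 1, the matchpathcon line for fence_scsi.dev assumes it falls under the same directory default as the key file, and example.txt is a hypothetical file whose label already matches.

```shell
#!/bin/sh
# Added example for this bug (not code from the bug report or from the
# selinux-policy package): compare the label each file actually carries
# (ls -Z) with the label the policy's file_contexts would assign on a
# relabel (matchpathcon), and report every file where the two differ.
# Such files got their label from a type_transition when they were
# created, and a `restorecon` would silently relabel them.

# Constructed sample input. The ls -Z lines copy comment 8; the
# matchpathcon line for fence_scsi.key copies comment 1, the line for
# fence_scsi.dev assumes it gets the same directory default, and
# example.txt is a hypothetical file whose label already matches.
LS_SAMPLE='-rw-r--r--. root root unconfined_u:object_r:fenced_var_run_t:s0 fence_scsi.dev
-rw-r--r--. root root unconfined_u:object_r:fenced_var_run_t:s0 fence_scsi.key
-rw-r--r--. root root unconfined_u:object_r:var_run_t:s0 example.txt'

MATCHPATHCON_SAMPLE='/var/run/cluster/fence_scsi.dev system_u:object_r:var_run_t:s0
/var/run/cluster/fence_scsi.key system_u:object_r:var_run_t:s0
/var/run/cluster/example.txt system_u:object_r:var_run_t:s0'

# Turn an `ls -Z` listing of directory $1 (read from stdin) into "path type"
# lines. The context field is located by its :object_r: component rather than
# by position, so both the RHEL 6 layout (mode user group context name) and the
# newer coreutils layout (context name) parse. The file name is taken as the
# last field, so names containing spaces are not handled.
listing_types() {
    awk -v d="$1" '
        { for (i = 1; i <= NF; i++)
              if ($i ~ /:object_r:/) { split($i, c, ":"); print d "/" $NF, c[3]; break } }'
}

# Turn `matchpathcon` output ("path context") into "path type" lines.
matchpathcon_types() {
    awk '{ split($2, c, ":"); print $1, c[3] }'
}

# Report files whose actual type (file $1) differs from the expected type
# (file $2). Both arguments are files of "path type" lines.
label_drift() {
    awk 'NR == FNR { want[$1] = $2; next }
         ($1 in want) && want[$1] != $2 { print $1, "has", $2, "expected", want[$1] }' "$2" "$1"
}

# Run the comparison over the constructed sample above.
drift_demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' "$LS_SAMPLE" | listing_types /var/run/cluster > "$tmp/actual"
    printf '%s\n' "$MATCHPATHCON_SAMPLE" | matchpathcon_types > "$tmp/expected"
    label_drift "$tmp/actual" "$tmp/expected"
    rm -rf "$tmp"
}

# Same comparison against a live directory; needs ls -Z and matchpathcon
# (libselinux-utils) on an SELinux-enabled host.
live_drift() {
    dir=$1
    tmp=$(mktemp -d) || return 1
    ls -Z "$dir" | listing_types "$dir" > "$tmp/actual"
    awk '{ print $1 }' "$tmp/actual" | xargs matchpathcon | matchpathcon_types > "$tmp/expected"
    label_drift "$tmp/actual" "$tmp/expected"
    rm -rf "$tmp"
}

drift_demo
```

On the sample this reports fence_scsi.dev and fence_scsi.key as carrying fenced_var_run_t where the policy expects var_run_t, and stays silent on the file whose label matches. On a real host, `restorecon -nv /var/run/cluster` gives the same answer in one command (the -n flag reports without changing anything). Until a policy with the fix, selinux-policy-targeted-3.7.19-114.el6 per comment 11, is installed, a local file-context entry such as `semanage fcontext -a -t fenced_var_run_t '/var/run/cluster/fence_scsi\.key'` followed by `restorecon -v /var/run/cluster/fence_scsi.key` pins the label the transition already produces and which comment 9 accepts, so a relabel no longer flips it back to var_run_t.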
Comment 11 Miroslav Grepl 2011-10-05 05:01:02 UTC
Fixed in selinux-policy-targeted-3.7.19-114.el6

Comment 14 errata-xmlrpc 2011-12-06 10:19:06 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1511.html

