Using RHEL 6.2 Beta with piranha-0.8.5-9.el6, piranha-gui reports error:

There was an error opening or creating the lvs.cf configuration file

The most likely cause is that the file permissions are incorrect. They should be set as follows

-rw-rw---- 1 root piranha 0 Mar 1 12:00 /etc/sysconfig/ha/lvs.cf

You can achieve this by issuing the following 3 commands as root

touch /etc/sysconfig/ha/lvs.cf
chmod 660 /etc/sysconfig/ha/lvs.cf
chown root.piranha /etc/sysconfig/ha/lvs.cf

Additionally, if the problem persists, please confirm that the group piranha exists in /etc/group and that the Group directive defined in /etc/sysconfig/ha/conf/httpd.conf is set as piranha.

Permission/ownership of lvs.cf appears to be correct. The settings in piranha's httpd.conf are also correct.

# ls -al /etc/sysconfig/ha/lvs.cf
-rw-rw----. 1 root piranha 7390 Aug 11 10:32 /etc/sysconfig/ha/lvs.cf

SELinux is enabled, but there are no AVCs in the audit log that suggest that SELinux is causing this problem.
I stand corrected. It does appear to be an selinux problem. I'm using selinux-policy-targeted-3.7.19-113.el6.

type=AVC msg=audit(1318878759.072:5850): avc: denied { write } for pid=8575 comm="httpd" name="lvs.cf" dev=dm-0 ino=150000 scontext=unconfined_u:system_r:piranha_web_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1318878759.072:5850): arch=c000003e syscall=2 success=no exit=-13 a0=7fe778fd8588 a1=2 a2=1b6 a3=21 items=0 ppid=8573 pid=8575 auid=0 uid=60 gid=60 euid=60 suid=60 fsuid=60 egid=60 sgid=60 fsgid=60 tty=(none) ses=950 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:piranha_web_t:s0 key=(null)

This can be recreated by the following steps.

1. Run piranha-passwd to set password for piranha-gui.
2. Run 'service piranha-gui start'.
3. Login with username 'piranha' and password set in step #1.
Not sure if this is helpful, but comparing selinux context of lvs.cf on RHEL5 vs RHEL6:

On RHEL5.7:

# ls -Z /etc/sysconfig/ha/lvs.cf
-rw-rw-r-- root piranha system_u:object_r:piranha_etc_rw_t /etc/sysconfig/ha/lvs.cf

On RHEL6.2 Beta:

# ls -Z /etc/sysconfig/ha/lvs.cf
-rw-rw----. root piranha system_u:object_r:etc_t:s0 /etc/sysconfig/ha/lvs.cf
Well, I would say this is not a valid bug on RHEL6.

The policy shows me

/etc/piranha/lvs\.cf -- gen_context(system_u:object_r:piranha_etc_rw_t,s0)

which I believe is the default location for the config file. You created a new one with the different location.

Yes, I can add label for it but you will need to run restorecon on it anyways.
(In reply to comment #4)
> Well, I would say this is not a valid bug on RHEL6.
>
> The policy shows me
>
> /etc/piranha/lvs\.cf -- gen_context(system_u:object_r:piranha_etc_rw_t,s0)
>
> which I believe is the default location for the config file. You created a new
> one with the different location.
>
> Yes, I can add label for it but you will need to run restorecon on it anyways.

No, I did not create a new config file in a different location. This is the default. It appears the policy is incorrect. The RHEL6 spec file also shows that /etc/sysconfig/ha/ is the correct location.
Ok, I will fix it. Then I was confused by

> You can achieve this by issuing the following 3 commands as root
> touch /etc/sysconfig/ha/lvs.cf
> chmod 660 /etc/sysconfig/ha/lvs.cf
> chown root.piranha /etc/sysconfig/ha/lvs.cf
(In reply to comment #6)
> Ok, I will fix it. Then I was confused by
>
> > You can achieve this by issuing the following 3 commands as root
> > touch /etc/sysconfig/ha/lvs.cf
> > chmod 660 /etc/sysconfig/ha/lvs.cf
> > chown root.piranha /etc/sysconfig/ha/lvs.cf

Thanks. Just let me know when a policy is available and I will test it immediately.
Fixed in selinux-policy-3.7.19-118.el6.noarch

# matchpathcon /etc/sysconfig/ha/lvs.cf
/etc/sysconfig/ha/lvs.cf system_u:object_r:piranha_etc_rw_t:s0
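Added example, not part of the bug thread or of the selinux-policy or piranha code: a small parser for the AVC/SYSCALL pair quoted earlier in this report, which compares the denied target's type with the context matchpathcon reports for the path. The function names and the 'relabel'/'policy' result strings are assumptions made for this illustration.

```python
import re

# Audit records from the report above; the SYSCALL record is shortened to the fields used here.
SAMPLE = (
    'type=AVC msg=audit(1318878759.072:5850): avc: denied { write } for pid=8575 '
    'comm="httpd" name="lvs.cf" dev=dm-0 ino=150000 '
    'scontext=unconfined_u:system_r:piranha_web_t:s0 '
    'tcontext=system_u:object_r:etc_t:s0 tclass=file\n'
    'type=SYSCALL msg=audit(1318878759.072:5850): arch=c000003e syscall=2 '
    'success=no exit=-13 uid=60 gid=60 comm="httpd" exe="/usr/sbin/httpd"\n'
)
EVENT_RE = re.compile(r'^type=(\w+) msg=audit\(([\d.]+:\d+)\)')
PERMS_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_denials(log):
    """Return one dict per AVC denial, joined to its SYSCALL record by event id."""
    syscalls, denials = {}, []
    for line in log.splitlines():
        head = EVENT_RE.match(line)
        if not head:
            continue
        rec = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        rec['event'] = head.group(2)
        perms = PERMS_RE.search(line)
        if head.group(1) == 'SYSCALL':
            syscalls[rec['event']] = rec
        elif head.group(1) == 'AVC' and perms:
            rec['perms'] = perms.group(1).split()
            denials.append(rec)
    for d in denials:  # SYSCALL follows AVC in the log, so join after the pass
        sc = syscalls.get(d['event'], {})
        d['exit'] = int(sc['exit']) if 'exit' in sc else None
        d['exe'] = sc.get('exe')
    return denials

def selinux_type(context):
    """Third field of user:role:type[:level]."""
    return context.split(':')[2]

def classify(denial, expected_context):
    """expected_context is what matchpathcon prints for the path (caller-supplied)."""
    if selinux_type(denial['tcontext']) != selinux_type(expected_context):
        return 'relabel'   # on-disk label differs from policy: restorecon applies
    return 'policy'        # label already matches policy: the policy itself must change

if __name__ == '__main__':
    for d in parse_denials(SAMPLE):
        print(d['exe'], d['perms'], d['name'], selinux_type(d['scontext']),
              '->', selinux_type(d['tcontext']), 'exit', d['exit'],
              classify(d, 'system_u:object_r:piranha_etc_rw_t:s0'))
```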
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2011-1511.html