Description of problem:

Version-Release number of selected component (if applicable):
selinux-policy-minimum-3.7.19-118.el6.noarch
selinux-policy-mls-3.7.19-118.el6.noarch
selinux-policy-targeted-3.7.19-118.el6.noarch
selinux-policy-3.7.19-118.el6.noarch
selinux-policy-doc-3.7.19-118.el6.noarch
piranha-0.8.5-9.el6.i686

How reproducible:
always

Steps to Reproduce:
1) get a fresh RHEL-6.2 machine
2) yum -y install ipvsadm piranha setools-console policycoreutils-python
3) run following automated test:
   /CoreOS/selinux-policy/Regression/bz584451-piranha-and-ipvsadm

Actual results:
----
time->Wed Oct 19 08:37:30 2011
type=SYSCALL msg=audit(1319027850.553:84231): arch=40000003 syscall=11 success=yes exit=0 a0=98bd430 a1=98bd480 a2=98bd6b8 a3=98bd480 items=0 ppid=25278 pid=25279 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=12 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1319027850.553:84231): avc: denied { read } for pid=25279 comm="httpd" path="/etc/sysconfig/ha/lvs.cf" dev=dm-0 ino=263342 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:piranha_etc_rw_t:s0 tclass=file
----
time->Wed Oct 19 08:37:38 2011
type=SYSCALL msg=audit(1319027858.888:84232): arch=40000003 syscall=11 success=yes exit=0 a0=9283430 a1=9283480 a2=92836b8 a3=9283480 items=0 ppid=25362 pid=25363 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=12 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1319027858.888:84232): avc: denied { read } for pid=25363 comm="httpd" path="/etc/sysconfig/ha/lvs.cf" dev=dm-0 ino=263342 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:piranha_etc_rw_t:s0 tclass=file
----

Expected results:
* no AVCs
dontaudit candidate ?
Yes, but should be fixed in pulse which is leaking.
Two things:

* the test case which produces this particular error appears to be using fos - in fos.c, it's pretty clear that we don't close the lvs.cf prior to the run() function call; this is an easy fix. The catch is that since RHEL 2.1 we have never supported fos mode of pulse.

* Piranha-gui spawns httpd, and has for the better part of 12 years used php to edit /etc/sysconfig/ha/lvs.cf - appears that is not working if you try to log in and edit the lvs.cf from piranha-gui (I think this is a separate issue, I don't know if it's a blocker or not):

type=AVC msg=audit(1319043483.057:3985): avc: denied { write } for pid=8524 comm="httpd" name="lvs.cf" dev=dm-0 ino=137226 scontext=unconfined_u:system_r:piranha_web_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1319043483.057:3985): arch=c000003e syscall=2 success=no exit=-13 a0=7fc8384a27c0 a1=2 a2=1b6 a3=21 items=0 ppid=8522 pid=8524 auid=0 uid=60 gid=60 euid=60 suid=60 fsuid=60 egid=60 sgid=60 fsgid=60 tty=(none) ses=168 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:piranha_web_t:s0 key=(null)
Created attachment 529060 [details]
Close fd after reading configuration file
(In reply to comment #6)
>
> * Piranha-gui spawns httpd, and has for the better part of 12 years used php to
> edit /etc/sysconfig/ha/lvs.cf - appears that is not working if you try to log
> in and edit the lvs.cf from piranha-gui

... is bug 746764

Nothing to see here.
(In reply to comment #0)
> Steps to Reproduce:
> 1) get a fresh RHEL-6.2 machine
> 2) yum -y install ipvsadm piranha setools-console policycoreutils-python
> 3) run following automated test:
> /CoreOS/selinux-policy/Regression/bz584451-piranha-and-ipvsadm

Where do I find the test referenced in step #3?
Created attachment 561701 [details]
lvs.cf file fos mode httpd

Here is an example lvs.cf file that can be used to control httpd in fos mode. This is useful for reproducing the problem and testing the fix. Be sure to replace IP_ADDRESS and ETH_DEVICE with appropriate values.
In this test, it is best to turn off any existing httpd services to avoid confusion. With httpd turned off, check that no httpd processes exist:

# pidof httpd
(no output)

Using the lvs.cf file to control httpd in fos mode, start pulse:

# service pulse start
Starting pulse:                                            [  OK  ]

This should start piranha in fos mode and start httpd as a failover service. Now look for the leaking file descriptor:

# for a in `pidof httpd`; do ls -l /proc/$a/fd | grep lvs; done
lr-x------. 1 root root 64 Feb 13 17:14 3 -> /etc/sysconfig/ha/lvs.cf
lr-x------. 1 root root 64 Feb 13 17:14 3 -> /etc/sysconfig/ha/lvs.cf
lr-x------. 1 root root 64 Feb 13 17:14 3 -> /etc/sysconfig/ha/lvs.cf
lr-x------. 1 root root 64 Feb 13 17:14 3 -> /etc/sysconfig/ha/lvs.cf
lr-x------. 1 root root 64 Feb 13 17:14 3 -> /etc/sysconfig/ha/lvs.cf
lr-x------. 1 root root 64 Feb 13 17:14 3 -> /etc/sysconfig/ha/lvs.cf
lr-x------. 1 root root 64 Feb 13 17:14 3 -> /etc/sysconfig/ha/lvs.cf
lr-x------. 1 root root 64 Feb 13 17:14 3 -> /etc/sysconfig/ha/lvs.cf
lr-x------. 1 root root 64 Feb 13 17:14 3 -> /etc/sysconfig/ha/lvs.cf

These file descriptors for lvs.cf should not exist.

With patch, repeat the same test:

# service pulse start
Starting pulse:                                            [  OK  ]
# pidof httpd
2821 2820 2819 2818 2817 2816 2815 2814 2812

We have 9 httpd processes, none should have file descriptor for lvs.cf:

# for a in `pidof httpd`; do ls -l /proc/$a/fd | grep lvs; done
(no output)

This fixes the leaking file descriptor. I'll run the selinux test as soon as I get more information about how to do so.
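The mechanism behind both the AVC in the report and the fix in attachment 529060 (lvs.cf left open before the run() call in fos.c, so the exec'd httpd inherits a descriptor to a piranha_etc_rw_t file that httpd_t may not read) and the /proc/<pid>/fd check from the reproduction above, as an added C example. This is not piranha's code: the function names are invented, /dev/null stands in for /etc/sysconfig/ha/lvs.cf, and it assumes a Linux host with /proc mounted and /bin/sh present. It exercises the three choices a parent process has at the exec boundary: leave the descriptor open (the bug), close() it once the configuration has been read (the attached patch), or open it with O_CLOEXEC so that every exec path closes it automatically.

```c
/* Added example: file-descriptor leak across fork()+exec(), not piranha code.
 * /dev/null stands in for /etc/sysconfig/ha/lvs.cf (assumption). */
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

enum fd_policy {
    FD_LEAK,               /* the bug: config fd stays open across exec      */
    FD_CLOSE_BEFORE_EXEC,  /* the attached fix: close() after reading config */
    FD_CLOEXEC_FLAG        /* defensive default: open(2) with O_CLOEXEC      */
};

/* Open the stand-in config file, fork, and exec /bin/sh in the child to ask
 * whether that descriptor number still exists in the child's /proc/self/fd.
 * Returns 1 if the descriptor leaked into the exec'd program, 0 if it did
 * not, -1 on error (fork/exec failure, no /proc, no /bin/sh). */
int fd_leaks_across_exec(enum fd_policy policy)
{
    int flags = O_RDONLY | (policy == FD_CLOEXEC_FLAG ? O_CLOEXEC : 0);
    int fd = open("/dev/null", flags);
    if (fd < 0)
        return -1;

    pid_t pid = fork();
    if (pid < 0) {
        close(fd);
        return -1;
    }
    if (pid == 0) {
        /* Child: this is the point where pulse's run() execs the service. */
        if (policy == FD_CLOSE_BEFORE_EXEC)
            close(fd);
        char cmd[64];
        snprintf(cmd, sizeof cmd, "test -e /proc/self/fd/%d", fd);
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    close(fd);

    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    int rc = WEXITSTATUS(status);
    if (rc == 127)
        return -1;
    return rc == 0 ? 1 : 0;   /* test -e succeeded => fd survived exec */
}

/* The "ls -l /proc/$pid/fd | grep" check from the reproduction, in C: count
 * the descriptors of `pid` whose link target equals `path`. -1 if unreadable. */
int open_fds_on_path(pid_t pid, const char *path)
{
    char dir[64];
    snprintf(dir, sizeof dir, "/proc/%d/fd", (int)pid);
    DIR *d = opendir(dir);
    if (!d)
        return -1;
    int count = 0;
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        if (e->d_name[0] == '.')
            continue;
        char link[PATH_MAX], target[PATH_MAX];
        snprintf(link, sizeof link, "%s/%s", dir, e->d_name);
        ssize_t n = readlink(link, target, sizeof target - 1);
        if (n < 0)
            continue;
        target[n] = '\0';
        if (strcmp(target, path) == 0)
            count++;
    }
    closedir(d);
    return count;
}

/* Sanity check for open_fds_on_path(): opening the stand-in file once must
 * raise our own count for it by exactly one. Returns that delta, -1 on error. */
int fd_count_delta_for_open(void)
{
    int before = open_fds_on_path(getpid(), "/dev/null");
    int fd = open("/dev/null", O_RDONLY);
    int after = open_fds_on_path(getpid(), "/dev/null");
    if (fd >= 0)
        close(fd);
    return (before < 0 || after < 0 || fd < 0) ? -1 : after - before;
}

int main(void)
{
    printf("left open (the bug):   leaked=%d\n", fd_leaks_across_exec(FD_LEAK));
    printf("close() before exec:   leaked=%d\n", fd_leaks_across_exec(FD_CLOSE_BEFORE_EXEC));
    printf("O_CLOEXEC at open():   leaked=%d\n", fd_leaks_across_exec(FD_CLOEXEC_FLAG));
    return 0;
}
```

Closing the descriptor before run() repairs the one call site the report found; O_CLOEXEC (or fcntl(fd, F_SETFD, FD_CLOEXEC) on an already-open descriptor) closes it on every exec the daemon will ever do, which is the safer default for a privileged process that spawns services in other SELinux domains. The AVC is the symptom worth keeping visible: an inherited descriptor crossing a domain transition is exactly what a dontaudit rule would hide.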
Fixed in piranha-0.8.5-11.el6.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2012-0891.html