Bug 749682 - matahari generates avcs and doesn't work properly
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 16
Hardware: Unspecified
OS: Unspecified
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Reported: 2011-10-27 21:39 UTC by Steven Dake
Modified: 2016-04-26 23:39 UTC

Fixed In Version: selinux-policy-3.10.0-55.fc16
Doc Type: Bug Fix
Last Closed: 2011-11-10 17:30:16 UTC


Attachments
audit log matahari no worky (242.33 KB, text/x-log)
2011-10-27 21:41 UTC, Steven Dake
relabled filesystem audit log (27.75 KB, text/x-log)
2011-10-28 17:45 UTC, Steven Dake
matahari running selinux -54 returns these audit problems (23.13 KB, text/x-log)
2011-11-07 15:47 UTC, Steven Dake

Description Steven Dake 2011-10-27 21:39:02 UTC
Description of problem:
Using pacemaker cloud to communicate with Matahari, Matahari appears nonoperational.  This looks like a regression - it was working previously.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.10.0-52.fc16.noarch
libselinux-2.1.6-4.fc16.x86_64
selinux-policy-doc-3.10.0-52.fc16.noarch
libselinux-utils-2.1.6-4.fc16.x86_64
selinux-policy-3.10.0-52.fc16.noarch
matahari-lib-0.4.7-0.1.94a4de1.git.fc16.x86_64
matahari-core-0.4.7-0.1.94a4de1.git.fc16.x86_64
matahari-agent-lib-0.4.7-0.1.94a4de1.git.fc16.x86_64
matahari-host-0.4.7-0.1.94a4de1.git.fc16.x86_64
matahari-service-0.4.7-0.1.94a4de1.git.fc16.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Create a full deployable and launch it via pacemaker cloud.
2. pcloudsh prints the errors:
Event: {'reason': 'insufficient privliges', 'assembly': 'assy3-F16', 'state': 'failed', 'service': 'httpd', 'deployable': 'dep1-F16'}
3. There are audit errors in the audit file which are attached.
  
Actual results:
pacemaker cloud doesn't work with selinux in guest vms because matahari is non-functional.

Expected results:
matahari should work without audit errors.

Additional info:

Comment 1 Steven Dake 2011-10-27 21:41:35 UTC
Created attachment 530573
audit log matahari no worky

Comment 2 Daniel Walsh 2011-10-28 13:11:29 UTC
The problem seems to be that you have an unlabeled file system.  file_t means a file does not have a label.

You need to put labels on this disk with restorecon, which should fix the problem, or relabel the entire machine with touch /.autorelabel; reboot

Comment 3 Daniel Walsh 2011-10-28 13:24:39 UTC
The rest of the AVCs that were real will be fixed in selinux-policy-3.10.0-53.fc16
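
Added example (not part of the bug report and not from the selinux-policy project): a small triage script for the distinction drawn in comments 2 and 3, separating AVC denials whose target type is file_t (unlabeled files, fixed by relabeling) from the remaining denials that need a policy change. The log lines, process names, paths and domain types below are constructed for illustration and are not taken from the attachments.

```python
import re
from collections import defaultdict

# Constructed sample lines in audit.log AVC format (not from the bug's attachments).
SAMPLE_LOG = """\
type=AVC msg=audit(1319751600.101:41): avc:  denied  { read } for  pid=901 comm="matahari-hostd" name="example.conf" dev=vda2 ino=1301 scontext=system_u:system_r:matahari_hostd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
type=SYSCALL msg=audit(1319751600.101:41): arch=c000003e syscall=2 success=no exit=-13 comm="matahari-hostd"
type=AVC msg=audit(1319751600.250:42): avc:  denied  { getattr open } for  pid=902 comm="matahari-serviced" path="/example/dir" dev=vda2 ino=1302 scontext=system_u:system_r:matahari_serviced_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1319751601.007:43): avc:  denied  { execute } for  pid=902 comm="matahari-serviced" name="example-init" dev=vda2 ino=1303 scontext=system_u:system_r:matahari_serviced_t:s0 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
    r'comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else ""

def triage(log_text):
    """Split AVC denials into labeling problems (file_t target) and policy denials."""
    result = {"unlabeled": defaultdict(set), "policy": defaultdict(set)}
    for line in log_text.splitlines():
        if not line.startswith("type=AVC"):
            continue  # skip SYSCALL and other record types
        m = AVC_RE.search(line)
        if m is None:
            continue  # not a denial, or a format this sketch does not handle
        ttype = selinux_type(m["tcontext"])
        bucket = "unlabeled" if ttype == "file_t" else "policy"
        key = (selinux_type(m["scontext"]), ttype, m["tclass"])
        result[bucket][key].update(m["perms"].split())
    return result

if __name__ == "__main__":
    for bucket, rules in triage(SAMPLE_LOG).items():
        for (src, tgt, cls), perms in sorted(rules.items()):
            print(f"{bucket:9} {src} -> {tgt}:{cls} {{ {' '.join(sorted(perms))} }}")
```

Denials in the "unlabeled" bucket should go away after restorecon or a full relabel; what remains in the "policy" bucket is what is worth reporting against selinux-policy.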

Comment 4 Steven Dake 2011-10-28 17:42:26 UTC
Dan,

Thanks for looking into this.  The unlabeled filesystem must occur perhaps because oz turns off selinux while it is working and then turns it back on.  While it's off, I do a yum update operation.

I have attached a relabeled filesystem audit log.  Looks like some syscalls are being rejected, but it's hard for me to tell.

Regards
-steve

Comment 5 Steven Dake 2011-10-28 17:45:56 UTC
Created attachment 530701
relabled filesystem audit log

Comment 6 Daniel Walsh 2011-10-28 20:11:08 UTC
All the fixes for matahari that I have seen will be in selinux-policy-3.10.0-53.fc16

Comment 7 Steven Dake 2011-11-07 15:46:52 UTC
selinux-policy-3.10.0-54.fc16 does not work with Matahari.  I have attached the audit log.

Thanks
-steve

Comment 8 Steven Dake 2011-11-07 15:47:39 UTC
Created attachment 532082
matahari running selinux -54 returns these audit problems

Comment 9 Fedora Update System 2011-11-08 14:05:42 UTC
selinux-policy-3.10.0-55.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-55.fc16

Comment 10 Fedora Update System 2011-11-10 17:30:16 UTC
selinux-policy-3.10.0-55.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.

