851187 – rgmanager's clusvcadm triggers SElinux AVCs avc: denied { read / write } for pid=4598 comm="restorecon" path="pipe:[13296]" dev=pipefs ino=13296 scontext=root:system_r:restorecon_t:s0 tcontext=root:system_r:rgmanager_t:s0 tclass=fifo_file

Bug 851187 - rgmanager's clusvcadm triggers SElinux AVCs avc: denied { read / write } for pid=4598 comm="restorecon" path="pipe:[13296]" dev=pipefs ino=13296 scontext=root:system_r:restorecon_t:s0 tcontext=root:system_r:rgmanager_t:s0 tclass=fifo_file

Summary: rgmanager's clusvcadm triggers SElinux AVCs avc: denied { read / write } fo...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 5
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	5.8
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	high
Target Milestone:	rc
Target Release:	---
Assignee:	Miroslav Grepl
QA Contact:	Milos Malik
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2012-08-23 12:48 UTC by Frantisek Reznicek
Modified:	2015-11-16 01:14 UTC (History)
CC List:	11 users (show)
Fixed In Version:	selinux-policy-2.4.6-333.el5
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2013-01-08 03:34:06 UTC
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2013:0060	0	normal	SHIPPED_LIVE	selinux-policy bug fix and enhancement update	2013-01-08 08:27:19 UTC

Description Frantisek Reznicek 2012-08-23 12:48:28 UTC

Description of problem:

Integration testing MRG/M + RHCS showed that. service management via clusvcadm works as expected, but throws SElinux AVC messages:

# :> /var/log/audit/audit.log
# clusvcadm -e <service>
...
# grep -i avc /var/log/audit/audit.log
type=AVC msg=audit(1345724569.829:106): avc:  denied  { read } for  pid=4012 comm="restorecon" path="pipe:[10660]" dev=pipefs ino=10660 scontext=root:system_r:restorecon_t:s0 tcontext=root:system_r:rgmanager_t:s0 tclass=fifo_file
type=AVC msg=audit(1345724569.829:106): avc:  denied  { write } for  pid=4012 comm="restorecon" path="pipe:[10660]" dev=pipefs ino=10660 scontext=root:system_r:restorecon_t:s0 tcontext=root:system_r:rgmanager_t:s0 tclass=fifo_file
type=AVC msg=audit(1345724569.829:106): avc:  denied  { read } for  pid=4012 comm="restorecon" path="pipe:[11578]" dev=pipefs ino=11578 scontext=root:system_r:restorecon_t:s0 tcontext=root:system_r:rgmanager_t:s0 tclass=fifo_file
type=AVC msg=audit(1345724569.829:106): avc:  denied  { write } for  pid=4012 comm="restorecon" path="pipe:[11578]" dev=pipefs ino=11578 scontext=root:system_r:restorecon_t:s0 tcontext=root:system_r:rgmanager_t:s0 tclass=fifo_file

Configurations:

/etc/sysconfig/cman:
FENCE_JOIN="no"

cluster.conf:
# cat /etc/cluster/cluster.conf
<?xml version="1.0"?>
<cluster config_version="1" name="mycluster_el5vm">
  <clusternodes>
    <clusternode name="192.168.5.1" nodeid="1" votes="1"/>
    <clusternode name="192.168.5.4" nodeid="2" votes="1"/>
    <clusternode name="192.168.5.5" nodeid="3" votes="1"/>
  </clusternodes>
  <cman/>
  <rm log_level="7">
    <failoverdomains>
      <failoverdomain name="domain_qpidd_1" restricted="1">
        <failoverdomainnode name="192.168.5.1" priority="1"/>
      </failoverdomain>
      <failoverdomain name="domain_qpidd_2" restricted="1">
        <failoverdomainnode name="192.168.5.4" priority="1"/>
      </failoverdomain>
      <failoverdomain name="domain_qpidd_3" restricted="1">
        <failoverdomainnode name="192.168.5.5" priority="1"/>
      </failoverdomain>
    </failoverdomains>
    <resources>
      <script file="/etc/init.d/qpidd" name="qpidd"/>
    </resources>
    <service domain="domain_qpidd_1" name="qpidd_1">
      <script ref="qpidd"/>
    </service>
    <service domain="domain_qpidd_2" name="qpidd_2">
      <script ref="qpidd"/>
    </service>
    <service domain="domain_qpidd_3" name="qpidd_3">
      <script ref="qpidd"/>
    </service>
  </rm>
</cluster>

/etc/qpidd.conf:
log-enable=info+
mgmt-pub-interval=5
log-to-file=/var/lib/qpidd/qpidd.log
cluster-name=mycluster_el5vm
auth=yes
cluster-cman=yes
cluster-mechanism=DIGEST-MD5 ANONYMOUS
#cluster-mechanism=ANONYMOUS DIGEST-MD5
cluster-username=guest
cluster-password=guest


Version-Release number of selected component (if applicable):


# rpm -qa | grep -E 'qpid|sesame|rgmanager|cman|ais' | sort
cman-2.0.115-96.el5_8.3
openais-0.80.6-36.el5_8.2
python-qpid-0.14-11.el5
python-qpid-qmf-0.14-14.el5
qpid-cpp-client-0.14-21.el5
qpid-cpp-client-devel-0.14-21.el5
qpid-cpp-client-devel-docs-0.14-21.el5
qpid-cpp-client-rdma-0.14-21.el5
qpid-cpp-client-ssl-0.14-21.el5
qpid-cpp-mrg-debuginfo-0.14-21.el5
qpid-cpp-server-0.14-21.el5
qpid-cpp-server-cluster-0.14-21.el5
qpid-cpp-server-devel-0.14-21.el5
qpid-cpp-server-rdma-0.14-21.el5
qpid-cpp-server-ssl-0.14-21.el5
qpid-cpp-server-store-0.14-21.el5
qpid-cpp-server-xml-0.14-21.el5
qpid-java-client-0.18-1.el5
qpid-java-common-0.18-1.el5
qpid-java-example-0.18-1.el5
qpid-jca-0.18-1.el5
qpid-jca-xarecovery-0.18-1.el5
qpid-jca-zip-0.18-1.el5
qpid-qmf-0.14-14.el5
qpid-qmf-debuginfo-0.14-14.el5
qpid-qmf-devel-0.14-14.el5
qpid-tests-0.14-1.el5
qpid-tools-0.14-5.el5
rgmanager-2.0.52-28.el5_8.3
rh-qpid-cpp-tests-0.14-21.el5
ruby-qpid-qmf-0.14-14.el5
sesame-1.0-4.el5
sesame-debuginfo-1.0-4.el5


How reproducible:
100%

Steps to Reproduce:
1. Install MRG/M and RHCS (see packages above)
2. Apply above configs to 3 nodes running RHEL 5.8 i686,x86_64,x86_64
3. rg_test test /etc/cluster/cluster.conf
4. service cman start
5. service rgmanager start
6. clusvcadm -d service:qpidd_1
   clusvcadm -e service:qpidd_1

Actual results:
SELinux AVCs after clusvcadm run.

Expected results:
No SELinux AVCs.

Comment 2 Frantisek Reznicek 2012-08-23 13:21:37 UTC

'clusvcadm -d <service>'  does not trigger AVC.
'clusvcadm -e <service>'  triggers above AVC.

Comment 3 Frantisek Reznicek 2012-08-23 15:17:15 UTC

(In reply to comment #2)
> 'clusvcadm -d <service>'  does not trigger AVC.
> 'clusvcadm -e <service>'  triggers above AVC.

In both cases the service action is performed and seems complete.

Comment 4 Jaroslav Kortus 2012-08-24 07:09:56 UTC

Changing component to selinux-policy as this is where it should be fixed. Please attach selinux-policy versions to the bug.

Comment 5 Milos Malik 2012-08-24 12:38:24 UTC

It looks like a leaked file descriptor.

Comment 6 RHEL Program Management 2012-08-24 12:58:12 UTC

This request was evaluated by Red Hat Product Management for inclusion
in a Red Hat Enterprise Linux release.  Product Management has
requested further review of this request by Red Hat Engineering, for
potential inclusion in a Red Hat Enterprise Linux release for currently
deployed products.  This request is not yet committed for inclusion in
a release.

Comment 7 Miroslav Grepl 2012-08-24 13:05:04 UTC

We allow it on Fedora.

# rpm -q selinux-policy

Comment 8 Frantisek Reznicek 2012-09-03 12:43:32 UTC

(In reply to comment #4)
> Changing component to selinux-policy as this is where it should be fixed.
> Please attach selinux-policy versions to the bug.

SElinux policy was installed last released (RHEL5.8), see list of packages below:

cman-2.0.115-96.el5_8.3
cman-devel-2.0.115-96.el5_8.3
cman-devel-2.0.115-96.el5_8.3
libselinux-1.33.4-5.7.el5
libselinux-1.33.4-5.7.el5
libselinux-python-1.33.4-5.7.el5
libselinux-utils-1.33.4-5.7.el5
openais-0.80.6-36.el5_8.2
openais-debuginfo-0.80.6-36.el5_8.2
openais-devel-0.80.6-36.el5_8.2
python-qpid-0.14-11.el5
python-qpid-qmf-0.14-14.el5
qpid-cpp-client-0.14-21.el5
qpid-cpp-client-devel-0.14-21.el5
qpid-cpp-client-devel-docs-0.14-21.el5
qpid-cpp-client-rdma-0.14-21.el5
qpid-cpp-client-ssl-0.14-21.el5
qpid-cpp-mrg-debuginfo-0.14-21.el5
qpid-cpp-server-0.14-21.el5
qpid-cpp-server-cluster-0.14-21.el5
qpid-cpp-server-devel-0.14-21.el5
qpid-cpp-server-rdma-0.14-21.el5
qpid-cpp-server-ssl-0.14-21.el5
qpid-cpp-server-store-0.14-21.el5
qpid-cpp-server-xml-0.14-21.el5
qpid-java-client-0.18-1.el5
qpid-java-common-0.18-1.el5
qpid-java-example-0.18-1.el5
qpid-jca-0.18-1.el5
qpid-jca-xarecovery-0.18-1.el5
qpid-jca-zip-0.18-1.el5
qpid-qmf-0.14-14.el5
qpid-qmf-debuginfo-0.14-14.el5
qpid-qmf-devel-0.14-14.el5
qpid-tests-0.14-1.el5
qpid-tools-0.14-6.el5
rgmanager-2.0.52-28.el5_8.3
rh-qpid-cpp-tests-0.14-21.el5
ruby-qpid-qmf-0.14-14.el5
selinux-policy-2.4.6-327.el5
selinux-policy-devel-2.4.6-327.el5
selinux-policy-targeted-2.4.6-327.el5
sesame-1.0-4.el5
sesame-debuginfo-1.0-4.el5

Comment 22 errata-xmlrpc 2013-01-08 03:34:06 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0060.html

Note You need to log in before you can comment on or make changes to this bug.