Description of problem:
Integration testing MRG/M + RHCS showed that service management via clusvcadm works as expected, but throws SELinux AVC messages:

# :> /var/log/audit/audit.log
# clusvcadm -e <service>
...
# grep -i avc /var/log/audit/audit.log
type=AVC msg=audit(1345724569.829:106): avc: denied { read } for pid=4012 comm="restorecon" path="pipe:[10660]" dev=pipefs ino=10660 scontext=root:system_r:restorecon_t:s0 tcontext=root:system_r:rgmanager_t:s0 tclass=fifo_file
type=AVC msg=audit(1345724569.829:106): avc: denied { write } for pid=4012 comm="restorecon" path="pipe:[10660]" dev=pipefs ino=10660 scontext=root:system_r:restorecon_t:s0 tcontext=root:system_r:rgmanager_t:s0 tclass=fifo_file
type=AVC msg=audit(1345724569.829:106): avc: denied { read } for pid=4012 comm="restorecon" path="pipe:[11578]" dev=pipefs ino=11578 scontext=root:system_r:restorecon_t:s0 tcontext=root:system_r:rgmanager_t:s0 tclass=fifo_file
type=AVC msg=audit(1345724569.829:106): avc: denied { write } for pid=4012 comm="restorecon" path="pipe:[11578]" dev=pipefs ino=11578 scontext=root:system_r:restorecon_t:s0 tcontext=root:system_r:rgmanager_t:s0 tclass=fifo_file

Configurations:

/etc/sysconfig/cman:
FENCE_JOIN="no"

cluster.conf:
# cat /etc/cluster/cluster.conf
<?xml version="1.0"?>
<cluster config_version="1" name="mycluster_el5vm">
  <clusternodes>
    <clusternode name="192.168.5.1" nodeid="1" votes="1"/>
    <clusternode name="192.168.5.4" nodeid="2" votes="1"/>
    <clusternode name="192.168.5.5" nodeid="3" votes="1"/>
  </clusternodes>
  <cman/>
  <rm log_level="7">
    <failoverdomains>
      <failoverdomain name="domain_qpidd_1" restricted="1">
        <failoverdomainnode name="192.168.5.1" priority="1"/>
      </failoverdomain>
      <failoverdomain name="domain_qpidd_2" restricted="1">
        <failoverdomainnode name="192.168.5.4" priority="1"/>
      </failoverdomain>
      <failoverdomain name="domain_qpidd_3" restricted="1">
        <failoverdomainnode name="192.168.5.5" priority="1"/>
      </failoverdomain>
    </failoverdomains>
    <resources>
      <script file="/etc/init.d/qpidd" name="qpidd"/>
    </resources>
    <service domain="domain_qpidd_1" name="qpidd_1">
      <script ref="qpidd"/>
    </service>
    <service domain="domain_qpidd_2" name="qpidd_2">
      <script ref="qpidd"/>
    </service>
    <service domain="domain_qpidd_3" name="qpidd_3">
      <script ref="qpidd"/>
    </service>
  </rm>
</cluster>

/etc/qpidd.conf:
log-enable=info+
mgmt-pub-interval=5
log-to-file=/var/lib/qpidd/qpidd.log
cluster-name=mycluster_el5vm
auth=yes
cluster-cman=yes
cluster-mechanism=DIGEST-MD5 ANONYMOUS
#cluster-mechanism=ANONYMOUS DIGEST-MD5
cluster-username=guest
cluster-password=guest

Version-Release number of selected component (if applicable):
# rpm -qa | grep -E 'qpid|sesame|rgmanager|cman|ais' | sort
cman-2.0.115-96.el5_8.3
openais-0.80.6-36.el5_8.2
python-qpid-0.14-11.el5
python-qpid-qmf-0.14-14.el5
qpid-cpp-client-0.14-21.el5
qpid-cpp-client-devel-0.14-21.el5
qpid-cpp-client-devel-docs-0.14-21.el5
qpid-cpp-client-rdma-0.14-21.el5
qpid-cpp-client-ssl-0.14-21.el5
qpid-cpp-mrg-debuginfo-0.14-21.el5
qpid-cpp-server-0.14-21.el5
qpid-cpp-server-cluster-0.14-21.el5
qpid-cpp-server-devel-0.14-21.el5
qpid-cpp-server-rdma-0.14-21.el5
qpid-cpp-server-ssl-0.14-21.el5
qpid-cpp-server-store-0.14-21.el5
qpid-cpp-server-xml-0.14-21.el5
qpid-java-client-0.18-1.el5
qpid-java-common-0.18-1.el5
qpid-java-example-0.18-1.el5
qpid-jca-0.18-1.el5
qpid-jca-xarecovery-0.18-1.el5
qpid-jca-zip-0.18-1.el5
qpid-qmf-0.14-14.el5
qpid-qmf-debuginfo-0.14-14.el5
qpid-qmf-devel-0.14-14.el5
qpid-tests-0.14-1.el5
qpid-tools-0.14-5.el5
rgmanager-2.0.52-28.el5_8.3
rh-qpid-cpp-tests-0.14-21.el5
ruby-qpid-qmf-0.14-14.el5
sesame-1.0-4.el5
sesame-debuginfo-1.0-4.el5

How reproducible:
100%

Steps to Reproduce:
1. Install MRG/M and RHCS (see packages above)
2. Apply above configs to 3 nodes running RHEL 5.8 i686, x86_64, x86_64
3. rg_test test /etc/cluster/cluster.conf
4. service cman start
5. service rgmanager start
6. clusvcadm -d service:qpidd_1
   clusvcadm -e service:qpidd_1

Actual results:
SELinux AVCs after clusvcadm run.

Expected results:
No SELinux AVCs.
'clusvcadm -d <service>' does not trigger AVC.
'clusvcadm -e <service>' triggers above AVC.
(In reply to comment #2)
> 'clusvcadm -d <service>' does not trigger AVC.
> 'clusvcadm -e <service>' triggers above AVC.

In both cases the service action is performed and seems complete.
Changing component to selinux-policy as this is where it should be fixed. Please attach selinux-policy versions to the bug.
It looks like a leaked file descriptor.
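An added triage helper, not part of this bug report or of any Red Hat or SELinux tool, that parses the AVC records quoted in the description and flags the signature behind the "leaked file descriptor" diagnosis: a fifo_file denial on an anonymous pipe: path whose tcontext is another process domain (here rgmanager_t) rather than the subject's own (restorecon_t), which is what an inherited descriptor looks like in audit.log. The sample input reuses the four records from the description plus one constructed, unrelated file denial; the field parsing and the classification rule are my own assumptions.

```python
import re

# Sample input: the four AVC records from the bug description plus one constructed file denial.
AUDIT_LOG = """\
type=AVC msg=audit(1345724569.829:106): avc: denied { read } for pid=4012 comm="restorecon" path="pipe:[10660]" dev=pipefs ino=10660 scontext=root:system_r:restorecon_t:s0 tcontext=root:system_r:rgmanager_t:s0 tclass=fifo_file
type=AVC msg=audit(1345724569.829:106): avc: denied { write } for pid=4012 comm="restorecon" path="pipe:[10660]" dev=pipefs ino=10660 scontext=root:system_r:restorecon_t:s0 tcontext=root:system_r:rgmanager_t:s0 tclass=fifo_file
type=AVC msg=audit(1345724569.829:106): avc: denied { read } for pid=4012 comm="restorecon" path="pipe:[11578]" dev=pipefs ino=11578 scontext=root:system_r:restorecon_t:s0 tcontext=root:system_r:rgmanager_t:s0 tclass=fifo_file
type=AVC msg=audit(1345724569.829:106): avc: denied { write } for pid=4012 comm="restorecon" path="pipe:[11578]" dev=pipefs ino=11578 scontext=root:system_r:restorecon_t:s0 tcontext=root:system_r:rgmanager_t:s0 tclass=fifo_file
type=AVC msg=audit(1345724600.000:107): avc: denied { getattr } for pid=4013 comm="restorecon" path="/var/lib/qpidd/qpidd.log" dev=dm-0 ino=2222 scontext=root:system_r:restorecon_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the key=value fields of one AVC record as a dict (perms as a list), or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    return rec

def domain(ctx):
    """user:role:type:level -> type, e.g. root:system_r:rgmanager_t:s0 -> rgmanager_t."""
    return ctx.split(":")[2]

def is_inherited_fd(rec):
    # Assumed signature of a descriptor leaked across exec: the object is an anonymous
    # pipe the subject did not create (class fifo_file, path pipe:[...]) and it carries
    # another process domain as its label, i.e. the parent's domain, not the subject's.
    return (rec.get("tclass") == "fifo_file"
            and rec.get("path", "").startswith("pipe:[")
            and domain(rec["scontext"]) != domain(rec["tcontext"]))

def summarize(log_text):
    """Group denials by (comm, source domain, target domain, object class)."""
    summary = {}
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec["comm"], domain(rec["scontext"]), domain(rec["tcontext"]), rec["tclass"])
        entry = summary.setdefault(key, {"perms": set(), "count": 0, "inherited_fd": False})
        entry["perms"].update(rec["perms"])
        entry["count"] += 1
        entry["inherited_fd"] = entry["inherited_fd"] or is_inherited_fd(rec)
    return summary
```

summarize(AUDIT_LOG) yields two groups: the four restorecon_t -> rgmanager_t fifo_file denials, collapsed to {read, write} and flagged as an inherited descriptor, and the constructed var_lib_t file denial, left unflagged.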
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux release for currently deployed products. This request is not yet committed for inclusion in a release.
We allow it on Fedora.

# rpm -q selinux-policy
(In reply to comment #4)
> Changing component to selinux-policy as this is where it should be fixed.
> Please attach selinux-policy versions to the bug.

The last released SELinux policy (RHEL 5.8) was installed; see the list of packages below:

cman-2.0.115-96.el5_8.3
cman-devel-2.0.115-96.el5_8.3
cman-devel-2.0.115-96.el5_8.3
libselinux-1.33.4-5.7.el5
libselinux-1.33.4-5.7.el5
libselinux-python-1.33.4-5.7.el5
libselinux-utils-1.33.4-5.7.el5
openais-0.80.6-36.el5_8.2
openais-debuginfo-0.80.6-36.el5_8.2
openais-devel-0.80.6-36.el5_8.2
python-qpid-0.14-11.el5
python-qpid-qmf-0.14-14.el5
qpid-cpp-client-0.14-21.el5
qpid-cpp-client-devel-0.14-21.el5
qpid-cpp-client-devel-docs-0.14-21.el5
qpid-cpp-client-rdma-0.14-21.el5
qpid-cpp-client-ssl-0.14-21.el5
qpid-cpp-mrg-debuginfo-0.14-21.el5
qpid-cpp-server-0.14-21.el5
qpid-cpp-server-cluster-0.14-21.el5
qpid-cpp-server-devel-0.14-21.el5
qpid-cpp-server-rdma-0.14-21.el5
qpid-cpp-server-ssl-0.14-21.el5
qpid-cpp-server-store-0.14-21.el5
qpid-cpp-server-xml-0.14-21.el5
qpid-java-client-0.18-1.el5
qpid-java-common-0.18-1.el5
qpid-java-example-0.18-1.el5
qpid-jca-0.18-1.el5
qpid-jca-xarecovery-0.18-1.el5
qpid-jca-zip-0.18-1.el5
qpid-qmf-0.14-14.el5
qpid-qmf-debuginfo-0.14-14.el5
qpid-qmf-devel-0.14-14.el5
qpid-tests-0.14-1.el5
qpid-tools-0.14-6.el5
rgmanager-2.0.52-28.el5_8.3
rh-qpid-cpp-tests-0.14-21.el5
ruby-qpid-qmf-0.14-14.el5
selinux-policy-2.4.6-327.el5
selinux-policy-devel-2.4.6-327.el5
selinux-policy-targeted-2.4.6-327.el5
sesame-1.0-4.el5
sesame-debuginfo-1.0-4.el5
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0060.html