Bug 851187 - rgmanager's clusvcadm triggers SElinux AVCs avc: denied { read / write } for pid=4598 comm="restorecon" path="pipe:[13296]" dev=pipefs ino=13296 scontext=root:system_r:restorecon_t:s0 tcontext=root:system_r:rgmanager_t:s0 tclass=fifo_file
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.8
Hardware: All
OS: Linux
Priority: medium
Severity: high
Target Milestone: rc
Target Release: ---
Assigned To: Miroslav Grepl
QA Contact: Milos Malik
Depends On:
Blocks:
Reported: 2012-08-23 08:48 EDT by Frantisek Reznicek
Modified: 2015-11-15 20:14 EST (History)

See Also:
Fixed In Version: selinux-policy-2.4.6-333.el5
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-01-07 22:34:06 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments: None
Description Frantisek Reznicek 2012-08-23 08:48:28 EDT
Description of problem:

Integration testing MRG/M + RHCS showed that service management via clusvcadm works as expected, but throws SELinux AVC messages:

# :> /var/log/audit/audit.log
# clusvcadm -e <service>
...
# grep -i avc /var/log/audit/audit.log
type=AVC msg=audit(1345724569.829:106): avc:  denied  { read } for  pid=4012 comm="restorecon" path="pipe:[10660]" dev=pipefs ino=10660 scontext=root:system_r:restorecon_t:s0 tcontext=root:system_r:rgmanager_t:s0 tclass=fifo_file
type=AVC msg=audit(1345724569.829:106): avc:  denied  { write } for  pid=4012 comm="restorecon" path="pipe:[10660]" dev=pipefs ino=10660 scontext=root:system_r:restorecon_t:s0 tcontext=root:system_r:rgmanager_t:s0 tclass=fifo_file
type=AVC msg=audit(1345724569.829:106): avc:  denied  { read } for  pid=4012 comm="restorecon" path="pipe:[11578]" dev=pipefs ino=11578 scontext=root:system_r:restorecon_t:s0 tcontext=root:system_r:rgmanager_t:s0 tclass=fifo_file
type=AVC msg=audit(1345724569.829:106): avc:  denied  { write } for  pid=4012 comm="restorecon" path="pipe:[11578]" dev=pipefs ino=11578 scontext=root:system_r:restorecon_t:s0 tcontext=root:system_r:rgmanager_t:s0 tclass=fifo_file

Configurations:

/etc/sysconfig/cman:
FENCE_JOIN="no"

cluster.conf:
# cat /etc/cluster/cluster.conf
<?xml version="1.0"?>
<cluster config_version="1" name="mycluster_el5vm">
  <clusternodes>
    <clusternode name="192.168.5.1" nodeid="1" votes="1"/>
    <clusternode name="192.168.5.4" nodeid="2" votes="1"/>
    <clusternode name="192.168.5.5" nodeid="3" votes="1"/>
  </clusternodes>
  <cman/>
  <rm log_level="7">
    <failoverdomains>
      <failoverdomain name="domain_qpidd_1" restricted="1">
        <failoverdomainnode name="192.168.5.1" priority="1"/>
      </failoverdomain>
      <failoverdomain name="domain_qpidd_2" restricted="1">
        <failoverdomainnode name="192.168.5.4" priority="1"/>
      </failoverdomain>
      <failoverdomain name="domain_qpidd_3" restricted="1">
        <failoverdomainnode name="192.168.5.5" priority="1"/>
      </failoverdomain>
    </failoverdomains>
    <resources>
      <script file="/etc/init.d/qpidd" name="qpidd"/>
    </resources>
    <service domain="domain_qpidd_1" name="qpidd_1">
      <script ref="qpidd"/>
    </service>
    <service domain="domain_qpidd_2" name="qpidd_2">
      <script ref="qpidd"/>
    </service>
    <service domain="domain_qpidd_3" name="qpidd_3">
      <script ref="qpidd"/>
    </service>
  </rm>
</cluster>

/etc/qpidd.conf:
log-enable=info+
mgmt-pub-interval=5
log-to-file=/var/lib/qpidd/qpidd.log
cluster-name=mycluster_el5vm
auth=yes
cluster-cman=yes
cluster-mechanism=DIGEST-MD5 ANONYMOUS
#cluster-mechanism=ANONYMOUS DIGEST-MD5
cluster-username=guest
cluster-password=guest


Version-Release number of selected component (if applicable):


# rpm -qa | grep -E 'qpid|sesame|rgmanager|cman|ais' | sort
cman-2.0.115-96.el5_8.3
openais-0.80.6-36.el5_8.2
python-qpid-0.14-11.el5
python-qpid-qmf-0.14-14.el5
qpid-cpp-client-0.14-21.el5
qpid-cpp-client-devel-0.14-21.el5
qpid-cpp-client-devel-docs-0.14-21.el5
qpid-cpp-client-rdma-0.14-21.el5
qpid-cpp-client-ssl-0.14-21.el5
qpid-cpp-mrg-debuginfo-0.14-21.el5
qpid-cpp-server-0.14-21.el5
qpid-cpp-server-cluster-0.14-21.el5
qpid-cpp-server-devel-0.14-21.el5
qpid-cpp-server-rdma-0.14-21.el5
qpid-cpp-server-ssl-0.14-21.el5
qpid-cpp-server-store-0.14-21.el5
qpid-cpp-server-xml-0.14-21.el5
qpid-java-client-0.18-1.el5
qpid-java-common-0.18-1.el5
qpid-java-example-0.18-1.el5
qpid-jca-0.18-1.el5
qpid-jca-xarecovery-0.18-1.el5
qpid-jca-zip-0.18-1.el5
qpid-qmf-0.14-14.el5
qpid-qmf-debuginfo-0.14-14.el5
qpid-qmf-devel-0.14-14.el5
qpid-tests-0.14-1.el5
qpid-tools-0.14-5.el5
rgmanager-2.0.52-28.el5_8.3
rh-qpid-cpp-tests-0.14-21.el5
ruby-qpid-qmf-0.14-14.el5
sesame-1.0-4.el5
sesame-debuginfo-1.0-4.el5


How reproducible:
100%

Steps to Reproduce:
1. Install MRG/M and RHCS (see packages above)
2. Apply above configs to 3 nodes running RHEL 5.8 i686,x86_64,x86_64
3. rg_test test /etc/cluster/cluster.conf
4. service cman start
5. service rgmanager start
6. clusvcadm -d service:qpidd_1
   clusvcadm -e service:qpidd_1

Actual results:
SELinux AVCs after clusvcadm run.

Expected results:
No SELinux AVCs.
Comment 2 Frantisek Reznicek 2012-08-23 09:21:37 EDT
'clusvcadm -d <service>'  does not trigger AVC.
'clusvcadm -e <service>'  triggers above AVC.
Comment 3 Frantisek Reznicek 2012-08-23 11:17:15 EDT
(In reply to comment #2)
> 'clusvcadm -d <service>'  does not trigger AVC.
> 'clusvcadm -e <service>'  triggers above AVC.

In both cases the service action is performed and seems complete.
Comment 4 Jaroslav Kortus 2012-08-24 03:09:56 EDT
Changing component to selinux-policy as this is where it should be fixed. Please attach selinux-policy versions to the bug.
Comment 5 Milos Malik 2012-08-24 08:38:24 EDT
It looks like a leaked file descriptor.
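Added here as a triage aid, not code from the bug or from selinux-policy: a small Python parser for AVC records that applies the reasoning behind the "leaked file descriptor" diagnosis (an unnamed pipe carries the label of the process that created it, so a denial from a different domain means an inherited descriptor) and prints the allow rules audit2allow would derive from the quoted records. The third log line, demo_daemon and demo_t are constructed, and the real errata change is not reproduced here.

```python
import re
from collections import defaultdict

# Constructed sample: the first two records are the AVC lines quoted in the bug
# (read and write on the same pipe); the third is an invented, unrelated denial.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1345724569.829:106): avc:  denied  { read } for  pid=4012 comm="restorecon" path="pipe:[10660]" dev=pipefs ino=10660 scontext=root:system_r:restorecon_t:s0 tcontext=root:system_r:rgmanager_t:s0 tclass=fifo_file
type=AVC msg=audit(1345724569.829:106): avc:  denied  { write } for  pid=4012 comm="restorecon" path="pipe:[10660]" dev=pipefs ino=10660 scontext=root:system_r:restorecon_t:s0 tcontext=root:system_r:rgmanager_t:s0 tclass=fifo_file
type=AVC msg=audit(1345724569.830:107): avc:  denied  { getattr } for  pid=4013 comm="demo_daemon" path="/var/log/demo.log" dev=dm-0 ino=4242 scontext=root:system_r:demo_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?comm="(?P<comm>[^"]*)"'
    r'(?:\s+path="(?P<path>[^"]*)")?(?:\s+dev=(?P<dev>\S+))?'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def parse_avc(line):
    """Fields of one AVC record as a dict, or None for any other audit line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()
    return rec

def type_of(context):
    return context.split(":")[2]  # user:role:type:level -> type (e.g. rgmanager_t)

def looks_like_fd_leak(rec):
    """Pattern behind this bug: the target is a pipe labelled with a *process*
    domain (role is not object_r) and the denied domain is a different one, so
    the descriptor was inherited across fork/exec instead of being opened."""
    on_pipe = (rec["path"] or "").startswith("pipe:") or rec["dev"] == "pipefs"
    target_is_process_domain = rec["tcontext"].split(":")[1] != "object_r"
    return on_pipe and target_is_process_domain and \
        type_of(rec["scontext"]) != type_of(rec["tcontext"])

def audit2allow_rules(log_text):
    """Collapse denials into allow rules in the form audit2allow prints them, so a
    reviewer can weigh allow vs. dontaudit vs. closing the descriptor in the parent."""
    perms = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
            perms[key].update(rec["perms"])
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
            for (s, t, c), p in sorted(perms.items())]
```

Running the two functions over /var/log/audit/audit.log after the clusvcadm -e step in the description flags the restorecon records as inherited-descriptor denials and yields the single fifo_file rule for the restorecon_t/rgmanager_t pair.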
Comment 6 RHEL Product and Program Management 2012-08-24 08:58:12 EDT
This request was evaluated by Red Hat Product Management for inclusion
in a Red Hat Enterprise Linux release.  Product Management has
requested further review of this request by Red Hat Engineering, for
potential inclusion in a Red Hat Enterprise Linux release for currently
deployed products.  This request is not yet committed for inclusion in
a release.
Comment 7 Miroslav Grepl 2012-08-24 09:05:04 EDT
We allow it on Fedora.

# rpm -q selinux-policy
Comment 8 Frantisek Reznicek 2012-09-03 08:43:32 EDT
(In reply to comment #4)
> Changing component to selinux-policy as this is where it should be fixed.
> Please attach selinux-policy versions to the bug.

The SELinux policy installed was the last released one (RHEL 5.8); see the list of packages below:

cman-2.0.115-96.el5_8.3
cman-devel-2.0.115-96.el5_8.3
cman-devel-2.0.115-96.el5_8.3
libselinux-1.33.4-5.7.el5
libselinux-1.33.4-5.7.el5
libselinux-python-1.33.4-5.7.el5
libselinux-utils-1.33.4-5.7.el5
openais-0.80.6-36.el5_8.2
openais-debuginfo-0.80.6-36.el5_8.2
openais-devel-0.80.6-36.el5_8.2
python-qpid-0.14-11.el5
python-qpid-qmf-0.14-14.el5
qpid-cpp-client-0.14-21.el5
qpid-cpp-client-devel-0.14-21.el5
qpid-cpp-client-devel-docs-0.14-21.el5
qpid-cpp-client-rdma-0.14-21.el5
qpid-cpp-client-ssl-0.14-21.el5
qpid-cpp-mrg-debuginfo-0.14-21.el5
qpid-cpp-server-0.14-21.el5
qpid-cpp-server-cluster-0.14-21.el5
qpid-cpp-server-devel-0.14-21.el5
qpid-cpp-server-rdma-0.14-21.el5
qpid-cpp-server-ssl-0.14-21.el5
qpid-cpp-server-store-0.14-21.el5
qpid-cpp-server-xml-0.14-21.el5
qpid-java-client-0.18-1.el5
qpid-java-common-0.18-1.el5
qpid-java-example-0.18-1.el5
qpid-jca-0.18-1.el5
qpid-jca-xarecovery-0.18-1.el5
qpid-jca-zip-0.18-1.el5
qpid-qmf-0.14-14.el5
qpid-qmf-debuginfo-0.14-14.el5
qpid-qmf-devel-0.14-14.el5
qpid-tests-0.14-1.el5
qpid-tools-0.14-6.el5
rgmanager-2.0.52-28.el5_8.3
rh-qpid-cpp-tests-0.14-21.el5
ruby-qpid-qmf-0.14-14.el5
selinux-policy-2.4.6-327.el5
selinux-policy-devel-2.4.6-327.el5
selinux-policy-targeted-2.4.6-327.el5
sesame-1.0-4.el5
sesame-debuginfo-1.0-4.el5
Comment 22 errata-xmlrpc 2013-01-07 22:34:06 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0060.html
