Created attachment 631583 [details]
Proposed patch for selinux-policy.

After fixing [bug 865588] (planned for 6.4), which allowed the cluster-cim package (CIM provider of cluster status) to be used at all, AVCs connected with access to these unix sockets were identified:

A. /var/run/clumond.sock (provided by modclusterd)

type=AVC msg=audit(1350478773.891:62): avc: denied { write } for pid=1583 comm="cimprovagt" name="clumond.sock" dev=vda2 ino=144768 scontext=system_u:system_r:pegasus_t:s0 tcontext=unconfined_u:object_r:ricci_modcluster_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1350478800.780:66): avc: denied { connectto } for pid=1583 comm="cimprovagt" path="/var/run/clumond.sock" scontext=system_u:system_r:pegasus_t:s0 tcontext=unconfined_u:system_r:ricci_modclusterd_t:s0 tclass=unix_stream_socket

B. /var/run/cman_client (provided by corosync)

type=AVC msg=audit(1350914395.838:5295): avc: denied { write } for pid=9679 comm="cimprovagt" name="cman_client" dev=vda2 ino=153616 scontext=unconfined_u:system_r:pegasus_t:s0 tcontext=unconfined_u:object_r:corosync_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1350914395.838:5295): avc: denied { connectto } for pid=9679 comm="cimprovagt" path="/var/run/cman_client" scontext=unconfined_u:system_r:pegasus_t:s0 tcontext=unconfined_u:system_r:corosync_t:s0 tclass=unix_stream_socket

For a simple reproducer, please see the mentioned [bug 865588] (I am yet to add steps to use http instead of https, which did not work for me).

Attached is the patch to cover both, successfully tested in my 6.3 environment.

Also please note that part of the planned solution for [bug 849242] is to, by the way, remove direct use of B. /var/run/cman_client. This is what the patch states in the comment. I'll notify when this happens (6.5+).
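As an added example (not part of the bug report and not the attached selinux-policy patch), the script below parses the four AVC denials quoted above and turns them into the raw allow rules that audit2allow would print, then groups the denials per socket so that the two halves of a unix stream socket connect (the write on the sock_file and the connectto on the listening domain) are shown together. The audit lines are the ones from the report, embedded inline as sample input; the regular expressions and function names are my own.

```python
import os
import re
from collections import defaultdict

# Sample input: the four AVC denials quoted in the bug report, embedded inline
# so the script runs offline. In practice you would feed it audit.log or the
# output of `ausearch -m avc`.
AVC_LINES = """\
type=AVC msg=audit(1350478773.891:62): avc: denied { write } for pid=1583 comm="cimprovagt" name="clumond.sock" dev=vda2 ino=144768 scontext=system_u:system_r:pegasus_t:s0 tcontext=unconfined_u:object_r:ricci_modcluster_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1350478800.780:66): avc: denied { connectto } for pid=1583 comm="cimprovagt" path="/var/run/clumond.sock" scontext=system_u:system_r:pegasus_t:s0 tcontext=unconfined_u:system_r:ricci_modclusterd_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1350914395.838:5295): avc: denied { write } for pid=9679 comm="cimprovagt" name="cman_client" dev=vda2 ino=153616 scontext=unconfined_u:system_r:pegasus_t:s0 tcontext=unconfined_u:object_r:corosync_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1350914395.838:5295): avc: denied { connectto } for pid=9679 comm="cimprovagt" path="/var/run/cman_client" scontext=unconfined_u:system_r:pegasus_t:s0 tcontext=unconfined_u:system_r:corosync_t:s0 tclass=unix_stream_socket
"""

# Shape of a denial: 'avc: denied { perm1 perm2 } for key=value key="quoted" ...'
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def context_type(ctx):
    """Return the type from a user:role:type[:range] security context."""
    parts = ctx.split(':')
    if len(parts) < 3:
        raise ValueError('malformed security context: %r' % ctx)
    return parts[2]


def parse_avc(line):
    """Parse one audit line; return a dict for an AVC denial, None otherwise."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {}
    for key, quoted, bare in FIELD_RE.findall(m.group('fields')):
        fields[key] = quoted if quoted else bare
    return {
        'perms': m.group('perms').split(),
        'comm': fields.get('comm', ''),
        # the object is named by path= (socket connects) or name= (dentry access)
        'object': fields.get('path') or fields.get('name', ''),
        'stype': context_type(fields['scontext']),
        'ttype': context_type(fields['tcontext']),
        'tclass': fields['tclass'],
    }


def allow_rules(audit_text):
    """Collapse denials into raw allow rules, one per (source, target, class),
    merging permissions the way audit2allow does."""
    perms_by_key = defaultdict(set)
    for line in audit_text.splitlines():
        avc = parse_avc(line)
        if avc is None:
            continue
        perms_by_key[(avc['stype'], avc['ttype'], avc['tclass'])].update(avc['perms'])
    rules = []
    for (stype, ttype, tclass), perms in sorted(perms_by_key.items()):
        perm_str = ' '.join(sorted(perms))
        if len(perms) > 1:
            perm_str = '{ %s }' % perm_str
        rules.append('allow %s %s:%s %s;' % (stype, ttype, tclass, perm_str))
    return rules


def socket_access_summary(audit_text):
    """Group denials by socket name so the sock_file write and the
    unix_stream_socket connectto needed for one connect appear together."""
    summary = defaultdict(dict)
    for line in audit_text.splitlines():
        avc = parse_avc(line)
        if avc is None or avc['tclass'] not in ('sock_file', 'unix_stream_socket'):
            continue
        sock = os.path.basename(avc['object'])
        summary[sock][avc['tclass']] = (avc['ttype'], ' '.join(sorted(avc['perms'])))
    return dict(summary)


if __name__ == '__main__':
    for rule in allow_rules(AVC_LINES):
        print(rule)
    for sock, classes in sorted(socket_access_summary(AVC_LINES).items()):
        print(sock, classes)
```

The raw rules are useful for checking that a policy change covers every denial; in a reference-policy patch such as the one attached, the same access would normally be granted through interfaces exported by the target modules rather than by pasting raw allow rules into the pegasus module.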
[bug 865588 comment 6] <-- proper reproducer
I added fixes to Fedora. Will backport.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2013-0314.html