Bug 923246 - scsi fencing does not work in enforcing mode
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.4
Hardware: All
OS: Linux
unspecified
high
Target Milestone: rc
Assignee: Miroslav Grepl
QA Contact: Michal Trunecka
Blocks: 1004827
 
Reported: 2013-03-19 14:18 UTC by Jaroslav Kortus
Modified: 2014-09-30 23:34 UTC (History)

Fixed In Version: selinux-policy-3.7.19-209.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 1004827
Last Closed: 2013-11-21 10:20:46 UTC




Links
  Red Hat Product Errata RHBA-2013:1598 (priority normal, status SHIPPED_LIVE): selinux-policy bug fix and enhancement update; last updated 2013-11-20 21:39:24 UTC

Description Jaroslav Kortus 2013-03-19 14:18:23 UTC
Description of problem:
SELinux policy is currently blocking proper scsi fencing cluster setup.

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-195.el6.noarch

How reproducible:
always

Steps to Reproduce:
1. setup cluster with scsi fencing
2. make sure you have at least one clustered VG
3. service cman start
  
Actual results:
denials

Expected results:
smooth operation, no denials

Additional info:
----
time->Tue Mar 19 15:13:46 2013
type=SYSCALL msg=audit(1363702426.879:1046): arch=c000003e syscall=21 success=yes exit=0 a0=205d820 a1=1 a2=0 a3=14 items=0 ppid=5135 pid=5144 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=163 comm="sh" exe="/bin/bash" subj=unconfined_u:system_r:fenced_t:s0 key=(null)
type=AVC msg=audit(1363702426.879:1046): avc:  denied  { execute } for  pid=5144 comm="sh" name="cman_tool" dev=dm-0 ino=3024602 scontext=unconfined_u:system_r:fenced_t:s0 tcontext=system_u:object_r:rgmanager_exec_t:s0 tclass=file
----
time->Tue Mar 19 15:13:46 2013
type=SYSCALL msg=audit(1363702426.879:1045): arch=c000003e syscall=4 success=yes exit=0 a0=205d820 a1=7fff7237b0b0 a2=7fff7237b0b0 a3=14 items=0 ppid=5135 pid=5144 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=163 comm="sh" exe="/bin/bash" subj=unconfined_u:system_r:fenced_t:s0 key=(null)
type=AVC msg=audit(1363702426.879:1045): avc:  denied  { getattr } for  pid=5144 comm="sh" path="/usr/sbin/cman_tool" dev=dm-0 ino=3024602 scontext=unconfined_u:system_r:fenced_t:s0 tcontext=system_u:object_r:rgmanager_exec_t:s0 tclass=file
----
time->Tue Mar 19 15:13:46 2013
type=SYSCALL msg=audit(1363702426.879:1047): arch=c000003e syscall=21 success=yes exit=0 a0=205d820 a1=4 a2=0 a3=14 items=0 ppid=5135 pid=5144 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=163 comm="sh" exe="/bin/bash" subj=unconfined_u:system_r:fenced_t:s0 key=(null)
type=AVC msg=audit(1363702426.879:1047): avc:  denied  { read } for  pid=5144 comm="sh" name="cman_tool" dev=dm-0 ino=3024602 scontext=unconfined_u:system_r:fenced_t:s0 tcontext=system_u:object_r:rgmanager_exec_t:s0 tclass=file
----
time->Tue Mar 19 15:13:46 2013
type=SYSCALL msg=audit(1363702426.880:1048): arch=c000003e syscall=59 success=yes exit=0 a0=205d820 a1=205ce30 a2=205cae0 a3=18 items=0 ppid=5144 pid=5145 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=163 comm="cman_tool" exe="/usr/sbin/cman_tool" subj=unconfined_u:system_r:fenced_t:s0 key=(null)
type=AVC msg=audit(1363702426.880:1048): avc:  denied  { execute_no_trans } for  pid=5145 comm="sh" path="/usr/sbin/cman_tool" dev=dm-0 ino=3024602 scontext=unconfined_u:system_r:fenced_t:s0 tcontext=system_u:object_r:rgmanager_exec_t:s0 tclass=file
type=AVC msg=audit(1363702426.880:1048): avc:  denied  { open } for  pid=5145 comm="sh" name="cman_tool" dev=dm-0 ino=3024602 scontext=unconfined_u:system_r:fenced_t:s0 tcontext=system_u:object_r:rgmanager_exec_t:s0 tclass=file
----
time->Tue Mar 19 15:13:47 2013
type=SYSCALL msg=audit(1363702427.044:1049): arch=c000003e syscall=2 success=yes exit=3 a0=1da8ef0 a1=241 a2=1b6 a3=3491f1dc10 items=0 ppid=5108 pid=5135 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=163 comm="fence_scsi" exe="/usr/bin/perl" subj=unconfined_u:system_r:fenced_t:s0 key=(null)
type=AVC msg=audit(1363702427.044:1049): avc:  denied  { open } for  pid=5135 comm="fence_scsi" name="fence_scsi.key" dev=dm-0 ino=2623229 scontext=unconfined_u:system_r:fenced_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1363702427.044:1049): avc:  denied  { write } for  pid=5135 comm="fence_scsi" name="fence_scsi.key" dev=dm-0 ino=2623229 scontext=unconfined_u:system_r:fenced_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
----
time->Tue Mar 19 15:13:47 2013
type=SYSCALL msg=audit(1363702427.044:1050): arch=c000003e syscall=16 success=no exit=-25 a0=3 a1=5401 a2=7fffdbe370a0 a3=48 items=0 ppid=5108 pid=5135 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=163 comm="fence_scsi" exe="/usr/bin/perl" subj=unconfined_u:system_r:fenced_t:s0 key=(null)
type=AVC msg=audit(1363702427.044:1050): avc:  denied  { ioctl } for  pid=5135 comm="fence_scsi" path="/var/run/cluster/fence_scsi.key" dev=dm-0 ino=2623229 scontext=unconfined_u:system_r:fenced_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
----
time->Tue Mar 19 15:13:47 2013
type=SYSCALL msg=audit(1363702427.044:1051): arch=c000003e syscall=5 success=yes exit=0 a0=3 a1=1d810a0 a2=1d810a0 a3=0 items=0 ppid=5108 pid=5135 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=163 comm="fence_scsi" exe="/usr/bin/perl" subj=unconfined_u:system_r:fenced_t:s0 key=(null)
type=AVC msg=audit(1363702427.044:1051): avc:  denied  { getattr } for  pid=5135 comm="fence_scsi" path="/var/run/cluster/fence_scsi.key" dev=dm-0 ino=2623229 scontext=unconfined_u:system_r:fenced_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
----
time->Tue Mar 19 15:13:47 2013
type=SYSCALL msg=audit(1363702427.127:1052): arch=c000003e syscall=2 success=yes exit=3 a0=1da76d0 a1=442 a2=1b6 a3=3491f1dc10 items=0 ppid=5108 pid=5135 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=163 comm="fence_scsi" exe="/usr/bin/perl" subj=unconfined_u:system_r:fenced_t:s0 key=(null)
type=AVC msg=audit(1363702427.127:1052): avc:  denied  { read append } for  pid=5135 comm="fence_scsi" name="fence_scsi.dev" dev=dm-0 ino=2623231 scontext=unconfined_u:system_r:fenced_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
----
time->Tue Mar 19 15:14:07 2013
type=SYSCALL msg=audit(1363702447.672:1054): arch=c000003e syscall=21 success=yes exit=0 a0=1703820 a1=1 a2=0 a3=14 items=0 ppid=5544 pid=5548 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=163 comm="sh" exe="/bin/bash" subj=unconfined_u:system_r:fenced_t:s0 key=(null)
type=AVC msg=audit(1363702447.672:1054): avc:  denied  { execute } for  pid=5548 comm="sh" name="cman_tool" dev=dm-0 ino=3024602 scontext=unconfined_u:system_r:fenced_t:s0 tcontext=system_u:object_r:rgmanager_exec_t:s0 tclass=file
----
time->Tue Mar 19 15:14:07 2013
type=SYSCALL msg=audit(1363702447.672:1055): arch=c000003e syscall=21 success=yes exit=0 a0=1703820 a1=4 a2=0 a3=14 items=0 ppid=5544 pid=5548 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=163 comm="sh" exe="/bin/bash" subj=unconfined_u:system_r:fenced_t:s0 key=(null)
type=AVC msg=audit(1363702447.672:1055): avc:  denied  { read } for  pid=5548 comm="sh" name="cman_tool" dev=dm-0 ino=3024602 scontext=unconfined_u:system_r:fenced_t:s0 tcontext=system_u:object_r:rgmanager_exec_t:s0 tclass=file
----
time->Tue Mar 19 15:14:07 2013
type=SYSCALL msg=audit(1363702447.673:1056): arch=c000003e syscall=59 success=yes exit=0 a0=1703820 a1=1702e30 a2=1702ae0 a3=18 items=0 ppid=5548 pid=5549 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=163 comm="cman_tool" exe="/usr/sbin/cman_tool" subj=unconfined_u:system_r:fenced_t:s0 key=(null)
type=AVC msg=audit(1363702447.673:1056): avc:  denied  { execute_no_trans } for  pid=5549 comm="sh" path="/usr/sbin/cman_tool" dev=dm-0 ino=3024602 scontext=unconfined_u:system_r:fenced_t:s0 tcontext=system_u:object_r:rgmanager_exec_t:s0 tclass=file
type=AVC msg=audit(1363702447.673:1056): avc:  denied  { open } for  pid=5549 comm="sh" name="cman_tool" dev=dm-0 ino=3024602 scontext=unconfined_u:system_r:fenced_t:s0 tcontext=system_u:object_r:rgmanager_exec_t:s0 tclass=file
----
time->Tue Mar 19 15:14:07 2013
type=SYSCALL msg=audit(1363702447.832:1057): arch=c000003e syscall=2 success=yes exit=3 a0=1d84ef0 a1=241 a2=1b6 a3=3491f1dc10 items=0 ppid=5508 pid=5544 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=163 comm="fence_scsi" exe="/usr/bin/perl" subj=unconfined_u:system_r:fenced_t:s0 key=(null)
type=AVC msg=audit(1363702447.832:1057): avc:  denied  { open } for  pid=5544 comm="fence_scsi" name="fence_scsi.key" dev=dm-0 ino=2623229 scontext=unconfined_u:system_r:fenced_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1363702447.832:1057): avc:  denied  { write } for  pid=5544 comm="fence_scsi" name="fence_scsi.key" dev=dm-0 ino=2623229 scontext=unconfined_u:system_r:fenced_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
----
time->Tue Mar 19 15:14:07 2013
type=SYSCALL msg=audit(1363702447.832:1058): arch=c000003e syscall=16 success=no exit=-25 a0=3 a1=5401 a2=7fff8bc9d5c0 a3=48 items=0 ppid=5508 pid=5544 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=163 comm="fence_scsi" exe="/usr/bin/perl" subj=unconfined_u:system_r:fenced_t:s0 key=(null)
type=AVC msg=audit(1363702447.832:1058): avc:  denied  { ioctl } for  pid=5544 comm="fence_scsi" path="/var/run/cluster/fence_scsi.key" dev=dm-0 ino=2623229 scontext=unconfined_u:system_r:fenced_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
----
time->Tue Mar 19 15:14:07 2013
type=SYSCALL msg=audit(1363702447.832:1059): arch=c000003e syscall=5 success=yes exit=0 a0=3 a1=1d5d0a0 a2=1d5d0a0 a3=0 items=0 ppid=5508 pid=5544 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=163 comm="fence_scsi" exe="/usr/bin/perl" subj=unconfined_u:system_r:fenced_t:s0 key=(null)
type=AVC msg=audit(1363702447.832:1059): avc:  denied  { getattr } for  pid=5544 comm="fence_scsi" path="/var/run/cluster/fence_scsi.key" dev=dm-0 ino=2623229 scontext=unconfined_u:system_r:fenced_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
----
time->Tue Mar 19 15:14:07 2013
type=SYSCALL msg=audit(1363702447.914:1060): arch=c000003e syscall=2 success=yes exit=3 a0=1d836d0 a1=442 a2=1b6 a3=3491f1dc10 items=0 ppid=5508 pid=5544 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=163 comm="fence_scsi" exe="/usr/bin/perl" subj=unconfined_u:system_r:fenced_t:s0 key=(null)
type=AVC msg=audit(1363702447.914:1060): avc:  denied  { read append } for  pid=5544 comm="fence_scsi" name="fence_scsi.dev" dev=dm-0 ino=2623231 scontext=unconfined_u:system_r:fenced_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
----
time->Tue Mar 19 15:14:07 2013
type=SYSCALL msg=audit(1363702447.671:1053): arch=c000003e syscall=4 success=yes exit=0 a0=1703820 a1=7fff069ff320 a2=7fff069ff320 a3=14 items=0 ppid=5544 pid=5548 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=163 comm="sh" exe="/bin/bash" subj=unconfined_u:system_r:fenced_t:s0 key=(null)
type=AVC msg=audit(1363702447.671:1053): avc:  denied  { getattr } for  pid=5548 comm="sh" path="/usr/sbin/cman_tool" dev=dm-0 ino=3024602 scontext=unconfined_u:system_r:fenced_t:s0 tcontext=system_u:object_r:rgmanager_exec_t:s0 tclass=file

Comment 2 Miroslav Grepl 2013-07-17 13:33:53 UTC
It will need to be re-tested with selinux-policy-3.7.19-208.el6.

Comment 4 Miroslav Grepl 2013-07-22 09:51:15 UTC
Jaroslav,
thank you for testing. Please use -209 release.

Comment 5 Jaroslav Kortus 2013-07-24 14:49:57 UTC
# ausearch -m AVC
----
time->Wed Jul 24 16:47:54 2013
type=SYSCALL msg=audit(1374677274.236:47): arch=c000003e syscall=4 success=no exit=-13 a0=265f820 a1=7fffd15b47c0 a2=7fffd15b47c0 a3=14 items=0 ppid=7689 pid=7696 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="sh" exe="/bin/bash" subj=unconfined_u:system_r:fenced_t:s0 key=(null)
type=AVC msg=audit(1374677274.236:47): avc:  denied  { getattr } for  pid=7696 comm="sh" path="/usr/sbin/cman_tool" dev=dm-0 ino=2631495 scontext=unconfined_u:system_r:fenced_t:s0 tcontext=system_u:object_r:rgmanager_exec_t:s0 tclass=file
----
time->Wed Jul 24 16:48:33 2013
type=SYSCALL msg=audit(1374677313.338:50): arch=c000003e syscall=21 success=yes exit=0 a0=1fbc820 a1=1 a2=0 a3=14 items=0 ppid=8072 pid=8079 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="sh" exe="/bin/bash" subj=unconfined_u:system_r:fenced_t:s0 key=(null)
type=AVC msg=audit(1374677313.338:50): avc:  denied  { execute } for  pid=8079 comm="sh" name="cman_tool" dev=dm-0 ino=2631495 scontext=unconfined_u:system_r:fenced_t:s0 tcontext=system_u:object_r:rgmanager_exec_t:s0 tclass=file
----
time->Wed Jul 24 16:48:33 2013
type=SYSCALL msg=audit(1374677313.338:49): arch=c000003e syscall=4 success=yes exit=0 a0=1fbc820 a1=7fff4614fad0 a2=7fff4614fad0 a3=14 items=0 ppid=8072 pid=8079 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="sh" exe="/bin/bash" subj=unconfined_u:system_r:fenced_t:s0 key=(null)
type=AVC msg=audit(1374677313.338:49): avc:  denied  { getattr } for  pid=8079 comm="sh" path="/usr/sbin/cman_tool" dev=dm-0 ino=2631495 scontext=unconfined_u:system_r:fenced_t:s0 tcontext=system_u:object_r:rgmanager_exec_t:s0 tclass=file
----
time->Wed Jul 24 16:48:33 2013
type=SYSCALL msg=audit(1374677313.338:51): arch=c000003e syscall=21 success=yes exit=0 a0=1fbc820 a1=4 a2=0 a3=14 items=0 ppid=8072 pid=8079 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="sh" exe="/bin/bash" subj=unconfined_u:system_r:fenced_t:s0 key=(null)
type=AVC msg=audit(1374677313.338:51): avc:  denied  { read } for  pid=8079 comm="sh" name="cman_tool" dev=dm-0 ino=2631495 scontext=unconfined_u:system_r:fenced_t:s0 tcontext=system_u:object_r:rgmanager_exec_t:s0 tclass=file
----
time->Wed Jul 24 16:48:33 2013
type=SYSCALL msg=audit(1374677313.339:52): arch=c000003e syscall=59 success=yes exit=0 a0=1fbc820 a1=1fbbe30 a2=1fbbae0 a3=18 items=0 ppid=8079 pid=8080 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="cman_tool" exe="/usr/sbin/cman_tool" subj=unconfined_u:system_r:fenced_t:s0 key=(null)
type=AVC msg=audit(1374677313.339:52): avc:  denied  { execute_no_trans } for  pid=8080 comm="sh" path="/usr/sbin/cman_tool" dev=dm-0 ino=2631495 scontext=unconfined_u:system_r:fenced_t:s0 tcontext=system_u:object_r:rgmanager_exec_t:s0 tclass=file
type=AVC msg=audit(1374677313.339:52): avc:  denied  { open } for  pid=8080 comm="sh" name="cman_tool" dev=dm-0 ino=2631495 scontext=unconfined_u:system_r:fenced_t:s0 tcontext=system_u:object_r:rgmanager_exec_t:s0 tclass=file


[root@light-02 audit]# rpm -q selinux-policy
selinux-policy-3.7.19-209.el6.noarch
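The two `ausearch -m AVC` dumps on this page (the original description and the re-test in comment 5) are easier to compare once each denial is reduced to the tuple a policy author cares about: source type, target type, object class and the union of denied permissions. The script below is an added example, not part of the bug report or of the selinux-policy package; it does by hand what `audit2allow` does in production, and then diffs the two sets so the denials that survived the -209 re-test stand out. The sample records are the `type=AVC` lines copied from the report; the SYSCALL records are not needed. Function names (`parse_avc`, `summarize`, `as_allow_rules`, `compare`) are my own.

```python
"""Summarize SELinux AVC denials from `ausearch -m AVC` output.

Added example; not part of the bug report or of selinux-policy. It groups
each denial by (source type, target type, object class), unions the denied
permissions, and compares two dumps. In production use `audit2allow`, which
does the first part for you; this is a reduced, readable reimplementation.
"""
import re
from collections import defaultdict

# Matches the denial body:  avc:  denied  { read append } for  pid=... tclass=file
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$')
# key=value pairs after "for"; values may be quoted (comm="sh") or bare (tclass=file)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# AVC records copied from the initial description of the bug report.
INITIAL_AVC = [
    'type=AVC msg=audit(1363702426.879:1046): avc:  denied  { execute } for  pid=5144 comm="sh" name="cman_tool" dev=dm-0 ino=3024602 scontext=unconfined_u:system_r:fenced_t:s0 tcontext=system_u:object_r:rgmanager_exec_t:s0 tclass=file',
    'type=AVC msg=audit(1363702426.879:1045): avc:  denied  { getattr } for  pid=5144 comm="sh" path="/usr/sbin/cman_tool" dev=dm-0 ino=3024602 scontext=unconfined_u:system_r:fenced_t:s0 tcontext=system_u:object_r:rgmanager_exec_t:s0 tclass=file',
    'type=AVC msg=audit(1363702426.879:1047): avc:  denied  { read } for  pid=5144 comm="sh" name="cman_tool" dev=dm-0 ino=3024602 scontext=unconfined_u:system_r:fenced_t:s0 tcontext=system_u:object_r:rgmanager_exec_t:s0 tclass=file',
    'type=AVC msg=audit(1363702426.880:1048): avc:  denied  { execute_no_trans } for  pid=5145 comm="sh" path="/usr/sbin/cman_tool" dev=dm-0 ino=3024602 scontext=unconfined_u:system_r:fenced_t:s0 tcontext=system_u:object_r:rgmanager_exec_t:s0 tclass=file',
    'type=AVC msg=audit(1363702426.880:1048): avc:  denied  { open } for  pid=5145 comm="sh" name="cman_tool" dev=dm-0 ino=3024602 scontext=unconfined_u:system_r:fenced_t:s0 tcontext=system_u:object_r:rgmanager_exec_t:s0 tclass=file',
    'type=AVC msg=audit(1363702427.044:1049): avc:  denied  { open } for  pid=5135 comm="fence_scsi" name="fence_scsi.key" dev=dm-0 ino=2623229 scontext=unconfined_u:system_r:fenced_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file',
    'type=AVC msg=audit(1363702427.044:1049): avc:  denied  { write } for  pid=5135 comm="fence_scsi" name="fence_scsi.key" dev=dm-0 ino=2623229 scontext=unconfined_u:system_r:fenced_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file',
    'type=AVC msg=audit(1363702427.044:1050): avc:  denied  { ioctl } for  pid=5135 comm="fence_scsi" path="/var/run/cluster/fence_scsi.key" dev=dm-0 ino=2623229 scontext=unconfined_u:system_r:fenced_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file',
    'type=AVC msg=audit(1363702427.044:1051): avc:  denied  { getattr } for  pid=5135 comm="fence_scsi" path="/var/run/cluster/fence_scsi.key" dev=dm-0 ino=2623229 scontext=unconfined_u:system_r:fenced_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file',
    'type=AVC msg=audit(1363702427.127:1052): avc:  denied  { read append } for  pid=5135 comm="fence_scsi" name="fence_scsi.dev" dev=dm-0 ino=2623231 scontext=unconfined_u:system_r:fenced_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file',
]

# AVC records copied from the comment 5 re-test against selinux-policy-3.7.19-209.el6.
RETEST_AVC = [
    'type=AVC msg=audit(1374677274.236:47): avc:  denied  { getattr } for  pid=7696 comm="sh" path="/usr/sbin/cman_tool" dev=dm-0 ino=2631495 scontext=unconfined_u:system_r:fenced_t:s0 tcontext=system_u:object_r:rgmanager_exec_t:s0 tclass=file',
    'type=AVC msg=audit(1374677313.338:50): avc:  denied  { execute } for  pid=8079 comm="sh" name="cman_tool" dev=dm-0 ino=2631495 scontext=unconfined_u:system_r:fenced_t:s0 tcontext=system_u:object_r:rgmanager_exec_t:s0 tclass=file',
    'type=AVC msg=audit(1374677313.338:51): avc:  denied  { read } for  pid=8079 comm="sh" name="cman_tool" dev=dm-0 ino=2631495 scontext=unconfined_u:system_r:fenced_t:s0 tcontext=system_u:object_r:rgmanager_exec_t:s0 tclass=file',
    'type=AVC msg=audit(1374677313.339:52): avc:  denied  { execute_no_trans } for  pid=8080 comm="sh" path="/usr/sbin/cman_tool" dev=dm-0 ino=2631495 scontext=unconfined_u:system_r:fenced_t:s0 tcontext=system_u:object_r:rgmanager_exec_t:s0 tclass=file',
    'type=AVC msg=audit(1374677313.339:52): avc:  denied  { open } for  pid=8080 comm="sh" name="cman_tool" dev=dm-0 ino=2631495 scontext=unconfined_u:system_r:fenced_t:s0 tcontext=system_u:object_r:rgmanager_exec_t:s0 tclass=file',
]


def parse_avc(line):
    """Return one parsed denial, or None for SYSCALL, separator and other lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    return {
        'perms': set(m.group('perms').split()),   # "{ read append }" -> {'read', 'append'}
        'scontext': fields['scontext'],
        'tcontext': fields['tcontext'],
        'tclass': fields['tclass'],
        'target': fields.get('path') or fields.get('name'),
    }


def type_of(context):
    """user:role:type:level -> type (the part policy rules are written against)."""
    return context.split(':')[2]


def summarize(lines):
    """Map (source type, target type, class) -> union of denied permissions."""
    rules = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is not None:
            key = (type_of(rec['scontext']), type_of(rec['tcontext']), rec['tclass'])
            rules[key] |= rec['perms']
    return dict(rules)


def as_allow_rules(rules):
    """Render the summary in the allow-rule form audit2allow prints."""
    return ['allow %s %s:%s { %s };' % (s, t, c, ' '.join(sorted(p)))
            for (s, t, c), p in sorted(rules.items())]


def compare(before, after):
    """Split a re-test into (still denied, resolved) relative to the first run."""
    still = dict(after)
    resolved = {}
    for key, perms in before.items():
        gone = perms - after.get(key, set())
        if gone:
            resolved[key] = gone
    return still, resolved


if __name__ == '__main__':
    first, retest = summarize(INITIAL_AVC), summarize(RETEST_AVC)
    print('initial report needed:')
    print('\n'.join('  ' + r for r in as_allow_rules(first)))
    still, resolved = compare(first, retest)
    print('resolved by -209:')
    print('\n'.join('  ' + r for r in as_allow_rules(resolved)))
    print('still denied with -209:')
    print('\n'.join('  ' + r for r in as_allow_rules(still)))
```

Run against the two dumps, the comparison shows that -209 cleared every `var_run_t` denial on `fence_scsi.key` and `fence_scsi.dev`, while the `fenced_t` -> `rgmanager_exec_t` file permissions (`execute`, `execute_no_trans`, `getattr`, `open`, `read`) were still being denied, which is exactly what comment 5 reports and what the later policy release had to cover. The same grouping is a reasonable first pass when triaging any AVC flood: one rule per tuple tells you whether a denial is a labeling problem (wrong target type, fix with `restorecon`) or a missing policy rule.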

Comment 6 Miroslav Grepl 2013-08-06 10:58:36 UTC
Should be fixed in the latest policy.

Comment 12 errata-xmlrpc 2013-11-21 10:20:46 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1598.html

