Bug 924843 - Various AVC denieds related to corosync policy for heartbeat
Summary: Various AVC denieds related to corosync policy for heartbeat
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.4
Hardware: All
OS: Linux
high
medium
Target Milestone: rc
: ---
Assignee: Miroslav Grepl
QA Contact: Michal Trunecka
URL:
Whiteboard:
Depends On:
Blocks: 835616 960054 1003783
TreeView+ depends on / blocked
 
Reported: 2013-03-22 15:45 UTC by Robert Scheck
Modified: 2018-12-03 18:32 UTC (History)
7 users (show)

Fixed In Version: selinux-policy-3.7.19-208.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 1003783 (view as bug list)
Environment:
Last Closed: 2013-11-21 10:21:08 UTC
Target Upstream Version:

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 167183 0 None None None Never
Red Hat Product Errata RHBA-2013:1598 0 normal SHIPPED_LIVE selinux-policy bug fix and enhancement update 2013-11-20 21:39:24 UTC

Description Robert Scheck 2013-03-22 15:45:01 UTC 
Description of problem:
As per bug #836311 comment #30 this has been moved to this separate RHBZ:

type=AVC msg=audit(1363694647.207:432387): avc:  denied  { search } for  pid=32588 comm="mysqld_safe" name="root" dev=sda1 ino=1314605 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:rgmanager_var_lib_t:s0
tclass=dir
type=SYSCALL msg=audit(1363694647.207:432387): arch=x86_64 syscall=stat success=no exit=EACCES a0=4a3b4b a1=7fff999df260 a2=7fff999df260 a3=39e5d37110 items=0 ppid=7112 pid=32588 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=mysqld_safe exe=2F62696E2F62617368202864656C6574656429 subj=system_u:system_r:mysqld_safe_t:s0 key=(null)

type=AVC msg=audit(1363694697.319:96081): avc:  denied  { search } for  pid=20910 comm="mysqld_safe" name="heartbeat" dev=sda1 ino=3153187 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:rgmanager_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1363694697.319:96081): arch=x86_64 syscall=stat success=no exit=EACCES a0=1c6fd80 a1=7fffd37a7940 a2=7fffd37a7940 a3=4 items=0 ppid=20878 pid=20910 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=mysqld_safe exe=/bin/bash subj=system_u:system_r:mysqld_safe_t:s0 key=(null)

type=AVC msg=audit(1363694697.836:96126): avc:  denied  { search } for  pid=21017 comm="mysqld" name="root" dev=sda1 ino=3153191 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:rgmanager_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1363694697.836:96126): arch=x86_64 syscall=stat success=no exit=EACCES a0=7fff733d7860 a1=7fff733d47c0 a2=7fff733d47c0 a3=fffffffffffffffd items=0 ppid=20910 pid=21017 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=mysqld exe=/usr/libexec/mysqld subj=system_u:system_r:mysqld_t:s0 key=(null)

type=AVC msg=audit(1363623429.464:75833): avc:  denied  { search } for  pid=4148 comm="squid" name="root" dev=sda1 ino=394795 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:rgmanager_var_lib_t:s0 tclass=dir

type=SYSCALL msg=audit(1363623429.464:75833): arch=x86_64 syscall=execve success=no exit=EACCES a0=7fff5184dad0 a1=7fff5184ba30 a2=7fe12b610010 a3=7fff5184d840 items=0 ppid=4147 pid=4148 auid=4294967295 uid=0 gid=23 euid=0 suid=0 fsuid=0 egid=23 sgid=23 fsgid=23 tty=(none) ses=4294967295 comm=squid exe=/usr/sbin/squid subj=system_u:system_r:squid_t:s0 key=(null)

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-195.el6_4.3.noarch
selinux-policy-targeted-3.7.19-195.el6_4.3.noarch

How reproducible:
Everytime, heartbeat v1 setup as described in bug #836311 with latest SELinux
policy from RHEL 6.4.
  
Actual results:
Some AVC denied.

Expected results:
No AVC denieds.
Comment 1 Robert Scheck 2013-03-22 15:53:04 UTC 
This is cross-referenced with Red Hat customer portal, case 00668208
Comment 2 Miroslav Grepl 2013-03-25 09:59:26 UTC 
Robert,
does it only want to search these dirs?
Comment 3 Robert Scheck 2013-03-27 17:24:17 UTC 
Miroslav, how do I figure out this best? This is the only AVC denieds as it
seems at least. Suggestions how to track down? Try dontaudits, enforce and
see and try if it is as expected? Unfortunately nearly all of the affected
systems are productive...
Comment 4 Miroslav Grepl 2013-04-03 08:30:31 UTC 
Probably the best is make a domain as permissive domains.

# semanage permissive -a DOMAIN

re-test

# ausearch -m avc -ts recent
# semanage permissive -d DOMAIN


But actually no need in this case. I am adding fixes to Fedora and will back port them.
Comment 5 Robert Scheck 2013-04-16 19:05:20 UTC 
I think it would be enough to make them dontaudit, because it seems to work
fine how it is (enforced).
Comment 15 errata-xmlrpc 2013-11-21 10:21:08 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1598.html
Note You need to log in before you can comment on or make changes to this bug.