924843 – Various AVC denieds related to corosync policy for heartbeat

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 924843 - Various AVC denieds related to corosync policy for heartbeat

Summary: Various AVC denieds related to corosync policy for heartbeat

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	6.4
Hardware:	All
OS:	Linux
Priority:	high
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Miroslav Grepl
QA Contact:	Michal Trunecka
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	835616 960054 1003783
TreeView+	depends on / blocked

Reported:	2013-03-22 15:45 UTC by Robert Scheck
Modified:	2018-12-03 18:32 UTC (History)
CC List:	7 users (show)
Fixed In Version:	selinux-policy-3.7.19-208.el6
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Clones:	1003783 (view as bug list)
Environment:
Last Closed:	2013-11-21 10:21:08 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Knowledge Base (Solution)	167183	0	None	None	None	Never
Red Hat Product Errata	RHBA-2013:1598	0	normal	SHIPPED_LIVE	selinux-policy bug fix and enhancement update	2013-11-20 21:39:24 UTC

Description Robert Scheck 2013-03-22 15:45:01 UTC

Description of problem:
As per bug #836311 comment #30 this has been moved to this separate RHBZ:

type=AVC msg=audit(1363694647.207:432387): avc:  denied  { search } for  pid=32588 comm="mysqld_safe" name="root" dev=sda1 ino=1314605 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:rgmanager_var_lib_t:s0
tclass=dir
type=SYSCALL msg=audit(1363694647.207:432387): arch=x86_64 syscall=stat success=no exit=EACCES a0=4a3b4b a1=7fff999df260 a2=7fff999df260 a3=39e5d37110 items=0 ppid=7112 pid=32588 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=mysqld_safe exe=2F62696E2F62617368202864656C6574656429 subj=system_u:system_r:mysqld_safe_t:s0 key=(null)

type=AVC msg=audit(1363694697.319:96081): avc:  denied  { search } for  pid=20910 comm="mysqld_safe" name="heartbeat" dev=sda1 ino=3153187 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:rgmanager_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1363694697.319:96081): arch=x86_64 syscall=stat success=no exit=EACCES a0=1c6fd80 a1=7fffd37a7940 a2=7fffd37a7940 a3=4 items=0 ppid=20878 pid=20910 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=mysqld_safe exe=/bin/bash subj=system_u:system_r:mysqld_safe_t:s0 key=(null)

type=AVC msg=audit(1363694697.836:96126): avc:  denied  { search } for  pid=21017 comm="mysqld" name="root" dev=sda1 ino=3153191 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:rgmanager_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1363694697.836:96126): arch=x86_64 syscall=stat success=no exit=EACCES a0=7fff733d7860 a1=7fff733d47c0 a2=7fff733d47c0 a3=fffffffffffffffd items=0 ppid=20910 pid=21017 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=mysqld exe=/usr/libexec/mysqld subj=system_u:system_r:mysqld_t:s0 key=(null)

type=AVC msg=audit(1363623429.464:75833): avc:  denied  { search } for  pid=4148 comm="squid" name="root" dev=sda1 ino=394795 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:rgmanager_var_lib_t:s0 tclass=dir

type=SYSCALL msg=audit(1363623429.464:75833): arch=x86_64 syscall=execve success=no exit=EACCES a0=7fff5184dad0 a1=7fff5184ba30 a2=7fe12b610010 a3=7fff5184d840 items=0 ppid=4147 pid=4148 auid=4294967295 uid=0 gid=23 euid=0 suid=0 fsuid=0 egid=23 sgid=23 fsgid=23 tty=(none) ses=4294967295 comm=squid exe=/usr/sbin/squid subj=system_u:system_r:squid_t:s0 key=(null)

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-195.el6_4.3.noarch
selinux-policy-targeted-3.7.19-195.el6_4.3.noarch

How reproducible:
Everytime, heartbeat v1 setup as described in bug #836311 with latest SELinux
policy from RHEL 6.4.
  
Actual results:
Some AVC denied.

Expected results:
No AVC denieds.

Comment 1 Robert Scheck 2013-03-22 15:53:04 UTC

This is cross-referenced with Red Hat customer portal, case 00668208

Comment 2 Miroslav Grepl 2013-03-25 09:59:26 UTC

Robert,
does it only want to search these dirs?

Comment 3 Robert Scheck 2013-03-27 17:24:17 UTC

Miroslav, how do I figure out this best? This is the only AVC denieds as it
seems at least. Suggestions how to track down? Try dontaudits, enforce and
see and try if it is as expected? Unfortunately nearly all of the affected
systems are productive...

Comment 4 Miroslav Grepl 2013-04-03 08:30:31 UTC

Probably the best is make a domain as permissive domains.

# semanage permissive -a DOMAIN

re-test

# ausearch -m avc -ts recent
# semanage permissive -d DOMAIN


But actually no need in this case. I am adding fixes to Fedora and will back port them.

Comment 5 Robert Scheck 2013-04-16 19:05:20 UTC

I think it would be enough to make them dontaudit, because it seems to work
fine how it is (enforced).

Comment 15 errata-xmlrpc 2013-11-21 10:21:08 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1598.html

Note You need to log in before you can comment on or make changes to this bug.