Bug 962803 - Wrong selinux context in clustered samba
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: resource-agents
6.6
Hardware: Unspecified, OS: Unspecified
Priority: medium, Severity: medium
Target Milestone: rc
Target Release: ---
Assigned To: David Vossel
QA Contact: Cluster QE
Keywords: EasyFix, Patch
Depends On:
Blocks:
Reported: 2013-05-14 09:11 EDT by Josef Zimek
Modified: 2014-05-09 16:39 EDT (History)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-05-09 16:39:46 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Proposed patch (1.29 KB, patch)
2013-09-05 12:03 EDT, Jose Castillo

Description Josef Zimek 2013-05-14 09:11:54 EDT
Description of problem:

The cluster manager copies the smb.conf file from /etc/samba/smb.conf to /etc/cluster/samba/samba:Software/smb.conf before starting this as a service in the cluster. However, by copying the file it changes the selinux context to system_u:object_r:cluster_conf_t:s0, which is incorrect for the samba process.
Since /etc/cluster/samba/samba:Software/smb.conf is temporary, it is hard to see that it has the wrong context.

When selinux is disabled everything works fine. When enabled:

---
May  1 08:13:10 linsv300 rgmanager[9227]: Starting disabled service service:Linux
May  1 08:13:11 linsv300 rgmanager[26751]: [ip] Adding IPv4 address 145.70.80.251/24 to eth0
May  1 08:13:14 linsv300 rgmanager[26826]: [ip] Asking lockd to drop locks (pid 10473)
May  1 08:13:15 linsv300 ntpd[1896]: Listening on interface #10 eth0, 145.70.80.251#123 Enabled
May  1 08:13:18 linsv300 rgmanager[26951]: [lvm] Activating lincl000_datavg/lv_software
May  1 08:13:20 linsv300 rgmanager[26982]: [lvm] Making resilient : lvchange -ay lincl000_datavg/lv_software
May  1 08:13:21 linsv300 rgmanager[27007]: [lvm] Resilient command: lvchange -ay lincl000_datavg/lv_software --config devices{filter=["a|/dev/vda2|","a|/dev/vdb1|","a|/d
May  1 08:13:21 linsv300 lvm[1211]: Monitoring mirror device lincl000_datavg-lv_software for events.
May  1 08:13:22 linsv300 rgmanager[27304]: [fs] mounting /dev/dm-4 on /nfs4exports/nfstest
May  1 08:13:22 linsv300 rgmanager[27326]: [fs] mount   /dev/dm-4 /nfs4exports/nfstest
May  1 08:13:22 linsv300 kernel: EXT4-fs (dm-4): mounted filesystem with ordered data mode. Opts:
May  1 08:13:23 linsv300 rgmanager[27388]: [nfsclient] Adding export: 145.70.0.0/16:/nfs4exports/nfstest (fsid=350,rw)
May  1 08:13:23 linsv300 rgmanager[27479]: [samba] Starting Service samba:Software
May  1 08:13:23 linsv300 rgmanager[27506]: [samba] Checking Non-Existence of PID File /var/run/cluster/samba/samba:Software/nmbd-smb.conf.pid [samba:Software] > Failed -
May  1 08:13:23 linsv300 rgmanager[27528]: [samba] Starting Service samba:Software > Failed
May  1 08:13:23 linsv300 rgmanager[9227]: start on samba "Software" returned 1 (generic error)
May  1 08:13:23 linsv300 rgmanager[9227]: #68: Failed to start service:Linux; return value: 1
---

After creating a service for a clustered samba server, the service won't start because of selinux permissions.
smbd.log says:
[2013/04/23 14:48:58,  0] smbd/server.c:1041(main)
  error opening config file
ausearch -m avc:
time->Tue Apr 23 14:48:58 2013
type=PATH msg=audit(1366721338.983:84595): item=1 name=(null) inode=24744 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:cluster_conf_t:s0
type=PATH msg=audit(1366721338.983:84595): item=0 name="/etc/cluster/samba/samba:Software/smb.conf"
type=CWD msg=audit(1366721338.983:84595):  cwd="/"
type=SYSCALL msg=audit(1366721338.983:84595): arch=c000003e syscall=2 success=no exit=-13 a0=7f0af01259b0 a1=0 a2=0 a3=78 items=2 ppid=17713 pid=18007 auid=1139 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=942 comm="smbd" exe="/usr/sbin/smbd" subj=unconfined_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1366721338.983:84595): avc:  denied  { search } for  pid=18007 comm="smbd" name="cluster" dev=dm-0 ino=24744 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=system_u:object_r:cluster_conf_t:s0 tclass=dir


Version-Release number of selected component (if applicable):
RHEL6.4


How reproducible:
always

Steps to Reproduce:
1. SELinux enforcing
2. smb as a cluster service
3. start the service

Actual results:


Expected results:


Additional info:
 
There is a Bug 907898 for basically the same issue from same customer when using clustered NFS + selinux:
"Please be advised that the nfsserver.sh script from resource agents-3.9.2-21.el6 is using cp -f (without the "a" option) in the start_locking routine. We feel this should be consistent for nfsv3 and nfs4, so the svclib_nfslock.sh script should also use the cp -f instead of cp -af as stated earlier."
Comment 2 Jose Castillo 2013-09-05 12:02:09 EDT
I've been doing some tests, and even when you try to change the context, SELinux complains:

[root@pe1950-4 ~]# semanage fcontext -a -t samba_etc_t "/etc/cluster/samba/samba:Software(/.*)?"

[root@pe1950-4 ~]# restorecon -R -v /etc/cluster/samba/samba\:Software/
restorecon reset /etc/cluster/samba/samba:Software context unconfined_u:object_r:cluster_conf_t:s0->unconfined_u:object_r:samba_etc_t:s0
[root@pe1950-4 ~]# chcon -v --type=samba_etc_t "/etc/cluster/samba/samba:Software"
[root@pe1950-4 ~]# ls -lZ /etc/cluster/samba
drwxr-xr-x. root root unconfined_u:object_r:samba_etc_t:s0 samba:Software

[root@pe1950-4 ~]# clusvcadm -e Linux
Local machine trying to enable service:Linux...

We have the following in the logs:

type=AVC msg=audit(1378397851.301:40435): avc:  denied  { search } for  pid=31166 comm="smbd" name="cluster" dev=dm-0 ino=396762 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=system_u:object_r:cluster_conf_t:s0 tclass=dir

type=SYSCALL msg=audit(1378397851.301:40435): arch=c000003e syscall=4 success=no exit=-13 a0=7f07abd60ac0 a1=7fff20755c60 a2=7fff20755c60 a3=7fff207559e0 items=0 ppid=30892 pid=31166 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="smbd" exe="/usr/sbin/smbd" subj=unconfined_u:system_r:smbd_t:s0 key=(null)

type=AVC msg=audit(1378397851.301:40436): avc:  denied  { search } for  pid=31166 comm="smbd" name="cluster" dev=dm-0 ino=396762 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=system_u:object_r:cluster_conf_t:s0 tclass=dir

type=SYSCALL msg=audit(1378397851.301:40436): arch=c000003e syscall=2 success=no exit=-13 a0=7f07abd60ac0 a1=0 a2=0 a3=78 items=0 ppid=30892 pid=31166 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="smbd" exe="/usr/sbin/smbd" subj=unconfined_u:system_r:smbd_t:s0 key=(null)

Failure

If I understand that output correctly, it seems that the problem is accessing the parent directory, /etc/cluster. I think that if we change the context of this directory, other cluster subsystems may stop working. For this reason I tried a new approach, which is to move the samba.conf file outside of /etc/cluster and into /etc/samba/. With the patch I'm trying, the configuration file is created inside the following directory:

[root@pe1950-4 ~]# ls -lZ /etc/samba/samba\:Software/
-rw-r--r--. root root unconfined_u:object_r:samba_etc_t:s0 smb.conf

Where "Software" is the name of the service. As you can see, the context in this case is the right one for smbd to start the service, since it inherits it from the parent directory.
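The triage step walked through in comment 2 (reading the AVC records from the description and comment 2 to see that the denial is a `search` on the parent directory `cluster`, class `dir`, rather than on smb.conf itself, so relabelling the leaf file cannot help) can be automated. The following Python script is an added example and is not code from this bug, from resource-agents or from Red Hat: it parses `type=AVC` audit records, groups them by source domain, target type, object class and denied permission, and flags directory-traversal denials separately from file denials. The sample records are constructed after the lines in the report (one extra file-read denial is added to show the contrast), and the `SAMPLE_AUDIT`, `parse_avc`, `summarize`, `diagnose` and `report` names are this example's own.

```python
"""Triage SELinux AVC denials for a confined daemon.

Added example for Bug 962803; not part of the bug, resource-agents or Red Hat.
Groups 'type=AVC' records by (source domain, target type, object class,
permission) so that a 'search' denial on a directory (here the parent
directory 'cluster' labelled cluster_conf_t) is reported as a traversal
problem rather than a wrong label on the leaf file.
"""
import re
from collections import Counter, defaultdict

# Constructed sample modelled on the ausearch output in the bug report; the
# final file-read denial is invented here to show the contrast with dir search.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1366721338.983:84595): avc:  denied  { search } for  pid=18007 comm="smbd" name="cluster" dev=dm-0 ino=24744 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=system_u:object_r:cluster_conf_t:s0 tclass=dir
type=SYSCALL msg=audit(1366721338.983:84595): arch=c000003e syscall=2 success=no exit=-13 comm="smbd" exe="/usr/sbin/smbd"
type=AVC msg=audit(1378397851.301:40435): avc:  denied  { search } for  pid=31166 comm="smbd" name="cluster" dev=dm-0 ino=396762 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=system_u:object_r:cluster_conf_t:s0 tclass=dir
type=AVC msg=audit(1378397851.301:40436): avc:  denied  { read } for  pid=31166 comm="smbd" name="smb.conf" dev=dm-0 ino=396800 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=system_u:object_r:cluster_conf_t:s0 tclass=file
"""

# 'type=AVC ... avc:  denied  { perm [perm...] } for  key=value ...'
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$'
)
# key=value pairs; values may be double-quoted (comm="smbd") or bare
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def _ctx_type(ctx):
    """Return the type field of a user:role:type:level security context."""
    parts = ctx.split(':')
    return parts[2] if len(parts) >= 3 else ctx


def parse_avc(line):
    """Parse one audit line; return a dict for AVC records, None otherwise."""
    m = AVC_RE.match(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('fields'))}
    return {
        'perms': m.group('perms').split(),
        'comm': fields.get('comm'),
        'name': fields.get('name'),
        'sdomain': _ctx_type(fields['scontext']),
        'ttype': _ctx_type(fields['tcontext']),
        'tclass': fields['tclass'],
    }


def summarize(audit_text):
    """Count denials per (sdomain, ttype, tclass, perm) and collect object names."""
    counts = Counter()
    names = defaultdict(set)
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        for perm in rec['perms']:
            key = (rec['sdomain'], rec['ttype'], rec['tclass'], perm)
            counts[key] += 1
            if rec['name']:
                names[key].add(rec['name'])
    return counts, names


def diagnose(key, names):
    """Turn one grouped denial into a one-line explanation for the operator."""
    sdomain, ttype, tclass, perm = key
    where = ', '.join(sorted(names)) or '?'
    if tclass == 'dir' and perm == 'search':
        # The daemon cannot even traverse the directory: fixing the label of
        # the file inside it changes nothing, the directory label or the
        # policy has to change (which is what comment 6 reports for 6.5).
        return (f"{sdomain} cannot traverse directory '{where}' labelled {ttype}; "
                f"relabelling files below it will not help")
    return f"{sdomain} denied {perm} on {tclass} '{where}' labelled {ttype}"


def report(audit_text):
    """Return one summary line per denial group, most frequent first."""
    counts, names = summarize(audit_text)
    return [f"{n}x {diagnose(key, names[key])}" for key, n in counts.most_common()]


if __name__ == '__main__':
    for line in report(SAMPLE_AUDIT):
        print(line)
```

Run against real data with `ausearch -m avc --raw | python3 avc_triage.py` after replacing `SAMPLE_AUDIT` with `sys.stdin.read()`; the grouped output makes it obvious when every denial shares a single `dir`/`search` entry on an ancestor directory, which is the case in this bug.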
Comment 3 Jose Castillo 2013-09-05 12:03:16 EDT
Created attachment 794350 [details]
Proposed patch
Comment 5 David Vossel 2014-04-02 15:53:31 EDT
Your patch would work, but it is a slight change in behavior. The /var/run/cluster directory is temporary and will reinitialize on reboot. /etc/samba is not temporary.

I'd prefer the selinux policy to be updated so that the smbd daemon can access the /var/run/cluster/samba directory rather than making a special condition for this.

-- Vossel
Comment 6 Cedric Buissart 2014-04-24 15:12:54 EDT
Good news!

This has been corrected in 6.5 SELinux policies :

From smbd_selinux(8) :
---8<---
MANAGED FILES
[...]
       cluster_conf_t

            /etc/cluster(/.*)?
--->8---

We can close the BZ ... but I am not sure about the resolution, probably "current release" ?

Customer and I confirmed that it seems to work fine.
Comment 7 David Vossel 2014-04-24 16:44:33 EDT
(In reply to Cedric Buissart from comment #6)
> Good news!
.
.
.
> We can close the BZ ... but I am not sure about the resolution, probably
> "current release" ?
> 
> Customer and I confirmed that it seems to work fine.


Awesome! Is there a bug we can reference this to? We could just mark this as a duplicate of whatever bug was filed for the selinux policy fix.

-- Vossel
Comment 8 Cedric Buissart 2014-04-25 04:52:59 EDT
... I had feared you would ask :p

Answer is: I don't know.

I had spent quite some time searching (dist-git, BZ, source RPM), but I did not get a hand on how they manage the patches. It seems that the patches are stored in 1 huge patch file.
So I have no BZ, or patch to show you : these lines in the man page just appeared.
Comment 9 David Vossel 2014-05-09 16:39:46 EDT
(In reply to Cedric Buissart from comment #6)
> Good news!
> 
> This has been corrected in 6.5 SELinux policies :
> 
> From smbd_selinux(8) :
> ---8<---
> MANAGED FILES
> [...]
>        cluster_conf_t
> 
>             /etc/cluster(/.*)?
> --->8---
> 
> We can close the BZ ... but I am not sure about the resolution, probably
> "current release" ?
> 
> Customer and I confirmed that it seems to work fine.

Since you all verified this in 6.5, closing with "current release" works for me.
