Bug 984253 - All domain transitions related to pacemaker are missing
Status: CLOSED DUPLICATE of bug 915151
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.4
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Assigned To: Miroslav Grepl
QA Contact: BaseOS QE Security Team
Reported: 2013-07-13 22:33 EDT by Robert Scheck
Modified: 2013-07-15 04:52 EDT

Doc Type: Bug Fix
Last Closed: 2013-07-15 04:52:09 EDT
Type: Bug
Attachments: None

Description Robert Scheck 2013-07-13 22:33:05 EDT
Description of problem:
From my point of view, all domain transitions related to pacemaker are missing
so far in the SELinux policy.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.7.19-195.el6_4.12.noarch
pacemaker-1.1.8-7.el6.x86_64

How reproducible:
Set up cman, corosync and pacemaker and add some "random" resources, followed
by a "ps auxZ" and watch setroubleshoot-server.

Actual results:
unconfined_u:system_r:pacemaker_t:s0 root 17337 0.0  0.0 353156  3844 ?        Sl   04:08   0:00 /usr/bin/zarafa-licensed -c /etc/zarafa/licensed.cfg
unconfined_u:system_r:pacemaker_t:s0 root 17674 11.5  0.1 450092 47644 ?       Sl   04:08   2:22 /usr/bin/zarafa-server -c /etc/zarafa/server.cfg
unconfined_u:system_r:pacemaker_t:s0 root 17705 0.0  0.0 406112  6412 ?        Sl   04:08   0:00 /usr/bin/zarafa-monitor -c /etc/zarafa/monitor.cfg
unconfined_u:system_r:pacemaker_t:s0 root 17726 0.0  0.0 302656  4524 ?        Sl   04:08   0:00 /usr/bin/zarafa-spooler -c /etc/zarafa/spooler.cfg
unconfined_u:system_r:pacemaker_t:s0 root 17731 0.0  0.0 225152  1508 ?        S    04:08   0:00 /usr/bin/zarafa-dagent -d -c /etc/zarafa/dagent.cfg
unconfined_u:system_r:pacemaker_t:s0 root 31979 15.0  0.7 725256 191780 ?      Sl   04:10   2:54 /usr/bin/zarafa-search -c /etc/zarafa/search.cfg

unconfined_u:system_r:pacemaker_t:s0 apache 17527 0.0  0.0 379400 6676 ?       S    04:08   0:00 /usr/sbin/httpd -DSTATUS -f /etc/httpd/conf/httpd.conf
unconfined_u:system_r:pacemaker_t:s0 apache 17528 0.0  0.0 379400 6676 ?       S    04:08   0:00 /usr/sbin/httpd -DSTATUS -f /etc/httpd/conf/httpd.conf
unconfined_u:system_r:pacemaker_t:s0 apache 17530 0.0  0.0 379400 6676 ?       S    04:08   0:00 /usr/sbin/httpd -DSTATUS -f /etc/httpd/conf/httpd.conf
unconfined_u:system_r:pacemaker_t:s0 apache 17531 0.0  0.0 379400 6676 ?       S    04:08   0:00 /usr/sbin/httpd -DSTATUS -f /etc/httpd/conf/httpd.conf
unconfined_u:system_r:pacemaker_t:s0 apache 17532 0.0  0.0 379400 6676 ?       S    04:08   0:00 /usr/sbin/httpd -DSTATUS -f /etc/httpd/conf/httpd.conf
unconfined_u:system_r:pacemaker_t:s0 apache 17533 0.0  0.0 379400 6676 ?       S    04:08   0:00 /usr/sbin/httpd -DSTATUS -f /etc/httpd/conf/httpd.conf
unconfined_u:system_r:pacemaker_t:s0 apache 17534 0.0  0.0 379400 6672 ?       S    04:08   0:00 /usr/sbin/httpd -DSTATUS -f /etc/httpd/conf/httpd.conf
unconfined_u:system_r:pacemaker_t:s0 apache 17535 0.0  0.0 379400 6672 ?       S    04:08   0:00 /usr/sbin/httpd -DSTATUS -f /etc/httpd/conf/httpd.conf

unconfined_u:system_r:pacemaker_t:s0 postfix 9114 0.0  0.0 78808 3176 ?        S    04:22   0:00 pickup -l -t fifo -u
unconfined_u:system_r:pacemaker_t:s0 postfix 9115 0.0  0.0 78988 3356 ?        S    04:22   0:00 qmgr -l -t fifo -u
unconfined_u:system_r:pacemaker_t:s0 postfix 10687 0.0  0.0 78804 3288 ?       S    04:23   0:00 tlsmgr -l -t unix -u
unconfined_u:system_r:pacemaker_t:s0 root 17572 0.0  0.0  78728  3260 ?        Ss   04:08   0:00 /usr/libexec/postfix/master

unconfined_u:system_r:pacemaker_t:s0 root 17403 0.0  0.0 106096  1356 ?        S    04:08   0:00 /bin/sh /usr/bin/mysqld_safe --datadir=/var/lib/mysql --socket=/var/lib/mysql/mysql.sock --pid-file=/var/run/mysqld/mysqld.pid --basedir=/usr --user=mysql
unconfined_u:system_r:pacemaker_t:s0 mysql 17526 10.9 11.6 10666628 2852536 ?  Sl   04:08   2:21 /usr/libexec/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=mysql --log-error=/var/log/mysqld.log --pid-file=/var/run/mysqld/mysqld.pid --socket=/var/lib/mysql/mysql.sock

unconfined_u:system_r:pacemaker_t:s0 root 17252 0.0  0.0 249084  1452 ?        Sl   04:08   0:00 /sbin/rsyslogd -i /var/run/syslogd.pid -c 5

Expected results:
Proper domain transition.

Additional info:
It doesn't seem to make any difference if I use "lsb:<something>" or e.g.
"ocf:heartbeat:<something>" for services like Apache or Postfix.
Comment 1 Robert Scheck 2013-07-13 22:38:26 EDT
Due to the fact that drbdlinks restarts rsyslogd (needed in our case), it of
course now causes a bunch of AVC denials for nearly every service, and fewer
services are working properly in general.

Cross-filed case 00903295 on the Red Hat customer portal.
Comment 3 Robert Scheck 2013-07-13 22:44:34 EDT
Typical symptoms for administrators are: takeover of Apache using lsb:httpd
does not work and it is unable to bind to 0.0.0.0:80 or [::]:80; restarting
Postfix does not work once it was started via lsb:postfix; zillions of AVC
denials for setroubleshoot-server after rsyslogd is restarted via
ocf:tummy:drbdlinks.
Comment 4 Robert Scheck 2013-07-14 09:34:46 EDT
As a workaround for the time being we have now added the following domain 
transitions to our own policy so far:

# domtrans_pattern(source_domain, entrypoint_file_type, target_domain)
domtrans_pattern(pacemaker_t, mysqld_safe_exec_t, mysqld_safe_t)
dontaudit mysqld_safe_t pacemaker_var_lib_t:dir search;  # No need to allow!
domtrans_pattern(pacemaker_t, postfix_master_exec_t, postfix_t)
domtrans_pattern(pacemaker_t, httpd_exec_t, httpd_t)
domtrans_pattern(pacemaker_t, zarafa_server_exec_t, zarafa_server_t)
domtrans_pattern(pacemaker_t, zarafa_deliver_exec_t, zarafa_deliver_t)
domtrans_pattern(pacemaker_t, zarafa_monitor_exec_t, zarafa_monitor_t)
domtrans_pattern(pacemaker_t, zarafa_spooler_exec_t, zarafa_spooler_t)
domtrans_pattern(pacemaker_t, zarafa_indexer_exec_t, zarafa_indexer_t)
# entrypoint type comes before the target domain (the two were swapped)
domtrans_pattern(pacemaker_t, syslogd_exec_t, syslogd_t)
domtrans_pattern(pacemaker_t, crond_exec_t, crond_t)
domtrans_pattern(pacemaker_t, bin_t, unconfined_t)
dontaudit syslogd_t pacemaker_t:fifo_file write;  # No need to allow? No idea?
Comment 5 Robert Scheck 2013-07-14 11:47:33 EDT
dontaudit mysqld_t pacemaker_var_lib_t:dir search;  # No need to allow!
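The check the reporter ran (a "ps auxZ" looking for services that never left pacemaker_t) and the workaround from comment 4, as an added shell example that is not part of this bug report or of the selinux-policy package. It assumes the RHEL 6 targeted policy type names used on this page, the pacemaker 1.1 daemon names listed in the allow-list, a placeholder module name (pacemaker_local), and that the SELinux policy development Makefile (/usr/share/selinux/devel/Makefile) is installed for the build step.

```shell
#!/bin/sh
# Added example, not code from the bug report or the selinux-policy package.
# 1) audit_pacemaker_domain: flag processes labelled pacemaker_t whose
#    executable is not a pacemaker daemon (a missing domain transition).
# 2) write_local_module: emit a loadable local module carrying the comment 4
#    transitions in the correct domtrans_pattern argument order.
# Assumptions: RHEL 6 targeted type names; pacemaker 1.1 daemon names.

# Input: `ps auxZ` lines on stdin. Field 1 is the SELinux label, field 2 the
# user, field 3 the pid and field 12 the command. Resource-agent scripts sit in
# pacemaker_t legitimately while an operation runs, so long-lived daemons in
# this output are the real finding.
audit_pacemaker_domain() {
    awk '$1 ~ /:pacemaker_t:/ {
            exe = $12
            sub(/.*\//, "", exe)            # basename of the command
            if (exe !~ /^(pacemakerd|crmd|cib|lrmd|stonithd|pengine|attrd)$/ && exe !~ /^crm_/)
                printf "pid=%s user=%s exe=%s still in pacemaker_t\n", $3, $2, $12
         }'
}

# Sample ps auxZ lines, constructed for this example: one legitimate pacemaker
# daemon, two services that should have transitioned, one unrelated process.
SAMPLE_PS='unconfined_u:system_r:pacemaker_t:s0 hacluster 1201 0.0 0.1 95000 5000 ? S 04:08 0:00 /usr/libexec/pacemaker/crmd
unconfined_u:system_r:pacemaker_t:s0 root 17572 0.0 0.0 78728 3260 ? Ss 04:08 0:00 /usr/libexec/postfix/master
unconfined_u:system_r:pacemaker_t:s0 apache 17527 0.0 0.0 379400 6676 ? S 04:08 0:00 /usr/sbin/httpd -DSTATUS -f /etc/httpd/conf/httpd.conf
unconfined_u:system_r:initrc_t:s0 root 900 0.0 0.0 50000 2000 ? Ss 04:00 0:00 /usr/sbin/sshd'

# domtrans_pattern(source_domain, entrypoint_file_type, target_domain); every
# type referenced must be declared in gen_require. Module name is a placeholder.
write_local_module() {
    cat > "$1" <<'EOF'
policy_module(pacemaker_local, 1.0)

gen_require(`
    type pacemaker_t;
    type httpd_exec_t, httpd_t;
    type postfix_master_exec_t, postfix_t;
    type mysqld_safe_exec_t, mysqld_safe_t;
    type syslogd_exec_t, syslogd_t;
')

domtrans_pattern(pacemaker_t, httpd_exec_t, httpd_t)
domtrans_pattern(pacemaker_t, postfix_master_exec_t, postfix_t)
domtrans_pattern(pacemaker_t, mysqld_safe_exec_t, mysqld_safe_t)
domtrans_pattern(pacemaker_t, syslogd_exec_t, syslogd_t)
EOF
}

# Build and load with the policy development Makefile (assumed installed;
# run as root). Only executed when asked for with --load.
build_and_load() {
    write_local_module pacemaker_local.te
    make -f /usr/share/selinux/devel/Makefile pacemaker_local.pp
    semodule -i pacemaker_local.pp
}

case "${1:-}" in
    --check) audit_pacemaker_domain ;;          # ps auxZ | sh this.sh --check
    --demo)  printf '%s\n' "$SAMPLE_PS" | audit_pacemaker_domain ;;
    --load)  build_and_load ;;
esac
```

Run with --demo to see the two flagged lines from the constructed sample, or pipe a real "ps auxZ" into --check; after loading the module, the same check should no longer list httpd, master, mysqld_safe or rsyslogd.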
Comment 6 Miroslav Grepl 2013-07-15 04:47:43 EDT
Yes, basically I am going to backport fixes from Fedora these days, and we will end up with a cluster_t domain for these administrative cluster services.

typealias cluster_t alias { aisexec_t corosync_t pacemaker_t rgmanager_t };
Comment 7 Miroslav Grepl 2013-07-15 04:52:09 EDT

*** This bug has been marked as a duplicate of bug 915151 ***