Bug 984253 - All domain transitions related to pacemaker are missing
Summary: All domain transitions related to pacemaker are missing
Keywords:
Status: CLOSED DUPLICATE of bug 915151
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.4
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Miroslav Grepl
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2013-07-14 02:33 UTC by Robert Scheck
Modified: 2018-12-03 19:20 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-07-15 08:52:09 UTC
Target Upstream Version:
Embargoed:



Description Robert Scheck 2013-07-14 02:33:05 UTC
Description of problem:
From my point of view, all domain transitions related to pacemaker are missing
so far in the SELinux policy.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.7.19-195.el6_4.12.noarch
pacemaker-1.1.8-7.el6.x86_64

How reproducible:
Set up cman, corosync and pacemaker and add some "random" resources, followed
by a "ps auxZ" and watch setroubleshoot-server.

Actual results:
unconfined_u:system_r:pacemaker_t:s0 root 17337 0.0  0.0 353156  3844 ?        Sl   04:08   0:00 /usr/bin/zarafa-licensed -c /etc/zarafa/licensed.cfg
unconfined_u:system_r:pacemaker_t:s0 root 17674 11.5  0.1 450092 47644 ?       Sl   04:08   2:22 /usr/bin/zarafa-server -c /etc/zarafa/server.cfg
unconfined_u:system_r:pacemaker_t:s0 root 17705 0.0  0.0 406112  6412 ?        Sl   04:08   0:00 /usr/bin/zarafa-monitor -c /etc/zarafa/monitor.cfg
unconfined_u:system_r:pacemaker_t:s0 root 17726 0.0  0.0 302656  4524 ?        Sl   04:08   0:00 /usr/bin/zarafa-spooler -c /etc/zarafa/spooler.cfg
unconfined_u:system_r:pacemaker_t:s0 root 17731 0.0  0.0 225152  1508 ?        S    04:08   0:00 /usr/bin/zarafa-dagent -d -c /etc/zarafa/dagent.cfg
unconfined_u:system_r:pacemaker_t:s0 root 31979 15.0  0.7 725256 191780 ?      Sl   04:10   2:54 /usr/bin/zarafa-search -c /etc/zarafa/search.cfg

unconfined_u:system_r:pacemaker_t:s0 apache 17527 0.0  0.0 379400 6676 ?       S    04:08   0:00 /usr/sbin/httpd -DSTATUS -f /etc/httpd/conf/httpd.conf
unconfined_u:system_r:pacemaker_t:s0 apache 17528 0.0  0.0 379400 6676 ?       S    04:08   0:00 /usr/sbin/httpd -DSTATUS -f /etc/httpd/conf/httpd.conf
unconfined_u:system_r:pacemaker_t:s0 apache 17530 0.0  0.0 379400 6676 ?       S    04:08   0:00 /usr/sbin/httpd -DSTATUS -f /etc/httpd/conf/httpd.conf
unconfined_u:system_r:pacemaker_t:s0 apache 17531 0.0  0.0 379400 6676 ?       S    04:08   0:00 /usr/sbin/httpd -DSTATUS -f /etc/httpd/conf/httpd.conf
unconfined_u:system_r:pacemaker_t:s0 apache 17532 0.0  0.0 379400 6676 ?       S    04:08   0:00 /usr/sbin/httpd -DSTATUS -f /etc/httpd/conf/httpd.conf
unconfined_u:system_r:pacemaker_t:s0 apache 17533 0.0  0.0 379400 6676 ?       S    04:08   0:00 /usr/sbin/httpd -DSTATUS -f /etc/httpd/conf/httpd.conf
unconfined_u:system_r:pacemaker_t:s0 apache 17534 0.0  0.0 379400 6672 ?       S    04:08   0:00 /usr/sbin/httpd -DSTATUS -f /etc/httpd/conf/httpd.conf
unconfined_u:system_r:pacemaker_t:s0 apache 17535 0.0  0.0 379400 6672 ?       S    04:08   0:00 /usr/sbin/httpd -DSTATUS -f /etc/httpd/conf/httpd.conf

unconfined_u:system_r:pacemaker_t:s0 postfix 9114 0.0  0.0 78808 3176 ?        S    04:22   0:00 pickup -l -t fifo -u
unconfined_u:system_r:pacemaker_t:s0 postfix 9115 0.0  0.0 78988 3356 ?        S    04:22   0:00 qmgr -l -t fifo -u
unconfined_u:system_r:pacemaker_t:s0 postfix 10687 0.0  0.0 78804 3288 ?       S    04:23   0:00 tlsmgr -l -t unix -u
unconfined_u:system_r:pacemaker_t:s0 root 17572 0.0  0.0  78728  3260 ?        Ss   04:08   0:00 /usr/libexec/postfix/master

unconfined_u:system_r:pacemaker_t:s0 root 17403 0.0  0.0 106096  1356 ?        S    04:08   0:00 /bin/sh /usr/bin/mysqld_safe --datadir=/var/lib/mysql --socket=/var/lib/mysql/mysql.sock --pid-file=/var/run/mysqld/mysqld.pid --basedir=/usr --user=mysql
unconfined_u:system_r:pacemaker_t:s0 mysql 17526 10.9 11.6 10666628 2852536 ?  Sl   04:08   2:21 /usr/libexec/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=mysql --log-error=/var/log/mysqld.log --pid-file=/var/run/mysqld/mysqld.pid --socket=/var/lib/mysql/mysql.sock

unconfined_u:system_r:pacemaker_t:s0 root 17252 0.0  0.0 249084  1452 ?        Sl   04:08   0:00 /sbin/rsyslogd -i /var/run/syslogd.pid -c 5

Expected results:
Proper domain transition.

Additional info:
It doesn't seem to make any difference if I use "lsb:<something>" or e.g.
"ocf:heartbeat:<something>" for services like Apache or Postfix.
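A small check for the symptom described above, added here as an example (it is not from the bug report or from the selinux-policy package): it parses "ps auxZ" output and flags services that are still running in the cluster domain instead of having transitioned to their own confined domain. The EXPECTED_DOMAIN table and the sample rows are assumptions constructed for illustration.

```python
import re

# Cluster-stack domains (names from the bug report); services started from
# them by resource agents should transition to their own confined domain.
CLUSTER_DOMAINS = {"pacemaker_t", "cluster_t"}
# Executable -> expected domain, assumed here per RHEL 6 targeted naming.
EXPECTED_DOMAIN = {
    "/usr/sbin/httpd": "httpd_t",
    "/usr/libexec/mysqld": "mysqld_t",
    "/usr/bin/mysqld_safe": "mysqld_safe_t",
    "/sbin/rsyslogd": "syslogd_t",
}
# ps auxZ: LABEL USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
_PS_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)(?:\s+\S+){8}\s+(.*)$")

def parse_ps_line(line):
    """Return (domain, user, pid, argv) for one ps auxZ row, else None."""
    m = _PS_RE.match(line.strip())
    if not m:
        return None                       # header or malformed row
    label, user, pid, cmd = m.groups()
    return label.split(":")[2], user, int(pid), cmd.split()  # type field

def find_untransitioned(ps_output):
    """Return [(pid, exe, actual_domain, expected_domain)] for mismatches."""
    findings = []
    for line in ps_output.splitlines():
        parsed = parse_ps_line(line)
        if not parsed or parsed[0] not in CLUSTER_DOMAINS or not parsed[3]:
            continue
        domain, _user, pid, argv = parsed
        # mysqld_safe is a shell script, so the real program is argv[1]
        exe = argv[1] if argv[0] == "/bin/sh" and len(argv) > 1 else argv[0]
        expected = EXPECTED_DOMAIN.get(exe)
        if expected is not None:
            findings.append((pid, exe, domain, expected))
    return findings

# Constructed sample: rows condensed from the report's ps listing plus one
# httpd that did transition (and so must not be reported).
SAMPLE_PS = """\
unconfined_u:system_r:pacemaker_t:s0 root 17403 0.0 0.0 106096 1356 ? S 04:08 0:00 /bin/sh /usr/bin/mysqld_safe --datadir=/var/lib/mysql
unconfined_u:system_r:pacemaker_t:s0 mysql 17526 10.9 11.6 10666628 2852536 ? Sl 04:08 2:21 /usr/libexec/mysqld --basedir=/usr --user=mysql
unconfined_u:system_r:pacemaker_t:s0 apache 17527 0.0 0.0 379400 6676 ? S 04:08 0:00 /usr/sbin/httpd -DSTATUS -f /etc/httpd/conf/httpd.conf
unconfined_u:system_r:pacemaker_t:s0 root 17252 0.0 0.0 249084 1452 ? Sl 04:08 0:00 /sbin/rsyslogd -i /var/run/syslogd.pid -c 5
system_u:system_r:httpd_t:s0 apache 2001 0.0 0.0 379400 6676 ? S 03:00 0:00 /usr/sbin/httpd -k start
"""
if __name__ == "__main__":
    for pid, exe, actual, expected in find_untransitioned(SAMPLE_PS):
        print(f"pid {pid} {exe}: in {actual}, expected {expected}")
```

On a live node, feed it the output of "ps auxZ" instead of SAMPLE_PS; after the Fedora backport the cluster domain is cluster_t, which the check already covers.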

Comment 1 Robert Scheck 2013-07-14 02:38:26 UTC
Due to the fact that drbdlinks restarts rsyslogd (needed in our case), it of
course now causes a bunch of AVC denials for nearly every service, and fewer
services are working properly in general.

Cross-filed case 00903295 on the Red Hat customer portal.

Comment 3 Robert Scheck 2013-07-14 02:44:34 UTC
Typical symptoms for administrators are: takeover of Apache using lsb:httpd
does not work and it is unable to bind to 0.0.0.0:80 or [::]:80; restarting
Postfix does not work once it was started via lsb:postfix; zillions of AVC
denials for setroubleshoot-server after rsyslogd is restarted via
ocf:tummy:drbdlinks.

Comment 4 Robert Scheck 2013-07-14 13:34:46 UTC
As a workaround for the time being, we have now added the following domain
transitions to our own policy so far:

# domtrans_pattern(source_domain, entrypoint_exec_type, target_domain)
domtrans_pattern(pacemaker_t, mysqld_safe_exec_t, mysqld_safe_t)
dontaudit mysqld_safe_t pacemaker_var_lib_t:dir search;  # No need to allow!
domtrans_pattern(pacemaker_t, postfix_master_exec_t, postfix_t)
domtrans_pattern(pacemaker_t, httpd_exec_t, httpd_t)
domtrans_pattern(pacemaker_t, zarafa_server_exec_t, zarafa_server_t)
domtrans_pattern(pacemaker_t, zarafa_deliver_exec_t, zarafa_deliver_t)
domtrans_pattern(pacemaker_t, zarafa_monitor_exec_t, zarafa_monitor_t)
domtrans_pattern(pacemaker_t, zarafa_spooler_exec_t, zarafa_spooler_t)
domtrans_pattern(pacemaker_t, zarafa_indexer_exec_t, zarafa_indexer_t)
# entrypoint type comes before the target domain for these two as well
domtrans_pattern(pacemaker_t, syslogd_exec_t, syslogd_t)
domtrans_pattern(pacemaker_t, crond_exec_t, crond_t)
# every bin_t executable started by pacemaker_t ends up in unconfined_t
domtrans_pattern(pacemaker_t, bin_t, unconfined_t)
dontaudit syslogd_t pacemaker_t:fifo_file write;  # No need to allow? No idea?

Comment 5 Robert Scheck 2013-07-14 15:47:33 UTC
dontaudit mysqld_t pacemaker_var_lib_t:dir search;  # No need to allow!

Comment 6 Miroslav Grepl 2013-07-15 08:47:43 UTC
Yes, basically I am going to backport fixes from Fedora these days, and we will
end up with a cluster_t domain for these administrative cluster services.

typealias cluster_t alias { aisexec_t corosync_t pacemaker_t rgmanager_t };

Comment 7 Miroslav Grepl 2013-07-15 08:52:09 UTC

*** This bug has been marked as a duplicate of bug 915151 ***

