Bug 985442
| Summary: | Please create (working) policy for pacemaker | |||
|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Jan Kurik <jkurik> | |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> | |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> | |
| Severity: | urgent | Docs Contact: | ||
| Priority: | urgent | |||
| Version: | 6.4 | CC: | abeekhof, bubble, cfeist, dwalsh, fdinitto, internet+rhbz, jkortus, jruemker, jsvarova, ksrot, lnovich, mgrepl, mmalik, mtruneck, pm-eus, redhat-bugzilla, robert.scheck | |
| Target Milestone: | rc | Keywords: | ZStream | |
| Target Release: | --- | |||
| Hardware: | All | |||
| OS: | Linux | |||
| Whiteboard: | ||||
| Fixed In Version: | selinux-policy-3.7.19-195.el6_4.16 | Doc Type: | Bug Fix | |
| Doc Text: | Previously, the pacemaker resource manager did not have its own policy defined and started in the initrc_t domain. With this update, the wrong context has been fixed and proper permissions have been set for pacemaker, thus fixing the bug. | Story Points: | --- | |
| Clone Of: | ||||
| : | 1021635 (view as bug list) | Environment: | ||
| Last Closed: | 2013-11-01 13:47:21 UTC | Type: | --- | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | 915151 | |||
| Bug Blocks: | 1021635 | |||
Description (Jan Kurik, 2013-07-17 13:43:05 UTC)

Commented in https://bugzilla.redhat.com/show_bug.cgi?id=915151#c38. I'd like to have only comments related to the 6.4.z version here after it's ready. I'll comment on 6.5 in the parent bug 915151.

---

Comment 27 (Miroslav Grepl)

It looks like there is a pacemaker bug. How is /var/lib/pacemaker created? Is it a part of the rpm payload?

    # ls -dZ /var/lib/pacemaker/
    drwxr-x---. hacluster haclient system_u:object_r:var_lib_t:s0 /var/lib/pacemaker/
    # matchpathcon /var/lib/pacemaker
    /var/lib/pacemaker system_u:object_r:cluster_var_lib_t:s0

So I believe we are done with pacemaker+SELinux and it needs to be fixed in the pacemaker pkg (rgmanager is a different issue).

---

(In reply to Miroslav Grepl from comment #27)
> It looks like there is a pacemaker bug. How is /var/lib/pacemaker created? Is it
> a part of the rpm payload?
>
> # ls -dZ /var/lib/pacemaker/
> drwxr-x---. hacluster haclient system_u:object_r:var_lib_t:s0 /var/lib/pacemaker/
> # matchpathcon /var/lib/pacemaker
> /var/lib/pacemaker system_u:object_r:cluster_var_lib_t:s0
>
> So I believe we are done with pacemaker+SELinux and it needs to be fixed in
> the pacemaker pkg (rgmanager is a different issue).

Can you please elaborate on how this should be fixed? Maybe the devs know, but I'd like to have it here to speed things up.

Thanks, J.

---

Comment 30 (Miroslav Grepl)

Well, I believe the pacemaker devs know how this directory is created, which we need to know to fix it. Either restorecon will be needed or it should be created in the payload.

---

Comment 31 (Miroslav Grepl)

Who creates /var/run/cluster/fence_scsi*?

---

Comment 33 (Fabio Massimo Di Nitto)

(In reply to Miroslav Grepl from comment #30)
> Well, I believe the pacemaker devs know how this directory is created, which we
> need to know to fix it. Either restorecon will be needed or it should be
> created in the payload.

    [fabbione@lilith rhel]$ rpm -q -p pacemaker-1.1.10-1.el6_4.4.x86_64.rpm -l | grep var/lib
    /var/lib/pacemaker
    /var/lib/pacemaker/blackbox
    /var/lib/pacemaker/cib
    /var/lib/pacemaker/cores
    /var/lib/pacemaker/pengine

It's part of the pacemaker rpm payload.

rpm -q -f /var/lib/pacemaker is the right query, btw.

---

Comment 34 (Fabio Massimo Di Nitto)

(In reply to Miroslav Grepl from comment #31)
> Who creates /var/run/cluster/fence_scsi*?

fence_scsi does. Same as before.

---

(In reply to Fabio Massimo Di Nitto from comment #33)
> (In reply to Miroslav Grepl from comment #30)
> > Well, I believe the pacemaker devs know how this directory is created, which we
> > need to know to fix it. Either restorecon will be needed or it should be
> > created in the payload.
>
> [fabbione@lilith rhel]$ rpm -q -p pacemaker-1.1.10-1.el6_4.4.x86_64.rpm -l
> |grep var/lib
> /var/lib/pacemaker
> /var/lib/pacemaker/blackbox
> /var/lib/pacemaker/cib
> /var/lib/pacemaker/cores
> /var/lib/pacemaker/pengine
>
> It's part of the pacemaker rpm payload.
>
> rpm -q -f /var/lib/pacemaker is the right query, btw.

I don't think rgmanager works correctly without the latest SELinux changes (easy to find out ... just re-test it with the older z-stream policy).

cluster_t == rgmanager_t

Ok, if I remove /var/lib/pacemaker and run

    # yum reinstall pacemaker
    # ls -dZ /var/lib/pacemaker

then I see the correct labeling. So maybe a test issue?

---

(In reply to Fabio Massimo Di Nitto from comment #34)
> (In reply to Miroslav Grepl from comment #31)
> > Who creates /var/run/cluster/fence_scsi*?
>
> fence_scsi does. Same as before.

Ok, a new bug here. We need to add labeling for fence_scsi and label it as fenced_exec_t.

---

Comment 37 (Miroslav Grepl)

Ok, and I believe this is where the problem with rgmanager + resource scripts is. Basically

    generate_name_for_pid_file()

is used. It creates pid files with incorrect labeling. So we need to run restorecon here. The same for pid_dirs() and so on.

So this is a bug in the resource-agents pkg.

---

(In reply to Miroslav Grepl from comment #37)
> Ok, and I believe this is where the problem with rgmanager + resource scripts is.
> Basically
>
> generate_name_for_pid_file()
>
> is used. It creates pid files with incorrect labeling. So we need to run
> restorecon here. The same for pid_dirs() and so on.
>
> So this is a bug in the resource-agents pkg.

Hardly the case, since those scripts have been used by us and customers for 5 point releases of RHEL6. How is it possible that it comes up only now?

So far, what I see from a user perspective is: the latest 6.4.z works fine, I update selinux-policy and hell breaks loose. Since the resource-agents scripts have not changed in that area, how can I explain that?

---

Confirming that the same test (cman+httpd) runs OK on the latest 6.4.z:

    unconfined_u:system_r:corosync_t:s0 corosync -f
    unconfined_u:system_r:fenced_t:s0 fenced
    unconfined_u:system_r:dlm_controld_t:s0 dlm_controld
    unconfined_u:system_r:gfs_controld_t:s0 gfs_controld
    unconfined_u:system_r:cmirrord_t:s0 cmirrord
    unconfined_u:system_r:clvmd_t:s0 clvmd -T30
    unconfined_u:system_r:rgmanager_t:s0 rgmanager
    unconfined_u:system_r:rgmanager_t:s0 \_ rgmanager
    unconfined_u:system_r:httpd_t:s0 /usr/sbin/httpd -Dapache -d /etc/httpd -f /etc/cluster/apache/apache:apache/httpd.conf -k start
    [root@virt-039 ~]# ausearch -m AVC
    <no matches>
    [root@virt-039 ~]# rpm -q selinux-policy
    selinux-policy-3.7.19-195.el6_4.12.noarch

---

We have additional fixes in the selinux-policy-3.7.19-195.el6_4.16 build. But now we need to run a lot of cluster tests related to cman, heartbeat and corosync to see that we don't have a regression.

Basically, resource scripts create /var/run/cluster/<servicename> dirs. But these pid dirs were created as cluster_var_run_t as opposed to var_run_t (as we had it without the cluster merge). So I needed to remove a transition rule which was not a part of the rgmanager policy, to be sure that all dirs in /var/run/cman are created with var_run_t => we need to be sure all content in /var/run/cluster has a correct label.

---

    08:56 < fabbione> mgrepl: i am satisfied with all the tests so far and the latest builds you gave to me..
    08:56 < fabbione> no AVC cluster related on both rgmanager and pacemaker
    08:56 < fabbione> both 6.5 and 6.4.z

---

No iscsi issues with selinux-policy-3.7.19-195.el6_4.17.noarch.

---

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1491.html
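The thread's diagnosis rests on comparing the label a directory actually carries (ls -dZ) with the one the loaded policy assigns (matchpathcon), then deciding between restorecon and fixing the package. The script below, added here as an example and not part of the bug report or any Red Hat package, automates that comparison for the paths the thread names; the function names, the FIX=1 switch and the use of GNU stat's %C format are my assumptions.

```shell
#!/bin/sh
# Added example, not from the bug report: compare the on-disk SELinux type of
# the cluster paths discussed above with what the loaded policy expects (the
# ls -dZ vs matchpathcon check from the thread), name the owning package, and
# relabel with restorecon only when FIX=1. Needs GNU stat, matchpathcon and
# restorecon (libselinux-utils / policycoreutils) on the host.

# Type field of a context string user:role:type:level, e.g. var_lib_t.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# True when two contexts carry the same type (user, role and level ignored).
types_match() {
    [ "$(ctx_type "$1")" = "$(ctx_type "$2")" ]
}

# Check one path. Returns 0 = correct, 1 = mislabeled, 2 = path not present.
check_label() {
    path=$1
    [ -e "$path" ] || { printf 'missing   %s\n' "$path"; return 2; }
    actual=$(stat -c %C "$path")          # context currently on disk
    expected=$(matchpathcon -n "$path")   # context the policy's file_contexts assign
    if types_match "$actual" "$expected"; then
        printf 'ok        %s (%s)\n' "$path" "$(ctx_type "$actual")"
        return 0
    fi
    printf 'mismatch  %s: is %s, policy wants %s, owner: %s\n' "$path" \
        "$(ctx_type "$actual")" "$(ctx_type "$expected")" \
        "$(rpm -qf "$path" 2>/dev/null || echo 'no package')"
    return 1
}

# Paths named in the bug (an unmatched glob is reported as missing).
check_cluster_paths() {
    rc=0
    for p in /var/lib/pacemaker /var/run/cluster /var/run/cluster/fence_scsi*; do
        if ! check_label "$p"; then
            rc=1
            if [ "${FIX:-0}" = 1 ]; then restorecon -Rv "$p"; fi
        fi
    done
    return $rc
}

if command -v matchpathcon >/dev/null 2>&1; then
    check_cluster_paths || echo 'some paths need attention; rerun with FIX=1 to relabel' >&2
else
    echo 'matchpathcon not found; install libselinux-utils' >&2
fi
```

A "mismatch" whose owner is a package (as /var/lib/pacemaker was) points at the package's file list or a missing post-install restorecon; a mismatch on a runtime-created pid directory points at the script that creates it, which is the distinction the thread draws between the pacemaker and resource-agents cases.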