  #1  
16th July 2010, 10:30 PM
leeatnwi
Registered User

SElinux and aisecex troubles ( openais )

Hi all,

I am in the beginning to middle of setting up a cluster on two Fedora 11 machines, and SElinux is stopping my openais from starting up. I really do not want to disable SElinux altogether; I want to add an exception in the Boolean section if at all possible. (SElinux alert below)

I would like to thank anyone ahead of time for any help, and thanks to everyone for their time,

Lee

Code:
Summary:

SELinux is preventing aisexec (ccs_t) "read" proc_t.

Detailed Description:

SELinux denied access requested by aisexec. It is not expected that this access
is required by aisexec and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                unconfined_u:system_r:ccs_t:s0
Target Context                system_u:object_r:proc_t:s0
Target Objects                meminfo [ file ]
Source                        aisexec
Source Path                   /bin/bash
Port                          <Unknown>
Host                          server1.nwi.local
Source RPM Packages           bash-4.0-9.fc11
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.12-98.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     server1.nwi.local
Platform                      Linux server1.nwi.local
                              2.6.30.10-105.2.23.fc11.x86_64 #1 SMP Thu Feb 11
                              07:06:34 UTC 2010 x86_64 x86_64
Alert Count                   1
First Seen                    Fri 16 Jul 2010 04:12:11 PM CDT
Last Seen                     Fri 16 Jul 2010 04:12:11 PM CDT
Local ID                      49a7aab7-fc4d-4feb-90d8-cc8d7a893846
Line Numbers                  

Raw Audit Messages            

node=server1.nwi.local type=AVC msg=audit(1279314731.33:42): avc:  denied  { read } for  pid=4422 comm="aisexec" name="meminfo" dev=proc ino=4026531988 scontext=unconfined_u:system_r:ccs_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file

node=server1.nwi.local type=SYSCALL msg=audit(1279314731.33:42): arch=c000003e syscall=2 success=no exit=-13 a0=35ae533c68 a1=0 a2=1b6 a3=238 items=0 ppid=4412 pid=4422 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="aisexec" exe="/bin/bash" subj=unconfined_u:system_r:ccs_t:s0 key=(null)
  #2  
16th July 2010, 11:11 PM
unSpawn
Guest

Re: SElinux and aisecex troubles ( openais )

The only (seemingly innocuous) rule 'audit2allow' shows is "allow ccs_t proc_t:file read;".
Adding this to your local policy file might work.
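As an added example (not code from unSpawn or any other poster), a POSIX shell function that derives the same allow rule audit2allow prints from the raw AVC record in post #1, using only cut and sed. The record is embedded as constructed input, and the function assumes one complete audit line per call.

```sh
#!/bin/sh
# Added example, not code from the thread: derive the allow rule that
# audit2allow prints from a raw AVC record, using only cut and sed.
# The record is the one pasted in post #1, embedded here as constructed input.
AVC_LINE='node=server1.nwi.local type=AVC msg=audit(1279314731.33:42): avc:  denied  { read } for  pid=4422 comm="aisexec" name="meminfo" dev=proc ino=4026531988 scontext=unconfined_u:system_r:ccs_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file'

# ctx_type CONTEXT: the type field of a user:role:type:level security context.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# field NAME LINE: value of "NAME=value" in an audit record (empty if absent).
field() {
    printf '%s\n' "$2" | sed -n "s/.*[[:space:]]$1=\([^[:space:]]*\).*/\1/p"
}

# avc_to_allow LINE: print "allow <src> <tgt>:<class> { perms };" for a denied
# AVC record. Prints nothing and returns 1 for granted or non-AVC records.
avc_to_allow() {
    line=$1
    case $line in
        *" denied "*) ;;
        *) return 1 ;;
    esac
    # Permission set between the braces, with trailing whitespace trimmed.
    perms=$(printf '%s\n' "$line" | sed -n 's/.*denied *{ *\([^}]*\)}.*/\1/p' | sed 's/ *$//')
    src=$(ctx_type "$(field scontext "$line")")
    tgt=$(ctx_type "$(field tcontext "$line")")
    cls=$(field tclass "$line")
    [ -n "$perms" ] && [ -n "$src" ] && [ -n "$tgt" ] && [ -n "$cls" ] || return 1
    printf 'allow %s %s:%s { %s };\n' "$src" "$tgt" "$cls" "$perms"
}

avc_to_allow "$AVC_LINE"
```

The rule it prints is the one to put in a local module only after deciding the access is legitimate; the thread's later posts argue that for this denial a domain transition is the better fix.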
  #3  
16th July 2010, 11:14 PM
bodhi.zazen
Registered User

Re: SElinux and aisecex troubles ( openais )

Sometimes I find it helps to put selinux into permissive mode, run your service / application for a bit, then run audit2allow and generate a policy.

Otherwise, sometimes you will need to re-write the policy as additional errors crop up.
  #4  
16th July 2010, 11:23 PM
SlowJet
Registered User

Re: SElinux and aisecex troubles ( openais )

See Bug 224190 - old and never fixed.

1. Check the comments about the ctrl stuff.

2. Is cman being started correctly, or in some non-standard way?

3. Is it getting a segfault, and are the AVCs from the dump?

Also google for (openais selinux).
You could try a relabel:

fixfiles onboot
reboot

or

touch /.autorelabel
reboot

or

use restorecon
man restorecon

try a dry run:

restorecon filespec -n -vv

restorecon /bin/bash/meminfo -n -vv

SJ
  #5  
17th July 2010, 01:47 PM
domg472
SELinux Contributor

Re: SElinux and aisecex troubles ( openais )

The problem is of a different nature in my view.

It appears that a process that was running in the ccs_t domain ran aisexec.

aisexec should however have its own domain.

ccs_t is not allowed to run aisexec if this aisexec domain is implemented;

ccs_t can only run generic bin programs instead.

This leads me to the following:

1. I suspect Fedora 11 selinux-policy does not have policy for aisexec implemented.

2. But even in the latest rawhide policy ccs_t is not allowed to run aisexec.

3. In your AVC denial it is aisexec that is trying to read system state.

Considering:

1. Fedora 11 is EOL?
2. If 1. is not true, then why was aisexec policy not backported to F11?
3. If aisexec WAS backported to F11: is the aisexec executable mislabelled?

Code:
$ matchpathcon /usr/sbin/aisexec
/usr/sbin/aisexec system_u:object_r:aisexec_exec_t:s0

Conclusion:

If your policy is up to date (and even if it is not), there is maybe a bug in policy.
There is a bug in policy if you are sure that you have stuff configured/labelled correctly.

There is not enough information provided to really know what's going on:

1. Should ccsd be able to run aisexec?
If true, then a domain transition from ccs_t to aisexec_t should probably be implemented, or alternatively ccsd should be allowed to run aisexec in the ccs_t domain. In the latter case ccs_t should also be allowed to read system state.

I tend to think that a domain transition ccs_t -> aisexec_t should be implemented.

Code:
mkdir myccs && cd myccs
# Module name and version are separated by a comma; a period here is a checkmodule syntax error.
echo "policy_module(myccs, 1.0.0)" > myccs.te
echo "require { type ccs_t; }" >> myccs.te
echo "aisexec_domtrans(ccs_t)" >> myccs.te

make -f /usr/share/selinux/devel/Makefile myccs.pp
sudo semodule -i myccs.pp

Above will only work if F11 has aisexec policy implemented and if the aisexec executable file is properly labelled.
The above policy assumes that it is legitimate that ccsd run aisexec.
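As an added example (not domg472's commands), a POSIX shell helper that writes a local policy module source file with a well-formed policy_module() header and checks that header before the file reaches checkmodule, which is the step that breaks when the name and version are separated by a period instead of a comma. The function names, the temporary directory and the validation regex are my own; the module content is the one from the post above.

```sh
#!/bin/sh
# Added example, not domg472's commands: write a local policy module source
# (.te) with a well-formed policy_module() header and check that header before
# handing the file to checkmodule. Function names and checks are this example's own.

# write_te_module FILE NAME VERSION LINE...: emit a .te file for the refpolicy Makefile.
write_te_module() {
    file=$1 name=$2 version=$3
    shift 3
    {
        # Name and version are separated by a comma; a period is a syntax error.
        printf 'policy_module(%s, %s)\n\n' "$name" "$version"
        for line in "$@"; do
            printf '%s\n' "$line"
        done
    } > "$file"
}

# check_te_header FILE: return 0 when the first non-blank line is
# policy_module(<name>, <version>) with an identifier name and a dotted
# numeric version; otherwise print a diagnostic and return 1.
check_te_header() {
    hdr=$(sed -n '/./{p;q;}' "$1")
    case $hdr in
        "policy_module("*")") ;;
        *) echo "$1: first line is not a policy_module() call: $hdr" >&2; return 1 ;;
    esac
    if printf '%s\n' "$hdr" | grep -Eq '^policy_module\([A-Za-z_][A-Za-z0-9_]*,[[:space:]]*[0-9]+(\.[0-9]+)*\)$'; then
        return 0
    fi
    echo "$1: malformed header: $hdr (expected policy_module(name, version))" >&2
    return 1
}

# Demo: the module from post #5, written to a temporary directory. The build and
# install steps from the thread (make -f /usr/share/selinux/devel/Makefile myccs.pp,
# semodule -i myccs.pp) would follow once the header check passes.
dir=$(mktemp -d)
write_te_module "$dir/myccs.te" myccs 1.0.0 \
    'require { type ccs_t; }' \
    'aisexec_domtrans(ccs_t)'
check_te_header "$dir/myccs.te" && cat "$dir/myccs.te"
rm -rf "$dir"
```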
  #6  
19th July 2010, 03:40 PM
leeatnwi
Registered User

Re: SElinux and aisecex troubles ( openais )

OK, I did the
Code:
fixfiles onboot
reboot

which successfully went through and did its thing. Then I tried the

Code:
mkdir myccs
cd myccs
# Typed with a period after "myccs"; the checkmodule error below points at that token.
echo "policy_module(myccs. 1.0.0)" > myccs.te;
echo "require { type ccs_t; }" >> myccs.te;
echo "aisexec_domtrans(ccs_t)" >> myccs.te;

make -f /usr/share/selinux/devel/Makefile myccs.pp
sudo semodule -i myccs.pp
I made it in the /root directory while logged in as root, and this is the output after the "make -f" line:

Code:
[root@server1 myccs]# make -f /usr/share/selinux/devel/Makefile myccs.pp
Compiling targeted myccs module
/usr/bin/checkmodule:  loading policy configuration from tmp/myccs.tmp
myccs.te":1:ERROR 'syntax error' at token '.' on line 1007:
#line 1
        module myccs. 1.0.0 ;
/usr/bin/checkmodule:  error(s) encountered while parsing configuration
make: *** [tmp/myccs.mod] Error 1
[root@server1 myccs]#
and here is what is in /root/myccs/myccs.te:
Code:
policy_module(myccs. 1.0.0)
require { type ccs_t; }
aisexec_domtrans(ccs_t)
I am sorry for any inexperience that I have. I have not worked with clustering at all before and used this pdf > http://www.clusterlabs.org/wiki/Filelusters_from_Scratch_-_Apache_on_Fedora11.pdf to try and walk my way through it. I am currently on page 26. I have not enabled ssh without password and I have not disabled selinux, of course. These servers are being set up now to be in a remote location.

I then looked into cman, which someone asked a question about, and realized I had not even touched it yet! I tried starting cman and here is what happens:
Code:
[root@server1 init.d]# service cman restart
Stopping cluster:
   Leaving fence domain...                                 [  OK  ]
   Stopping gfs_controld...                                [  OK  ]
   Stopping dlm_controld...                                [  OK  ]
   Stopping fenced...                                      [  OK  ]
   Stopping cman...                                        [  OK  ]
   Unloading kernel modules...                             [  OK  ]
   Unmounting configfs...                                  [  OK  ]
Starting cluster:
   Checking Network Manager...
Network Manager is either running or configured to run. Please disable it in the cluster.
                                                           [FAILED]
[root@server1 init.d]#
Once again I am sorry for my inexperience, and sorry if some of this does not relate to the security section of Fedora Forum. I am just trying to explain what I am doing and where I am at. Hopefully this helps for any questions. I am setting this up at my job; it will be an http and ftp server for them, and the "windows" guys convinced them they needed two servers and clustering.

OK, I got corosync up and tried, but disabled the network manager so I can get online on that machine, and now I am messing with cman setup for a little.

Thanks for all the help so far and thanks to anyone who continues to do so.

Last edited by leeatnwi; 19th July 2010 at 04:00 PM. Reason: added more got something working