SElinux and aisecex troubles ( openais )

leeatnwi · #1 16th July 2010, 10:30 PM

Hi all,

I am in the beginning to middle of setting up a cluster on two Fedora 11 machines and SElinux is stopping my openais from starting up. I really do not want to disable SElinux all together, I want to add an exception in the Boolean section if at all possible. (SElinux alert below)

I would like to thank anyone ahead of time for any help, and thanks to everyone for their time,

Lee

Code:

Summary:

SELinux is preventing aisexec (ccs_t) "read" proc_t.

Detailed Description:

SELinux denied access requested by aisexec. It is not expected that this access
is required by aisexec and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                unconfined_u:system_r:ccs_t:s0
Target Context                system_u:object_r:proc_t:s0
Target Objects                meminfo [ file ]
Source                        aisexec
Source Path                   /bin/bash
Port                          <Unknown>
Host                          server1.nwi.local
Source RPM Packages           bash-4.0-9.fc11
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.12-98.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     server1.nwi.local
Platform                      Linux server1.nwi.local
                              2.6.30.10-105.2.23.fc11.x86_64 #1 SMP Thu Feb 11
                              07:06:34 UTC 2010 x86_64 x86_64
Alert Count                   1
First Seen                    Fri 16 Jul 2010 04:12:11 PM CDT
Last Seen                     Fri 16 Jul 2010 04:12:11 PM CDT
Local ID                      49a7aab7-fc4d-4feb-90d8-cc8d7a893846
Line Numbers                  

Raw Audit Messages            

node=server1.nwi.local type=AVC msg=audit(1279314731.33:42): avc:  denied  { read } for  pid=4422 comm="aisexec" name="meminfo" dev=proc ino=4026531988 scontext=unconfined_u:system_r:ccs_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file

node=server1.nwi.local type=SYSCALL msg=audit(1279314731.33:42): arch=c000003e syscall=2 success=no exit=-13 a0=35ae533c68 a1=0 a2=1b6 a3=238 items=0 ppid=4412 pid=4422 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="aisexec" exe="/bin/bash" subj=unconfined_u:system_r:ccs_t:s0 key=(null)

#2 16th July 2010, 11:11 PM

The only (seemingly innocuous) rule 'audit2allow' shows is "allow ccs_t proc_t:file read;".
Adding this to your local policy file might work.

bodhi.zazen · #3 16th July 2010, 11:14 PM

Sometimes I find it helps to put selinux into permissive mode, run your service / application for a bit, then run audit2allow and generate a policy.

Otherwise, sometimes you will need to re-write the policy as additional errors crop up.

SlowJet · #4 16th July 2010, 11:23 PM

See Bug 224190 - old and never fixed.

1. Check the comments about the ctrl stuf.

2. Is cman being started correctly or some non-standard way?

3. It is getting a segfault and the avc's are from the dump?

Also google for (openais selinux)
You could try a relabel

fixfiles onboot
reboot

or

touch ./autorelabel
reboot

or

use restorecon
man restorecon

try a dryrun

restorecon file(s)spec -n -vv

restorecon /bin/bash/meminfo -n -vv

SJ

domg472 · #5 17th July 2010, 01:47 PM

The problem is of a different nature in my view.

It appears that a process that was running in the ccs_t domain ran aisexec.

aisexec should however have its own domain.

ccs_t is not allowed to run aisexec if this aisexec domain is implemented

css_t can only run generic bin programs instead.

This leads me to the following:

1. i suspect fedora 11 selinux-policy does not have policy for aisexec implemented.

2. But even in the latest rawhide policy ccs_t is not allowed to run aisexec.

3. In your AVC denial it is aisexec that is trying to read system state.

Considering:

1. Fedora 11 is EOL?
2. if 1. is not true, then why was aisexec policy not backported to F11.
3. if aisexec WAS backported to F11.: is aisexec executable mislabelled?

$ matchpathcon /usr/sbin/aisexec
/usr/sbin/aisexec system_u:object_r:aisexec_exec_t:s0

Conclusion:

If your policy is uptodate, (and even if it is not) there is a bug in policy maybe.
There is a bug in policy if you are sure that you have stuff configured/labelled correctly

There is not enough information provided to really know whats going on:

1. Should ccsd be able to run aisexec?
if true then a domain transition from ccs_t to aisexec_t should probably be implemented, or alternatively ccsd should be allowed to run aisexec in the ccs_t domain. In the latter case ccs_t should also be allowed to read system state.

I tend to think that a domain transition ccs_t ->> aisexec_t should be implemented.

mkdir myccs, cd myccs;
echo "policy_module(myccs. 1.0.0)" > myccs.te;
echo "require { type ccs_t; }" >> myccs.te;
echo "aisexec_domtrans(ccs_t)" >> myccs.te;

make -f /usr/share/selinux/devel/Makefile myccs.pp
sudo semodule -i myccs.pp

Above will only work if F11 has aisexec policy implemented and if aisexec executable file is properly labelled.
The above policy assumes that it is legitimate that ccsd run aisexec.

leeatnwi · #6 19th July 2010, 03:40 PM

ok I did the

Code:

fixfiles onboot
reboot

\

which successfully went through and did it's thing. then I tried the

Code:

mkdir myccs
 cd myccs
echo "policy_module(myccs. 1.0.0)" > myccs.te;
echo "require { type ccs_t; }" >> myccs.te;
echo "aisexec_domtrans(ccs_t)" >> myccs.te; 

make -f /usr/share/selinux/devel/Makefile myccs.pp
sudo semodule -i myccs.pp

I made it in the /root directory while logged in as root and this output: after the "make -f" line

Code:

[root@server1 myccs]# make -f /usr/share/selinux/devel/Makefile myccs.pp
Compiling targeted myccs module
/usr/bin/checkmodule:  loading policy configuration from tmp/myccs.tmp
myccs.te":1:ERROR 'syntax error' at token '.' on line 1007:
#line 1
        module myccs. 1.0.0 ;
/usr/bin/checkmodule:  error(s) encountered while parsing configuration
make: *** [tmp/myccs.mod] Error 1
[root@server1 myccs]#

and here is what is in the /root/myccs/myccs.te

Code:

policy_module(myccs. 1.0.0)
require { type ccs_t; }
aisexec_domtrans(ccs_t)

I am sorry for any inexperience that I have. I have not worked with the clustering at all before and used this pdf > http://www.clusterlabs.org/wiki/File

lusters_from_Scratch_-_Apache_on_Fedora11.pdf to try and walk my way through it. I am currently on page 26. I have not enabled the ssh without password and i have not disabled selinux, of course. These servers are being setup now to be in a remote location.

I then looked into cman which someone as a question about and realized I had not even touched it yet! I tried starting the cman and here is what happens:

Code:

[root@server1 init.d]# service cman restart
Stopping cluster:
   Leaving fence domain...                                 [  OK  ]
   Stopping gfs_controld...                                [  OK  ]
   Stopping dlm_controld...                                [  OK  ]
   Stopping fenced...                                      [  OK  ]
   Stopping cman...                                        [  OK  ]
   Unloading kernel modules...                             [  OK  ]
   Unmounting configfs...                                  [  OK  ]
Starting cluster:
   Checking Network Manager...
Network Manager is either running or configured to run. Please disable it in the cluster.
                                                           [FAILED]
[root@server1 init.d]#

Once again I am sorry for inexperience and sorry if some of this does not relate to the security section of Fedora Forum. I am just trying to explain what I am doing and where I am at. Hopefully this helps for any questions. This is at my job i am setting this up and it will be a http and ftp server for them and the "windows" guys convinced them they needed two servers and clustering.

ok i got corosync up and tried but disabled the network manager so i can get online on that machine. and now i am messing with cman setup for a little

Thanks for all the help so far and thanks to anyone who continues to do so.