Bug 11577 - Read Only Tracking DBs fail to open when running with selinux enabled.
Read Only Tracking DBs fail to open when running with selinux enabled.
Status: RESOLVED FIXED
Product: CTDB 2.5.x or older
Classification: Unclassified
Component: ctdb
4.2.0
All All
: P5 normal
: ---
Assigned To: Karolin Seeger
Samba QA Contact
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2015-10-27 10:01 UTC by Michael Adam
Modified: 2015-10-29 08:43 UTC (History)
5 users (show)

See Also:


Attachments
patch for 4.3 cherry-picked from master (64 bytes, patch)
2015-10-28 10:56 UTC, Michael Adam
obnox: review+
Details
Patch for v4-2-test cherry-picked from master (1.49 KB, patch)
2015-10-28 10:59 UTC, Michael Adam
obnox: review+
obnox: review? (martins)
obnox: review? (amitay)
jarrpa: review+
Details
updated patch for 4.3 cherry-picked from master (1.49 KB, patch)
2015-10-28 15:51 UTC, Michael Adam
obnox: review+
jarrpa: review+
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Michael Adam 2015-10-27 10:01:17 UTC
The server creates the read only tracking dbs (<some_tdb>.tdb.<nodenuber>.RO) with permissions 0000. This is ok for pure unix/posix, because ctdbd is running as root, but in an selinux-enabled system a subsequent open (after a ctdb restart) of the rottdb fails, since selinux is more strict: A process would need the dac_override to perform this kind of open, even as root.
Comment 1 Michael Adam 2015-10-27 10:05:13 UTC
This leads to a failure to start ctdb (a second time) in Samba/CTDB 4.2 and newer, since Samba enables readonly-copies in the netlogon_creds_cli.tdb.
Comment 2 Michael Adam 2015-10-28 10:56:17 UTC
Created attachment 11545 [details]
patch for 4.3 cherry-picked from master
Comment 3 Michael Adam 2015-10-28 10:59:03 UTC
Created attachment 11546 [details]
Patch for v4-2-test cherry-picked from master
Comment 4 José A. Rivera 2015-10-28 15:26:31 UTC
If I'm clicking on things correctly, I believe the patch for 4.3 is incorrect. It is 64 bytes in length with the contents:

"0001-ctdb-open-the-RO-tracking-db-with-perms-0600-instead.patch"

I imagine it's similar enough to the v4-2-test patch, but do upload the patch again. :)
Comment 5 Michael Adam 2015-10-28 15:51:22 UTC
Created attachment 11548 [details]
updated patch for 4.3 cherry-picked from master

Correct patch file ( first time I forgot '--stdout' ... )
Comment 6 José A. Rivera 2015-10-28 16:01:33 UTC
Comment on attachment 11548 [details]
updated patch for 4.3 cherry-picked from master

LGTM
Comment 7 José A. Rivera 2015-10-28 16:01:51 UTC
Comment on attachment 11546 [details]
Patch for v4-2-test cherry-picked from master

LGTM
Comment 8 Karolin Seeger 2015-10-29 08:38:20 UTC
Pushed to autobuild-v4-[3|2]test.
Comment 9 Karolin Seeger 2015-10-29 08:43:16 UTC
(In reply to Karolin Seeger from comment #8)
Pushed to both branches.
Closing out bug report.

Thanks!