Bug 12898 - fd leak to ctdb sub-processes leads to SELinux AVC denial in audit logs
Status: RESOLVED FIXED
Product: Samba 4.1 and newer
Classification: Unclassified
Component: CTDB
Version: 4.6.3
Hardware: x64 Linux
Importance: P5 normal
Target Milestone: ---
Assigned To: Karolin Seeger
QA Contact: Samba QA Contact
Depends on:
Blocks:
Reported: 2017-07-12 07:40 UTC by Anoop C S
Modified: 2017-07-25 09:33 UTC (History)
Attachments
Patch for 4.6 and 4.7. (1.13 KB, patch)
2017-07-14 01:27 UTC, Martin Schwenke
no flags Details
Patches for v4-6 (1.12 KB, patch)
2017-07-14 07:49 UTC, Amitay Isaacs
martins: review+
Details
Patches for v4-7 (1.12 KB, patch)
2017-07-14 07:50 UTC, Amitay Isaacs
martins: review+
Details

Description Anoop C S 2017-07-12 07:40:59 UTC
In a Samba-CTDB setup, the following AVC denial entries were seen in audit logs after the cluster is brought up:

type=AVC msg=audit(1499844253.153:33386): avc:  denied  { write } for  pid=31193 comm="ip" path="/run/ctdb/ctdbd.pid" dev="tmpfs" ino=12338209 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:ctdbd_var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1499844253.153:33386): arch=c000003e syscall=59 success=yes exit=0 a0=9677f0 a1=9208b0 a2=964330 a3=7ffc96fb5470 items=0 ppid=31192 pid=31193 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ip" exe="/usr/sbin/ip" subj=system_u:system_r:ifconfig_t:s0 key=(null)
type=AVC msg=audit(1499844253.170:33387): avc:  denied  { write } for  pid=31200 comm="ethtool" path="/run/ctdb/ctdbd.pid" dev="tmpfs" ino=12338209 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:ctdbd_var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1499844253.170:33387): arch=c000003e syscall=59 success=yes exit=0 a0=967310 a1=967330 a2=964330 a3=7ffc96fb57d0 items=0 ppid=31183 pid=31200 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ethtool" exe="/usr/sbin/ethtool" subj=system_u:system_r:ifconfig_t:s0 key=(null)

Additional info/analysis:
# ps -ejH | grep ctdb
24869 24869 24869 ?        00:00:00   ctdbd
24871 24869 24869 ?        00:00:00     ctdb_eventd
25000 24869 24869 ?        00:00:00     ctdb_recovered
25002 24869 24869 ?        00:00:00       ctdb_mutex_fcnt
# ls -l /proc/24871/fd | grep ctdbd.pid
l-wx------. 1 root root 64 Jul 12 13:00 5 -> /run/ctdb/ctdbd.pid
# ls -l /proc/25000/fd | grep ctdbd.pid
l-wx------. 1 root root 64 Jul 12 13:00 5 -> /run/ctdb/ctdbd.pid
# ls -l /proc/25002/fd | grep ctdbd.pid
l-wx------. 1 root root 64 Jul 12 13:00 5 -> /run/ctdb/ctdbd.pid

The above fd was available while executing event scripts via ctdb_eventd. Command line utilities like `ip` and `ethtool` used in 10.interface were making use of this leaked fd (why?) and thus SELinux denials were seen in audit logs. See also http://danwalsh.livejournal.com/53603.html for related info.

Thanks to Martin & Amitay for all help.
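The mechanism behind this report, as an added example that is not CTDB's or Samba's own code: a daemon opens its pid file and keeps the descriptor for its whole lifetime, and any child that forks and execs a helper (here `ip` or `ethtool` from 10.interface) inherits that descriptor unless it carries the close-on-exec flag, which is exactly what the AVC entries show. The scratch pid file path and the /bin/sh probe are assumptions of this example; it needs a POSIX system with /bin/sh.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <fcntl.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Open a pid file the way a daemon keeps it open for its whole lifetime (a
 * real daemon would also write its pid and hold the fd as a lock).  Without
 * O_CLOEXEC the descriptor is inherited by every execve()d child, which is the
 * leak in the report; with it the kernel closes the fd at exec. */
int open_pidfile(const char *path, int cloexec)
{
    int flags = O_WRONLY | O_CREAT | O_TRUNC | (cloexec ? O_CLOEXEC : 0);
    return open(path, flags, 0644);
}

/* Fork, exec /bin/sh and let the exec'd shell test whether fd is still open
 * there: "exec N+1>&N" succeeds only if N is open, so the child's exit status
 * reports whether the descriptor crossed exec.  Returns 1, 0, or -1 on error. */
int fd_survives_exec(int fd)
{
    char cmd[64];
    snprintf(cmd, sizeof(cmd), "exec %d>&%d", fd + 1, fd);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        int devnull = open("/dev/null", O_WRONLY); /* silence the EBADF message */
        if (devnull >= 0) { dup2(devnull, STDERR_FILENO); close(devnull); }
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

int main(void)
{
    const char *path = "/tmp/pidfile-cloexec-demo.pid"; /* scratch path, not ctdb's */
    for (int cloexec = 0; cloexec <= 1; cloexec++) {
        int fd = open_pidfile(path, cloexec);
        printf("cloexec=%d: fd %d still open after exec? %d\n", cloexec, fd, fd_survives_exec(fd));
        close(fd);
    }
    unlink(path);
    return 0;
}
```

Run against a live daemon, the same check is what the `ls -l /proc/<pid>/fd` commands above do by hand; the fix is to open the pid file with O_CLOEXEC (or set FD_CLOEXEC with fcntl) so helpers never see it.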
Comment 1 Martin Schwenke 2017-07-14 01:27:04 UTC
Created attachment 13378 [details]
Patch for 4.6 and 4.7.
Comment 2 Amitay Isaacs 2017-07-14 07:49:36 UTC
Created attachment 13379 [details]
Patches for v4-6
Comment 3 Amitay Isaacs 2017-07-14 07:50:07 UTC
Created attachment 13380 [details]
Patches for v4-7
Comment 4 Amitay Isaacs 2017-07-14 07:52:03 UTC
(In reply to Martin Schwenke from comment #1)

Please use file names for patches to indicate the bug# and branch.

I am sure Karolin would appreciate that.
Comment 5 Martin Schwenke 2017-07-14 08:40:09 UTC
Hi Karolin,

This is ready for 4.6 and 4.7.

Thanks...
Comment 6 Karolin Seeger 2017-07-23 20:13:10 UTC
(In reply to Martin Schwenke from comment #5)
Pushed to autobuild-v4-{6,7}-test.
Comment 7 Karolin Seeger 2017-07-25 09:33:47 UTC
(In reply to Karolin Seeger from comment #6)
Pushed to all branches.
Closing out bug report.

Thanks!