In a Samba-CTDB setup, the following AVC denial entries were seen in audit logs after the cluster was brought up:

type=AVC msg=audit(1499844253.153:33386): avc: denied { write } for pid=31193 comm="ip" path="/run/ctdb/ctdbd.pid" dev="tmpfs" ino=12338209 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:ctdbd_var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1499844253.153:33386): arch=c000003e syscall=59 success=yes exit=0 a0=9677f0 a1=9208b0 a2=964330 a3=7ffc96fb5470 items=0 ppid=31192 pid=31193 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ip" exe="/usr/sbin/ip" subj=system_u:system_r:ifconfig_t:s0 key=(null)
type=AVC msg=audit(1499844253.170:33387): avc: denied { write } for pid=31200 comm="ethtool" path="/run/ctdb/ctdbd.pid" dev="tmpfs" ino=12338209 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:ctdbd_var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1499844253.170:33387): arch=c000003e syscall=59 success=yes exit=0 a0=967310 a1=967330 a2=964330 a3=7ffc96fb57d0 items=0 ppid=31183 pid=31200 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ethtool" exe="/usr/sbin/ethtool" subj=system_u:system_r:ifconfig_t:s0 key=(null)

Additional info/analysis:

# ps -ejH | grep ctdb
24869 24869 24869 ?        00:00:00 ctdbd
24871 24869 24869 ?        00:00:00   ctdb_eventd
25000 24869 24869 ?        00:00:00   ctdb_recovered
25002 24869 24869 ?        00:00:00   ctdb_mutex_fcnt
# ls -l /proc/24871/fd | grep ctdbd.pid
l-wx------. 1 root root 64 Jul 12 13:00 5 -> /run/ctdb/ctdbd.pid
# ls -l /proc/25000/fd | grep ctdbd.pid
l-wx------. 1 root root 64 Jul 12 13:00 5 -> /run/ctdb/ctdbd.pid
# ls -l /proc/25002/fd | grep ctdbd.pid
l-wx------. 1 root root 64 Jul 12 13:00 5 -> /run/ctdb/ctdbd.pid

The above fd was available while executing event scripts via ctdb_eventd. Command line utilities like `ip` and `ethtool` used in 10.interface were making use of this leaked fd (why?) and thus SELinux denials were seen in audit logs. See also http://danwalsh.livejournal.com/53603.html for related info. Thanks to Martin & Amitay for all help.
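Added example (not CTDB's code and not the attached patches, whose contents are not shown on this page) reproducing the mechanism behind the report. A file descriptor opened without O_CLOEXEC is inherited across fork() and execve(), so a pid file held open for writing by a daemon is still open in every event script and in every tool the script execs. When execve() transitions the new process into a different SELinux domain (here ifconfig_t for /usr/sbin/ip and /usr/sbin/ethtool), the kernel revalidates the inherited descriptors against that domain, closes the ones it may not use and logs an AVC denial for each; that is why the denials are attached to syscall=59 (execve) with success=yes rather than to any write by the tool itself. The code below opens a pid file both ways, execs /bin/sh to see whether the fd survived (checked via /proc/self/fd, as the report does with /proc/<pid>/fd), and shows the two remedies: O_CLOEXEC at open() time and fcntl(F_SETFD, FD_CLOEXEC) after the fact. It assumes Linux with /proc mounted and /bin/sh present; the /tmp path and all function names are this example's own.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Open a pid file the way a daemon might.  With want_cloexec == 0 the fd is
 * inherited by every program the daemon or its children later exec(), which
 * is the situation in the report.  Illustrative only, not the ctdbd code. */
int open_pidfile(const char *path, int want_cloexec)
{
    int flags = O_WRONLY | O_CREAT | O_TRUNC | (want_cloexec ? O_CLOEXEC : 0);
    return open(path, flags, 0644);
}

/* 1 if `fd` survives execve(), 0 if FD_CLOEXEC is set, -1 on error. */
int fd_inherited_on_exec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0)
        return -1;
    return (flags & FD_CLOEXEC) ? 0 : 1;
}

/* Retrofit fix for an fd that was already opened without O_CLOEXEC. */
int set_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0)
        return -1;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* Fork and exec /bin/sh, which checks through /proc whether `fd` is still
 * open after the exec.  This is the position `ip` and `ethtool` are in when
 * an event script runs them.  Returns 1 if the exec'd child still has the
 * fd, 0 if it was closed on exec, -1 on error. */
int child_sees_fd(int fd)
{
    char script[64];
    int status;
    pid_t pid;

    snprintf(script, sizeof script, "test -e /proc/self/fd/%d", fd);
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", script, (char *)NULL);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    switch (WEXITSTATUS(status)) {
    case 0:  return 1;   /* /proc/self/fd/N exists: fd leaked into the child */
    case 1:  return 0;   /* test(1) says it is absent: closed on exec        */
    default: return -1;  /* sh missing, /proc unavailable, ...               */
    }
}

/* Walk through the leak and both fixes on the hypothetical pid file `path`.
 * Returns 0 when every step behaves as expected, otherwise the number of
 * the first failing step (1..6), or -1 if the file could not be opened. */
int demo_pidfile_leak(const char *path)
{
    int fd, rc = 0;

    fd = open_pidfile(path, 0);                       /* the leaky open()   */
    if (fd < 0) return -1;
    if (fd_inherited_on_exec(fd) != 1) rc = 1;        /* no FD_CLOEXEC      */
    else if (child_sees_fd(fd) != 1)   rc = 2;        /* leaks across exec  */
    else if (set_cloexec(fd) != 0)     rc = 3;        /* fix after the fact */
    else if (child_sees_fd(fd) != 0)   rc = 4;        /* now closed on exec */
    close(fd);
    if (rc) { unlink(path); return rc; }

    fd = open_pidfile(path, 1);                       /* the fixed open()   */
    if (fd < 0) { unlink(path); return -1; }
    if (fd_inherited_on_exec(fd) != 0) rc = 5;
    else if (child_sees_fd(fd) != 0)   rc = 6;
    close(fd);
    unlink(path);
    return rc;
}

int main(void)
{
    char path[64];
    snprintf(path, sizeof path, "/tmp/pidfile-leak-demo.%ld", (long)getpid());
    int rc = demo_pidfile_leak(path);
    printf("%s (rc=%d)\n",
           rc == 0 ? "leak reproduced, then closed by FD_CLOEXEC / O_CLOEXEC"
                   : "unexpected result", rc);
    return rc != 0;
}
```

The same check that child_sees_fd() performs can be run by hand against a live daemon exactly as the report does: list /proc/<pid>/fd of a process that was exec'd from an event script and look for descriptors that have no business being there. Any such descriptor is a candidate for an O_CLOEXEC at its open() site, which is cheaper and less error-prone than closing it in every fork path.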
Created attachment 13378: Patch for 4.6 and 4.7.
Created attachment 13379: Patches for v4-6
Created attachment 13380: Patches for v4-7
(In reply to Martin Schwenke from comment #1) Please use file names for patches to indicate the bug# and branch. I am sure Karolin would appreciate that.
Hi Karolin, This is ready for 4.6 and 4.7. Thanks...
(In reply to Martin Schwenke from comment #5) Pushed to autobuild-v4-{6,7}-test.
(In reply to Karolin Seeger from comment #6) Pushed to all branches. Closing out bug report. Thanks!