apache can't bind port 10080 #1

Closed
mbukatov opened this issue Oct 16, 2017 · 3 comments
mbukatov commented Oct 16, 2017

Description

There is an AVC denial for Apache trying to bind port 10080 (aka the amanda port) on the Tendrl Server machine.

Version

# rpm -qa | grep selinux | sort
carbon-selinux-1.5.3-20171013T090621.ffb1b7f.noarch
libselinux-2.5-11.el7.x86_64
libselinux-python-2.5-11.el7.x86_64
libselinux-utils-2.5-11.el7.x86_64
selinux-policy-3.13.1-166.el7_4.4.noarch
selinux-policy-targeted-3.13.1-166.el7_4.4.noarch
tendrl-grafana-selinux-1.5.3-20171013T090621.ffb1b7f.noarch
tendrl-selinux-1.5.3-20171013T090621.ffb1b7f.noarch
# rpm -qa | grep tendrl | sort 
tendrl-api-1.5.3-20171013T082716.a2f3b3f.noarch
tendrl-api-httpd-1.5.3-20171013T082716.a2f3b3f.noarch
tendrl-commons-1.5.3-20171013T081843.c73101a.noarch
tendrl-grafana-plugins-1.5.3-20171016T100950.e8eb6c8.noarch
tendrl-grafana-selinux-1.5.3-20171013T090621.ffb1b7f.noarch
tendrl-monitoring-integration-1.5.3-20171016T100950.e8eb6c8.noarch
tendrl-node-agent-1.5.3-20171016T094453.4aa81f7.noarch
tendrl-notifier-1.5.3-20171011T200310.3c01717.noarch
tendrl-selinux-1.5.3-20171013T090621.ffb1b7f.noarch
tendrl-ui-1.5.3-20171013T082611.6e08356.noarch

Steps to Reproduce

  1. Prepare machines with GlusterFS cluster, including gluster volume (I used nightly builds and volume_alpha_distrep_4x2.create.conf)
  2. Install Tendrl via tendrl-ansible there, using current master (upcoming 1.5.4).
  3. Log into the server machine, and check for avc error messages via ausearch -m avc.

Note: step 2 means that I'm using the SELinux targeted policy in permissive mode, with all tendrl selinux packages installed.

Actual Results

In audit logs, there is the following SELinux denial:

# ausearch -m avc
----
time->Mon Oct 16 11:15:19 2017
type=PROCTITLE msg=audit(1508152519.031:5036): proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44
type=SYSCALL msg=audit(1508152519.031:5036): arch=c000003e syscall=49 success=yes exit=0 a0=6 a1=55b796c3b3a8 a2=1c a3=7ffff139e42c items=0 ppid=1 pid=11057 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1508152519.031:5036): avc:  denied  { name_bind } for  pid=11057 comm="httpd" src=10080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:amanda_port_t:s0 tclass=tcp_socket

This means that SELinux would prevent Apache from listening on port 10080 (aka the amanda port).

Expected Results

There is no avc SELinux denial in audit logs.

Details

I ran restorecon -vR / to check whether I had messed up the SELinux context on some files, and it fixed labels on these files only:

restorecon reset /sys/fs/cgroup context system_u:object_r:tmpfs_t:s0->system_u:object_r:cgroup_t:s0
restorecon reset /etc/systemd/system/cloud-init.service context system_u:object_r:unlabeled_t:s0->system_u:object_r:systemd_unit_file_t:s0
restorecon reset /etc/sysconfig/anaconda context system_u:object_r:etc_runtime_t:s0->system_u:object_r:etc_t:s0
restorecon reset /root/.gnupg context unconfined_u:object_r:admin_home_t:s0->unconfined_u:object_r:gpg_secret_t:s0
restorecon reset /root/.gnupg/gpg.conf context unconfined_u:object_r:admin_home_t:s0->unconfined_u:object_r:gpg_secret_t:s0
restorecon reset /root/.gnupg/secring.gpg context unconfined_u:object_r:admin_home_t:s0->unconfined_u:object_r:gpg_secret_t:s0
restorecon reset /root/.gnupg/pubring.gpg context unconfined_u:object_r:admin_home_t:s0->unconfined_u:object_r:gpg_secret_t:s0
restorecon reset /root/.gnupg/trustdb.gpg context unconfined_u:object_r:admin_home_t:s0->unconfined_u:object_r:gpg_secret_t:s0
restorecon reset /root/.pki context unconfined_u:object_r:admin_home_t:s0->unconfined_u:object_r:home_cert_t:s0
restorecon reset /root/.pki/nssdb context unconfined_u:object_r:admin_home_t:s0->unconfined_u:object_r:home_cert_t:s0

Then immediately after that, I tried to restart apache and check if the avc denial is there again:

# systemctl restart httpd
# ausearch -m avc
----
time->Mon Oct 16 11:15:19 2017
type=PROCTITLE msg=audit(1508152519.031:5036): proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44
type=SYSCALL msg=audit(1508152519.031:5036): arch=c000003e syscall=49 success=yes exit=0 a0=6 a1=55b796c3b3a8 a2=1c a3=7ffff139e42c items=0 ppid=1 pid=11057 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1508152519.031:5036): avc:  denied  { name_bind } for  pid=11057 comm="httpd" src=10080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:amanda_port_t:s0 tclass=tcp_socket
----
time->Mon Oct 16 12:54:53 2017
type=PROCTITLE msg=audit(1508158493.076:5498): proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44
type=SYSCALL msg=audit(1508158493.076:5498): arch=c000003e syscall=49 success=yes exit=0 a0=6 a1=564104a553a8 a2=1c a3=7ffe9898603c items=0 ppid=1 pid=27485 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1508158493.076:5498): avc:  denied  { name_bind } for  pid=27485 comm="httpd" src=10080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:amanda_port_t:s0 tclass=tcp_socket

This seems to imply that the denial is not caused by my messing up SELinux labels by mistake.

Moreover, there already seems to be an SELinux rule trying to allow this, see:

corenet_tcp_bind_amanda_port(httpd_t)

but for some reason, it doesn't work.
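The records above carry one more fact worth reading off before chasing the policy rule: every SYSCALL line paired with the AVC denial reports success=yes exit=0, i.e. bind() succeeded despite the denial, which is exactly what permissive mode (or a permissive domain) looks like; under enforcing mode the same rule would give success=no exit=-13 (EACCES). The following parser is an added example written for this page, not code from the Tendrl project: it groups ausearch output by audit event serial, pairs each AVC denial with its SYSCALL record to infer the enforcement mode, extracts the source/target types, class, permission and port, and emits the sesearch/semanage commands one would run on the host to see whether the loaded policy actually contains the allow rule that corenet_tcp_bind_amanda_port(httpd_t) should have produced. The first two events are the ones quoted in the issue; the third event (serial 6000) is constructed to show the enforcing-mode case. The suggested commands assume setools (sesearch) and policycoreutils-python (semanage) are installed on the target host.

```python
import re
from collections import defaultdict

# Constructed sample input. The first two events are the records quoted in
# the issue above (permissive mode: bind() succeeded even though an AVC
# denial was logged). The third event is constructed, not from the issue,
# to show the same denial in enforcing mode (bind() fails with EACCES = -13).
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1508152519.031:5036): arch=c000003e syscall=49 success=yes exit=0 a0=6 a1=55b796c3b3a8 a2=1c a3=7ffff139e42c items=0 ppid=1 pid=11057 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1508152519.031:5036): avc:  denied  { name_bind } for  pid=11057 comm="httpd" src=10080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:amanda_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1508158493.076:5498): arch=c000003e syscall=49 success=yes exit=0 a0=6 a1=564104a553a8 a2=1c a3=7ffe9898603c items=0 ppid=1 pid=27485 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1508158493.076:5498): avc:  denied  { name_bind } for  pid=27485 comm="httpd" src=10080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:amanda_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1508160000.000:6000): arch=c000003e syscall=49 success=no exit=-13 a0=6 a1=0 a2=1c a3=0 items=0 ppid=1 pid=31000 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1508160000.000:6000): avc:  denied  { name_bind } for  pid=31000 comm="httpd" src=10080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:amanda_port_t:s0 tclass=tcp_socket
"""

# One audit record: "type=X msg=audit(<timestamp>:<serial>): <body>"
RECORD_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$")
# AVC body: "avc:  denied  { perm1 perm2 } for  key=value ..."
AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
# key=value pairs; values are either quoted (comm="httpd") or bare (src=10080)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(text):
    """Turn 'a=1 b="x y"' into {'a': '1', 'b': 'x y'}."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


def type_of(context):
    """Extract the type from an SELinux context of the form user:role:type:level."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else context


def group_records(audit_text):
    """Group records by event serial so the SYSCALL and AVC lines of one bind() are seen together."""
    events = defaultdict(list)
    for line in audit_text.splitlines():
        m = RECORD_RE.match(line.strip())
        if m:
            events[m.group("serial")].append((m.group("type"), m.group("body")))
    return events


def analyze_denials(audit_text):
    """Return one finding per AVC denial, with the enforcement mode inferred from the paired SYSCALL record."""
    findings = []
    for serial, records in sorted(group_records(audit_text).items(), key=lambda kv: int(kv[0])):
        syscall = next((parse_kv(body) for rtype, body in records if rtype == "SYSCALL"), None)
        for rtype, body in records:
            if rtype != "AVC":
                continue
            m = AVC_RE.search(body)
            if not m or m.group("result") != "denied":
                continue
            f = parse_kv(m.group("fields"))
            # A denial whose syscall still reports success=yes can only happen in
            # permissive mode (global or per-domain); success=no is what the same
            # rule produces under enforcing mode (exit=-13 is EACCES).
            if syscall is None:
                mode = "unknown"
            elif syscall.get("success") == "yes":
                mode = "permissive"
            else:
                mode = "enforcing"
            findings.append({
                "serial": serial,
                "perms": m.group("perms").split(),
                "source_type": type_of(f.get("scontext", "")),
                "target_type": type_of(f.get("tcontext", "")),
                "tclass": f.get("tclass"),
                "port": int(f["src"]) if "src" in f else None,
                "comm": f.get("comm"),
                "mode": mode,
            })
    return findings


def suggested_checks(finding):
    """Shell commands for the affected host (assumes setools and policycoreutils-python are installed)."""
    cmds = ["getenforce"]
    for perm in finding["perms"]:
        # sesearch lists the allow rules the *loaded* policy actually contains;
        # if the module's interface call took effect, a rule shows up here.
        cmds.append("sesearch -A -s {src} -t {tgt} -c {cls} -p {perm}".format(
            src=finding["source_type"], tgt=finding["target_type"], cls=finding["tclass"], perm=perm))
    if finding["port"] is not None:
        # Which port type the port carries in the running policy's port labelling.
        cmds.append("semanage port -l | grep -w {port}".format(port=finding["port"]))
    return cmds


if __name__ == "__main__":
    for finding in analyze_denials(SAMPLE_AUDIT):
        print("event {serial}: {comm} ({source_type}) {perms} on {target_type}/{tclass} port {port}: mode={mode}".format(**finding))
        for cmd in suggested_checks(finding):
            print("    " + cmd)
```

Run it against `ausearch -m avc --raw` output instead of the embedded sample to get the same report for a live host. If sesearch prints no rule for httpd_t on amanda_port_t even though the module source contains corenet_tcp_bind_amanda_port(httpd_t), the module that was actually loaded does not contain the rule the source suggests, which narrows the investigation to the build and installation of the policy module rather than to file labelling.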

@mbukatov

On the other hand, the good news is that there are no additional SELinux AVC denials after importing a cluster on Tendrl Server machine.

@TimothyAsirJeyasing

#8


mbukatov commented Dec 5, 2017

Verified to be fixed in #8

mbukatov closed this as completed Dec 5, 2017