LISTSERV - SCIENTIFIC-LINUX-DEVEL Archives

Unrelated: openafs-1.6.5.1 SRPM has not been pushed to 6.5/SRPMS/sl6

After updating to selinux-policy 3.7.19-231 our AFS server processes failed to start with a slew of AVCs in the audit.log. There appears to be a multitude of issues with the AFS SELinux policy shipped by TUV which were triggered by this update.  I set our servers in to permissive which resolved allowed the processes to come up but I'm not sure how to approach a real fix for this issue.

My initial question is this: was AFS ever supposed to run confined to begin with?  I don't think it was, as files created by the processes themselves before this policy were labeled with the unconfined_u user.  If they weren't, a workaround may be to reset the server executables to bin_t to prevent them from transitioning to confined contexts.

SELinux fs contexts greped for afs:

/afs                                               directory          system_u:object_r:mnt_t:s0 
/etc/rc\.d/init\.d/afs                             regular file       system_u:object_r:afs_initrc_exec_t:s0 
/etc/rc\.d/init\.d/openafs-client                  regular file       system_u:object_r:afs_initrc_exec_t:s0 
/usr/afs/bin/bosserver                             regular file       system_u:object_r:afs_bosserver_exec_t:s0 
/usr/afs/bin/fileserver                            regular file       system_u:object_r:afs_fsserver_exec_t:s0 
/usr/afs/bin/kaserver                              regular file       system_u:object_r:afs_kaserver_exec_t:s0 
/usr/afs/bin/ptserver                              regular file       system_u:object_r:afs_ptserver_exec_t:s0 
/usr/afs/bin/salvager                              regular file       system_u:object_r:afs_fsserver_exec_t:s0 
/usr/afs/bin/vlserver                              regular file       system_u:object_r:afs_vlserver_exec_t:s0 
/usr/afs/bin/volserver                             regular file       system_u:object_r:afs_fsserver_exec_t:s0 
/usr/afs/db                                        directory          system_u:object_r:afs_dbdir_t:s0 
/usr/afs/db/ka.*                                   regular file       system_u:object_r:afs_ka_db_t:s0 
/usr/afs/db/pr.*                                   regular file       system_u:object_r:afs_pt_db_t:s0 
/usr/afs/db/vl.*                                   regular file       system_u:object_r:afs_vl_db_t:s0 
/usr/afs/etc(/.*)?                                 all files          system_u:object_r:afs_config_t:s0 
/usr/afs/local(/.*)?                               all files          system_u:object_r:afs_config_t:s0 
/usr/afs/logs(/.*)?                                all files          system_u:object_r:afs_logfile_t:s0 
/usr/sbin/afsd                                     regular file       system_u:object_r:afs_exec_t:s0 
/usr/vice/cache(/.*)?                              all files          system_u:object_r:afs_cache_t:s0 
/usr/vice/etc/afsd                                 regular file       system_u:object_r:afs_exec_t:s0 
/var/cache/afs(/.*)?                               all files          system_u:object_r:afs_cache_t:s0 
/vicepa                                            all files          system_u:object_r:afs_files_t:s0 
/vicepb                                            all files          system_u:object_r:afs_files_t:s0 
/vicepc                                            all files          system_u:object_r:afs_files_t:s0

Only some of the AFS executables are labeled with execution contexts, notably da{fileserver,volserver,salvager} are not labeled, nor is buserver.

Attached is a sampling of the audit logs from my DB and FS servers which shows many denied actions from the various AFS processes.

~Aaron