Bug 1002903

Summary: libstoragemgmt service (lsmd) cannot start
Product: Red Hat Enterprise Linux 7
Reporter: Milos Malik <mmalik>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED CURRENTRELEASE
QA Contact: Milos Malik <mmalik>
Severity: medium
Priority: medium
Version: 7.0
CC: kraxel, mgrepl
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2014-06-13 13:11:30 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Milos Malik 2013-08-30 08:12:00 UTC
Description of problem:


Version-Release number of selected component (if applicable):
libstoragemgmt-0.0.22-2.el7.x86_64
libstoragemgmt-debuginfo-0.0.22-2.el7.x86_64
libstoragemgmt-devel-0.0.22-2.el7.x86_64
libstoragemgmt-netapp-plugin-0.0.22-2.el7.noarch
libstoragemgmt-nstor-plugin-0.0.22-2.el7.noarch
libstoragemgmt-python-0.0.22-2.el7.noarch
libstoragemgmt-smis-plugin-0.0.22-2.el7.noarch
libstoragemgmt-targetd-plugin-0.0.22-2.el7.noarch
selinux-policy-3.12.1-73.el7.noarch
selinux-policy-devel-3.12.1-73.el7.noarch
selinux-policy-doc-3.12.1-73.el7.noarch
selinux-policy-minimum-3.12.1-73.el7.noarch
selinux-policy-mls-3.12.1-73.el7.noarch
selinux-policy-targeted-3.12.1-73.el7.noarch

How reproducible:
always

Steps to Reproduce:
1. get a RHEL-7.0 machine
2. start libstoragemgmt service
3. search for AVCs

Actual results (enforcing mode):
----
time->Fri Aug 30 04:03:32 2013
type=SYSCALL msg=audit(1377849812.278:128): arch=c000003e syscall=21 success=no exit=-13 a0=40262c a1=6 a2=0 a3=7fffaeb2dab0 items=0 ppid=1 pid=9719 auid=4294967295 uid=996 gid=996 euid=996 suid=996 fsuid=996 egid=996 sgid=996 fsgid=996 tty=(none) ses=4294967295 comm="lsmd" exe="/usr/bin/lsmd" subj=system_u:system_r:lsmd_t:s0 key=(null)
type=AVC msg=audit(1377849812.278:128): avc:  denied  { write } for  pid=9719 comm="lsmd" name="ipc" dev="tmpfs" ino=28792 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
----
# ls -Z /run/lsm/
drwxr-xr-x. libstoragemgmt libstoragemgmt system_u:object_r:var_run_t:s0   ipc
# ls -i /run/lsm/
28792 ipc
#

Expected results:
 * no AVCs
 * the service is running

Comment 1 Milos Malik 2013-08-30 08:14:09 UTC
Actual results (permissive mode):
----
time->Fri Aug 30 04:05:09 2013
type=SYSCALL msg=audit(1377849909.105:100): arch=80000015 syscall=33 success=yes exit=0 a0=10003688 a1=6 a2=80 a3=3fffde71c910 items=0 ppid=1 pid=13412 auid=4294967295 uid=996 gid=996 euid=996 suid=996 fsuid=996 egid=996 sgid=996 fsgid=996 tty=(none) ses=4294967295 comm="lsmd" exe="/usr/bin/lsmd" subj=system_u:system_r:lsmd_t:s0 key=(null)
type=AVC msg=audit(1377849909.105:100): avc:  denied  { write } for  pid=13412 comm="lsmd" name="ipc" dev="tmpfs" ino=42726 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
----
time->Fri Aug 30 04:05:09 2013
type=SYSCALL msg=audit(1377849909.105:101): arch=80000015 syscall=102 success=yes exit=0 a0=2 a1=3fffde71c520 a2=6e a3=0 items=0 ppid=1 pid=13412 auid=4294967295 uid=996 gid=996 euid=996 suid=996 fsuid=996 egid=996 sgid=996 fsgid=996 tty=(none) ses=4294967295 comm="lsmd" exe="/usr/bin/lsmd" subj=system_u:system_r:lsmd_t:s0 key=(null)
type=AVC msg=audit(1377849909.105:101): avc:  denied  { create } for  pid=13412 comm="lsmd" name="smispy" scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1377849909.105:101): avc:  denied  { add_name } for  pid=13412 comm="lsmd" name="smispy" scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
----
time->Fri Aug 30 04:05:09 2013
type=SYSCALL msg=audit(1377849909.105:102): arch=80000015 syscall=15 success=yes exit=0 a0=10022428050 a1=1b6 a2=6e a3=0 items=0 ppid=1 pid=13412 auid=4294967295 uid=996 gid=996 euid=996 suid=996 fsuid=996 egid=996 sgid=996 fsgid=996 tty=(none) ses=4294967295 comm="lsmd" exe="/usr/bin/lsmd" subj=system_u:system_r:lsmd_t:s0 key=(null)
type=AVC msg=audit(1377849909.105:102): avc:  denied  { setattr } for  pid=13412 comm="lsmd" name="smispy" dev="tmpfs" ino=45644 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
----
time->Fri Aug 30 04:05:13 2013
type=SYSCALL msg=audit(1377849913.555:104): arch=80000015 syscall=10 success=yes exit=0 a0=10022428050 a1=3fffde71c8c0 a2=3fffde71c8c0 a3=5 items=0 ppid=1 pid=13412 auid=4294967295 uid=996 gid=996 euid=996 suid=996 fsuid=996 egid=996 sgid=996 fsgid=996 tty=(none) ses=4294967295 comm="lsmd" exe="/usr/bin/lsmd" subj=system_u:system_r:lsmd_t:s0 key=(null)
type=AVC msg=audit(1377849913.555:104): avc:  denied  { unlink } for  pid=13412 comm="lsmd" name="simc" dev="tmpfs" ino=45654 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1377849913.555:104): avc:  denied  { remove_name } for  pid=13412 comm="lsmd" name="simc" dev="tmpfs" ino=45654 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
----
time->Fri Aug 30 04:05:13 2013
type=SYSCALL msg=audit(1377849913.555:103): arch=80000015 syscall=107 success=yes exit=0 a0=10022428050 a1=3fffde71c8c0 a2=3fffde71c8c0 a3=5 items=0 ppid=1 pid=13412 auid=4294967295 uid=996 gid=996 euid=996 suid=996 fsuid=996 egid=996 sgid=996 fsgid=996 tty=(none) ses=4294967295 comm="lsmd" exe="/usr/bin/lsmd" subj=system_u:system_r:lsmd_t:s0 key=(null)
type=AVC msg=audit(1377849913.555:103): avc:  denied  { getattr } for  pid=13412 comm="lsmd" path="/run/lsm/ipc/simc" dev="tmpfs" ino=45654 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
----
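
Added example (not part of the bug report or of the selinux-policy project): a small Python parser that groups the AVC records from Comment 1 by source type, target type and object class, which shows the full set of accesses lsmd attempted in permissive mode, where enforcing mode logged only the first denial. The GENERIC_TYPES list and the function names are this example's own assumptions.

```python
import re
from collections import defaultdict

# AVC records copied from the permissive-mode output in Comment 1.
AVC_LOG = '''
type=AVC msg=audit(1377849909.105:100): avc:  denied  { write } for  pid=13412 comm="lsmd" name="ipc" dev="tmpfs" ino=42726 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
type=AVC msg=audit(1377849909.105:101): avc:  denied  { create } for  pid=13412 comm="lsmd" name="smispy" scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1377849909.105:101): avc:  denied  { add_name } for  pid=13412 comm="lsmd" name="smispy" scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
type=AVC msg=audit(1377849909.105:102): avc:  denied  { setattr } for  pid=13412 comm="lsmd" name="smispy" dev="tmpfs" ino=45644 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1377849913.555:104): avc:  denied  { unlink } for  pid=13412 comm="lsmd" name="simc" dev="tmpfs" ino=45654 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1377849913.555:104): avc:  denied  { remove_name } for  pid=13412 comm="lsmd" name="simc" dev="tmpfs" ino=45654 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
type=AVC msg=audit(1377849913.555:103): avc:  denied  { getattr } for  pid=13412 comm="lsmd" path="/run/lsm/ipc/simc" dev="tmpfs" ino=45654 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
'''

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{([^}]*)\}.*?scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)"
)

# Assumption of this example: a short list of generic, widely shared types.
GENERIC_TYPES = {"var_run_t", "tmp_t", "var_lib_t"}


def se_type(context):
    """Return the type field of a user:role:type:level security context."""
    return context.split(":")[2]


def summarize(log):
    """Group denied permissions by (source type, target type, object class)."""
    grouped = defaultdict(set)
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue  # SYSCALL records, separators and timestamps are skipped
        perms, scon, tcon, tclass = m.groups()
        grouped[(se_type(scon), se_type(tcon), tclass)].update(perms.split())
    return {key: sorted(perms) for key, perms in grouped.items()}


def generic_targets(summary):
    """Target types in GENERIC_TYPES; check whether the object needs its own label."""
    return sorted({tgt for (_, tgt, _) in summary if tgt in GENERIC_TYPES})


if __name__ == "__main__":
    result = summarize(AVC_LOG)
    for (src, tgt, cls), perms in sorted(result.items()):
        print(f"{src} -> {tgt}:{cls} {{ {' '.join(perms)} }}")
    print("generic target types:", generic_targets(result))
```

Every denial in the log targets var_run_t, the label shown by `ls -Z /run/lsm/` in the description, so the grouped output points at the labeling of /run/lsm/ipc rather than at seven unrelated problems.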

Comment 2 Miroslav Grepl 2013-09-03 12:36:10 UTC
*** Bug 1003776 has been marked as a duplicate of this bug. ***

Comment 3 Miroslav Grepl 2013-09-03 18:09:15 UTC
Fix added to Fedora.

Comment 5 Ludek Smid 2014-06-13 13:11:30 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.