Bug 1019330

Summary: xfs_growfs should be fsadm_exec_t
Product: [Fedora] Fedora
Component: selinux-policy
Version: 19
Hardware: Unspecified
OS: Unspecified
Status: CLOSED ERRATA
Severity: unspecified
Priority: unspecified
Reporter: William Brown <william>
Assignee: Miroslav Grepl <mgrepl>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: dominick.grift, dwalsh, lvrabec, mgrepl
Fixed In Version: selinux-policy-3.12.1-74.10.fc19
Doc Type: Bug Fix
Type: Bug
Last Closed: 2013-10-22 05:05:16 UTC

Description William Brown 2013-10-15 13:49:15 UTC
Description of problem:

Running as a sysadm_r, using xfs_growfs causes the following denials:

time->Tue Oct 15 14:31:00 2013
type=SYSCALL msg=audit(1381809660.797:1069): arch=c000003e syscall=16 success=yes exit=0 a0=4 a1=80081272 a2=7fff22d2dd20 a3=0 items=0 ppid=13457 pid=14180 auid=2000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=1 tty=pts7 comm="xfs_growfs" exe="/usr/sbin/xfs_growfs" subj=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1381809660.797:1069): avc:  denied  { ioctl } for  pid=14180 comm="xfs_growfs" path="/dev/sdb1" dev="devtmpfs" ino=203221 scontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
----
time->Tue Oct 15 14:31:00 2013
type=SYSCALL msg=audit(1381809660.797:1068): arch=c000003e syscall=2 success=yes exit=4 a0=121f550 a1=0 a2=1b6 a3=0 items=0 ppid=13457 pid=14180 auid=2000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=1 tty=pts7 comm="xfs_growfs" exe="/usr/sbin/xfs_growfs" subj=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1381809660.797:1068): avc:  denied  { open } for  pid=14180 comm="xfs_growfs" path="/dev/sdb1" dev="devtmpfs" ino=203221 scontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
type=AVC msg=audit(1381809660.797:1068): avc:  denied  { read } for  pid=14180 comm="xfs_growfs" name="sdb1" dev="devtmpfs" ino=203221 scontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file

Similar tools like resize2fs have the fsadm_exec_t. xfs utils should likely be marked in a similar way to allow a correct transition to avoid these denials.
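
An added example, not part of the original report: a small Python parser that groups the AVC denials above by source type, target type and object class, and checks whether the syscall in the same audit event still succeeded. The function and variable names are this example's own; the records are copied from the report.

```python
import re
from collections import defaultdict

# Audit records copied verbatim from the report above.
SAMPLE = """\
type=SYSCALL msg=audit(1381809660.797:1069): arch=c000003e syscall=16 success=yes exit=0 a0=4 a1=80081272 a2=7fff22d2dd20 a3=0 items=0 ppid=13457 pid=14180 auid=2000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=1 tty=pts7 comm="xfs_growfs" exe="/usr/sbin/xfs_growfs" subj=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1381809660.797:1069): avc:  denied  { ioctl } for  pid=14180 comm="xfs_growfs" path="/dev/sdb1" dev="devtmpfs" ino=203221 scontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
----
type=SYSCALL msg=audit(1381809660.797:1068): arch=c000003e syscall=2 success=yes exit=4 a0=121f550 a1=0 a2=1b6 a3=0 items=0 ppid=13457 pid=14180 auid=2000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=1 tty=pts7 comm="xfs_growfs" exe="/usr/sbin/xfs_growfs" subj=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1381809660.797:1068): avc:  denied  { open } for  pid=14180 comm="xfs_growfs" path="/dev/sdb1" dev="devtmpfs" ino=203221 scontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
type=AVC msg=audit(1381809660.797:1068): avc:  denied  { read } for  pid=14180 comm="xfs_growfs" name="sdb1" dev="devtmpfs" ino=203221 scontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
"""

# Record type and audit event id (timestamp:serial) at the start of each record.
EVENT = re.compile(r"type=(\w+) msg=audit\(([\d.]+:\d+)\):")
# Denied permissions plus source context, target context and object class.
AVC = re.compile(r"denied\s+\{ ([^}]+) \}.*?scontext=(\S+) tcontext=(\S+) tclass=(\S+)")


def sel_type(context):
    """Return the type field of a user:role:type:level SELinux context."""
    return context.split(":")[2]


def summarize(log):
    """Group denials by (source type, target type, class) and report whether
    every syscall sharing an audit event with those denials succeeded."""
    perms = defaultdict(set)    # rule key -> denied permissions
    events = defaultdict(set)   # rule key -> audit event ids
    succeeded = {}              # audit event id -> syscall success flag
    for line in log.splitlines():
        m = EVENT.match(line)
        if not m:
            continue            # separators and time-> lines
        rtype, event = m.groups()
        if rtype == "SYSCALL":
            succeeded[event] = "success=yes" in line
        elif rtype == "AVC" and (a := AVC.search(line)):
            key = (sel_type(a.group(2)), sel_type(a.group(3)), a.group(4))
            perms[key].update(a.group(1).split())
            events[key].add(event)
    return {
        key: {"perms": sorted(p),
              # False when a SYSCALL record is missing or reports failure
              "syscalls_succeeded": all(succeeded.get(e, False) for e in events[key])}
        for key, p in perms.items()
    }


if __name__ == "__main__":
    print(summarize(SAMPLE))
```

On these records the result is a single entry, sysadm_t to fixed_disk_device_t:blk_file with ioctl, open and read, so the process was still running in sysadm_t when it touched the disk. The paired syscalls report success=yes, which means the denials were logged but the accesses were not blocked.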

Comment 1 Miroslav Grepl 2013-10-15 15:50:17 UTC
commit 8340f1386e283e4f8bfce2776098048e5d6d2d38
Author: Miroslav Grepl <mgrepl>
Date:   Tue Oct 15 17:50:16 2013 +0200

    Label /sbin/xfs_growfs as fsadm_exec_t

Comment 2 Fedora Update System 2013-10-15 16:03:15 UTC
selinux-policy-3.12.1-74.10.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-74.10.fc19

Comment 3 Fedora Update System 2013-10-18 20:02:51 UTC
Package selinux-policy-3.12.1-74.10.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-74.10.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-19368/selinux-policy-3.12.1-74.10.fc19
then log in and leave karma (feedback).

Comment 4 Fedora Update System 2013-10-22 05:05:16 UTC
selinux-policy-3.12.1-74.10.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.