| Summary: | SELinux prevents lsmd from executing various lsmplugins | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Milos Malik <mmalik> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Milos Malik <mmalik> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 7.0 | CC: | mmalik |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | selinux-policy-3.12.1-118.el7 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2014-06-13 09:32:45 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
If you replace 'sim://' with 'simc://' then you will get similar AVCs. sim_lsmplugin is a script, but simc_lsmplugin is a binary. After execution of "chcon -t lsmd_exec_t /usr/bin/simc_lsmplugin" the AVCs stopped appearing. But the reproducer from comment#0 still triggers AVCs. Each of these plugins can be triggered via the reproducer:
# ls -l /usr/bin/*_lsmplugin
-rwxr-xr-x. 1 root root 1340 Oct 14 17:00 /usr/bin/nstor_lsmplugin
-rwxr-xr-x. 1 root root 1298 Oct 14 17:00 /usr/bin/ontap_lsmplugin
-rwxr-xr-x. 1 root root 48312 Oct 14 16:58 /usr/bin/simc_lsmplugin
-rwxr-xr-x. 1 root root 1324 Oct 14 17:00 /usr/bin/sim_lsmplugin
-rwxr-xr-x. 1 root root 1297 Oct 14 17:00 /usr/bin/smispy_lsmplugin
-rwxr-xr-x. 1 root root 23904 Oct 14 17:00 /usr/bin/targetd_lsmplugin
# file /usr/bin/*_lsmplugin
/usr/bin/nstor_lsmplugin: Python script, ASCII text executable
/usr/bin/ontap_lsmplugin: Python script, ASCII text executable
/usr/bin/simc_lsmplugin: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.32, BuildID[sha1]=0xe19f870782280067178acabafa6fd1c34373d922, stripped
/usr/bin/sim_lsmplugin: Python script, ASCII text executable
/usr/bin/smispy_lsmplugin: Python script, ASCII text executable
/usr/bin/targetd_lsmplugin: Python script, ASCII text executable
Milos,
could you try to add
corecmd_exec_bin(lsmd)
to the local policy, and re-run and collect AVC msgs?
commit c07234231b3ef9de9129c257d1ef1245bf1b9a4b
Author: Miroslav Grepl <mgrepl>
Date: Fri Nov 8 09:01:45 2013 +0100
Allow lsmd to execute various lsmplugins
After compiling and loading the following module, a bunch of AVCs showed up in enforcing mode:
policy_module(mypolicy,1.0)
require {
type lsmd_t;
}
corecmd_exec_bin(lsmd_t)
----
type=PATH msg=audit(11/08/2013 10:22:24.897:861) : item=0 name=/proc/meminfo inode=4026532027 dev=00:03 mode=file,444 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:proc_t:s0 objtype=NORMAL
type=CWD msg=audit(11/08/2013 10:22:24.897:861) : cwd=/
type=SYSCALL msg=audit(11/08/2013 10:22:24.897:861) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=0x38ca37c8cf a1=O_RDONLY|O_CLOEXEC a2=0x1b6 a3=0x1 items=1 ppid=4541 pid=4565 auid=unset uid=libstoragemgmt gid=libstoragemgmt euid=libstoragemgmt suid=libstoragemgmt fsuid=libstoragemgmt egid=libstoragemgmt sgid=libstoragemgmt fsgid=libstoragemgmt tty=(none) ses=unset comm=python2.7 exe=/usr/bin/python2.7 subj=system_u:system_r:lsmd_t:s0 key=(null)
type=AVC msg=audit(11/08/2013 10:22:24.897:861) : avc: denied { read } for pid=4565 comm=python2.7 name=meminfo dev="proc" ino=4026532027 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
----
type=PATH msg=audit(11/08/2013 10:22:24.974:862) : item=0 name=/dev/urandom inode=4910 dev=00:05 mode=character,666 ouid=root ogid=root rdev=01:09 obj=system_u:object_r:urandom_device_t:s0 objtype=NORMAL
type=CWD msg=audit(11/08/2013 10:22:24.974:862) : cwd=/
type=SYSCALL msg=audit(11/08/2013 10:22:24.974:862) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=0x38cf7410bd a1=O_RDONLY a2=0x38cf9bbf88 a3=0x0 items=1 ppid=4541 pid=4565 auid=unset uid=libstoragemgmt gid=libstoragemgmt euid=libstoragemgmt suid=libstoragemgmt fsuid=libstoragemgmt egid=libstoragemgmt sgid=libstoragemgmt fsgid=libstoragemgmt tty=(none) ses=unset comm=python2.7 exe=/usr/bin/python2.7 subj=system_u:system_r:lsmd_t:s0 key=(null)
type=AVC msg=audit(11/08/2013 10:22:24.974:862) : avc: denied { read } for pid=4565 comm=python2.7 name=urandom dev="devtmpfs" ino=4910 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
----
type=PATH msg=audit(11/08/2013 10:22:24.980:864) : item=1 name=/tmp/1MsK71 objtype=CREATE
type=PATH msg=audit(11/08/2013 10:22:24.980:864) : item=0 name=/tmp/ inode=25165953 dev=fd:03 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tmp_t:s0 objtype=PARENT
type=CWD msg=audit(11/08/2013 10:22:24.980:864) : cwd=/
type=SYSCALL msg=audit(11/08/2013 10:22:24.980:864) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=0x25fec40 a1=O_RDWR|O_CREAT|O_EXCL|O_NOFOLLOW a2=0600 a3=0x0 items=2 ppid=4541 pid=4565 auid=unset uid=libstoragemgmt gid=libstoragemgmt euid=libstoragemgmt suid=libstoragemgmt fsuid=libstoragemgmt egid=libstoragemgmt sgid=libstoragemgmt fsgid=libstoragemgmt tty=(none) ses=unset comm=python2.7 exe=/usr/bin/python2.7 subj=system_u:system_r:lsmd_t:s0 key=(null)
type=AVC msg=audit(11/08/2013 10:22:24.980:864) : avc: denied { write } for pid=4565 comm=python2.7 name=tmp dev="vda3" ino=25165953 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
----
The following AVCs were caught in permissive mode:
----
type=PATH msg=audit(11/08/2013 10:33:30.753:1330) : item=0 name=/proc/meminfo inode=4026532027 dev=00:03 mode=file,444 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:proc_t:s0 objtype=NORMAL
type=CWD msg=audit(11/08/2013 10:33:30.753:1330) : cwd=/
type=SYSCALL msg=audit(11/08/2013 10:33:30.753:1330) : arch=x86_64 syscall=open success=yes exit=6 a0=0x38ca37c8cf a1=O_RDONLY|O_CLOEXEC a2=0x1b6 a3=0x1 items=1 ppid=29521 pid=29545 auid=unset uid=libstoragemgmt gid=libstoragemgmt euid=libstoragemgmt suid=libstoragemgmt fsuid=libstoragemgmt egid=libstoragemgmt sgid=libstoragemgmt fsgid=libstoragemgmt tty=(none) ses=unset comm=python2.7 exe=/usr/bin/python2.7 subj=system_u:system_r:lsmd_t:s0 key=(null)
type=AVC msg=audit(11/08/2013 10:33:30.753:1330) : avc: denied { open } for pid=29545 comm=python2.7 path=/proc/meminfo dev="proc" ino=4026532027 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=AVC msg=audit(11/08/2013 10:33:30.753:1330) : avc: denied { read } for pid=29545 comm=python2.7 name=meminfo dev="proc" ino=4026532027 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
----
type=SYSCALL msg=audit(11/08/2013 10:33:30.755:1331) : arch=x86_64 syscall=fstat success=yes exit=0 a0=0x6 a1=0x7fff1932c4a0 a2=0x7fff1932c4a0 a3=0x0 items=0 ppid=29521 pid=29545 auid=unset uid=libstoragemgmt gid=libstoragemgmt euid=libstoragemgmt suid=libstoragemgmt fsuid=libstoragemgmt egid=libstoragemgmt sgid=libstoragemgmt fsgid=libstoragemgmt tty=(none) ses=unset comm=python2.7 exe=/usr/bin/python2.7 subj=system_u:system_r:lsmd_t:s0 key=(null)
type=AVC msg=audit(11/08/2013 10:33:30.755:1331) : avc: denied { getattr } for pid=29545 comm=python2.7 path=/proc/meminfo dev="proc" ino=4026532027 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
----
type=PATH msg=audit(11/08/2013 10:33:30.835:1332) : item=0 name=/dev/urandom inode=4910 dev=00:05 mode=character,666 ouid=root ogid=root rdev=01:09 obj=system_u:object_r:urandom_device_t:s0 objtype=NORMAL
type=CWD msg=audit(11/08/2013 10:33:30.835:1332) : cwd=/
type=SYSCALL msg=audit(11/08/2013 10:33:30.835:1332) : arch=x86_64 syscall=open success=yes exit=7 a0=0x38cf7410bd a1=O_RDONLY a2=0x38cf9bbf88 a3=0x0 items=1 ppid=29521 pid=29545 auid=unset uid=libstoragemgmt gid=libstoragemgmt euid=libstoragemgmt suid=libstoragemgmt fsuid=libstoragemgmt egid=libstoragemgmt sgid=libstoragemgmt fsgid=libstoragemgmt tty=(none) ses=unset comm=python2.7 exe=/usr/bin/python2.7 subj=system_u:system_r:lsmd_t:s0 key=(null)
type=AVC msg=audit(11/08/2013 10:33:30.835:1332) : avc: denied { open } for pid=29545 comm=python2.7 path=/dev/urandom dev="devtmpfs" ino=4910 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=AVC msg=audit(11/08/2013 10:33:30.835:1332) : avc: denied { read } for pid=29545 comm=python2.7 name=urandom dev="devtmpfs" ino=4910 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
----
type=PATH msg=audit(11/08/2013 10:33:30.841:1333) : item=1 name=/tmp/jGemB5 inode=26154463 dev=fd:03 mode=file,600 ouid=libstoragemgmt ogid=libstoragemgmt rdev=00:00 obj=system_u:object_r:tmp_t:s0 objtype=CREATE
type=PATH msg=audit(11/08/2013 10:33:30.841:1333) : item=0 name=/tmp/ inode=25165953 dev=fd:03 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tmp_t:s0 objtype=PARENT
type=CWD msg=audit(11/08/2013 10:33:30.841:1333) : cwd=/
type=SYSCALL msg=audit(11/08/2013 10:33:30.841:1333) : arch=x86_64 syscall=open success=yes exit=6 a0=0x1ea7c40 a1=O_RDWR|O_CREAT|O_EXCL|O_NOFOLLOW a2=0600 a3=0x0 items=2 ppid=29521 pid=29545 auid=unset uid=libstoragemgmt gid=libstoragemgmt euid=libstoragemgmt suid=libstoragemgmt fsuid=libstoragemgmt egid=libstoragemgmt sgid=libstoragemgmt fsgid=libstoragemgmt tty=(none) ses=unset comm=python2.7 exe=/usr/bin/python2.7 subj=system_u:system_r:lsmd_t:s0 key=(null)
type=AVC msg=audit(11/08/2013 10:33:30.841:1333) : avc: denied { create } for pid=29545 comm=python2.7 name=jGemB5 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(11/08/2013 10:33:30.841:1333) : avc: denied { add_name } for pid=29545 comm=python2.7 name=jGemB5 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(11/08/2013 10:33:30.841:1333) : avc: denied { write } for pid=29545 comm=python2.7 name=tmp dev="vda3" ino=25165953 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
----
type=PATH msg=audit(11/08/2013 10:33:30.841:1334) : item=1 name=/tmp/jGemB5 inode=26154463 dev=fd:03 mode=file,600 ouid=libstoragemgmt ogid=libstoragemgmt rdev=00:00 obj=system_u:object_r:tmp_t:s0 objtype=DELETE
type=PATH msg=audit(11/08/2013 10:33:30.841:1334) : item=0 name=/tmp/ inode=25165953 dev=fd:03 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tmp_t:s0 objtype=PARENT
type=CWD msg=audit(11/08/2013 10:33:30.841:1334) : cwd=/
type=SYSCALL msg=audit(11/08/2013 10:33:30.841:1334) : arch=x86_64 syscall=unlink success=yes exit=0 a0=0x1e2d4d0 a1=0xffffffff a2=0x38cf9bbf88 a3=0x0 items=2 ppid=29521 pid=29545 auid=unset uid=libstoragemgmt gid=libstoragemgmt euid=libstoragemgmt suid=libstoragemgmt fsuid=libstoragemgmt egid=libstoragemgmt sgid=libstoragemgmt fsgid=libstoragemgmt tty=(none) ses=unset comm=python2.7 exe=/usr/bin/python2.7 subj=system_u:system_r:lsmd_t:s0 key=(null)
type=AVC msg=audit(11/08/2013 10:33:30.841:1334) : avc: denied { unlink } for pid=29545 comm=python2.7 name=jGemB5 dev="vda3" ino=26154463 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(11/08/2013 10:33:30.841:1334) : avc: denied { remove_name } for pid=29545 comm=python2.7 name=jGemB5 dev="vda3" ino=26154463 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
----
type=PATH msg=audit(11/08/2013 10:33:31.270:1337) : item=0 name=/etc/resolv.conf inode=9210153 dev=fd:03 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:net_conf_t:s0 objtype=NORMAL
type=CWD msg=audit(11/08/2013 10:33:31.270:1337) : cwd=/
type=SYSCALL msg=audit(11/08/2013 10:33:31.270:1337) : arch=x86_64 syscall=open success=yes exit=5 a0=0x38ca37d3e8 a1=O_RDONLY|O_CLOEXEC a2=0x1b6 a3=0x38ca288210 items=1 ppid=29521 pid=29574 auid=unset uid=libstoragemgmt gid=libstoragemgmt euid=libstoragemgmt suid=libstoragemgmt fsuid=libstoragemgmt egid=libstoragemgmt sgid=libstoragemgmt fsgid=libstoragemgmt tty=(none) ses=unset comm=python2.7 exe=/usr/bin/python2.7 subj=system_u:system_r:lsmd_t:s0 key=(null)
type=AVC msg=audit(11/08/2013 10:33:31.270:1337) : avc: denied { open } for pid=29574 comm=python2.7 path=/etc/resolv.conf dev="vda3" ino=9210153 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
type=AVC msg=audit(11/08/2013 10:33:31.270:1337) : avc: denied { read } for pid=29574 comm=python2.7 name=resolv.conf dev="vda3" ino=9210153 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
----
type=SYSCALL msg=audit(11/08/2013 10:33:31.270:1338) : arch=x86_64 syscall=fstat success=yes exit=0 a0=0x5 a1=0x7fffed10f7b0 a2=0x7fffed10f7b0 a3=0x0 items=0 ppid=29521 pid=29574 auid=unset uid=libstoragemgmt gid=libstoragemgmt euid=libstoragemgmt suid=libstoragemgmt fsuid=libstoragemgmt egid=libstoragemgmt sgid=libstoragemgmt fsgid=libstoragemgmt tty=(none) ses=unset comm=python2.7 exe=/usr/bin/python2.7 subj=system_u:system_r:lsmd_t:s0 key=(null)
type=AVC msg=audit(11/08/2013 10:33:31.270:1338) : avc: denied { getattr } for pid=29574 comm=python2.7 path=/etc/resolv.conf dev="vda3" ino=9210153 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
----
type=SYSCALL msg=audit(11/08/2013 10:33:31.270:1339) : arch=x86_64 syscall=socket success=yes exit=5 a0=inet a1=SOCK_DGRAM a2=ip a3=0x1 items=0 ppid=29521 pid=29574 auid=unset uid=libstoragemgmt gid=libstoragemgmt euid=libstoragemgmt suid=libstoragemgmt fsuid=libstoragemgmt egid=libstoragemgmt sgid=libstoragemgmt fsgid=libstoragemgmt tty=(none) ses=unset comm=python2.7 exe=/usr/bin/python2.7 subj=system_u:system_r:lsmd_t:s0 key=(null)
type=AVC msg=audit(11/08/2013 10:33:31.270:1339) : avc: denied { create } for pid=29574 comm=python2.7 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:system_r:lsmd_t:s0 tclass=udp_socket
----
type=SOCKADDR msg=audit(11/08/2013 10:33:31.271:1340) : saddr=inet host:192.168.122.1 serv:53
type=SYSCALL msg=audit(11/08/2013 10:33:31.271:1340) : arch=x86_64 syscall=connect success=yes exit=0 a0=0x5 a1=0xaf1350 a2=0x10 a3=0x1 items=0 ppid=29521 pid=29574 auid=unset uid=libstoragemgmt gid=libstoragemgmt euid=libstoragemgmt suid=libstoragemgmt fsuid=libstoragemgmt egid=libstoragemgmt sgid=libstoragemgmt fsgid=libstoragemgmt tty=(none) ses=unset comm=python2.7 exe=/usr/bin/python2.7 subj=system_u:system_r:lsmd_t:s0 key=(null)
type=AVC msg=audit(11/08/2013 10:33:31.271:1340) : avc: denied { connect } for pid=29574 comm=python2.7 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:system_r:lsmd_t:s0 tclass=udp_socket
----
type=SYSCALL msg=audit(11/08/2013 10:33:31.313:1341) : arch=x86_64 syscall=ioctl success=yes exit=0 a0=0x5 a1=0x541b a2=0x7fffed10fb80 a3=0x4000 items=0 ppid=29521 pid=29574 auid=unset uid=libstoragemgmt gid=libstoragemgmt euid=libstoragemgmt suid=libstoragemgmt fsuid=libstoragemgmt egid=libstoragemgmt sgid=libstoragemgmt fsgid=libstoragemgmt tty=(none) ses=unset comm=python2.7 exe=/usr/bin/python2.7 subj=system_u:system_r:lsmd_t:s0 key=(null)
type=AVC msg=audit(11/08/2013 10:33:31.313:1341) : avc: denied { getattr } for pid=29574 comm=python2.7 path=socket:[119147] dev="sockfs" ino=119147 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:system_r:lsmd_t:s0 tclass=udp_socket
----
type=PATH msg=audit(11/08/2013 10:33:31.863:1343) : item=1 name=/tmp/BqLXuZ inode=26154463 dev=fd:03 mode=file,600 ouid=libstoragemgmt ogid=libstoragemgmt rdev=00:00 obj=system_u:object_r:tmp_t:s0 objtype=DELETE
type=PATH msg=audit(11/08/2013 10:33:31.863:1343) : item=0 name=/tmp/ inode=25165953 dev=fd:03 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tmp_t:s0 objtype=PARENT
type=CWD msg=audit(11/08/2013 10:33:31.863:1343) : cwd=/
type=SYSCALL msg=audit(11/08/2013 10:33:31.863:1343) : arch=x86_64 syscall=unlink success=yes exit=0 a0=0x24fa4d0 a1=0xffffffff a2=0x38cf9bbf88 a3=0x0 items=2 ppid=29521 pid=29620 auid=unset uid=libstoragemgmt gid=libstoragemgmt euid=libstoragemgmt suid=libstoragemgmt fsuid=libstoragemgmt egid=libstoragemgmt sgid=libstoragemgmt fsgid=libstoragemgmt tty=(none) ses=unset comm=python2.7 exe=/usr/bin/python2.7 subj=system_u:system_r:lsmd_t:s0 key=(null)
type=AVC msg=audit(11/08/2013 10:33:31.863:1343) : avc: denied { unlink } for pid=29620 comm=python2.7 name=BqLXuZ dev="vda3" ino=26154463 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
----
type=PATH msg=audit(11/08/2013 10:33:31.865:1344) : item=0 name=/tmp/lsm_sim_data inode=25908111 dev=fd:03 mode=file,666 ouid=libstoragemgmt ogid=libstoragemgmt rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 objtype=NORMAL
type=CWD msg=audit(11/08/2013 10:33:31.865:1344) : cwd=/
type=SYSCALL msg=audit(11/08/2013 10:33:31.865:1344) : arch=x86_64 syscall=open success=yes exit=5 a0=0x2579490 a1=O_RDONLY a2=0x1b6 a3=0x0 items=1 ppid=29521 pid=29620 auid=unset uid=libstoragemgmt gid=libstoragemgmt euid=libstoragemgmt suid=libstoragemgmt fsuid=libstoragemgmt egid=libstoragemgmt sgid=libstoragemgmt fsgid=libstoragemgmt tty=(none) ses=unset comm=python2.7 exe=/usr/bin/python2.7 subj=system_u:system_r:lsmd_t:s0 key=(null)
type=AVC msg=audit(11/08/2013 10:33:31.865:1344) : avc: denied { open } for pid=29620 comm=python2.7 path=/tmp/lsm_sim_data dev="vda3" ino=25908111 scontext=system_u:system_r:lsmd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
----
type=PATH msg=audit(11/08/2013 10:33:31.942:1345) : item=0 name=/tmp/lsm_sim_data inode=25908111 dev=fd:03 mode=file,666 ouid=libstoragemgmt ogid=libstoragemgmt rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 objtype=NORMAL
type=CWD msg=audit(11/08/2013 10:33:31.942:1345) : cwd=/
type=SYSCALL msg=audit(11/08/2013 10:33:31.942:1345) : arch=x86_64 syscall=chmod success=yes exit=0 a0=0x2539640 a1=0666 a2=0x38cf9bbf88 a3=0x0 items=1 ppid=29521 pid=29620 auid=unset uid=libstoragemgmt gid=libstoragemgmt euid=libstoragemgmt suid=libstoragemgmt fsuid=libstoragemgmt egid=libstoragemgmt sgid=libstoragemgmt fsgid=libstoragemgmt tty=(none) ses=unset comm=python2.7 exe=/usr/bin/python2.7 subj=system_u:system_r:lsmd_t:s0 key=(null)
type=AVC msg=audit(11/08/2013 10:33:31.942:1345) : avc: denied { setattr } for pid=29620 comm=python2.7 name=lsm_sim_data dev="vda3" ino=25908111 scontext=system_u:system_r:lsmd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
----
Here is the output from audit2allow:
#============= lsmd_t ==============
allow lsmd_t net_conf_t:file { read getattr open };
allow lsmd_t proc_t:file { read getattr open };
allow lsmd_t self:udp_socket { create connect getattr };
allow lsmd_t tmp_t:dir { write remove_name add_name };
allow lsmd_t tmp_t:file { create unlink };
#!!!! This avc can be allowed using the boolean 'global_ssp'
allow lsmd_t urandom_device_t:chr_file { read open };
allow lsmd_t user_tmp_t:file { open setattr };
#
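The audit2allow summary above folds every denial into one rule set, which loses a distinction this comment makes by hand: the first batch of AVCs was refused in enforcing mode (SYSCALL success=no), the second batch was only logged in permissive mode (success=yes). The following Python is an added example, not code from the bug report or from the selinux-policy project: it parses `ausearch -i`-style records, joins each AVC record to the SYSCALL record that shares its event serial, and renders audit2allow-style rules annotated with what the kernel actually did. The sample records are constructed (trimmed copies of records from this comment); the rule rendering and the `self` shorthand for source == target are the example's own.

```python
"""Aggregate AVC denials from `ausearch -i` output into audit2allow-style allow
rules, joined to the SYSCALL record of the same event so the output says whether
each access was actually refused (enforcing) or only logged (permissive)."""
import re
from collections import defaultdict

# Constructed sample: records trimmed from the ones in the bug report.
# Event 861 comes from the enforcing-mode run (success=no), event 1337 from the
# permissive run (success=yes); event 1339 deliberately has no SYSCALL record.
SAMPLE = """\
type=SYSCALL msg=audit(11/08/2013 10:22:24.897:861) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) pid=4565 comm=python2.7 subj=system_u:system_r:lsmd_t:s0
type=AVC msg=audit(11/08/2013 10:22:24.897:861) : avc: denied { read } for pid=4565 comm=python2.7 name=meminfo dev="proc" ino=4026532027 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=SYSCALL msg=audit(11/08/2013 10:33:31.270:1337) : arch=x86_64 syscall=open success=yes exit=5 pid=29574 comm=python2.7 subj=system_u:system_r:lsmd_t:s0
type=AVC msg=audit(11/08/2013 10:33:31.270:1337) : avc: denied { open } for pid=29574 comm=python2.7 path=/etc/resolv.conf dev="vda3" ino=9210153 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
type=AVC msg=audit(11/08/2013 10:33:31.270:1337) : avc: denied { read } for pid=29574 comm=python2.7 name=resolv.conf dev="vda3" ino=9210153 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
type=AVC msg=audit(11/08/2013 10:33:31.270:1339) : avc: denied { create } for pid=29574 comm=python2.7 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:system_r:lsmd_t:s0 tclass=udp_socket
"""

# Event serial is the number after the last ':' inside msg=audit(...).
SERIAL_RE = re.compile(r"msg=audit\([^)]*:(\d+)\)")
SUCCESS_RE = re.compile(r"\bsuccess=(yes|no)\b")
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Type field of a user:role:type[:range] security context."""
    return ctx.split(":")[2]


def parse_avcs(text):
    """One dict per AVC record; 'refused' is True/False from the matching SYSCALL, None if absent."""
    refused = {}   # event serial -> True when the syscall returned a permission error
    avcs = []
    for line in text.splitlines():
        serial = SERIAL_RE.search(line)
        if not serial:
            continue
        if line.startswith("type=SYSCALL"):
            ok = SUCCESS_RE.search(line)
            if ok:
                refused[serial.group(1)] = (ok.group(1) == "no")
        elif line.startswith("type=AVC"):
            m = AVC_RE.search(line)
            if m:
                avcs.append({
                    "serial": serial.group(1),
                    "perms": set(m.group("perms").split()),
                    "stype": context_type(m.group("scon")),
                    "ttype": context_type(m.group("tcon")),
                    "tclass": m.group("tclass"),
                })
    for rec in avcs:
        rec["refused"] = refused.get(rec["serial"])
    return avcs


def aggregate(avcs):
    """Collapse records into rules keyed (source type, target type or 'self', class)."""
    rules = defaultdict(lambda: {"perms": set(), "outcomes": set()})
    for rec in avcs:
        target = "self" if rec["ttype"] == rec["stype"] else rec["ttype"]
        rule = rules[(rec["stype"], target, rec["tclass"])]
        rule["perms"] |= rec["perms"]
        rule["outcomes"].add(rec["refused"])
    return dict(rules)


def render(rules):
    """Policy-style lines, sorted, each annotated with what the kernel actually did."""
    out = []
    for (stype, target, tclass), rule in sorted(rules.items()):
        if True in rule["outcomes"]:
            note = "refused (enforcing)"
        elif False in rule["outcomes"]:
            note = "allowed but logged (permissive)"
        else:
            note = "no matching SYSCALL record"
        perms = " ".join(sorted(rule["perms"]))
        out.append(f"allow {stype} {target}:{tclass} {{ {perms} }};  # {note}")
    return out


if __name__ == "__main__":
    print("\n".join(render(aggregate(parse_avcs(SAMPLE)))))
```

Like audit2allow output, the rendered lines are a review aid rather than policy to load as-is; the annotation is what makes the next question in this thread (whether these accesses belong in lsmd_t at all or in a separate plugin domain) answerable from the log alone.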
Ok, the question now is if we need to have a new domain (lsmd_plugin_t for example). Probably we should ask lsmd folks what these plugins do.
commit 4f72504c1cb09d526f75302b5d5ab3cf39dc5588
Author: Miroslav Grepl <mgrepl>
Date: Tue Nov 26 17:49:39 2013 +0100
Add lsmd_plugin_t for lsm plugins
commit bb9750eb405cd031fa32385664418bb629553b82
Author: Miroslav Grepl <mgrepl>
Date: Fri Nov 29 11:40:22 2013 +0100
Allow lsmd_plugin_t send system log messages
# ps -efZ | grep init_t
system_u:system_r:init_t:s0 root 1 0 0 10:19 ? 00:00:02 /usr/lib/systemd/systemd --system --deserialize 24
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 3875 7641 0 11:45 pts/0 00:00:00 grep --color=auto init_t
Even "watch -n 1 'ps -efZ | grep init_t'" command (which was running at the same time as the test case) did not show other processes running as init_t.
commit 82f025f878e67aac45f527cee63fa290897679f5
Author: Miroslav Grepl <mgrepl>
Date: Fri Jan 10 09:58:57 2014 +0100
Allow lsmd plugins stream connect to lsmd/init
This request was resolved in Red Hat Enterprise Linux 7.0. Contact your manager or support representative in case you have further questions about the request.
Description of problem:

Version-Release number of selected component (if applicable):
libstoragemgmt-0.0.22-4.el7.x86_64
libstoragemgmt-devel-0.0.22-4.el7.x86_64
libstoragemgmt-netapp-plugin-0.0.22-4.el7.noarch
libstoragemgmt-nstor-plugin-0.0.22-4.el7.noarch
libstoragemgmt-python-0.0.22-4.el7.noarch
libstoragemgmt-smis-plugin-0.0.22-4.el7.noarch
libstoragemgmt-targetd-plugin-0.0.22-4.el7.noarch
selinux-policy-3.12.1-98.el7.noarch
selinux-policy-devel-3.12.1-98.el7.noarch
selinux-policy-doc-3.12.1-98.el7.noarch
selinux-policy-minimum-3.12.1-98.el7.noarch
selinux-policy-mls-3.12.1-98.el7.noarch
selinux-policy-targeted-3.12.1-98.el7.noarch

How reproducible:
always

Steps to Reproduce:
# service libstoragemgmt start
# for I in VOLUMES INITIATORS POOLS FS SNAPSHOTS EXPORTS NFS_CLIENT_AUTH ACCESS_GROUPS SYSTEMS ; do lsmcli -l $I -u 'sim://' ; done
# search for AVCs

Actual results:
----
type=PATH msg=audit(11/07/2013 17:16:27.410:7783) : item=0 name=/usr/bin/sim_lsmplugin inode=6433551 dev=08:04 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0 objtype=NORMAL
type=CWD msg=audit(11/07/2013 17:16:27.410:7783) : cwd=/
type=SYSCALL msg=audit(11/07/2013 17:16:27.410:7783) : arch=x86_64 syscall=execve success=no exit=-13(Permission denied) a0=0x7f0c2738c050 a1=0x7fff756f1960 a2=0x7fff756f1bc0 a3=0x0 items=1 ppid=32719 pid=32746 auid=unset uid=libstoragemgmt gid=libstoragemgmt euid=libstoragemgmt suid=libstoragemgmt fsuid=libstoragemgmt egid=libstoragemgmt sgid=libstoragemgmt fsgid=libstoragemgmt tty=(none) ses=unset comm=lsmd exe=/usr/bin/lsmd subj=system_u:system_r:lsmd_t:s0 key=(null)
type=AVC msg=audit(11/07/2013 17:16:27.410:7783) : avc: denied { execute } for pid=32746 comm=lsmd name=sim_lsmplugin dev="sda4" ino=6433551 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
----

Expected results:
* no AVCs