Bug 1031721
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | OpenLMI Hardware provider needs updated selinux policy | | |
| Product | Red Hat Enterprise Linux 7 | Reporter | Peter Schiffer <pschiffe> |
| Component | selinux-policy | Assignee | Miroslav Grepl <mgrepl> |
| Status | CLOSED CURRENTRELEASE | QA Contact | Milos Malik <mmalik> |
| Severity | medium | Docs Contact | |
| Priority | unspecified | | |
| Version | 7.0 | CC | mmalik, pschiffe, riehecky, tsmetana |
| Target Milestone | rc | | |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | selinux-policy-3.12.1-118.el7 | Doc Type | Known Issue |
| Doc Text | The OpenLMI hardware provider does not work on systems with SELinux running in enforcing mode. | | |
| Story Points | --- | | |
| Clone Of | | Environment | |
| Last Closed | 2014-06-13 13:14:51 UTC | Type | Bug |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Attachments | | | |
What is the path to the OpenLMI Hardware provider?

It should be: /usr/libexec/pegasus/cmpiLMI_Hardware-cimprovagt

We probably want to add a new openlmi type using

$ cat mypol.te
policy_module(mypol,1.0)
pegasus_openlmi_domain_template(hardware)

# make -f /usr/share/selinux/devel/Makefile mypol.pp
# semodule -i mypol.pp
# chcon -t pegasus_openlmi_hardware_exec_t /usr/libexec/pegasus/cmpiLMI_Hardware-cimprovagt

Re-test and collect all AVC msgs.

Created attachment 826216 [details]
avc_msgs.txt
recollected AVC msgs
Something is wrong.

ls -lZ /usr/libexec/pegasus/cmpiLMI_Hardware-cimprovagt

# ls -lZ /usr/libexec/pegasus/cmpiLMI_Hardware-cimprovagt
-rwxr-xr-x. root root unconfined_u:object_r:pegasus_openlmi_hardware_exec_t:s0 /usr/libexec/pegasus/cmpiLMI_Hardware-cimprovagt

Which is OK. We should not see pegasus_t but pegasus_openlmi_hardware_t.

*** Bug 1032994 has been marked as a duplicate of this bug. ***

Tomas, could you try to play around with the policy from comment #4?

Any update?

Created attachment 836360 [details]
avc.txt
Miroslav,
this is the latest avc log for the whole hardware provider (after calling all classes and associations).
Also, output of audit2allow says:
#============= pegasus_openlmi_hardware_t ==============
allow pegasus_openlmi_hardware_t dmidecode_exec_t:file { read getattr open execute execute_no_trans };
allow pegasus_openlmi_hardware_t fixed_disk_device_t:blk_file { read getattr open ioctl };
allow pegasus_openlmi_hardware_t fsadm_exec_t:file { read execute open getattr execute_no_trans };
allow pegasus_openlmi_hardware_t hwdata_t:file { read getattr open };
allow pegasus_openlmi_hardware_t memory_device_t:chr_file { read open };
allow pegasus_openlmi_hardware_t self:capability sys_rawio;
allow pegasus_openlmi_hardware_t udev_var_run_t:file { read getattr open };

Do you need any other information to update the selinux policy? Please don't forget we need it on both RHEL-7 and Fedora 20+.
Thanks.
peter
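As an added example (not part of this bug report and not code from the selinux-policy project), the script below turns the audit2allow rules quoted above into a loadable local policy module in the style of `audit2allow -M`, compiles it with checkmodule and semodule_package, loads it with semodule, and then checks that the provider binary carries the pegasus_openlmi_hardware_exec_t label that the comments expect. It assumes the pegasus_openlmi_hardware_t domain already exists on the host (from the pegasus_openlmi_domain_template(hardware) module in comment #4 or from the fixed base policy); the module name lmi_hardware_local and the helper function names are arbitrary choices made for this example.

```shell
#!/bin/sh
# Added example: package the audit2allow rules from this bug as a local
# SELinux module for the pegasus_openlmi_hardware_t domain.
# Assumption: pegasus_openlmi_hardware_t is already defined on the host;
# the module name "lmi_hardware_local" is an arbitrary choice.

# write_te DIR: write DIR/lmi_hardware_local.te containing the require
# block and the seven allow rules audit2allow reported for the provider.
write_te() {
    dir=$1
    cat > "$dir/lmi_hardware_local.te" <<'EOF'
module lmi_hardware_local 1.0;

require {
    type pegasus_openlmi_hardware_t;
    type dmidecode_exec_t;
    type fixed_disk_device_t;
    type fsadm_exec_t;
    type hwdata_t;
    type memory_device_t;
    type udev_var_run_t;
    class file { read getattr open execute execute_no_trans };
    class blk_file { read getattr open ioctl };
    class chr_file { read open };
    class capability sys_rawio;
}

# rules reported by audit2allow for the hardware provider domain
allow pegasus_openlmi_hardware_t dmidecode_exec_t:file { read getattr open execute execute_no_trans };
allow pegasus_openlmi_hardware_t fixed_disk_device_t:blk_file { read getattr open ioctl };
allow pegasus_openlmi_hardware_t fsadm_exec_t:file { read getattr open execute execute_no_trans };
allow pegasus_openlmi_hardware_t hwdata_t:file { read getattr open };
allow pegasus_openlmi_hardware_t memory_device_t:chr_file { read open };
allow pegasus_openlmi_hardware_t self:capability sys_rawio;
allow pegasus_openlmi_hardware_t udev_var_run_t:file { read getattr open };
EOF
}

# count_rules FILE: number of allow rules in a .te file (sanity check
# before loading anything into the kernel policy).
count_rules() {
    grep -c '^allow ' "$1"
}

# build_and_install DIR: compile the module and load it. Returns 2 when the
# SELinux toolchain is not installed, so the script degrades cleanly on a
# workstation without policy tools.
build_and_install() {
    dir=$1
    command -v checkmodule >/dev/null 2>&1 || return 2
    checkmodule -M -m -o "$dir/lmi_hardware_local.mod" "$dir/lmi_hardware_local.te" &&
    semodule_package -o "$dir/lmi_hardware_local.pp" -m "$dir/lmi_hardware_local.mod" &&
    semodule -i "$dir/lmi_hardware_local.pp"
}

# verify_label PATH: succeed only if the provider agent is labelled with the
# entrypoint type the bug comments expect; pegasus_t here means the domain
# transition will not happen and the AVC denials will keep appearing.
verify_label() {
    ls -Z "$1" 2>/dev/null | grep -q 'pegasus_openlmi_hardware_exec_t'
}

# Usage (as root on the target host): sh lmi_hardware_policy.sh install
if [ "${1:-}" = "install" ]; then
    workdir=$(mktemp -d)
    write_te "$workdir"
    build_and_install "$workdir" &&
    verify_label /usr/libexec/pegasus/cmpiLMI_Hardware-cimprovagt
fi
```

The rules grant raw block-device access and the sys_rawio capability, which is exactly what smartctl and dmidecode need but is also more than most CIM providers should hold, so the local module is a stopgap: once the host runs the fixed selinux-policy build (3.12.1-118.el7 per this bug), remove it with `semodule -r lmi_hardware_local` and let the shipped policy confine the provider.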
pegasus_openlmi_hardware_t is what I wanted to see.

commit ced8c5191e38949395bec6067c371ebe40d582fc
Author: Miroslav Grepl <mgrepl>
Date:   Tue Jan 7 18:20:44 2014 +0100

    Add support for cmpiLMI_Hardware-cimprovagt provider

Sorry for the late update: I re-did the steps in comment #4:

[root@rawhide-local ~]# ls -lZ /usr/libexec/pegasus/cmpiLMI_Hardware-cimprovagt
-rwxr-xr-x. root root unconfined_u:object_r:pegasus_openlmi_hardware_exec_t:s0 /usr/libexec/pegasus/cmpiLMI_Hardware-cimprovagt

So this seems to be OK.

This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.
Created attachment 825730 [details]
avc_msgs.txt

Description of problem:
Support for physical disks was added to the OpenLMI Hardware provider. To provide this information, it needs access to the smartctl and lsblk programs. Please add appropriate policies to RHEL-7 and Fedora 20+.

Thanks.