Bug 1130675

Summary: SELinux leads drbd.service to drbdadm: sh: modinfo: command not found
Product: Red Hat Enterprise Linux 7 Reporter: Robert Scheck <redhat-bugzilla>
Component: selinux-policyAssignee: Lukas Vrabec <lvrabec>
Status: CLOSED DUPLICATE QA Contact: Milos Malik <mmalik>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 7.0CC: lvrabec, mgrepl, mmalik, redhat-bugzilla, robert.scheck, sebastien.caps
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.13.1-30.el7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-10-19 06:01:42 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Robert Scheck 2014-08-16 00:09:59 UTC 
Description of problem:
[root@tux ~]# systemctl start drbd.service
Job for drbd.service failed. See 'systemctl status drbd.service' and 'journalctl -xn' for details.
[root@tux ~]#

[root@tux ~]# systemctl status drbd.service
drbd.service - DRBD -- please disable. Unless you are NOT using a cluster manager.
   Loaded: loaded (/usr/lib/systemd/system/drbd.service; disabled)
   Active: failed (Result: exit-code) since Fr 2014-08-15 21:13:43 CEST; 4s ago
  Process: 3469 ExecStart=/sbin/drbdadm adjust-with-progress all (code=exited, status=1/FAILURE)
  Process: 3464 ExecStartPre=/sbin/drbdadm sh-nop (code=exited, status=0/SUCCESS)
 Main PID: 3469 (code=exited, status=1/FAILURE)

Aug 15 21:13:43 tux.example.net drbdadm[3469]: sh: modinfo: command not found
Aug 15 21:13:43 tux.example.net drbdadm[3469]: [
Aug 15 21:13:43 tux.example.net drbdadm[3469]: create res: data:failed(new-resource:20) www:failed(new-resource:20)
Aug 15 21:13:43 tux.example.net drbdadm[3469]: prepare disk: [skipped:data] [skipped:www]
Aug 15 21:13:43 tux.example.net drbdadm[3469]: adjust disk: [skipped:data] [skipped:www]
Aug 15 21:13:43 tux.example.net drbdadm[3469]: adjust net: [skipped:data] [skipped:www]
Aug 15 21:13:43 tux.example.net drbdadm[3469]: ]
Aug 15 21:13:43 tux.example.net systemd[1]: drbd.service: main process exited, code=exited, status=1/FAILURE
Aug 15 21:13:43 tux.example.net systemd[1]: Failed to start DRBD -- please disable. Unless you are NOT using a cluster manager..
Aug 15 21:13:43 tux.example.net systemd[1]: Unit drbd.service entered failed state.
[root@tux ~]#

[root@tux ~]# which modinfo
/usr/sbin/modinfo
[root@tux ~]#

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.12.1-153.el7_0.10.noarch

DRBD 8.4.5 and drbd-utils 8.9.1, built from the regular upstream release 
tarballs.

How reproducible:
Everytime, see above and below.

Actual results:
SELinux leads drbd.service to drbdadm: sh: modinfo: command not found

Expected results:
No AVC denied and starting service.

Additional info:
type=SERVICE_START msg=audit(1408147326.087:1931): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="drbd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1408147328.872:1932): avc:  denied  { write } for  pid=6349 comm="drbdsetup-84" name="drbd" dev="tmpfs" ino=35226 scontext=system_u:system_r:drbd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=dir
type=AVC msg=audit(1408147328.872:1932): avc:  denied  { remove_name } for  pid=6349 comm="drbdsetup-84" name="drbd-minor-0.conf" dev="tmpfs" ino=10149 scontext=system_u:system_r:drbd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=dir
type=AVC msg=audit(1408147328.872:1932): avc:  denied  { unlink } for  pid=6349 comm="drbdsetup-84" name="drbd-minor-0.conf" dev="tmpfs" ino=10149 scontext=system_u:system_r:drbd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1408147328.872:1932): arch=c000003e syscall=87 success=yes exit=0 a0=7fff064649f0 a1=40cd11 a2=7fff06464a0f a3=7fff064647b0 items=0 ppid=6348 pid=6349 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="drbdsetup-84" exe="/usr/lib/drbd/drbdsetup-84" subj=system_u:system_r:drbd_t:s0 key=(null)
type=SERVICE_STOP msg=audit(1408147328.936:1933): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="drbd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1408147328.945:1934): avc:  denied  { add_name } for  pid=6359 comm="drbdadm-84" name="drbd-resource-data.conf" scontext=system_u:system_r:drbd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=dir
type=AVC msg=audit(1408147328.945:1934): avc:  denied  { create } for  pid=6359 comm="drbdadm-84" name="drbd-resource-data.conf" scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1408147328.945:1934): arch=c000003e syscall=88 success=yes exit=0 a0=76a250 a1=7fffbd238b30 a2=1000 a3=7fffbd2378c0 items=0 ppid=1 pid=6359 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="drbdadm-84" exe="/usr/lib/drbd/drbdadm-84" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1408147328.950:1935): avc:  denied  { read write } for  pid=6368 comm="drbdmeta" name="drbd-147-0" dev="tmpfs" ino=31463 scontext=system_u:system_r:drbd_t:s0 tcontext=unconfined_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1408147328.950:1935): avc:  denied  { open } for  pid=6368 comm="drbdmeta" path="/run/lock/drbd-147-0" dev="tmpfs" ino=31463 scontext=system_u:system_r:drbd_t:s0 tcontext=unconfined_u:object_r:var_lock_t:s0 tclass=file
type=SYSCALL msg=audit(1408147328.950:1935): arch=c000003e syscall=2 success=yes exit=2 a0=1c734a0 a1=42 a2=180 a3=7fff369e64a0 items=0 ppid=6359 pid=6368 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="drbdmeta" exe="/usr/sbin/drbdmeta" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1408147328.950:1936): avc:  denied  { lock } for  pid=6368 comm="drbdmeta" path="/run/lock/drbd-147-0" dev="tmpfs" ino=31463 scontext=system_u:system_r:drbd_t:s0 tcontext=unconfined_u:object_r:var_lock_t:s0 tclass=file
type=SYSCALL msg=audit(1408147328.950:1936): arch=c000003e syscall=72 success=yes exit=0 a0=2 a1=7 a2=7fff369e66e0 a3=7fff369e64a0 items=0 ppid=6359 pid=6368 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="drbdmeta" exe="/usr/sbin/drbdmeta" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1408147328.952:1937): avc:  denied  { write } for  pid=6368 comm="drbdmeta" name="sda3" dev="devtmpfs" ino=1253 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
type=SYSCALL msg=audit(1408147328.952:1937): arch=c000003e syscall=2 success=yes exit=4 a0=1c73410 a1=4002 a2=61a630 a3=7fff369a6540 items=0 ppid=6359 pid=6368 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="drbdmeta" exe="/usr/sbin/drbdmeta" subj=system_u:system_r:drbd_t:s0 key=(null)
Comment 1 Robert Scheck 2014-08-16 00:13:49 UTC 
Above was with "setenforce 0", below was before with "setenforce 1":

type=AVC msg=audit(1408130023.468:225): avc:  denied  { read } for  pid=3465 comm="sh" name="passwd" dev="sda1" ino=787104 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=SYSCALL msg=audit(1408130023.468:225): arch=c000003e syscall=2 success=no exit=-13 a0=7f271e1add8a a1=80000 a2=1b6 a3=0 items=0 ppid=3464 pid=3465 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1408130023.469:226): avc:  denied  { getattr } for  pid=3465 comm="sh" path="/usr/bin/kmod" dev="sda1" ino=922458 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1408130023.469:226): arch=c000003e syscall=4 success=no exit=-13 a0=23d3ce0 a1=7fffdaf907d0 a2=7fffdaf907d0 a3=12 items=0 ppid=3464 pid=3465 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1408130023.481:227): avc:  denied  { read } for  pid=3466 comm="sh" name="passwd" dev="sda1" ino=787104 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=SYSCALL msg=audit(1408130023.481:227): arch=c000003e syscall=2 success=no exit=-13 a0=7ffe7c3e1d8a a1=80000 a2=1b6 a3=0 items=0 ppid=3464 pid=3466 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1408130023.482:228): avc:  denied  { getattr } for  pid=3466 comm="sh" path="/usr/bin/kmod" dev="sda1" ino=922458 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1408130023.482:228): arch=c000003e syscall=4 success=no exit=-13 a0=96ece0 a1=7fffd5a675c0 a2=7fffd5a675c0 a3=12 items=0 ppid=3464 pid=3466 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1408130023.492:229): avc:  denied  { read } for  pid=3471 comm="sh" name="passwd" dev="sda1" ino=787104 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=SYSCALL msg=audit(1408130023.492:229): arch=c000003e syscall=2 success=no exit=-13 a0=7fcd9f2d1d8a a1=80000 a2=1b6 a3=0 items=0 ppid=3469 pid=3471 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1408130023.493:230): avc:  denied  { getattr } for  pid=3471 comm="sh" path="/usr/bin/kmod" dev="sda1" ino=922458 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1408130023.493:230): arch=c000003e syscall=4 success=no exit=-13 a0=1f2dce0 a1=7fff7005e3b0 a2=7fff7005e3b0 a3=12 items=0 ppid=3469 pid=3471 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1408130023.495:231): avc:  denied  { read } for  pid=3472 comm="sh" name="passwd" dev="sda1" ino=787104 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=SYSCALL msg=audit(1408130023.495:231): arch=c000003e syscall=2 success=no exit=-13 a0=7f455f3acd8a a1=80000 a2=1b6 a3=0 items=0 ppid=3469 pid=3472 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1408130023.496:232): avc:  denied  { getattr } for  pid=3472 comm="sh" path="/usr/bin/kmod" dev="sda1" ino=922458 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1408130023.496:232): arch=c000003e syscall=4 success=no exit=-13 a0=1d6ece0 a1=7fffa34db560 a2=7fffa34db560 a3=12 items=0 ppid=3469 pid=3472 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1408130023.503:233): avc:  denied  { read } for  pid=3474 comm="sh" name="passwd" dev="sda1" ino=787104 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=SYSCALL msg=audit(1408130023.503:233): arch=c000003e syscall=2 success=no exit=-13 a0=7f82873aed8a a1=80000 a2=1b6 a3=0 items=0 ppid=3473 pid=3474 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1408130023.503:234): avc:  denied  { execute } for  pid=3474 comm="sh" name="kmod" dev="sda1" ino=922458 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1408130023.503:234): arch=c000003e syscall=59 success=no exit=-13 a0=1841bb0 a1=1841e10 a2=1840ef0 a3=7fff0239eac0 items=0 ppid=3473 pid=3474 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1408130023.503:235): avc:  denied  { getattr } for  pid=3474 comm="sh" path="/usr/bin/kmod" dev="sda1" ino=922458 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1408130023.503:235): arch=c000003e syscall=4 success=no exit=-13 a0=1841bb0 a1=7fff0239ec50 a2=7fff0239ec50 a3=7fff0239eac0 items=0 ppid=3473 pid=3474 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1408130023.503:236): avc:  denied  { getattr } for  pid=3474 comm="sh" path="/usr/bin/kmod" dev="sda1" ino=922458 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1408130023.503:236): arch=c000003e syscall=4 success=no exit=-13 a0=1841bb0 a1=7fff0239ec30 a2=7fff0239ec30 a3=7fff0239eac0 items=0 ppid=3473 pid=3474 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1408130023.506:237): avc:  denied  { read } for  pid=3476 comm="sh" name="passwd" dev="sda1" ino=787104 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=SYSCALL msg=audit(1408130023.506:237): arch=c000003e syscall=2 success=no exit=-13 a0=7f0ed0806d8a a1=80000 a2=1b6 a3=0 items=0 ppid=3475 pid=3476 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1408130023.506:238): avc:  denied  { execute } for  pid=3476 comm="sh" name="kmod" dev="sda1" ino=922458 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1408130023.506:238): arch=c000003e syscall=59 success=no exit=-13 a0=2565bb0 a1=2565e10 a2=2564ef0 a3=7fff7f8ee190 items=0 ppid=3475 pid=3476 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1408130023.506:239): avc:  denied  { getattr } for  pid=3476 comm="sh" path="/usr/bin/kmod" dev="sda1" ino=922458 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1408130023.506:239): arch=c000003e syscall=4 success=no exit=-13 a0=2565bb0 a1=7fff7f8ee320 a2=7fff7f8ee320 a3=7fff7f8ee190 items=0 ppid=3475 pid=3476 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1408130023.506:240): avc:  denied  { getattr } for  pid=3476 comm="sh" path="/usr/bin/kmod" dev="sda1" ino=922458 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1408130023.506:240): arch=c000003e syscall=4 success=no exit=-13 a0=2565bb0 a1=7fff7f8ee300 a2=7fff7f8ee300 a3=7fff7f8ee190 items=0 ppid=3475 pid=3476 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1408130023.508:241): avc:  denied  { read } for  pid=3478 comm="sh" name="passwd" dev="sda1" ino=787104 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=SYSCALL msg=audit(1408130023.508:241): arch=c000003e syscall=2 success=no exit=-13 a0=7f000e8c4d8a a1=80000 a2=1b6 a3=0 items=0 ppid=3477 pid=3478 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1408130023.509:242): avc:  denied  { execute } for  pid=3478 comm="sh" name="kmod" dev="sda1" ino=922458 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1408130023.509:242): arch=c000003e syscall=59 success=no exit=-13 a0=82dbb0 a1=82de10 a2=82cef0 a3=7fffecb652e0 items=0 ppid=3477 pid=3478 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1408130023.509:243): avc:  denied  { getattr } for  pid=3478 comm="sh" path="/usr/bin/kmod" dev="sda1" ino=922458 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1408130023.509:243): arch=c000003e syscall=4 success=no exit=-13 a0=82dbb0 a1=7fffecb65470 a2=7fffecb65470 a3=7fffecb652e0 items=0 ppid=3477 pid=3478 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1408130023.509:244): avc:  denied  { getattr } for  pid=3478 comm="sh" path="/usr/bin/kmod" dev="sda1" ino=922458 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1408130023.509:244): arch=c000003e syscall=4 success=no exit=-13 a0=82dbb0 a1=7fffecb65450 a2=7fffecb65450 a3=7fffecb652e0 items=0 ppid=3477 pid=3478 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1408130023.511:245): avc:  denied  { read } for  pid=3480 comm="sh" name="passwd" dev="sda1" ino=787104 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=SYSCALL msg=audit(1408130023.511:245): arch=c000003e syscall=2 success=no exit=-13 a0=7ff8e61d1d8a a1=80000 a2=1b6 a3=0 items=0 ppid=3479 pid=3480 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1408130023.512:246): avc:  denied  { execute } for  pid=3480 comm="sh" name="kmod" dev="sda1" ino=922458 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1408130023.512:246): arch=c000003e syscall=59 success=no exit=-13 a0=1203bb0 a1=1203e10 a2=1202ef0 a3=7fffaad483b0 items=0 ppid=3479 pid=3480 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1408130023.512:247): avc:  denied  { getattr } for  pid=3480 comm="sh" path="/usr/bin/kmod" dev="sda1" ino=922458 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1408130023.512:247): arch=c000003e syscall=4 success=no exit=-13 a0=1203bb0 a1=7fffaad48540 a2=7fffaad48540 a3=7fffaad483b0 items=0 ppid=3479 pid=3480 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1408130023.512:248): avc:  denied  { getattr } for  pid=3480 comm="sh" path="/usr/bin/kmod" dev="sda1" ino=922458 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1408130023.512:248): arch=c000003e syscall=4 success=no exit=-13 a0=1203bb0 a1=7fffaad48520 a2=7fffaad48520 a3=7fffaad483b0 items=0 ppid=3479 pid=3480 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:drbd_t:s0 key=(null)
Comment 4 Miroslav Grepl 2014-08-18 12:05:01 UTC 
Are there drbd scripts which cause these AVCs?
Comment 5 Robert Scheck 2014-08-18 16:40:02 UTC 
Don't know if it's that what you are looking for?

$ strings /usr/sbin/drbdadm | grep modinfo
modinfo -F version drbd
$ 

$ file /usr/sbin/drbdadm
/usr/sbin/drbdadm: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.32, BuildID[sha1]=0x0d9dade372992ce025fb176b0891f13024fe7817, stripped
$
Comment 9 Miroslav Grepl 2014-11-05 09:28:48 UTC 
commit e2e7de4c5defd0d42ad75b2f3b1c694109ecc59e
Author: Miroslav Grepl <mgrepl>
Date:   Wed Nov 5 10:27:15 2014 +0100

    Make drbd as nsswitch domain to make it working with sssd.
Comment 10 Robert Scheck 2014-11-05 14:26:13 UTC 
Is selinux-policy-3.13.1-8.el7.noarch somewhere available for testing?
Comment 12 Milos Malik 2015-01-19 13:06:46 UTC 
Here are the latest policy RPMs:
 * http://people.redhat.com/dwalsh/SELinux/RHEL7/noarch/

Could you re-test your scenario? Thanks.
Comment 16 Lukas Vrabec 2015-06-30 14:27:46 UTC 
commit b3ffafe59962de5eb494897a695a9670a3302ecb
Author: Lukas Vrabec <lvrabec>
Date:   Tue Jun 30 15:28:18 2015 +0200

    Allow drbd_t write to fixed_disk_device.
Comment 19 Lukas Vrabec 2015-10-15 12:58:43 UTC 
Same issue like in #1134883
Comment 20 Miroslav Grepl 2015-10-19 06:01:42 UTC 

*** This bug has been marked as a duplicate of bug 1134883 ***