Bug 1238061
Summary: | libStorageMgmt: SELinux is preventing /usr/bin/lsmd check user `libstoragemgmt` | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Gris Ge <fge> |
Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | 7.2 | CC: | bgoncalv, lvrabec, mgrepl, mmalik, plautrba, pvrabec, ssekidde, tasleson |
Target Milestone: | rc | ||
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | selinux-policy-3.13.1-39.el7 | Doc Type: | Bug Fix |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2015-11-19 10:38:29 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Gris Ge
2015-07-01 06:25:00 UTC
commit 7fb226b0124bcc8a241a4d3f17c0cd0630734d5f Author: Lukas Vrabec <lvrabec> Date: Thu Jul 16 15:05:51 2015 +0200 Add lsmd_t to nsswitch_domain. Resolves: #1238061 It seems this problem is still present on 7.2 alpha (selinux-policy-3.13.1-37.el7). time->Thu Aug 6 04:18:28 2015 type=SYSCALL msg=audit(1438849108.898:62): arch=c000003e syscall=105 success=no exit=-1 a0=3e2 a1=7f6a06478274 a2=0 a3=7ffc6c277d60 items=0 ppid=1 pid=1937 auid=4294967295 uid=0 gid=991 euid=0 suid=0 fsuid=0 egid=991 sgid=991 fsgid=991 tty=(none) ses=4294967295 comm="lsmd" exe="/usr/bin/lsmd" subj=system_u:system_r:lsmd_t:s0 key=(null) type=AVC msg=audit(1438849108.898:62): avc: denied { setuid } for pid=1937 comm="lsmd" capability=7 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:system_r:lsmd_t:s0 tclass=capability Fail: AVC messages found. Checking for errors... Using stronger AVC checks. Define empty RHTS_OPTION_STRONGER_AVC parameter if this causes any problems. Running 'cat /mnt/testarea/tmp.rhts-db-submit-result.FfRgI4 | /sbin/ausearch -m AVC -m SELINUX_ERR' Fail: AVC messages found. Running 'cat %s | /sbin/ausearch -m USER_AVC >/mnt/testarea/tmp.rhts-db-submit-result.QXAsM9 2>&1' Info: No AVC messages found. /bin/grep 'avc: ' /mnt/testarea/dmesg.log | /bin/grep --invert-match TESTOUT.log No AVC messages found in dmesg Running '/usr/sbin/sestatus' SELinux status: enabled SELinuxfs mount: /sys/fs/selinux SELinux root directory: /etc/selinux Loaded policy name: targeted Current mode: enforcing Mode from config file: enforcing Policy MLS status: enabled Policy deny_unknown status: allowed Max kernel policy version: 28 Running 'rpm -q selinux-policy || true' selinux-policy-3.13.1-37.el7.noarch The AVC is mentioned in BZ#1247114. But I have to agree with you, the automated TC still triggers the AVC on my VMs. This AVC is fixed in -39.el7.noarch version. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2015-2300.html |