Bug 1732956
Summary: | dlm_controld needs to execute lvm command | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 8 | Reporter: | David Teigland <teigland> |
Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | 8.1 | CC: | cluster-qe, lvrabec, mmalik, nstraz, plautrba, ssekidde, swhiteho, zpytela |
Target Milestone: | rc | Keywords: | AutoVerified |
Target Release: | 8.1 | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | If docs needed, set a value | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2019-11-05 22:12:08 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
David Teigland
2019-07-24 20:14:22 UTC
Here's a more complete look at what selinux failures in permissive mode. This probably should be handled with a domain transition. #============= dlm_controld_t ============== allow dlm_controld_t fixed_disk_device_t:blk_file { getattr ioctl open read }; allow dlm_controld_t kernel_t:system ipc_info; allow dlm_controld_t lvm_control_t:chr_file { getattr ioctl open read write }; allow dlm_controld_t lvm_etc_t:dir { getattr search }; #!!!! This avc can be allowed using the boolean 'domain_can_mmap_files' allow dlm_controld_t lvm_exec_t:file map; allow dlm_controld_t lvm_exec_t:file { execute execute_no_trans open read }; #!!!! This avc can be allowed using the boolean 'authlogin_nsswitch_use_ldap' allow dlm_controld_t random_device_t:chr_file read; allow dlm_controld_t self:capability ipc_lock; #!!!! This avc can be allowed using the boolean 'domain_can_mmap_files' allow dlm_controld_t tmp_t:file map; allow dlm_controld_t udev_var_run_t:file { getattr open read }; Fixes from Fedora: commit 01b97b97fbe4b25a0fe2e3fe09a0a4cc619ac97e (HEAD -> rawhide) Author: Lukas Vrabec <lvrabec> Date: Thu Jul 25 16:29:01 2019 +0200 Allow dlm_controld_t domain to transition to the lvm_t Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:3547 |