Bug 1732956

Summary: dlm_controld needs to execute lvm command
Product: Red Hat Enterprise Linux 8
Component: selinux-policy
Version: 8.1
Target Release: 8.1
Target Milestone: rc
Hardware: All
OS: Linux
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Reporter: David Teigland <teigland>
Assignee: Lukas Vrabec <lvrabec>
QA Contact: Milos Malik <mmalik>
CC: cluster-qe, lvrabec, mmalik, nstraz, plautrba, ssekidde, swhiteho, zpytela
Keywords: AutoVerified
Type: Bug
Doc Type: If docs needed, set a value
Last Closed: 2019-11-05 22:12:08 UTC

Description David Teigland 2019-07-24 20:14:22 UTC
Description of problem:

Copying from bug 1649086:

time->Wed Jul 24 14:32:23 2019
type=PROCTITLE msg=audit(1563996743.271:1477): proctitle=646C6D5F636F6E74726F6C64002D730030
type=SYSCALL msg=audit(1563996743.271:1477): arch=c000003e syscall=59 success=no exit=-13 a0=7ffeb05150c0 a1=7ffeb0515280 a2=7ffeb0515b98 a3=7ffeb0518ec0 items=0 ppid=2221 pid=29252 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dlm_controld" exe="/usr/sbin/dlm_controld" subj=system_u:system_r:dlm_controld_t:s0 key=(null)
type=AVC msg=audit(1563996743.271:1477): avc:  denied  { execute } for  pid=29252 comm="dlm_controld" name="lvm" dev="dm-0" ino=862736 scontext=system_u:system_r:dlm_controld_t:s0 tcontext=system_u:object_r:lvm_exec_t:s0 tclass=file permissive=0
[root@host-114 tmp]# ausearch -ts today -m AVC | audit2allow

Update needed to the selinux policy

#============= dlm_controld_t ==============
allow dlm_controld_t lvm_exec_t:file execute;

Comment 1 Nate Straz 2019-07-24 20:35:23 UTC
Here's a more complete look at the selinux failures in permissive mode. This probably should be handled with a domain transition.


#============= dlm_controld_t ==============
allow dlm_controld_t fixed_disk_device_t:blk_file { getattr ioctl open read };
allow dlm_controld_t kernel_t:system ipc_info;
allow dlm_controld_t lvm_control_t:chr_file { getattr ioctl open read write };
allow dlm_controld_t lvm_etc_t:dir { getattr search };

#!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'
allow dlm_controld_t lvm_exec_t:file map;
allow dlm_controld_t lvm_exec_t:file { execute execute_no_trans open read };

#!!!! This avc can be allowed using the boolean 'authlogin_nsswitch_use_ldap'
allow dlm_controld_t random_device_t:chr_file read;
allow dlm_controld_t self:capability ipc_lock;

#!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'
allow dlm_controld_t tmp_t:file map;
allow dlm_controld_t udev_var_run_t:file { getattr open read };

Comment 2 Lukas Vrabec 2019-07-25 14:29:35 UTC
Fixes from Fedora:
commit 01b97b97fbe4b25a0fe2e3fe09a0a4cc619ac97e (HEAD -> rawhide)
Author: Lukas Vrabec <lvrabec>
Date:   Thu Jul 25 16:29:01 2019 +0200

    Allow dlm_controld_t domain to transition to the lvm_t
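
The records quoted in this bug and the audit2allow output in comment 1 can be reproduced with a small parser, which also shows why comment 1 and the Fedora commit above prefer a domain transition over a blanket execute rule. The following is an added example, not code from this bug report or from selinux-policy: the function names (parse_avc, group_denials, allow_rules, transition_candidates) are mine, and the sample audit text is constructed (the first AVC line is the one quoted in the description; the rest are modelled on the permissive-mode denials in comment 1 and are not real log data).

```python
"""Derive audit2allow-style rules from SELinux AVC records.

Added example for bug 1732956; not part of the bug report or selinux-policy.
"""
import re
from collections import defaultdict

# Only the fields needed for a rule are captured; the rest of the record is ignored.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?scontext=(?P<scontext>\S+)"
    r"\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)

# Constructed sample. Line 1 is the denial quoted in this bug; lines 2-3 are
# modelled on comment 1 (permissive mode, so lvm ran without a transition and
# its own device access was charged to dlm_controld_t); line 4 is not an AVC.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1563996743.271:1477): avc:  denied  { execute } for  pid=29252 comm="dlm_controld" name="lvm" dev="dm-0" ino=862736 scontext=system_u:system_r:dlm_controld_t:s0 tcontext=system_u:object_r:lvm_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1563996800.100:1480): avc:  denied  { execute_no_trans open read } for  pid=29300 comm="dlm_controld" name="lvm" dev="dm-0" ino=862736 scontext=system_u:system_r:dlm_controld_t:s0 tcontext=system_u:object_r:lvm_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1563996800.200:1481): avc:  denied  { open read } for  pid=29300 comm="lvm" name="control" dev="devtmpfs" ino=123 scontext=system_u:system_r:dlm_controld_t:s0 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file permissive=1
type=SYSCALL msg=audit(1563996800.200:1481): arch=c000003e syscall=2 success=yes exit=3
"""


def parse_avc(line):
    """Return the denial's fields as a dict, or None for a non-AVC line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # A context is user:role:type[:range]; the type is the third field.
    return {
        "perms": set(m.group("perms").split()),
        "sdomain": m.group("scontext").split(":")[2],
        "ttype": m.group("tcontext").split(":")[2],
        "tclass": m.group("tclass"),
        "permissive": m.group("permissive") == "1",
    }


def group_denials(audit_text):
    """Union permissions per (source domain, target type, class).

    This is how audit2allow collapses repeated denials into one allow rule.
    """
    grouped = defaultdict(set)
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec:
            grouped[(rec["sdomain"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return dict(grouped)


def allow_rules(grouped):
    """Render the grouped denials in policy syntax, one rule per key."""
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        p = sorted(perms)
        ptxt = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {ptxt};")
    return rules


def transition_candidates(grouped):
    """Flag execute denials on *_exec_t entrypoints.

    Allowing execute/execute_no_trans there keeps the child in the caller's
    domain, so every privilege the executed program needs would have to be
    added to the caller (comment 1 shows lvm's device access landing on
    dlm_controld_t). A domain transition into the program's own domain is the
    least-privilege fix, which is what the Fedora commit in comment 2 does.
    """
    flagged = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        if cls == "file" and tgt.endswith("_exec_t") and perms & {"execute", "execute_no_trans"}:
            flagged.append((src, tgt))
    return flagged


if __name__ == "__main__":
    grouped = group_denials(SAMPLE_AUDIT)
    for rule in allow_rules(grouped):
        print(rule)
    for src, tgt in transition_candidates(grouped):
        print(f"# {src} executes {tgt}: prefer a domain transition over execute_no_trans")
```

Run against the constructed sample, the script prints the same two rules audit2allow would, and flags the dlm_controld_t to lvm_exec_t execute as a transition candidate rather than something to allow directly.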

Comment 17 errata-xmlrpc 2019-11-05 22:12:08 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:3547