Bug 215517
Summary: ricci - Need SELinux policy change to handle modstorage accessing fstab and gfs.ko

| Field | Value |
|---|---|
| Product | Red Hat Enterprise Linux 5 |
| Component | conga |
| Version | 5.0 |
| Status | CLOSED CURRENTRELEASE |
| Severity | medium |
| Priority | medium |
| Hardware | All |
| OS | Linux |
| Reporter | Len DiMaggio <ldimaggi> |
| Assignee | Jim Parsons <jparsons> |
| QA Contact | Corey Marthaler <cmarthal> |
| CC | cluster-maint, dwalsh, kanderso, kupcevic, rmccabe |
| Doc Type | Bug Fix |
| Last Closed | 2007-03-28 19:40:40 UTC |

Description
Len DiMaggio
2006-11-14 14:52:02 UTC
Created attachment 141152
Audit log

Sorry, Dan - we have another train wreck. mod storage wants to write to /etc/fstab so that mount info can be persisted.

Package selinux-policy-2.4.3-13.noarch.rpm solves the above problem with /etc/fstab. I just spotted a new one:

```
type=AVC msg=audit(1163538757.095:457): avc: denied { read } for pid=9922 comm="modinfo" name="gfs.ko" dev=dm-0 ino=2543171 scontext=system_u:system_r:ricci_modstorage_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=file
type=AVC msg=audit(1163538757.099:458): avc: denied { getattr } for pid=9922 comm="modinfo" name="gfs.ko" dev=dm-0 ino=2543171 scontext=system_u:system_r:ricci_modstorage_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=file
type=AVC_PATH msg=audit(1163538757.099:458): path="/lib/modules/2.6.18-1.2740.el5/extra/gfs/gfs.ko"
```

Fixed in selinux-policy-2.4.4-1

Verified to be fixed in selinux-policy-2.4.4-1 - I'll close the bz when the policy makes it into a build.

Verified fix with these packages:
modcluster-0.8-27.el5
selinux-policy-2.4.6-28.el5
selinux-policy-targeted-2.4.6-28.el5
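
For readers triaging denials like the ones in this report, the following added example (not part of the bug thread, and not the change that shipped in selinux-policy) groups the AVC records by source type, target type and class, attaches the AVC_PATH record that shares the same audit serial, and prints a candidate allow rule for review. The function names are assumptions of this example; the log lines are the ones quoted in the report.

```python
import re
from collections import defaultdict

# Audit records copied from the report above, one record per line.
SAMPLE = """\
type=AVC msg=audit(1163538757.095:457): avc: denied { read } for pid=9922 comm="modinfo" name="gfs.ko" dev=dm-0 ino=2543171 scontext=system_u:system_r:ricci_modstorage_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=file
type=AVC msg=audit(1163538757.099:458): avc: denied { getattr } for pid=9922 comm="modinfo" name="gfs.ko" dev=dm-0 ino=2543171 scontext=system_u:system_r:ricci_modstorage_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=file
type=AVC_PATH msg=audit(1163538757.099:458): path="/lib/modules/2.6.18-1.2740.el5/extra/gfs/gfs.ko"
"""

HEAD = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
PERMS = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def type_of(context):
    """Return the type field of a user:role:type:level security context."""
    return context.split(":")[2]

def summarize(log):
    """Group denied permissions and object paths by (source, target, class)."""
    rules = defaultdict(set)   # key -> denied permissions
    paths = defaultdict(set)   # key -> paths taken from AVC_PATH records
    event_key = {}             # audit serial -> key of the AVC in that event
    for line in log.splitlines():
        m = HEAD.match(line.strip())
        if not m:
            continue
        rtype, _stamp, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        denied = PERMS.search(body)
        if rtype == "AVC" and denied:
            key = (type_of(fields["scontext"]),
                   type_of(fields["tcontext"]), fields["tclass"])
            rules[key].update(denied.group(1).split())
            event_key[serial] = key
        elif rtype == "AVC_PATH" and serial in event_key:
            # Same serial means same audit event as the AVC record.
            paths[event_key[serial]].add(fields["path"])
    return rules, paths

def allow_rules(rules):
    """Render candidate allow rules; review each before adding to policy."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(rules.items())]

if __name__ == "__main__":
    found, where = summarize(SAMPLE)
    print("\n".join(allow_rules(found)))
    print(where)
```

Both denials collapse into one rule because they share the same source type, target type and object class; the path shows which file labelled modules_object_t was being read.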