Bug 473168

Summary: SELinux policy preventing the mount of GFS2 while making lv via luci
Product: Red Hat Enterprise Linux 5
Reporter: Steve Reichard <sreichar>
Component: selinux-policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE
QA Contact: BaseOS QE <qe-baseos-auto>
Severity: medium
Priority: medium
Version: 5.2
CC: swhiteho
Target Milestone: rc
Target Release: ---
Hardware: x86_64
OS: Linux
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2009-02-07 11:52:15 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 435945

Attachments:
Description    Flags
AVCs           none

Description Steve Reichard 2008-11-26 21:39:56 UTC
Description of problem:

Attempting to use luci to create a new logical volume with a GFS2 file system, mount the file system, and add an entry to /etc/fstab: the lv was made and the FS was created; however, the mount failed and no entry was put in /etc/fstab.

Issuing the mount command on the command line was successful.

SELinux denials were noted.

audit2allow was used to generate a policy, which was loaded.

This cycle was repeated several more times. (After setenforce 0, the result was as expected.)


Version-Release number of selected component (if applicable):
[root@degas ~]# uname -a
Linux degas.lab.bos.redhat.com 2.6.18-92.1.13.el5xen #1 SMP Thu Sep 4 04:07:08 EDT 2008 x86_64 x86_64 x86_64 GNU/Linux
[root@degas ~]# 

The RHN beta policies were put in place to help with previously seen AVCs.

[root@degas ~]# rpmq selinux-policy
selinux-policy-targeted-2.4.6.170.el5 noarch
selinux-policy-2.4.6.170.el5 noarch
[root@degas ~]#

How reproducible:

It was easily reproducible; however, luci hangs/slowness have made it harder to reproduce.

Steps to Reproduce:
1. Use luci to create a CLVM LV with a GFS2 file system that is mounted with an /etc/fstab entry.
Actual results:

LV was made, GFS2 was created, errors (various) were reported, AVC denials were logged.

Expected results:

LV was made, GFS2 was created, fs is mounted, entry is placed in /etc/fstab, no errors



Additional info:


Here are 3 sets of modules that were created:


module host 1.0;

require {
	type ricci_modstorage_t;
	type mount_exec_t;
	type consoletype_exec_t;
	type var_lib_t;
	class dir search;
	class file { execute getattr };
}

#============= ricci_modstorage_t ==============
allow ricci_modstorage_t consoletype_exec_t:file { execute getattr };
allow ricci_modstorage_t mount_exec_t:file execute;
allow ricci_modstorage_t var_lib_t:dir search;


module host2 1.0;

require {
	type ricci_modstorage_t;
	type consoletype_exec_t;
	class file { read execute_no_trans };
}

#============= ricci_modstorage_t ==============
allow ricci_modstorage_t consoletype_exec_t:file { read execute_no_trans };


module host3 1.0;

require {
	type debugfs_t;
	type ricci_modstorage_t;
	type fs_t;
	type file_t;
	type default_t;
	type mount_exec_t;
	type initrc_t;
	type etc_runtime_t;
	class capability { setuid setgid };
	class unix_stream_socket connectto;
	class file { write read execute_no_trans append };
	class dir { search getattr mounton };
	class filesystem mount;
}

#============= ricci_modstorage_t ==============
allow ricci_modstorage_t debugfs_t:dir search;
allow ricci_modstorage_t default_t:dir { getattr mounton };
allow ricci_modstorage_t etc_runtime_t:dir search;
allow ricci_modstorage_t etc_runtime_t:file { write append };
allow ricci_modstorage_t file_t:dir getattr;
allow ricci_modstorage_t fs_t:filesystem mount;
allow ricci_modstorage_t initrc_t:unix_stream_socket connectto;
allow ricci_modstorage_t mount_exec_t:file { read execute_no_trans };
allow ricci_modstorage_t self:capability { setuid setgid };

Comment 1 Steve Reichard 2008-11-26 21:48:34 UTC
Attempting with the first loadable policies, the /etc/fstab entry was added but the FS was not mounted. The policy generated from the AVC is below; will try again.

module host4 1.0;

require {
	type ricci_modstorage_t;
	class capability sys_admin;
}

#============= ricci_modstorage_t ==============
allow ricci_modstorage_t self:capability sys_admin;

Comment 2 Steve Whitehouse 2008-11-27 11:35:56 UTC
Sorry, wrong one. This is the one I meant to add.

Comment 3 Daniel Walsh 2008-12-01 18:59:06 UTC
Please attach the AVC messages. I believe most of these accesses are just needed to transition to the mount command.

consoletype_exec(ricci_modstorage_t)
mount_domtrans(ricci_modstorage_t)

Is what I am adding.

selinux-policy-2.4.6-195.el5
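
The modules in the description are what audit2allow produces when it is handed the raw denials: one allow rule per (source type, target type, class), with the permissions merged. The point of Comment 3 is that several of those denials (execute/execute_no_trans on mount_exec_t and consoletype_exec_t) are better answered with the owning module's interface that transitions to the helper's own domain, so that the sys_admin/setuid/setgid capabilities and the filesystem mount permission stay with mount_t instead of being added to ricci_modstorage_t. The script below is an added illustration written for this bug report; it is not audit2allow, not part of selinux-policy, and not code from any of the commenters. The AVC lines in SAMPLE_AVCS are constructed to match the shape of a RHEL 5 audit.log record and the rules in the reporter's modules, not copied from the attachment. The `<module>_domtrans` name it suggests is a naming heuristic (it yields mount_domtrans for mount_exec_t, as in Comment 3; for consoletype the maintainer chose consoletype_exec instead), so treat the suggestion as a pointer to the interface to look up, not as the final rule.

```python
"""Added example: a minimal audit2allow-style generator that also flags the
denials a domain transition should absorb.  Illustration code for this bug,
not the real audit2allow and not part of selinux-policy."""
import re
from collections import defaultdict

# The fields of an AVC record that a policy rule is built from.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Constructed sample denials in the shape of a RHEL 5 audit.log.  They mirror
# the reporter's modules but are not copied from the attachment.
SAMPLE_AVCS = [
    'type=AVC msg=audit(1227735596.101:11): avc:  denied  { getattr } for  pid=4242 '
    'comm="modstorage" name="consoletype" dev=dm-0 ino=1001 '
    'scontext=system_u:system_r:ricci_modstorage_t:s0 '
    'tcontext=system_u:object_r:consoletype_exec_t:s0 tclass=file',
    'type=AVC msg=audit(1227735596.102:12): avc:  denied  { execute } for  pid=4242 '
    'comm="modstorage" name="consoletype" dev=dm-0 ino=1001 '
    'scontext=system_u:system_r:ricci_modstorage_t:s0 '
    'tcontext=system_u:object_r:consoletype_exec_t:s0 tclass=file',
    'type=AVC msg=audit(1227735596.103:13): avc:  denied  { execute_no_trans } for  pid=4243 '
    'comm="modstorage" name="mount" dev=dm-0 ino=1002 '
    'scontext=system_u:system_r:ricci_modstorage_t:s0 '
    'tcontext=system_u:object_r:mount_exec_t:s0 tclass=file',
    'type=AVC msg=audit(1227735596.104:14): avc:  denied  { search } for  pid=4243 '
    'comm="mount" name="lib" dev=dm-0 ino=2001 '
    'scontext=system_u:system_r:ricci_modstorage_t:s0 '
    'tcontext=system_u:object_r:var_lib_t:s0 tclass=dir',
    'type=AVC msg=audit(1227735596.105:15): avc:  denied  { sys_admin } for  pid=4243 '
    'comm="mount" capability=21 '
    'scontext=system_u:system_r:ricci_modstorage_t:s0 '
    'tcontext=system_u:system_r:ricci_modstorage_t:s0 tclass=capability',
    'type=AVC msg=audit(1227735596.106:16): avc:  denied  { mount } for  pid=4243 '
    'comm="mount" name="/" dev=dm-3 ino=2 '
    'scontext=system_u:system_r:ricci_modstorage_t:s0 '
    'tcontext=system_u:object_r:fs_t:s0 tclass=filesystem',
]


def parse_avc(line):
    """Return (source_type, target_type, tclass, perms), or None for a non-AVC line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    stype = m.group("scontext").split(":")[2]
    ttype = m.group("tcontext").split(":")[2]
    if ttype == stype:          # subject and object share a type: written as `self`
        ttype = "self"
    return stype, ttype, m.group("tclass"), frozenset(m.group("perms").split())


def collect_rules(lines):
    """Merge denials into {(source, target, class): set(perms)}, as audit2allow does."""
    rules = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed:
            s, t, cls, perms = parsed
            rules[(s, t, cls)] |= perms
    return dict(rules)


def fmt_perms(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)


def render_module(name, rules):
    """Render the rules as module source (.te) in the layout audit2allow prints."""
    types = sorted({x for s, t, _ in rules for x in (s, t) if x != "self"})
    class_perms = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        class_perms[cls] |= perms
    out = ["module %s 1.0;" % name, "", "require {"]
    out += ["\ttype %s;" % t for t in types]
    out += ["\tclass %s %s;" % (c, fmt_perms(p)) for c, p in sorted(class_perms.items())]
    out += ["}", ""]
    for src in sorted({s for s, _, _ in rules}):
        out.append("#============= %s ==============" % src)
        for (s, t, cls), perms in sorted(rules.items(), key=lambda kv: kv[0]):
            if s == src:
                out.append("allow %s %s:%s %s;" % (s, t, cls, fmt_perms(perms)))
    return "\n".join(out) + "\n"


def domtrans_candidates(rules):
    """Denials showing the source domain executing another program's entrypoint
    type in its own domain.  Replace these with the owning module's domtrans (or
    exec) interface instead of allowing them outright.  The suggested interface
    name is a heuristic (assumption: <prefix>_domtrans), not a guaranteed name."""
    found = []
    for (s, t, cls), perms in sorted(rules.items(), key=lambda kv: kv[0]):
        if cls == "file" and t.endswith("_exec_t") and perms & {"execute", "execute_no_trans"}:
            found.append((s, t, t[:-len("_exec_t")] + "_domtrans"))
    return found


def privilege_grants(rules):
    """Rules that widen the source domain itself (capabilities, filesystem mounts).
    Once the exec denials become a transition, these belong to the helper's domain
    (mount_t for mount) and normally drop out of the local module."""
    return sorted(k for k in rules if k[2] in ("capability", "filesystem"))


if __name__ == "__main__":
    rules = collect_rules(SAMPLE_AVCS)
    print(render_module("host", rules))
    for src, exec_type, iface in domtrans_candidates(rules):
        print("# %s executes %s: consider %s(%s)" % (src, exec_type, iface, src))
    for src, tgt, cls in privilege_grants(rules):
        print("# %s gains %s on %s: belongs to the transitioned domain" % (src, cls, tgt))
```

Run it without arguments to see the merged module for the constructed denials followed by the two exec rules it would rather see expressed as a transition and the capability/filesystem rules that only exist because mount was running as ricci_modstorage_t. To use it on a real system, replace SAMPLE_AVCS with the lines of /var/log/audit/audit.log that contain "avc:  denied"; anything the regex does not match is skipped.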

Comment 4 Steve Reichard 2008-12-02 02:51:48 UTC
Created attachment 325327 [details]
AVCs

Comment 5 Steve Reichard 2008-12-02 02:52:34 UTC
AVCs added as an attachment

Comment 6 Daniel Walsh 2008-12-02 16:16:31 UTC
Try out selinux-policy-2.4.6-197.el5