Bug 656809
Summary: | MLS policy -- avc: denied { write } for ... comm="vgchange" name="ram0" dev=tmpfs ... | |
---|---|---|---
Product: | Red Hat Enterprise Linux 5 | Reporter: | Milos Malik <mmalik>
Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl>
Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik>
Severity: | medium | Docs Contact: |
Priority: | low | |
Version: | 5.6 | CC: | dwalsh
Target Milestone: | rc | |
Target Release: | --- | |
Hardware: | All | |
OS: | Linux | |
Whiteboard: | | |
Fixed In Version: | selinux-policy-2.4.6-295.el5 | Doc Type: | Bug Fix
Doc Text: | Under certain circumstances, using SELinux with the MLS policy in permissive mode could cause the following messages to appear at boot time: `/dev/mapper/control: open failed: Permission denied` and `Failure to communicate with kernel device-mapper driver.` With this update, appropriate SELinux rules have been added to address this issue, and the system now boots without these errors. | |
Story Points: | --- | |
Clone Of: | | Environment: |
Last Closed: | 2011-01-13 21:51:28 UTC | Type: | ---
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Description
Milos Malik
2010-11-24 07:54:56 UTC
The following output is shown on the console when the machine starts up with the MLS policy in enforcing mode:

```
/dev/mapper/control: open failed: Permission denied
Failure to communicate with kernel device-mapper driver.
/dev/mapper/control: open failed: Permission denied
Failure to communicate with kernel device-mapper driver.
device mapper prerequisites not met
/dev/mapper/control: open failed: Permission denied
Failure to communicate with kernel device-mapper driver.
device mapper prerequisites not met
/dev/mapper/control: open failed: Permission denied
Failure to communicate with kernel device-mapper driver.
device mapper prerequisites not met
/dev/mapper/control: open failed: Permission denied
Failure to communicate with kernel device-mapper driver.
device mapper prerequisites not met
Setting up Logical Volume Management: File-based locking initialisation failed.
No volume groups found
```

Here is the relevant part of the dmesg output:

```
md: Autodetecting RAID arrays.
md: autorun ...
md: ... autorun DONE.
device-mapper: multipath: version 1.0.5 loaded
type=1400 audit(1290585354.140:4): avc: denied { write } for pid=1159 comm="multipath.stati" name="control" dev=tmpfs ino=1068 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file
type=1400 audit(1290585354.318:5): avc: denied { write } for pid=1164 comm="kpartx" name="control" dev=tmpfs ino=1068 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file
type=1400 audit(1290585354.324:6): avc: denied { write } for pid=1166 comm="kpartx" name="control" dev=tmpfs ino=1068 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file
type=1400 audit(1290585354.330:7): avc: denied { write } for pid=1168 comm="kpartx" name="control" dev=tmpfs ino=1068 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file
type=1400 audit(1290585354.337:8): avc: denied { write } for pid=1170 comm="kpartx" name="control" dev=tmpfs ino=1068 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file
EXT3 FS on dm-0, internal journal
SELinux: initialized (dev sda1, type vfat), uses genfs_contexts
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
Adding 18677728k swap on /dev/VolGroup00/LogVol01.  Priority:-1 extents:1 across:18677728k
SELinux: initialized (dev binfmt_misc, type binfmt_misc), uses genfs_contexts
```

---

We have dev_rw_lvm_control(initrc_t) in RHEL6. Basically it looks like I should backport some changes from RHEL6 to RHEL5 related to the MLS policy.

---

Yes. I have added MLS fixes to the selinux-policy-2.4.6-295.el5.noarch policy. Milos, Karel, could you also test it? Please make sure services such as setroubleshoot, xfs, etc. are not running during your MLS testing. Thanks.

---

Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:

Under certain circumstances, using SELinux with the MLS policy in permissive mode could cause the following messages to appear at boot time:

```
/dev/mapper/control: open failed: Permission denied
Failure to communicate with kernel device-mapper driver.
```

With this update, appropriate SELinux rules have been added to address this issue, and the system now boots without these errors.

---

An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0026.html
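An added example, not part of the bug report or of the selinux-policy package: a small audit2allow-style parser that turns the AVC records quoted above into the type-enforcement rule they are asking for, aggregating denials per source type, target type and object class while keeping the MLS ranges separate, so it is visible that the denial is between initrc_t and lvm_control_t at the type-enforcement level. The sample lines are copied from the description (one unrelated dmesg line is included to show non-AVC records are skipped); the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: two of the AVC records quoted in the bug's dmesg output,
# plus one unrelated dmesg line to show that non-AVC records are skipped.
SAMPLE_DMESG = """\
device-mapper: multipath: version 1.0.5 loaded
type=1400 audit(1290585354.140:4): avc: denied { write } for pid=1159 comm="multipath.stati" name="control" dev=tmpfs ino=1068 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file
type=1400 audit(1290585354.318:5): avc: denied { write } for pid=1164 comm="kpartx" name="control" dev=tmpfs ino=1068 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields of one AVC denial record, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    fields['perms'] = m.group('perms').split()
    # A context is user:role:type[:range]; the range is what MLS adds on top
    # of type enforcement, so keep it separate from the type.
    for ctx in ('scontext', 'tcontext'):
        parts = fields[ctx].split(':', 3)
        fields[ctx + '_type'] = parts[2]
        fields[ctx + '_range'] = parts[3] if len(parts) > 3 else None
    return fields


def te_rules(lines):
    """Aggregate denials per (source type, target type, class) into TE allow rules."""
    perms = defaultdict(set)
    for f in filter(None, map(parse_avc, lines)):
        perms[(f['scontext_type'], f['tcontext_type'], f['tclass'])].update(f['perms'])
    return sorted('allow %s %s:%s { %s };' % (s, t, c, ' '.join(sorted(p)))
                  for (s, t, c), p in perms.items())


if __name__ == '__main__':
    for rule in te_rules(SAMPLE_DMESG.splitlines()):
        print(rule)  # allow initrc_t lvm_control_t:chr_file { write };
```

The single resulting rule is what the dev_rw_lvm_control() interface mentioned in the comments grants (for write, alongside read); the source range s0-s15:c0.c1023 dominates the target's s0, so nothing beyond the missing TE rule is needed here.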