Bug 656809

Summary: MLS policy -- avc: denied { write } for ... comm="vgchange" name="ram0" dev=tmpfs ...
Product: Red Hat Enterprise Linux 5 Reporter: Milos Malik <mmalik>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: medium Docs Contact:
Priority: low    
Version: 5.6CC: dwalsh
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-2.4.6-295.el5 Doc Type: Bug Fix
Doc Text:
Under certain circumstances, using SELinux with the MLS policy in the permissive mode could cause the following messages to appear at a boot time: /dev/mapper/control: open failed: Permission denied Failure to communicate with kernel device-mapper driver. With this update, appropriate SELinux rules have been added to address this issue, and the system now boots without these errors.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2011-01-13 21:51:28 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Milos Malik 2010-11-24 07:54:56 UTC 
Description of problem:


Version-Release number of selected component (if applicable):
RHEL5.6-Server-20101119.0
selinux-policy-targeted-2.4.6-293.el5
selinux-policy-2.4.6-293.el5
selinux-policy-mls-2.4.6-293.el5
selinux-policy-devel-2.4.6-293.el5

How reproducible:
always

Steps to Reproduce:
1. install MLS policy on a RHEL-5.6 machine, force filesystem auto-relabel
2. modify /etc/selinux/config so that the machine will start up with MLS policy in permissive mode
3. reboot into single mode
4. log in via console
5. run "ausearch -m avc -ts recent"
  
Actual results:
----
time->Wed Nov 24 02:07:44 2010
type=SYSCALL msg=audit(1290582464.869:285): arch=c0000032 syscall=1028 success=yes exit=5 a0=60000000000354b8 a1=44002 a2=0 a3=0 items=0 ppid=16970 pid=16975 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="vgchange" exe="/usr/sbin/lvm" subj=system_u:system_r:lvm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1290582464.869:285): avc:  denied  { write } for  pid=16975 comm="vgchange" name="ram0" dev=tmpfs ino=749 scontext=system_u:system_r:lvm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s15:c0.c1023 tclass=blk_file
----

Expected results:
no AVCs
Comment 1 Milos Malik 2010-11-24 07:59:36 UTC 
Following output is shown in console when the machine starts up with MLS policy in enforcing mode:

/dev/mapper/control: open failed: Permission denied
Failure to communicate with kernel device-mapper driver.
/dev/mapper/control: open failed: Permission denied
Failure to communicate with kernel device-mapper driver.
device mapper prerequisites not met
/dev/mapper/control: open failed: Permission denied
Failure to communicate with kernel device-mapper driver.
device mapper prerequisites not met
/dev/mapper/control: open failed: Permission denied
Failure to communicate with kernel device-mapper driver.
device mapper prerequisites not met
/dev/mapper/control: open failed: Permission denied
Failure to communicate with kernel device-mapper driver.
device mapper prerequisites not met
Setting up Logical Volume Management:   File-based locking initialisation failed.
  No volume groups found

Here is the relevant part of dmesg output:

md: Autodetecting RAID arrays.
md: autorun ...
md: ... autorun DONE.
device-mapper: multipath: version 1.0.5 loaded
type=1400 audit(1290585354.140:4): avc:  denied  { write } for  pid=1159 comm="multipath.stati" name="control" dev=tmpfs ino=1068 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file
type=1400 audit(1290585354.318:5): avc:  denied  { write } for  pid=1164 comm="kpartx" name="control" dev=tmpfs ino=1068 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file
type=1400 audit(1290585354.324:6): avc:  denied  { write } for  pid=1166 comm="kpartx" name="control" dev=tmpfs ino=1068 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file
type=1400 audit(1290585354.330:7): avc:  denied  { write } for  pid=1168 comm="kpartx" name="control" dev=tmpfs ino=1068 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file
type=1400 audit(1290585354.337:8): avc:  denied  { write } for  pid=1170 comm="kpartx" name="control" dev=tmpfs ino=1068 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file
EXT3 FS on dm-0, internal journal
SELinux: initialized (dev sda1, type vfat), uses genfs_contexts
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
Adding 18677728k swap on /dev/VolGroup00/LogVol01.  Priority:-1 extents:1 across:18677728k
SELinux: initialized (dev binfmt_misc, type binfmt_misc), uses genfs_contexts
Comment 2 Miroslav Grepl 2010-11-24 13:11:29 UTC 
We have 

dev_rw_lvm_control(initrc_t)

in RHEL6.
Comment 3 Miroslav Grepl 2010-11-24 13:13:38 UTC 
Basically it looks like I should backport some changes from RHEL6 to RHEL5 related to MLS policy.
Comment 4 Daniel Walsh 2010-11-24 13:55:32 UTC 
Yes.
Comment 5 Miroslav Grepl 2010-11-24 17:04:23 UTC 
I have added MLS fixes to selinux-policy-2.4.6-295.el5.noarch policy.

Milos, Karel,
could you also test it. Please make sure services as setroubleshoot, xfs, etc. is not running during your MLS testing. Thanks.
Comment 9 Jaromir Hradilek 2011-01-05 16:28:26 UTC 
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Under certain circumstances, using SELinux with the MLS policy in the permissive mode could cause the following messages to appear at a boot time:

  /dev/mapper/control: open failed: Permission denied
  Failure to communicate with kernel device-mapper driver.

With this update, appropriate SELinux rules have been added to address this issue, and the system now boots without these errors.
Comment 11 errata-xmlrpc 2011-01-13 21:51:28 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0026.html