Bug 681887

Summary: MLS -- AVCs appear when running: kpartx -v /dev/sda
Product: Red Hat Enterprise Linux 6
Reporter: Milos Malik <mmalik>
Component: selinux-policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: medium
Priority: medium
Version: 6.1
CC: dwalsh, mgrepl
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: selinux-policy-3.7.19-76.el6
Doc Type: Bug Fix
Last Closed: 2011-05-19 12:12:35 UTC

Description Milos Malik 2011-03-03 14:37:30 UTC
Description of problem:


Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.7.19-73.el6.noarch
selinux-policy-mls-3.7.19-73.el6.noarch
selinux-policy-3.7.19-73.el6.noarch

How reproducible:
always

Steps to Reproduce:
# id -Z
root:sysadm_r:sysadm_t:s0-s15:c0.c1023
# cat /proc/partitions 
major minor  #blocks  name

   8        0  488386584 sda
   8        1     512000 sda1
   8        2  487873536 sda2
 253        0   52428800 dm-0
 253        1   20627456 dm-1
 253        2  414814208 dm-2
# kpartx -v /dev/sda
sda1 : 0 1024000 /dev/sda 2048
sda2 : 0 975747072 /dev/sda 1026048
#

Actual results:
----
time->Thu Mar  3 09:24:12 2011
type=SYSCALL msg=audit(1299162252.172:40): arch=c000003e syscall=2 success=yes exit=3 a0=7fff2163ff80 a1=2 a2=a3a a3=10 items=0 ppid=2660 pid=2747 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=1 comm="kpartx" exe="/sbin/kpartx" subj=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1299162252.172:40): avc:  denied  { open } for  pid=2747 comm="kpartx" name="control" dev=devtmpfs ino=5452 scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file
type=AVC msg=audit(1299162252.172:40): avc:  denied  { read write } for  pid=2747 comm="kpartx" name="control" dev=devtmpfs ino=5452 scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file
----
time->Thu Mar  3 09:24:48 2011
type=SYSCALL msg=audit(1299162288.765:42): arch=c000003e syscall=16 success=yes exit=0 a0=4 a1=1268 a2=7fff8b87d838 a3=0 items=0 ppid=2660 pid=2751 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=1 comm="kpartx" exe="/sbin/kpartx" subj=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1299162288.765:42): avc:  denied  { ioctl } for  pid=2751 comm="kpartx" path="/dev/sda" dev=devtmpfs ino=6230 scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s15:c0.c1023 tclass=blk_file
----
time->Thu Mar  3 09:24:48 2011
type=SYSCALL msg=audit(1299162288.765:41): arch=c000003e syscall=2 success=yes exit=4 a0=7fff8b87fd83 a1=0 a2=77f a3=0 items=0 ppid=2660 pid=2751 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=1 comm="kpartx" exe="/sbin/kpartx" subj=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1299162288.765:41): avc:  denied  { open } for  pid=2751 comm="kpartx" name="sda" dev=devtmpfs ino=6230 scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s15:c0.c1023 tclass=blk_file
type=AVC msg=audit(1299162288.765:41): avc:  denied  { read } for  pid=2751 comm="kpartx" name="sda" dev=devtmpfs ino=6230 scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s15:c0.c1023 tclass=blk_file
----

Expected results:
no AVCs

Comment 2 Daniel Walsh 2011-03-03 16:58:57 UTC
If you label this lvm_exec_t does it work?

Comment 3 Milos Malik 2011-03-04 09:04:55 UTC
If I change the label of /sbin/kpartx to lvm_exec_t, only 1 AVC appears when running kpartx -v /dev/sda. Here is the AVC:

type=1400 audit(1299229175.589:12470): avc:  denied  { ipc_info } for  pid=2347 comm="kpartx" scontext=root:sysadm_r:lvm_t:s0-s15:c0.c1023 tcontext=system_u:system_r:kernel_t:s15:c0.c1023 tclass=system

The AVC is very similar to one mentioned in bug report https://bugzilla.redhat.com/show_bug.cgi?id=681882 .

Comment 4 Miroslav Grepl 2011-03-04 11:42:33 UTC
kernel_get_sysvipc_info(lvm_t)

will be added to lvm policy. Could you test it with this rule in a local policy module?

Comment 5 Milos Malik 2011-03-04 12:49:56 UTC
No AVCs appear when following local policy is loaded:

policy_module(testpolicy,1.0)

require {
    type lvm_t;
}

kernel_get_sysvipc_info(lvm_t)
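As an added illustration (not part of this bug report and not a replacement for audit2allow), the following Python script parses the AVC records quoted in the description and in comment 3, collapses them into the raw type-enforcement rules they would require (the last one is the raw form of the kernel_get_sysvipc_info(lvm_t) interface call from comment 4), and flags denials whose target object sits at a higher MLS sensitivity than the subject's current (low) level. Such denials are worth a second look under the MLS policy because a plain allow rule only satisfies type enforcement; the MLS constraints are checked separately, which is why relabeling the binary into a domain that already has the right attributes (lvm_t here) is the better fix than allowing sysadm_t directly. The sample lines are copied from this report; the function and variable names are this example's own.

```python
"""Group SELinux AVC denials into allow rules and flag MLS level mismatches.

Added example; the sample lines below are copied from the bug report.
"""
import re
from collections import defaultdict

# Sample input: the AVC records from the report (description and comment 3).
SAMPLE_AVCS = """\
type=AVC msg=audit(1299162252.172:40): avc:  denied  { open } for  pid=2747 comm="kpartx" name="control" dev=devtmpfs ino=5452 scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file
type=AVC msg=audit(1299162252.172:40): avc:  denied  { read write } for  pid=2747 comm="kpartx" name="control" dev=devtmpfs ino=5452 scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file
type=AVC msg=audit(1299162288.765:42): avc:  denied  { ioctl } for  pid=2751 comm="kpartx" path="/dev/sda" dev=devtmpfs ino=6230 scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s15:c0.c1023 tclass=blk_file
type=AVC msg=audit(1299162288.765:41): avc:  denied  { open } for  pid=2751 comm="kpartx" name="sda" dev=devtmpfs ino=6230 scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s15:c0.c1023 tclass=blk_file
type=AVC msg=audit(1299162288.765:41): avc:  denied  { read } for  pid=2751 comm="kpartx" name="sda" dev=devtmpfs ino=6230 scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s15:c0.c1023 tclass=blk_file
type=1400 audit(1299229175.589:12470): avc:  denied  { ipc_info } for  pid=2347 comm="kpartx" scontext=root:sysadm_r:lvm_t:s0-s15:c0.c1023 tcontext=system_u:system_r:kernel_t:s15:c0.c1023 tclass=system
"""

# Matches the permission set, source/target contexts and object class of one AVC record.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def parse_context(ctx):
    """Split user:role:type:level; the MLS level/range is everything after the third colon."""
    user, role, type_, level = ctx.split(":", 3)
    return {"user": user, "role": role, "type": type_, "level": level}


def parse_avcs(text):
    """Return one dict per AVC record found in the text (non-AVC lines are skipped)."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        denials.append({
            "perms": set(m.group("perms").split()),
            "source": parse_context(m.group("scontext")),
            "target": parse_context(m.group("tcontext")),
            "tclass": m.group("tclass"),
        })
    return denials


def allow_rules(denials):
    """Collapse denials into the raw type-enforcement rules audit2allow would print."""
    merged = defaultdict(set)
    for d in denials:
        key = (d["source"]["type"], d["target"]["type"], d["tclass"])
        merged[key] |= d["perms"]
    return sorted(
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};" for (s, t, c), p in merged.items()
    )


def sensitivity(level_str):
    """Lowest sensitivity number of a level or range: 's0-s15:c0.c1023' -> 0, 's15:c0.c1023' -> 15."""
    low = level_str.split("-", 1)[0]          # low end of a range, or the single level
    return int(low.split(":", 1)[0][1:])      # drop categories and the leading 's'


def mls_review_flags(denials):
    """(source type, target type, class) triples whose target sensitivity is above the
    subject's current level. A heuristic: these cannot be judged from the AVC alone,
    because MLS constraints are evaluated in addition to any allow rule."""
    flagged = set()
    for d in denials:
        if sensitivity(d["target"]["level"]) > sensitivity(d["source"]["level"]):
            flagged.add((d["source"]["type"], d["target"]["type"], d["tclass"]))
    return sorted(flagged)


if __name__ == "__main__":
    found = parse_avcs(SAMPLE_AVCS)
    print("\n".join(allow_rules(found)))
    for src, tgt, cls in mls_review_flags(found):
        print(f"review MLS: {src} -> {tgt}:{cls} (target above subject's current level)")
```

Run as-is it prints three allow rules; the two fixed_disk_device_t and kernel_t denials come back flagged because those objects sit at s15 while the sysadm_t/lvm_t processes run with a current level of s0, whereas the lvm_control_t node is at s0 and is a plain type-enforcement gap.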

Comment 6 Miroslav Grepl 2011-03-04 13:02:13 UTC
Great. Thanks.

Comment 7 Miroslav Grepl 2011-03-04 13:02:38 UTC
*** Bug 681882 has been marked as a duplicate of this bug. ***

Comment 8 Miroslav Grepl 2011-03-08 16:51:18 UTC
Fixed in selinux-policy-3.7.19-76.el6

Comment 11 errata-xmlrpc 2011-05-19 12:12:35 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0526.html