Bug 691822

Summary: GFS2 won't mount -> /dev/dlm* nodes have incorrect selinux label
Product: Fedora
Reporter: thomas
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: urgent
Priority: unspecified
Version: 14
CC: agk, cfeist, domg444, dwalsh, fdinitto, lhh, mgrepl, swhiteho, xjakub
Hardware: x86_64
OS: Linux
Fixed In Version: selinux-policy-3.9.7-40.fc14
Doc Type: Bug Fix
Last Closed: 2011-04-24 23:59:56 UTC

Description thomas 2011-03-29 14:54:21 UTC
Description of problem:

Unable to mount gfs2 file systems after upgrading to latest selinux-policy and SELinux=enforcing

The SELinux fcontext (selinux-policy-3.9.7-37.fc14.noarch) for the /dev nodes created by dlm/dlm_controld is set to device_t when it should be dlm_control_device_t for, minimally:

/dev/dlm-control 
/dev/dlm-monitor
/dev/dlm_plock
/dev/dlm_rgmanager

Not sure if dlm_rgmanager needs to have the same fcontext. At present, it's also set to device_t.

Version-Release number of selected component (if applicable):

selinux-policy-3.9.7-37.fc14.noarch
cman-3.1.1-1.fc14.x86_64

How reproducible:

With selinux=enforcing, it's every time the system attempts to mount a gfs2 filesystem after restarting the cluster (/etc/init.d/cman restart).

Steps to Reproduce:

1. Upgrade to selinux-policy-3.9.7-37.fc14 & selinux=Enforcing
2. service cman start
3. service gfs2 start
  
Actual results:

gfs_controld fails to start (get error "dlm: no local IP address has been set"), the gfs2 file system doesn't mount, and the following AVCs appear in /var/log/audit/audit.log:

type=AVC msg=audit(1301325627.439:67): avc:  denied  { getattr } for  pid=6086 comm="dlm_controld" path="/dev/dlm-control" dev=devtmpfs ino=26028 scontext=unconfined_u:system_r:dlm_controld_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1301325627.439:68): avc:  denied  { read } for  pid=6086 comm="dlm_controld" name="dlm-monitor" dev=devtmpfs ino=26030 scontext=unconfined_u:system_r:dlm_controld_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1301325627.439:68): avc:  denied  { open } for  pid=6086 comm="dlm_controld" name="dlm-monitor" dev=devtmpfs ino=26030 scontext=unconfined_u:system_r:dlm_controld_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1301325627.452:69): avc:  denied  { write } for  pid=6086 comm="dlm_controld" name="dlm_plock" dev=devtmpfs ino=26036 scontext=unconfined_u:system_r:dlm_controld_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file


Expected results:

Able to mount gfs2 file systems (and no AVCs for dlm_controld) while SELINUX=Enforcing.


Additional info:

After updating the fcontexts for /dev/dlm* to dlm_control_device_t (from device_t) and updating the load_kernel_modules() function in the cman init script:

fcontext updates:

semanage fcontext -a -t dlm_control_device_t -f -c /dev/dlm-control
semanage fcontext -a -t dlm_control_device_t -f -c /dev/dlm_plock
semanage fcontext -a -t dlm_control_device_t -f -c /dev/dlm-monitor
semanage fcontext -a -t dlm_control_device_t -f -c /dev/dlm_rgmanager

/etc/init.d/cman update:

load_kernel_modules()
{
        errmsg=$( modprobe configfs 2>&1 ) || return 1
        errmsg=$( modprobe dlm 2>&1 ) || return 1
        restorecon -F /dev/dlm* || return 1 # Added
}

Cluster now starts as expected, gfs2 file systems can be mounted, etc.

So I think the following things need to be addressed:

RHCS needs to ensure the DLM device nodes - /dev/dlm{-control, -monitor, _plock, _rgmanager} - get set to the correct fcontext (dlm_control_device_t) and not their present "device_t".

selinux-policy needs to add FC specs for all of the above DLM nodes.

Comment 1 Daniel Walsh 2011-03-29 16:36:48 UTC
Miroslav, let's add

/dev/dlm.*		-c	gen_context(system_u:object_r:dlm_control_device_t,s0)

to F13,F14,F15 and RHEL6

Comment 2 Fabio Massimo Di Nitto 2011-03-29 17:15:08 UTC
The patch to cman init is kind of moot because the devices don't exist at that time.

Also, as a side note (not entirely sure that is relevant), those devices are created dynamically based on the services using them. Other than /dev/dlm* there is no other portion of the name that is constant.

Fabio

Comment 3 Dominick Grift 2011-03-29 18:34:34 UTC
What creates these nodes then and when?

Comment 4 Fabio Massimo Di Nitto 2011-03-29 18:48:57 UTC
fs/dlm kernel via udev. If that fails, libdlm from userland will do it as a fallback.

libdlm users will request a lock space with "name" and that will become dlm_name. Each name is unique.

Fabio
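As an added example (not code from the bug report or from selinux-policy), here is a Python check that applies the /dev/dlm.* spec proposed in Comment 1 to AVC denials like those in the description and reports every node whose label disagrees with policy; it treats a devtmpfs name= as /dev/<name> (an assumption) and covers the dynamically named dlm_<lockspace> nodes described in Comment 4 via a constructed sample line.

```python
import re
# Constructed sample: two AVC denials quoted in the report (the first rejoined onto one line) and one
# constructed denial for a lockspace node, which Comment 4 says is named dlm_<lockspace name>.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1301325627.439:67): avc:  denied  { getattr } for  pid=6086 comm="dlm_controld" path="/dev/dlm-control" dev=devtmpfs ino=26028 scontext=unconfined_u:system_r:dlm_controld_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1301325627.439:68): avc:  denied  { read } for  pid=6086 comm="dlm_controld" name="dlm-monitor" dev=devtmpfs ino=26030 scontext=unconfined_u:system_r:dlm_controld_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1301325700.000:70): avc:  denied  { write } for  pid=6086 comm="dlm_controld" name="dlm_mygfs" dev=devtmpfs ino=26040 scontext=unconfined_u:system_r:dlm_controld_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
"""

# Comment 1's spec as (regex, file-type flag, type): "-c" = character devices only, None = any file type.
FCONTEXT_SPECS = [(r"/dev/dlm.*", "-c", "dlm_control_device_t")]
AVC_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
AVC_PERMS = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}")

def parse_avc(line):
    """Split one AVC denial into its key=value fields; return None for any other audit record."""
    perms = AVC_PERMS.search(line)
    if not line.startswith("type=AVC") or not perms:
        return None
    fields = {key: value.strip('"') for key, value in AVC_FIELD.findall(line)}
    fields["perms"] = perms.group(1)
    return fields

def object_path(avc):
    """AVCs carry path= or only name=; a name= on devtmpfs is assumed to sit directly under /dev."""
    if "path" in avc:
        return avc["path"]
    if avc.get("dev") == "devtmpfs" and "name" in avc:
        return "/dev/" + avc["name"]
    return None

def expected_type(path, tclass):
    """Type the policy assigns to path, or None; regexes are anchored and the last match wins, as in file_contexts."""
    wanted = None
    for regex, flag, setype in FCONTEXT_SPECS:
        if (flag is None or (flag == "-c" and tclass == "chr_file")) and re.fullmatch(regex, path):
            wanted = setype
    return wanted

def find_mislabeled(audit_text):
    """Return (path, actual type, policy type, denied perms) for every target labeled contrary to policy."""
    findings = []
    for avc in filter(None, map(parse_avc, audit_text.splitlines())):
        path = object_path(avc)
        actual = avc["tcontext"].split(":")[2]
        wanted = expected_type(path, avc.get("tclass", "")) if path else None
        if wanted and wanted != actual:
            findings.append((path, actual, wanted, avc["perms"]))
    return findings
```

Each reported path is one the reporter's `restorecon -F /dev/dlm*` would relabel; a denial against a node already labeled dlm_control_device_t is not reported, since the label is then not the cause.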

Comment 5 Miroslav Grepl 2011-04-04 16:48:14 UTC
Fixed in selinux-policy-3.9.7-39.fc14

Comment 6 Fedora Update System 2011-04-21 14:50:05 UTC
selinux-policy-3.9.7-40.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-40.fc14

Comment 7 Fedora Update System 2011-04-21 22:25:39 UTC
Package selinux-policy-3.9.7-40.fc14:
* should fix your issue,
* was pushed to the Fedora 14 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.7-40.fc14'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-40.fc14
then log in and leave karma (feedback).

Comment 8 Fedora Update System 2011-04-24 23:58:51 UTC
selinux-policy-3.9.7-40.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.