Bug 744575

Summary: SELinux is preventing /sbin/drbdsetup from 'module_request' accesses on the system Unknown.
Product: [Fedora] Fedora
Reporter: Jerry Amundson <jamundso>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED WORKSFORME
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 16
CC: dominick.grift, dwalsh, mgrepl
Target Milestone: ---
Target Release: ---
Hardware: i686
OS: Unspecified
Whiteboard: abrt_hash:3b2caf2a83c848195628c69c8287a9a775bf30759b95bbf06b37ddb5f505d3e4
Doc Type: Bug Fix
Last Closed: 2011-10-09 14:35:08 UTC

Description Jerry Amundson 2011-10-09 14:14:25 UTC
libreport version: 2.0.6
executable:     /usr/bin/python
hashmarkername: setroubleshoot
kernel:         3.1.0-0.rc8.git0.1.fc16.i686.PAE
reason:         SELinux is preventing /sbin/drbdsetup from 'module_request' accesses on the system Unknown.
time:           Sun Oct  9 09:13:50 2011

description:
:SELinux is preventing /sbin/drbdsetup from 'module_request' accesses on the system Unknown.
:
:*****  Plugin catchall_boolean (89.3 confidence) suggests  *******************
:
:If you want to allow all domains to have the kernel load modules
:Then you must tell SELinux about this by enabling the 'domain_kernel_load_modules' boolean.
:Do
:setsebool -P domain_kernel_load_modules 1
:
:*****  Plugin catchall (11.6 confidence) suggests  ***************************
:
:If you believe that drbdsetup should be allowed module_request access on the Unknown system by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep drbdsetup /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                system_u:system_r:drbd_t:s0
:Target Context                system_u:system_r:kernel_t:s0
:Target Objects                Unknown [ system ]
:Source                        drbdsetup
:Source Path                   /sbin/drbdsetup
:Port                          <Unknown>
:Host                          (removed)
:Source RPM Packages           drbd-utils-8.3.9-1.fc15
:Target RPM Packages           
:Policy RPM                    selinux-policy-3.9.16-38.fc15
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed) 2.6.40.4-5.fc15.i686.PAE #1 SMP Tue Aug
:                              30 14:43:52 UTC 2011 i686 i686
:Alert Count                   8
:First Seen                    Tue 06 Sep 2011 07:51:19 PM CDT
:Last Seen                     Thu 22 Sep 2011 07:31:24 PM CDT
:Local ID                      88849d12-9519-4ff1-9dfe-62b9547ca42d
:
:Raw Audit Messages
:type=AVC msg=audit(1316737884.896:27): avc:  denied  { module_request } for  pid=1253 comm="drbdsetup" kmod="hmac(sha1)" scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system
:
:
:type=AVC msg=audit(1316737884.896:27): avc:  denied  { module_request } for  pid=1253 comm="drbdsetup" kmod="hmac(sha1)-all" scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system
:
:
:type=SYSCALL msg=audit(1316737884.896:27): arch=i386 syscall=socketcall success=yes exit=146 a0=9 a1=bfa44120 a2=8267008 a3=4 items=0 ppid=1190 pid=1253 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=drbdsetup exe=/sbin/drbdsetup subj=system_u:system_r:drbd_t:s0 key=(null)
:
:Hash: drbdsetup,drbd_t,kernel_t,system,module_request
:
:audit2allow
:
:#============= drbd_t ==============
:#!!!! This avc can be allowed using the boolean 'domain_kernel_load_modules'
:
:allow drbd_t kernel_t:system module_request;
:
:audit2allow -R
:
:#============= drbd_t ==============
:#!!!! This avc can be allowed using the boolean 'domain_kernel_load_modules'
:
:allow drbd_t kernel_t:system module_request;
:

Comment 1 Jerry Amundson 2011-10-09 14:35:08 UTC
Never mind - I should have looked at the date first, as this avc was prior to upgrading to Fedora 16.