Bug 956260

Summary: MLS: Cannot boot machine with SELinux in enforcing with LVM
Product: Red Hat Enterprise Linux 7
Reporter: Miroslav Vadkerti <mvadkert>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED CURRENTRELEASE
QA Contact: Miroslav Vadkerti <mvadkert>
Severity: high
Priority: high
Version: 7.0
CC: arubin, dwalsh, jjaburek, mgrepl, mmalik
Target Milestone: beta
Keywords: Regression
Hardware: All
OS: Linux
Doc Type: Bug Fix
Type: Bug
Last Closed: 2014-06-13 09:41:07 UTC
Bug Blocks: 717785, 893599

Description Miroslav Vadkerti 2013-04-24 14:29:00 UTC
Description of problem:
I cannot boot my test RHEL7 machine in MLS with SELinux in enforcing mode. In /var/log/messages I see these denials:

[root/sysadm_r/s0@cc-ns1 ~]# grep lvm2-activation /var/log/messages  | grep 15:34
Apr 24 15:34:15 cc-ns1 kernel: [    5.814535] type=1400 audit(1366810441.813:59): avc:  granted  { setfscreate } for  pid=284 comm="lvm2-activation" scontext=system_u:system_r:lvm_t:s0-s15:c0.c1023 tcontext=system_u:system_r:lvm_t:s0-s15:c0.c1023 tclass=process
Apr 24 15:34:15 cc-ns1 kernel: [    5.814571] type=1300 audit(1366810441.813:59): arch=c000003e syscall=1 success=yes exit=32 a0=5 a1=1ecc9f0 a2=20 a3=30733a745f6b63 items=0 ppid=1 pid=284 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="lvm2-activation" exe="/usr/lib/systemd/system-generators/lvm2-activation-generator" subj=system_u:system_r:lvm_t:s0-s15:c0.c1023 key=(null)
Apr 24 15:34:15 cc-ns1 kernel: [    5.814773] type=1400 audit(1366810441.813:60): avc:  granted  { setfscreate } for  pid=284 comm="lvm2-activation" scontext=system_u:system_r:lvm_t:s0-s15:c0.c1023 tcontext=system_u:system_r:lvm_t:s0-s15:c0.c1023 tclass=process
Apr 24 15:34:15 cc-ns1 kernel: [    5.814815] type=1300 audit(1366810441.813:60): arch=c000003e syscall=1 success=yes exit=0 a0=5 a1=0 a2=0 a3=746165726373662f items=0 ppid=1 pid=284 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="lvm2-activation" exe="/usr/lib/systemd/system-generators/lvm2-activation-generator" subj=system_u:system_r:lvm_t:s0-s15:c0.c1023 key=(null)
Apr 24 15:34:15 cc-ns1 kernel: [    5.815295] type=1400 audit(1366810441.814:61): avc:  denied  { write } for  pid=284 comm="lvm2-activation" name="generator" dev="tmpfs" ino=9736 scontext=system_u:system_r:lvm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=dir
Apr 24 15:34:15 cc-ns1 kernel: [    5.815321] type=1400 audit(1366810441.814:61): avc:  denied  { add_name } for  pid=284 comm="lvm2-activation" name="lvm2-activation-early.service" scontext=system_u:system_r:lvm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=dir
Apr 24 15:34:15 cc-ns1 kernel: [    5.815373] type=1400 audit(1366810441.814:61): avc:  denied  { create } for  pid=284 comm="lvm2-activation" name="lvm2-activation-early.service" scontext=system_u:system_r:lvm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=file
Apr 24 15:34:15 cc-ns1 kernel: [    5.815404] type=1400 audit(1366810441.814:61): avc:  denied  { write open } for  pid=284 comm="lvm2-activation" path="/run/systemd/generator/lvm2-activation-early.service" dev="tmpfs" ino=9791 scontext=system_u:system_r:lvm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=file
Apr 24 15:34:15 cc-ns1 kernel: [    5.815432] type=1300 audit(1366810441.814:61): arch=c000003e syscall=2 success=yes exit=4 a0=6040e0 a1=802c1 a2=1b6 a3=3 items=0 ppid=1 pid=284 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="lvm2-activation" exe="/usr/lib/systemd/system-generators/lvm2-activation-generator" subj=system_u:system_r:lvm_t:s0-s15:c0.c1023 key=(null)
Apr 24 15:34:15 cc-ns1 kernel: [    5.815459] type=1400 audit(1366810441.814:62): avc:  denied  { getattr } for  pid=284 comm="lvm2-activation" path="/run/systemd/generator/lvm2-activation-early.service" dev="tmpfs" ino=9791 scontext=system_u:system_r:lvm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=file

Version-Release number of selected component (if applicable):
selinux-policy-3.12.1-32.el7.noarch

How reproducible:
100%

Steps to Reproduce:
1. Install RHEL7 in MLS mode with LVM partitions
2. Try to boot with SELinux in enforcing mode
  
Actual results:
Cannot boot + AVC denials

Expected results:
Can boot and no AVC denials

Additional info:

Comment 2 Daniel Walsh 2013-04-25 18:07:51 UTC
Did you do something to show this?

Apr 24 15:34:15 cc-ns1 kernel: [    5.814773] type=1400 audit(1366810441.813:60): avc:  granted  { setfscreate } for  pid=284 comm="lvm2-activation" scontext=system_u:system_r:lvm_t:s0-s15:c0.c1023 tcontext=system_u:system_r:lvm_t:s0-s15:c0.c1023 tclass=process

This is an auditallow line.  

d709564ec1ea19bfef770a57d05625946c5256e0 fixes lvm creating its own unit file in git.

Comment 3 Miroslav Vadkerti 2013-04-25 18:16:35 UTC
No, I didn't do anything special to show this. I didn't add any auditallow rules.

(In reply to comment #2)
> Did you do something to show this?
> 
> Apr 24 15:34:15 cc-ns1 kernel: [    5.814773] type=1400
> audit(1366810441.813:60): avc:  granted  { setfscreate } for  pid=284
> comm="lvm2-activation" scontext=system_u:system_r:lvm_t:s0-s15:c0.c1023
> tcontext=system_u:system_r:lvm_t:s0-s15:c0.c1023 tclass=process
> 
> This is an auditallow line.  
> 
> d709564ec1ea19bfef770a57d05625946c5256e0 fixes lvm creating its own unit
> file in git.

Comment 4 Daniel Walsh 2013-04-25 18:27:05 UTC
Maybe this is something in the audit system causing this, or MLS LSPP installs a special policy that watches for SELinux interactions?

Comment 5 Miroslav Grepl 2013-04-25 18:53:58 UTC
AFAIK MLS LSPP installs a special policy.

Comment 13 Miroslav Grepl 2013-06-24 18:29:35 UTC
Added additional fixes.

commit 602dd4a8cd08ea856cd96ca6727770a1242d1655
Author: Miroslav Grepl <mgrepl>
Date:   Mon Jun 24 20:29:00 2013 +0200

    Allow lvm_t to create default targets for filesystem handling

Comment 14 Miroslav Vadkerti 2013-07-12 08:42:46 UTC
VERIFIED as fixed in selinux-policy-3.12.1-59.el7. This bug will be implicitly tested by our CC testing efforts. Putting qe_test_coverage+.

Comment 15 Ludek Smid 2014-06-13 09:41:07 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.