Bug 1031721 - OpenLMI Hardware provider needs updated selinux policy
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.0
Hardware: All
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: rc
Assigned To: Miroslav Grepl
QA Contact: Milos Malik
Duplicates: 1032994
Reported: 2013-11-18 10:39 EST by Peter Schiffer
Modified: 2014-12-10 04:30 EST
Fixed In Version: selinux-policy-3.12.1-118.el7
Doc Type: Known Issue
Doc Text:
The OpenLMI hardware provider does not work on systems with SELinux running in enforcing mode.
Last Closed: 2014-06-13 09:14:51 EDT
Type: Bug

Attachments:
avc_msgs.txt (3.84 KB, text/plain), 2013-11-18 10:39 EST, Peter Schiffer
avc_msgs.txt (3.84 KB, text/plain), 2013-11-19 12:40 EST, Peter Schiffer
avc.txt (23.92 KB, text/plain), 2013-12-13 10:53 EST, Peter Schiffer
Description Peter Schiffer 2013-11-18 10:39:28 EST
Created attachment 825730: avc_msgs.txt

Description of problem:
Support for physical disks was added to the OpenLMI Hardware provider. To provide this information, it needs access to smartctl and lsblk programs.

Please, add appropriate policies to the RHEL-7 and Fedora 20+.

Thanks.
Comment 2 Miroslav Grepl 2013-11-19 09:10:24 EST
What is a path to OpenLMI Hardware provider?
Comment 3 Peter Schiffer 2013-11-19 09:16:59 EST
It should be:
/usr/libexec/pegasus/cmpiLMI_Hardware-cimprovagt
Comment 4 Miroslav Grepl 2013-11-19 10:52:27 EST
We probably want to add a new openlmi type using

$ cat mypol.te
policy_module(mypol,1.0)
pegasus_openlmi_domain_template(hardware)

# make -f /usr/share/selinux/devel/Makefile mypol.pp
# semodule -i mypol.pp
# chcon -t pegasus_openlmi_hardware_exec_t /usr/libexec/pegasus/cmpiLMI_Hardware-cimprovagt

re-test and collect all AVC msgs.
Comment 5 Peter Schiffer 2013-11-19 12:40:23 EST
Created attachment 826216: avc_msgs.txt

recollected AVC msgs
Comment 6 Miroslav Grepl 2013-11-19 13:19:16 EST
Something is wrong.

ls -lZ /usr/libexec/pegasus/cmpiLMI_Hardware-cimprovagt
Comment 7 Peter Schiffer 2013-11-20 05:43:14 EST
# ls -lZ /usr/libexec/pegasus/cmpiLMI_Hardware-cimprovagt
-rwxr-xr-x. root root unconfined_u:object_r:pegasus_openlmi_hardware_exec_t:s0 /usr/libexec/pegasus/cmpiLMI_Hardware-cimprovagt
Comment 8 Miroslav Grepl 2013-11-21 05:12:05 EST
Which is OK. We should not see pegasus_t but pegasus_openlmi_hardware_t.
Comment 9 Miroslav Grepl 2013-11-21 09:02:10 EST
*** Bug 1032994 has been marked as a duplicate of this bug. ***
Comment 10 Miroslav Grepl 2013-11-21 09:04:55 EST
Tomas,
could you try to play around with the policy from comment #4?
Comment 11 Miroslav Grepl 2013-12-09 15:44:07 EST
Any update?
Comment 12 Peter Schiffer 2013-12-13 10:53:31 EST
Created attachment 836360: avc.txt

Miroslav,

this is the latest avc log for the whole hardware provider (after calling all classes and associations).

Also, output of audit2allow says:

#============= pegasus_openlmi_hardware_t ==============
allow pegasus_openlmi_hardware_t dmidecode_exec_t:file { read getattr open execute execute_no_trans };
allow pegasus_openlmi_hardware_t fixed_disk_device_t:blk_file { read getattr open ioctl };
allow pegasus_openlmi_hardware_t fsadm_exec_t:file { read execute open getattr execute_no_trans };
allow pegasus_openlmi_hardware_t hwdata_t:file { read getattr open };
allow pegasus_openlmi_hardware_t memory_device_t:chr_file { read open };
allow pegasus_openlmi_hardware_t self:capability sys_rawio;
allow pegasus_openlmi_hardware_t udev_var_run_t:file { read getattr open };

Do you need any other information to update selinux policy? Please don't forget we need it on both, RHEL-7 and Fedora 20+.

Thanks.

peter
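As an added illustration (not part of this bug report or of the selinux-policy project), the script below merges raw AVC denials into audit2allow-style allow rules like the listing above, and separately flags denials whose source domain is not pegasus_openlmi_hardware_t, which is the labelling check from comments 6 to 8 (a provider still running as pegasus_t means the chcon or semodule step did not take). The AVC lines are constructed samples, not the attached logs.

```python
import re
from collections import defaultdict

# Constructed AVC denials in the shape auditd writes them (not the bug's attachments).
# The last line deliberately comes from pegasus_t to show the mislabel check.
AVC_SAMPLE = """\
type=AVC msg=audit(1386946411.100:101): avc:  denied  { read } for  pid=2201 comm="smartctl" path="/dev/sda" dev="devtmpfs" ino=6531 scontext=system_u:system_r:pegasus_openlmi_hardware_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
type=AVC msg=audit(1386946411.100:102): avc:  denied  { open ioctl } for  pid=2201 comm="smartctl" path="/dev/sda" dev="devtmpfs" ino=6531 scontext=system_u:system_r:pegasus_openlmi_hardware_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
type=AVC msg=audit(1386946411.101:103): avc:  denied  { sys_rawio } for  pid=2201 comm="smartctl" capability=17 scontext=system_u:system_r:pegasus_openlmi_hardware_t:s0 tcontext=system_u:system_r:pegasus_openlmi_hardware_t:s0 tclass=capability
type=AVC msg=audit(1386946411.102:104): avc:  denied  { execute } for  pid=2205 comm="cmpiLMI_Hardwar" name="lsblk" dev="sda1" ino=9120 scontext=system_u:system_r:pegasus_t:s0 tcontext=system_u:object_r:fsadm_exec_t:s0 tclass=file
"""

# Pull the permission set, the source/target *types* (third field of a context) and the class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\} .*?"
    r"scontext=\w+:\w+:(?P<stype>\w+):\S+\s+"
    r"tcontext=\w+:\w+:(?P<ttype>\w+):\S+\s+tclass=(?P<tclass>\w+)"
)

EXPECTED_DOMAIN = "pegasus_openlmi_hardware_t"  # domain the provider should run in (comment 8)


def parse_avc(text):
    """Return one (source_type, target_type, tclass, perms) tuple per AVC denial line."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            denials.append((m["stype"], m["ttype"], m["tclass"], frozenset(m["perms"].split())))
    return denials


def aggregate_rules(denials):
    """Merge permissions per (source, target, class) into audit2allow-style allow rules."""
    merged = defaultdict(set)
    for stype, ttype, tclass, perms in denials:
        merged[(stype, ttype, tclass)] |= perms
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        target = "self" if stype == ttype else ttype  # capability denials target the domain itself
        plist = " ".join(sorted(perms))
        body = plist if len(perms) == 1 else "{ " + plist + " }"
        rules.append(f"allow {stype} {target}:{tclass} {body};")
    return rules


def unexpected_domains(denials, expected=EXPECTED_DOMAIN):
    """Source domains other than the new one: evidence the exec label or module is not in place."""
    return sorted({stype for stype, _, _, _ in denials if stype != expected})


if __name__ == "__main__":
    found = parse_avc(AVC_SAMPLE)
    print("\n".join(aggregate_rules(found)))
    print("unexpected source domains:", unexpected_domains(found))
```

Only denials from the expected domain should be fed into the final policy; rules generated for pegasus_t would widen the generic Pegasus domain instead of the new provider type.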
Comment 13 Miroslav Grepl 2014-01-07 12:06:22 EST
pegasus_openlmi_hardware_t is what I wanted to see.
Comment 14 Miroslav Grepl 2014-01-07 12:21:41 EST
commit ced8c5191e38949395bec6067c371ebe40d582fc
Author: Miroslav Grepl <mgrepl@redhat.com>
Date:   Tue Jan 7 18:20:44 2014 +0100

    Add support for cmpiLMI_Hardware-cimprovagt provider
Comment 17 Tomas Smetana 2014-01-24 07:26:30 EST
Sorry for the late update: I re-did the steps in comment #4:

[root@rawhide-local ~]# ls -lZ /usr/libexec/pegasus/cmpiLMI_Hardware-cimprovagt
-rwxr-xr-x. root root unconfined_u:object_r:pegasus_openlmi_hardware_exec_t:s0 /usr/libexec/pegasus/cmpiLMI_Hardware-cimprovagt

So this seems to be OK.
Comment 19 Ludek Smid 2014-06-13 09:14:51 EDT
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.