Bug 1031721 - OpenLMI Hardware provider needs updated selinux policy
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.0
Hardware: All
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: rc
Assignee: Miroslav Grepl
QA Contact: Milos Malik
Duplicates: 1032994
Reported: 2013-11-18 15:39 UTC by Peter Schiffer
Modified: 2014-12-10 09:30 UTC
Fixed In Version: selinux-policy-3.12.1-118.el7
Doc Type: Known Issue
Doc Text:
The OpenLMI hardware provider does not work on systems with SELinux running in enforcing mode.
Last Closed: 2014-06-13 13:14:51 UTC

Attachments
avc_msgs.txt (3.84 KB, text/plain), 2013-11-18 15:39 UTC, Peter Schiffer
avc_msgs.txt (3.84 KB, text/plain), 2013-11-19 17:40 UTC, Peter Schiffer
avc.txt (23.92 KB, text/plain), 2013-12-13 15:53 UTC, Peter Schiffer

Description Peter Schiffer 2013-11-18 15:39:28 UTC
Created attachment 825730: avc_msgs.txt

Description of problem:
Support for physical disks was added to the OpenLMI Hardware provider. To provide this information, it needs access to smartctl and lsblk programs.

Please add appropriate policies to RHEL-7 and Fedora 20+.

Thanks.

Comment 2 Miroslav Grepl 2013-11-19 14:10:24 UTC
What is a path to OpenLMI Hardware provider?

Comment 3 Peter Schiffer 2013-11-19 14:16:59 UTC
It should be:
/usr/libexec/pegasus/cmpiLMI_Hardware-cimprovagt

Comment 4 Miroslav Grepl 2013-11-19 15:52:27 UTC
We probably want to add a new openlmi type using

$ cat mypol.te
policy_module(mypol,1.0)
pegasus_openlmi_domain_template(hardware)

# make -f /usr/share/selinux/devel/Makefile mypol.pp
# semodule -i mypol.pp
# chcon -t pegasus_openlmi_hardware_exec_t /usr/libexec/pegasus/cmpiLMI_Hardware-cimprovagt

Re-test and collect all AVC msgs.

Comment 5 Peter Schiffer 2013-11-19 17:40:23 UTC
Created attachment 826216: avc_msgs.txt

recollected AVC msgs

Comment 6 Miroslav Grepl 2013-11-19 18:19:16 UTC
Something is wrong.

ls -lZ /usr/libexec/pegasus/cmpiLMI_Hardware-cimprovagt

Comment 7 Peter Schiffer 2013-11-20 10:43:14 UTC
# ls -lZ /usr/libexec/pegasus/cmpiLMI_Hardware-cimprovagt
-rwxr-xr-x. root root unconfined_u:object_r:pegasus_openlmi_hardware_exec_t:s0 /usr/libexec/pegasus/cmpiLMI_Hardware-cimprovagt

Comment 8 Miroslav Grepl 2013-11-21 10:12:05 UTC
Which is OK. We should not see pegasus_t but pegasus_openlmi_hardware_t.

Comment 9 Miroslav Grepl 2013-11-21 14:02:10 UTC
*** Bug 1032994 has been marked as a duplicate of this bug. ***

Comment 10 Miroslav Grepl 2013-11-21 14:04:55 UTC
Tomas,
could you try to play around with the policy from comment #4?

Comment 11 Miroslav Grepl 2013-12-09 20:44:07 UTC
Any update?

Comment 12 Peter Schiffer 2013-12-13 15:53:31 UTC
Created attachment 836360: avc.txt

Miroslav,

this is the latest avc log for the whole hardware provider (after calling all classes and associations).

Also, output of audit2allow says:

#============= pegasus_openlmi_hardware_t ==============
allow pegasus_openlmi_hardware_t dmidecode_exec_t:file { read getattr
open execute execute_no_trans };
allow pegasus_openlmi_hardware_t fixed_disk_device_t:blk_file { read
getattr open ioctl };
allow pegasus_openlmi_hardware_t fsadm_exec_t:file { read execute open
getattr execute_no_trans };
allow pegasus_openlmi_hardware_t hwdata_t:file { read getattr open };
allow pegasus_openlmi_hardware_t memory_device_t:chr_file { read open };
allow pegasus_openlmi_hardware_t self:capability sys_rawio;
allow pegasus_openlmi_hardware_t udev_var_run_t:file { read getattr open };

Do you need any other information to update the SELinux policy? Please don't forget we need it on both RHEL-7 and Fedora 20+.

Thanks.

peter
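An added example, not part of this bug report and not code from the selinux-policy project: a small Python script that reviews audit2allow output of the kind pasted in comment 12 before anyone turns it into a module. It parses the wrapped `allow` statements, flags the rules a policy reviewer would want justified (execution of helpers with no domain transition, the sys_rawio capability, direct block and character device access; that checklist is my own), and renders the result as a .te built the way comment 4 describes, on top of `pegasus_openlmi_domain_template(hardware)`. The module name `mypol` follows comment 4; the audit2allow text from comment 12 is embedded verbatim as the sample input; the require block lists types only, which assumes the refpolicy `policy_module()` macro (as used with the devel Makefile in comment 4) already requires the object classes.

```python
import re

# Constructed sample input: the audit2allow output quoted in comment 12, verbatim.
AUDIT2ALLOW_OUTPUT = """\
#============= pegasus_openlmi_hardware_t ==============
allow pegasus_openlmi_hardware_t dmidecode_exec_t:file { read getattr
open execute execute_no_trans };
allow pegasus_openlmi_hardware_t fixed_disk_device_t:blk_file { read
getattr open ioctl };
allow pegasus_openlmi_hardware_t fsadm_exec_t:file { read execute open
getattr execute_no_trans };
allow pegasus_openlmi_hardware_t hwdata_t:file { read getattr open };
allow pegasus_openlmi_hardware_t memory_device_t:chr_file { read open };
allow pegasus_openlmi_hardware_t self:capability sys_rawio;
allow pegasus_openlmi_hardware_t udev_var_run_t:file { read getattr open };
"""

# allow <source> <target>:<class> { perm perm ... }   or   allow ... :<class> perm
RULE_RE = re.compile(r"allow\s+(\S+)\s+(\S+):(\S+)\s+(?:\{\s*([^}]*)\}|(\S+))")

# Reviewer's checklist (my own, not from the bug): (permission or None,
# object class or None, reason).  A rule is flagged when every non-None field matches.
REVIEW_CHECKS = (
    ("execute_no_trans", None, "helper executes inside the provider domain (no transition)"),
    ("sys_rawio", "capability", "raw I/O capability"),
    (None, "blk_file", "direct block-device access"),
    (None, "chr_file", "direct character-device access"),
)


def parse_allow_rules(text):
    """Return [(source, target, class, frozenset(perms))] from audit2allow output.

    Statements may wrap over several lines, so lines are joined before splitting
    on ';'; '#' comment lines (audit2allow's type banner) are dropped.
    """
    body = " ".join(line for line in text.splitlines() if not line.lstrip().startswith("#"))
    rules = []
    for stmt in body.split(";"):
        m = RULE_RE.search(stmt)
        if m is None:
            continue
        src, tgt, cls, braced, single = m.groups()
        perms = frozenset(braced.split()) if braced is not None else frozenset([single])
        rules.append((src, tgt, cls, perms))
    return rules


def review_rules(rules):
    """Return [(target, class, reason)] for rules that widen the domain notably."""
    findings = []
    for _src, tgt, cls, perms in rules:
        for perm, klass, reason in REVIEW_CHECKS:
            if (perm is None or perm in perms) and (klass is None or klass == cls):
                findings.append((tgt, cls, reason))
    return findings


def render_module(name, rules, template_arg="hardware"):
    """Render a .te for the refpolicy devel Makefile (comment 4's build steps).

    The domain itself comes from pegasus_openlmi_domain_template(); types from
    other modules are listed in a require block.  Assumption: policy_module()
    already requires the object classes, so only types are listed there.
    """
    sources = {r[0] for r in rules}
    external = sorted({r[1] for r in rules if r[1] != "self"} - sources)
    lines = [f"policy_module({name}, 1.0)", "",
             f"pegasus_openlmi_domain_template({template_arg})", ""]
    if external:
        lines.append("require {")
        lines.extend(f"\ttype {t};" for t in external)
        lines.extend(["}", ""])
    for src, tgt, cls, perms in rules:
        lines.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    parsed = parse_allow_rules(AUDIT2ALLOW_OUTPUT)
    for tgt, cls, reason in review_rules(parsed):
        print(f"REVIEW {tgt}:{cls} - {reason}")
    print(render_module("mypol", parsed))
```

Run stand-alone it prints five flagged rules (the two execute_no_trans rules, the sys_rawio capability, and the block and character device accesses) followed by the rendered module. The value of the pass is the grouping: the generated rules show exactly which helpers the provider runs in its own domain and which devices it touches directly, which is the information the policy maintainer needs when deciding between raw allow rules and the corresponding refpolicy interfaces in the final selinux-policy change.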

Comment 13 Miroslav Grepl 2014-01-07 17:06:22 UTC
pegasus_openlmi_hardware_t is what I wanted to see.

Comment 14 Miroslav Grepl 2014-01-07 17:21:41 UTC
commit ced8c5191e38949395bec6067c371ebe40d582fc
Author: Miroslav Grepl <mgrepl>
Date:   Tue Jan 7 18:20:44 2014 +0100

    Add support for cmpiLMI_Hardware-cimprovagt provider

Comment 17 Tomas Smetana 2014-01-24 12:26:30 UTC
Sorry for the late update: I re-did the steps in comment #4:

[root@rawhide-local ~]# ls -lZ /usr/libexec/pegasus/cmpiLMI_Hardware-cimprovagt
-rwxr-xr-x. root root unconfined_u:object_r:pegasus_openlmi_hardware_exec_t:s0 /usr/libexec/pegasus/cmpiLMI_Hardware-cimprovagt

So this seems to be OK.

Comment 19 Ludek Smid 2014-06-13 13:14:51 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.

