Bug 1130675 - SELinux leads drbd.service to drbdadm: sh: modinfo: command not found
Summary: SELinux leads drbd.service to drbdadm: sh: modinfo: command not found
Keywords:
Status: CLOSED DUPLICATE of bug 1134883
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.0
Hardware: All
OS: Linux
unspecified
medium
Target Milestone: rc
Assignee: Lukas Vrabec
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2014-08-16 00:09 UTC by Robert Scheck
Modified: 2015-10-19 14:44 UTC (History)

Fixed In Version: selinux-policy-3.13.1-30.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-10-19 06:01:42 UTC
Target Upstream Version:
Embargoed:



Description Robert Scheck 2014-08-16 00:09:59 UTC
Description of problem:
[root@tux ~]# systemctl start drbd.service
Job for drbd.service failed. See 'systemctl status drbd.service' and 'journalctl -xn' for details.
[root@tux ~]#

[root@tux ~]# systemctl status drbd.service
drbd.service - DRBD -- please disable. Unless you are NOT using a cluster manager.
   Loaded: loaded (/usr/lib/systemd/system/drbd.service; disabled)
   Active: failed (Result: exit-code) since Fr 2014-08-15 21:13:43 CEST; 4s ago
  Process: 3469 ExecStart=/sbin/drbdadm adjust-with-progress all (code=exited, status=1/FAILURE)
  Process: 3464 ExecStartPre=/sbin/drbdadm sh-nop (code=exited, status=0/SUCCESS)
 Main PID: 3469 (code=exited, status=1/FAILURE)

Aug 15 21:13:43 tux.example.net drbdadm[3469]: sh: modinfo: command not found
Aug 15 21:13:43 tux.example.net drbdadm[3469]: [
Aug 15 21:13:43 tux.example.net drbdadm[3469]: create res: data:failed(new-resource:20) www:failed(new-resource:20)
Aug 15 21:13:43 tux.example.net drbdadm[3469]: prepare disk: [skipped:data] [skipped:www]
Aug 15 21:13:43 tux.example.net drbdadm[3469]: adjust disk: [skipped:data] [skipped:www]
Aug 15 21:13:43 tux.example.net drbdadm[3469]: adjust net: [skipped:data] [skipped:www]
Aug 15 21:13:43 tux.example.net drbdadm[3469]: ]
Aug 15 21:13:43 tux.example.net systemd[1]: drbd.service: main process exited, code=exited, status=1/FAILURE
Aug 15 21:13:43 tux.example.net systemd[1]: Failed to start DRBD -- please disable. Unless you are NOT using a cluster manager..
Aug 15 21:13:43 tux.example.net systemd[1]: Unit drbd.service entered failed state.
[root@tux ~]#

[root@tux ~]# which modinfo
/usr/sbin/modinfo
[root@tux ~]#

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.12.1-153.el7_0.10.noarch

DRBD 8.4.5 and drbd-utils 8.9.1, built from the regular upstream release 
tarballs.

How reproducible:
Every time, see above and below.

Actual results:
SELinux leads drbd.service to drbdadm: sh: modinfo: command not found

Expected results:
No AVC denied and starting service.

Additional info:
type=SERVICE_START msg=audit(1408147326.087:1931): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="drbd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1408147328.872:1932): avc:  denied  { write } for  pid=6349 comm="drbdsetup-84" name="drbd" dev="tmpfs" ino=35226 scontext=system_u:system_r:drbd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=dir
type=AVC msg=audit(1408147328.872:1932): avc:  denied  { remove_name } for  pid=6349 comm="drbdsetup-84" name="drbd-minor-0.conf" dev="tmpfs" ino=10149 scontext=system_u:system_r:drbd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=dir
type=AVC msg=audit(1408147328.872:1932): avc:  denied  { unlink } for  pid=6349 comm="drbdsetup-84" name="drbd-minor-0.conf" dev="tmpfs" ino=10149 scontext=system_u:system_r:drbd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1408147328.872:1932): arch=c000003e syscall=87 success=yes exit=0 a0=7fff064649f0 a1=40cd11 a2=7fff06464a0f a3=7fff064647b0 items=0 ppid=6348 pid=6349 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="drbdsetup-84" exe="/usr/lib/drbd/drbdsetup-84" subj=system_u:system_r:drbd_t:s0 key=(null)
type=SERVICE_STOP msg=audit(1408147328.936:1933): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="drbd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1408147328.945:1934): avc:  denied  { add_name } for  pid=6359 comm="drbdadm-84" name="drbd-resource-data.conf" scontext=system_u:system_r:drbd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=dir
type=AVC msg=audit(1408147328.945:1934): avc:  denied  { create } for  pid=6359 comm="drbdadm-84" name="drbd-resource-data.conf" scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1408147328.945:1934): arch=c000003e syscall=88 success=yes exit=0 a0=76a250 a1=7fffbd238b30 a2=1000 a3=7fffbd2378c0 items=0 ppid=1 pid=6359 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="drbdadm-84" exe="/usr/lib/drbd/drbdadm-84" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1408147328.950:1935): avc:  denied  { read write } for  pid=6368 comm="drbdmeta" name="drbd-147-0" dev="tmpfs" ino=31463 scontext=system_u:system_r:drbd_t:s0 tcontext=unconfined_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1408147328.950:1935): avc:  denied  { open } for  pid=6368 comm="drbdmeta" path="/run/lock/drbd-147-0" dev="tmpfs" ino=31463 scontext=system_u:system_r:drbd_t:s0 tcontext=unconfined_u:object_r:var_lock_t:s0 tclass=file
type=SYSCALL msg=audit(1408147328.950:1935): arch=c000003e syscall=2 success=yes exit=2 a0=1c734a0 a1=42 a2=180 a3=7fff369e64a0 items=0 ppid=6359 pid=6368 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="drbdmeta" exe="/usr/sbin/drbdmeta" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1408147328.950:1936): avc:  denied  { lock } for  pid=6368 comm="drbdmeta" path="/run/lock/drbd-147-0" dev="tmpfs" ino=31463 scontext=system_u:system_r:drbd_t:s0 tcontext=unconfined_u:object_r:var_lock_t:s0 tclass=file
type=SYSCALL msg=audit(1408147328.950:1936): arch=c000003e syscall=72 success=yes exit=0 a0=2 a1=7 a2=7fff369e66e0 a3=7fff369e64a0 items=0 ppid=6359 pid=6368 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="drbdmeta" exe="/usr/sbin/drbdmeta" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1408147328.952:1937): avc:  denied  { write } for  pid=6368 comm="drbdmeta" name="sda3" dev="devtmpfs" ino=1253 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
type=SYSCALL msg=audit(1408147328.952:1937): arch=c000003e syscall=2 success=yes exit=4 a0=1c73410 a1=4002 a2=61a630 a3=7fff369a6540 items=0 ppid=6359 pid=6368 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="drbdmeta" exe="/usr/sbin/drbdmeta" subj=system_u:system_r:drbd_t:s0 key=(null)

Comment 1 Robert Scheck 2014-08-16 00:13:49 UTC
Above was with "setenforce 0", below was before with "setenforce 1":

type=AVC msg=audit(1408130023.468:225): avc:  denied  { read } for  pid=3465 comm="sh" name="passwd" dev="sda1" ino=787104 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=SYSCALL msg=audit(1408130023.468:225): arch=c000003e syscall=2 success=no exit=-13 a0=7f271e1add8a a1=80000 a2=1b6 a3=0 items=0 ppid=3464 pid=3465 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1408130023.469:226): avc:  denied  { getattr } for  pid=3465 comm="sh" path="/usr/bin/kmod" dev="sda1" ino=922458 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1408130023.469:226): arch=c000003e syscall=4 success=no exit=-13 a0=23d3ce0 a1=7fffdaf907d0 a2=7fffdaf907d0 a3=12 items=0 ppid=3464 pid=3465 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1408130023.481:227): avc:  denied  { read } for  pid=3466 comm="sh" name="passwd" dev="sda1" ino=787104 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=SYSCALL msg=audit(1408130023.481:227): arch=c000003e syscall=2 success=no exit=-13 a0=7ffe7c3e1d8a a1=80000 a2=1b6 a3=0 items=0 ppid=3464 pid=3466 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1408130023.482:228): avc:  denied  { getattr } for  pid=3466 comm="sh" path="/usr/bin/kmod" dev="sda1" ino=922458 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1408130023.482:228): arch=c000003e syscall=4 success=no exit=-13 a0=96ece0 a1=7fffd5a675c0 a2=7fffd5a675c0 a3=12 items=0 ppid=3464 pid=3466 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1408130023.492:229): avc:  denied  { read } for  pid=3471 comm="sh" name="passwd" dev="sda1" ino=787104 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=SYSCALL msg=audit(1408130023.492:229): arch=c000003e syscall=2 success=no exit=-13 a0=7fcd9f2d1d8a a1=80000 a2=1b6 a3=0 items=0 ppid=3469 pid=3471 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1408130023.493:230): avc:  denied  { getattr } for  pid=3471 comm="sh" path="/usr/bin/kmod" dev="sda1" ino=922458 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1408130023.493:230): arch=c000003e syscall=4 success=no exit=-13 a0=1f2dce0 a1=7fff7005e3b0 a2=7fff7005e3b0 a3=12 items=0 ppid=3469 pid=3471 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1408130023.495:231): avc:  denied  { read } for  pid=3472 comm="sh" name="passwd" dev="sda1" ino=787104 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=SYSCALL msg=audit(1408130023.495:231): arch=c000003e syscall=2 success=no exit=-13 a0=7f455f3acd8a a1=80000 a2=1b6 a3=0 items=0 ppid=3469 pid=3472 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1408130023.496:232): avc:  denied  { getattr } for  pid=3472 comm="sh" path="/usr/bin/kmod" dev="sda1" ino=922458 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1408130023.496:232): arch=c000003e syscall=4 success=no exit=-13 a0=1d6ece0 a1=7fffa34db560 a2=7fffa34db560 a3=12 items=0 ppid=3469 pid=3472 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1408130023.503:233): avc:  denied  { read } for  pid=3474 comm="sh" name="passwd" dev="sda1" ino=787104 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=SYSCALL msg=audit(1408130023.503:233): arch=c000003e syscall=2 success=no exit=-13 a0=7f82873aed8a a1=80000 a2=1b6 a3=0 items=0 ppid=3473 pid=3474 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1408130023.503:234): avc:  denied  { execute } for  pid=3474 comm="sh" name="kmod" dev="sda1" ino=922458 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1408130023.503:234): arch=c000003e syscall=59 success=no exit=-13 a0=1841bb0 a1=1841e10 a2=1840ef0 a3=7fff0239eac0 items=0 ppid=3473 pid=3474 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1408130023.503:235): avc:  denied  { getattr } for  pid=3474 comm="sh" path="/usr/bin/kmod" dev="sda1" ino=922458 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1408130023.503:235): arch=c000003e syscall=4 success=no exit=-13 a0=1841bb0 a1=7fff0239ec50 a2=7fff0239ec50 a3=7fff0239eac0 items=0 ppid=3473 pid=3474 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1408130023.503:236): avc:  denied  { getattr } for  pid=3474 comm="sh" path="/usr/bin/kmod" dev="sda1" ino=922458 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1408130023.503:236): arch=c000003e syscall=4 success=no exit=-13 a0=1841bb0 a1=7fff0239ec30 a2=7fff0239ec30 a3=7fff0239eac0 items=0 ppid=3473 pid=3474 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1408130023.506:237): avc:  denied  { read } for  pid=3476 comm="sh" name="passwd" dev="sda1" ino=787104 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=SYSCALL msg=audit(1408130023.506:237): arch=c000003e syscall=2 success=no exit=-13 a0=7f0ed0806d8a a1=80000 a2=1b6 a3=0 items=0 ppid=3475 pid=3476 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1408130023.506:238): avc:  denied  { execute } for  pid=3476 comm="sh" name="kmod" dev="sda1" ino=922458 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1408130023.506:238): arch=c000003e syscall=59 success=no exit=-13 a0=2565bb0 a1=2565e10 a2=2564ef0 a3=7fff7f8ee190 items=0 ppid=3475 pid=3476 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1408130023.506:239): avc:  denied  { getattr } for  pid=3476 comm="sh" path="/usr/bin/kmod" dev="sda1" ino=922458 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1408130023.506:239): arch=c000003e syscall=4 success=no exit=-13 a0=2565bb0 a1=7fff7f8ee320 a2=7fff7f8ee320 a3=7fff7f8ee190 items=0 ppid=3475 pid=3476 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1408130023.506:240): avc:  denied  { getattr } for  pid=3476 comm="sh" path="/usr/bin/kmod" dev="sda1" ino=922458 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1408130023.506:240): arch=c000003e syscall=4 success=no exit=-13 a0=2565bb0 a1=7fff7f8ee300 a2=7fff7f8ee300 a3=7fff7f8ee190 items=0 ppid=3475 pid=3476 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1408130023.508:241): avc:  denied  { read } for  pid=3478 comm="sh" name="passwd" dev="sda1" ino=787104 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=SYSCALL msg=audit(1408130023.508:241): arch=c000003e syscall=2 success=no exit=-13 a0=7f000e8c4d8a a1=80000 a2=1b6 a3=0 items=0 ppid=3477 pid=3478 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1408130023.509:242): avc:  denied  { execute } for  pid=3478 comm="sh" name="kmod" dev="sda1" ino=922458 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1408130023.509:242): arch=c000003e syscall=59 success=no exit=-13 a0=82dbb0 a1=82de10 a2=82cef0 a3=7fffecb652e0 items=0 ppid=3477 pid=3478 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1408130023.509:243): avc:  denied  { getattr } for  pid=3478 comm="sh" path="/usr/bin/kmod" dev="sda1" ino=922458 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1408130023.509:243): arch=c000003e syscall=4 success=no exit=-13 a0=82dbb0 a1=7fffecb65470 a2=7fffecb65470 a3=7fffecb652e0 items=0 ppid=3477 pid=3478 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1408130023.509:244): avc:  denied  { getattr } for  pid=3478 comm="sh" path="/usr/bin/kmod" dev="sda1" ino=922458 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1408130023.509:244): arch=c000003e syscall=4 success=no exit=-13 a0=82dbb0 a1=7fffecb65450 a2=7fffecb65450 a3=7fffecb652e0 items=0 ppid=3477 pid=3478 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1408130023.511:245): avc:  denied  { read } for  pid=3480 comm="sh" name="passwd" dev="sda1" ino=787104 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=SYSCALL msg=audit(1408130023.511:245): arch=c000003e syscall=2 success=no exit=-13 a0=7ff8e61d1d8a a1=80000 a2=1b6 a3=0 items=0 ppid=3479 pid=3480 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1408130023.512:246): avc:  denied  { execute } for  pid=3480 comm="sh" name="kmod" dev="sda1" ino=922458 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1408130023.512:246): arch=c000003e syscall=59 success=no exit=-13 a0=1203bb0 a1=1203e10 a2=1202ef0 a3=7fffaad483b0 items=0 ppid=3479 pid=3480 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1408130023.512:247): avc:  denied  { getattr } for  pid=3480 comm="sh" path="/usr/bin/kmod" dev="sda1" ino=922458 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1408130023.512:247): arch=c000003e syscall=4 success=no exit=-13 a0=1203bb0 a1=7fffaad48540 a2=7fffaad48540 a3=7fffaad483b0 items=0 ppid=3479 pid=3480 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1408130023.512:248): avc:  denied  { getattr } for  pid=3480 comm="sh" path="/usr/bin/kmod" dev="sda1" ino=922458 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1408130023.512:248): arch=c000003e syscall=4 success=no exit=-13 a0=1203bb0 a1=7fffaad48520 a2=7fffaad48520 a3=7fffaad483b0 items=0 ppid=3479 pid=3480 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:drbd_t:s0 key=(null)
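
Added example (not part of the original report and not selinux-policy or audit2allow code): the audit records above repeat the same few denials many times, so this sketch collapses AVC lines into distinct source type, target type and object class triples with the permissions and commands seen for each. The sample input is shortened from records quoted in this report; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Sample records, shortened from the AVC lines quoted in this report
# (most SYSCALL records and several fields dropped for brevity).
SAMPLE_LOG = """\
type=AVC msg=audit(1408130023.468:225): avc:  denied  { read } for  pid=3465 comm="sh" name="passwd" scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=AVC msg=audit(1408130023.469:226): avc:  denied  { getattr } for  pid=3465 comm="sh" path="/usr/bin/kmod" scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=file
type=AVC msg=audit(1408130023.503:234): avc:  denied  { execute } for  pid=3474 comm="sh" name="kmod" scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1408130023.503:234): arch=c000003e syscall=59 success=no exit=-13 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1408147328.950:1935): avc:  denied  { read write } for  pid=6368 comm="drbdmeta" name="drbd-147-0" scontext=system_u:system_r:drbd_t:s0 tcontext=unconfined_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1408147328.952:1937): avc:  denied  { write } for  pid=6368 comm="drbdmeta" name="sda3" scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
"""

# Matches only AVC denial records; SYSCALL and SERVICE_* records are skipped.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}'
    r'.*?\bcomm="(?P<comm>[^"]*)"'
    r'.*?\bscontext=(?P<scontext>\S+)'
    r'.*?\btcontext=(?P<tcontext>\S+)'
    r'.*?\btclass=(?P<tclass>\S+)'
)


def selinux_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def summarize_denials(log_text):
    """Collapse AVC denials into {(source, target, class): {"perms", "comms"}}."""
    summary = defaultdict(lambda: {"perms": set(), "comms": set()})
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        key = (selinux_type(m["scontext"]),
               selinux_type(m["tcontext"]),
               m["tclass"])
        summary[key]["perms"].update(m["perms"].split())
        summary[key]["comms"].add(m["comm"])
    return dict(summary)


def format_summary(summary):
    """Render one line per distinct access vector, sorted for stable output."""
    lines = []
    for (src, tgt, cls), info in sorted(summary.items()):
        perms = " ".join(sorted(info["perms"]))
        comms = ", ".join(sorted(info["comms"]))
        lines.append(f"{src} -> {tgt}:{cls} {{ {perms} }}  (via {comms})")
    return lines


if __name__ == "__main__":
    print("\n".join(format_summary(summarize_denials(SAMPLE_LOG))))
```

On the sample, the `sh` denials against `insmod_exec_t` (the `/usr/bin/kmod` binary) collapse into a single `{ execute getattr }` entry, which is the access behind the "modinfo: command not found" message in the service log.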

Comment 4 Miroslav Grepl 2014-08-18 12:05:01 UTC
Are there drbd scripts which cause these AVCs?

Comment 5 Robert Scheck 2014-08-18 16:40:02 UTC
Don't know if that's what you are looking for?

$ strings /usr/sbin/drbdadm | grep modinfo
modinfo -F version drbd
$ 

$ file /usr/sbin/drbdadm
/usr/sbin/drbdadm: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.32, BuildID[sha1]=0x0d9dade372992ce025fb176b0891f13024fe7817, stripped
$

Comment 9 Miroslav Grepl 2014-11-05 09:28:48 UTC
commit e2e7de4c5defd0d42ad75b2f3b1c694109ecc59e
Author: Miroslav Grepl <mgrepl>
Date:   Wed Nov 5 10:27:15 2014 +0100

    Make drbd as nsswitch domain to make it working with sssd.

Comment 10 Robert Scheck 2014-11-05 14:26:13 UTC
Is selinux-policy-3.13.1-8.el7.noarch somewhere available for testing?

Comment 12 Milos Malik 2015-01-19 13:06:46 UTC
Here are the latest policy RPMs:
 * http://people.redhat.com/dwalsh/SELinux/RHEL7/noarch/

Could you re-test your scenario? Thanks.

Comment 16 Lukas Vrabec 2015-06-30 14:27:46 UTC
commit b3ffafe59962de5eb494897a695a9670a3302ecb
Author: Lukas Vrabec <lvrabec>
Date:   Tue Jun 30 15:28:18 2015 +0200

    Allow drbd_t write to fixed_disk_device.

Comment 19 Lukas Vrabec 2015-10-15 12:58:43 UTC
Same issue as in #1134883

Comment 20 Miroslav Grepl 2015-10-19 06:01:42 UTC

*** This bug has been marked as a duplicate of bug 1134883 ***

