Bug 120595 - LVM policy needs work
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: policy
Version: rawhide
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Daniel Walsh
Ben Levenson
triage|leonardjo|closed|rawhide
Duplicates: 120962 121259
Reported: 2004-04-11 15:11 EDT by Noa Resare
Modified: 2007-11-30 17:10 EST
Fixed In Version: 1.11.2-18
Doc Type: Bug Fix
Last Closed: 2004-05-10 14:03:28 EDT
Description Noa Resare 2004-04-11 15:11:31 EDT
Description of problem:

I want to detect my defunct logical volumes and try to use '/sbin/lvm
lvscan'; however, it fails miserably.

Version-Release number of selected component (if applicable):
lvm2-2.00.11-1.3
policy-1.10.2-4

How reproducible:
always

Steps to Reproduce:
1. Install fc2test2 on fresh partition on a system with existing lvm1
volumes
2. Enable SELinux in enforcing mode
3. Try to attach your volumes by trying '/bin/lvm vgscan' as root on
your fresh system
  
Actual results:
[root@marit noa]# /sbin/lvm vgscan
  /etc/lvm: mkdir failed: Permission denied


Expected results:
(what happens when I run [root@marit noa]# setenforce 0)
[root@marit noa]# /sbin/lvm vgscan
  Reading all physical volumes.  This may take a while...
  Found volume group "vg0" using metadata type lvm1


Additional info:
Comment 1 Noa Resare 2004-04-11 15:21:25 EDT
'/sbin/lvm vgscan --mknodes' also fails when executed as root with
enforcing enabled:

[root@marit noa]# /sbin/lvm vgscan --mknodes
  Reading all physical volumes.  This may take a while...
  /sys/block: opendir failed: Permission denied
  Found volume group "vg0" using metadata type lvm2
  /dev/mapper/control: open failed: Permission denied
  Is device-mapper driver missing from kernel?

[root@marit noa]# setenforce 0
[root@marit noa]# /sbin/lvm vgscan --mknodes
  Reading all physical volumes.  This may take a while...
  Found volume group "vg0" using metadata type lvm2
Comment 2 Daniel Walsh 2004-04-12 07:52:40 EDT
Please attach avc messages from /var/log/messages
Comment 3 Noa Resare 2004-04-12 08:48:24 EDT
doing the following: 
# setenforce 0
# mv /etc/lvm /etc/lvm.bak
# /sbin/lvm lvscan

results in the following syslog message:

Apr 12 14:52:08 marit kernel: audit(1081774328.383:0): avc:  denied  { create } for  pid=6419 exe=/sbin/lvm name=lvm scontext=root:system_r:lvm_t tcontext=root:object_r:etc_t tclass=dir


(i have updated to policy-1.10.2-5 since the original report)
Comment 4 Daniel Walsh 2004-04-12 09:43:07 EDT
Try adding
file_type_auto_trans(lvm_t, etc_t, lvm_etc_t, dir)
to
/etc/security/selinux/src/policy/domains/program/lvm.te 
then 
type
make -C /etc/security/selinux/src/policy/ load

Does that help?

I have added those lines to the latest policy
Comment 5 Noa Resare 2004-04-20 13:47:43 EDT
With policy-1.11.2-6 the test command above ('/sbin/lvm vgscan'
without /etc/lvm) doesn't fail directly. However, the syslog gets the
following:

audit(1082483473.373:0): avc:  denied  { read } for  pid=4063 exe=/sbin/lvm.static dev= ino=1 scontext=root:system_r:lvm_t tcontext=system_u:object_r:devpts_t tclass=dir
audit(1082483474.146:0): avc:  denied  { getattr } for  pid=4063 exe=/sbin/lvm.static path=/dev/shm dev= ino=2359 scontext=root:system_r:lvm_t tcontext=system_u:object_r:tmpfs_t tclass=dir
audit(1082483474.316:0): avc:  denied  { read } for  pid=4063 exe=/sbin/lvm.static name=block dev= ino=243 scontext=root:system_r:lvm_t tcontext=system_u:object_r:sysfs_t tclass=dir
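An added worked example, not part of this bug report and not Fedora's own policy tooling: a small Python script that turns the AVC denials quoted in Comments 3 and 5 into candidate policy rules, which is what a policy maintainer does by hand (or with audit2allow) before touching lvm.te. It merges denials per (source type, target type, object class) and, for a 'create' denial where the domain has a private type to transition to, emits the file_type_auto_trans macro from Comment 4 rather than a bare allow, because 'allow lvm_t etc_t:dir create' would let lvm mint directories labelled etc_t instead of lvm_etc_t. The lvm_t to lvm_etc_t pairing is taken from Comment 4; the PRIVATE_TYPES table, the function names and the non-AVC test line are this example's own assumptions.

```python
import re
from collections import defaultdict

# The four AVC lines quoted in Comments 3 and 5 of this bug, re-joined onto one
# line each. This is the 2004 printk/syslog format (no "type=AVC" prefix).
SAMPLE_AVC = [
    "Apr 12 14:52:08 marit kernel: audit(1081774328.383:0): avc:  denied  { create } for  pid=6419 exe=/sbin/lvm name=lvm scontext=root:system_r:lvm_t tcontext=root:object_r:etc_t tclass=dir",
    "audit(1082483473.373:0): avc:  denied  { read } for  pid=4063 exe=/sbin/lvm.static dev= ino=1 scontext=root:system_r:lvm_t tcontext=system_u:object_r:devpts_t tclass=dir",
    "audit(1082483474.146:0): avc:  denied  { getattr } for  pid=4063 exe=/sbin/lvm.static path=/dev/shm dev= ino=2359 scontext=root:system_r:lvm_t tcontext=system_u:object_r:tmpfs_t tclass=dir",
    "audit(1082483474.316:0): avc:  denied  { read } for  pid=4063 exe=/sbin/lvm.static name=block dev= ino=243 scontext=root:system_r:lvm_t tcontext=system_u:object_r:sysfs_t tclass=dir",
]

# Private type a domain should give to objects it creates inside a shared
# directory. lvm_t -> lvm_etc_t is the pairing Comment 4 uses; this table is
# an assumption of the example, not something the policy derives.
PRIVATE_TYPES = {("lvm_t", "etc_t", "dir"): "lvm_etc_t"}

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r"(\w+)=(\S*)")   # key=value pairs; "dev=" with no value is fine


def parse_avc(line):
    """Return (perms, source_type, target_type, tclass), or None if not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("rest")))
    try:
        stype = fields["scontext"].split(":")[2]   # user:role:type[:level]
        ttype = fields["tcontext"].split(":")[2]
        tclass = fields["tclass"]
    except (KeyError, IndexError):
        return None
    return (set(m.group("perms").split()), stype, ttype, tclass)


def policy_rules(lines, private_types=PRIVATE_TYPES):
    """Collapse denials into one rule per (stype, ttype, tclass), preferring a
    type transition over a bare allow when the domain creates objects in a
    directory it does not own."""
    merged = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed:
            perms, stype, ttype, tclass = parsed
            merged[(stype, ttype, tclass)] |= perms
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        perms = set(perms)
        new_type = private_types.get((stype, ttype, tclass))
        if "create" in perms and new_type:
            # A bare "allow ... create" would let the domain create objects that
            # keep the parent's label; the transition relabels them to new_type.
            rules.append(f"file_type_auto_trans({stype}, {ttype}, {new_type}, {tclass})")
            perms.discard("create")
        if perms:
            body = next(iter(perms)) if len(perms) == 1 else "{ " + " ".join(sorted(perms)) + " }"
            rules.append(f"allow {stype} {ttype}:{tclass} {body};")
    return rules


if __name__ == "__main__":
    for rule in policy_rules(SAMPLE_AVC):
        print(rule)
```

The output uses the Fedora Core 2 source-policy macro from Comment 4, not the refpolicy interfaces later policies expect, and it assumes lvm_etc_t is already declared in lvm.te, as Comment 4 implies. The regex also matches the later auditd form (type=AVC msg=audit(...): avc:  denied ...), and an MLS context such as system_u:object_r:etc_t:s0 still yields etc_t because only the third field is taken. Treat every emitted allow as a candidate to review, not a rule to paste: a denial on sysfs_t or devpts_t may deserve dontaudit rather than allow.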
Comment 6 Colin Walters 2004-04-20 17:00:54 EDT
*** Bug 121323 has been marked as a duplicate of this bug. ***
Comment 7 Colin Walters 2004-04-20 17:01:19 EDT
*** Bug 121259 has been marked as a duplicate of this bug. ***
Comment 8 Colin Walters 2004-04-20 17:02:01 EDT
*** Bug 120962 has been marked as a duplicate of this bug. ***
Comment 9 Colin Walters 2004-04-21 16:52:43 EDT
*** Bug 121323 has been marked as a duplicate of this bug. ***
Comment 10 Daniel Walsh 2004-04-22 16:23:38 EDT
Fixed in policy-1.11.2-18
