Description of problem:
I want to detect my defunct logical volumes and try to use '/sbin/lvm lvscan', however it fails miserably.

Version-Release number of selected component (if applicable):
lvm2-2.00.11-1.3
policy-1.10.2-4

How reproducible:
always

Steps to Reproduce:
1. Install fc2test2 on a fresh partition on a system with existing lvm1 volumes
2. Enable SELinux in enforcing mode
3. Try to attach your volumes by trying '/bin/lvm vgscan' as root on your fresh system

Actual results:
[root@marit noa]# /sbin/lvm vgscan
/etc/lvm: mkdir failed: Permission denied

Expected results:
(what happens when I run [root@marit noa]# setenforce 0)
[root@marit noa]# /sbin/lvm vgscan
Reading all physical volumes. This may take a while...
Found volume group "vg0" using metadata type lvm1

Additional info:
'/sbin/lvm vgscan --mknodes' also fails when executed as root with enforcing enabled:

[root@marit noa]# /sbin/lvm vgscan --mknodes
Reading all physical volumes. This may take a while...
/sys/block: opendir failed: Permission denied
Found volume group "vg0" using metadata type lvm2
/dev/mapper/control: open failed: Permission denied
Is device-mapper driver missing from kernel?
[root@marit noa]# setenforce 0
[root@marit noa]# /sbin/lvm vgscan --mknodes
Reading all physical volumes. This may take a while...
Found volume group "vg0" using metadata type lvm2
Please attach avc messages from /var/log/messages
Doing the following:

# setenforce 0
# mv /etc/lvm /etc/lvm.bak
# /sbin/lvm lvscan

results in the following syslog message:

Apr 12 14:52:08 marit kernel: audit(1081774328.383:0): avc: denied { create } for pid=6419 exe=/sbin/lvm name=lvm scontext=root:system_r:lvm_t tcontext=root:object_r:etc_t tclass=dir

(I have updated to policy-1.10.2-5 since the original report.)
Try adding

file_type_auto_trans(lvm_t, etc_t, lvm_etc_t, dir)

to /etc/security/selinux/src/policy/domains/program/lvm.te, then type

make -c /etc/security/selinux/src/policy/ load

Does that help? I have added those lines to the latest policy.
With policy-1.11.2-6 the test command above ('/sbin/lvm vgscan' without /etc/lvm) doesn't fail directly. However, the syslog gets the following:

audit(1082483473.373:0): avc: denied { read } for pid=4063 exe=/sbin/lvm.static dev= ino=1 scontext=root:system_r:lvm_t tcontext=system_u:object_r:devpts_t tclass=dir
audit(1082483474.146:0): avc: denied { getattr } for pid=4063 exe=/sbin/lvm.static path=/dev/shm dev= ino=2359 scontext=root:system_r:lvm_t tcontext=system_u:object_r:tmpfs_t tclass=dir
audit(1082483474.316:0): avc: denied { read } for pid=4063 exe=/sbin/lvm.static name=block dev= ino=243 scontext=root:system_r:lvm_t tcontext=system_u:object_r:sysfs_t tclass=dir
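The AVC lines quoted in this bug are the raw material for deciding which policy rules are missing. As an added example (not code from the bug report, the lvm2 package or the policy package), the script below parses the old kernel-audit "avc: denied" line format used above, extracts the source type, target type, object class and permissions, and groups them into candidate allow rules in the same shape audit2allow would print. The sample log text is the set of messages copied from the comments above; everything else (function names, the regular expressions) is this example's own.

```python
import re
from collections import defaultdict

# Sample input: the four AVC messages quoted in this bug report, one per line.
# This is the FC2-era kernel audit format (audit(...): avc: denied { perms } for ...).
SAMPLE_LOG = """\
Apr 12 14:52:08 marit kernel: audit(1081774328.383:0): avc: denied { create } for pid=6419 exe=/sbin/lvm name=lvm scontext=root:system_r:lvm_t tcontext=root:object_r:etc_t tclass=dir
audit(1082483473.373:0): avc: denied { read } for pid=4063 exe=/sbin/lvm.static dev= ino=1 scontext=root:system_r:lvm_t tcontext=system_u:object_r:devpts_t tclass=dir
audit(1082483474.146:0): avc: denied { getattr } for pid=4063 exe=/sbin/lvm.static path=/dev/shm dev= ino=2359 scontext=root:system_r:lvm_t tcontext=system_u:object_r:tmpfs_t tclass=dir
audit(1082483474.316:0): avc: denied { read } for pid=4063 exe=/sbin/lvm.static name=block dev= ino=243 scontext=root:system_r:lvm_t tcontext=system_u:object_r:sysfs_t tclass=dir
"""

# "avc: denied { read write } for key=value key=value ..."
AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)
# key=value pairs; the value may be empty (e.g. "dev=" in the lines above).
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_avc(line):
    """Return a dict for one AVC line, or None if the line is not an AVC message."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"verdict": m.group("verdict"), "perms": m.group("perms").split()}
    rec.update(FIELD_RE.findall(m.group("fields")))
    return rec


def context_type(ctx):
    """Pick the type out of a user:role:type security context."""
    return ctx.split(":")[2]


def allow_rules(log_text):
    """Aggregate denials by (source type, target type, class) into allow rules."""
    wanted = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue
        key = (context_type(rec["scontext"]), context_type(rec["tcontext"]), rec["tclass"])
        wanted[key].update(rec["perms"])
    return sorted(
        "allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
        for (s, t, c), p in wanted.items()
    )


if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_LOG):
        print(rule)
```

The output is a starting point for a policy change, not the change itself. For the "create ... tcontext=etc_t tclass=dir" denial in particular, the right fix (as suggested earlier in this thread) is a type transition so the directory lvm creates under /etc lands in lvm_etc_t, rather than a blanket allow letting lvm_t create arbitrary etc_t directories.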
*** Bug 121323 has been marked as a duplicate of this bug. ***
*** Bug 121259 has been marked as a duplicate of this bug. ***
*** Bug 120962 has been marked as a duplicate of this bug. ***
Fixed in policy-1.11.2-18