Bug 120595 - LVM policy needs work
Summary: LVM policy needs work
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: policy
Version: rawhide
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
Whiteboard: triage|leonardjo|closed|rawhide
Duplicates: 120962 121259
 
Reported: 2004-04-11 19:11 UTC by Noa Resare
Modified: 2007-11-30 22:10 UTC (History)
Last Closed: 2004-05-10 18:03:28 UTC



Description Noa Resare 2004-04-11 19:11:31 UTC
Description of problem:

I want to detect my defunct logical volumes and try to use '/sbin/lvm
lvscan'; however, it fails miserably.

Version-Release number of selected component (if applicable):
lvm2-2.00.11-1.3
policy-1.10.2-4

How reproducible:
always

Steps to Reproduce:
1. Install fc2test2 on fresh partition on a system with existing lvm1
volumes
2. Enable SELinux in enforcing mode
3. Try to attach your volumes by trying '/bin/lvm vgscan' as root on
your fresh system
  
Actual results:
[root@marit noa]# /sbin/lvm vgscan
  /etc/lvm: mkdir failed: Permission denied


Expected results:
(what happens when I run [root@marit noa]# setenforce 0)
[root@marit noa]# /sbin/lvm vgscan
  Reading all physical volumes.  This may take a while...
  Found volume group "vg0" using metadata type lvm1


Additional info:

Comment 1 Noa Resare 2004-04-11 19:21:25 UTC
'/sbin/lvm vgscan --mknodes' also fails when executed as root with
enforcing enabled:

[root@marit noa]# /sbin/lvm vgscan --mknodes
  Reading all physical volumes.  This may take a while...
  /sys/block: opendir failed: Permission denied
  Found volume group "vg0" using metadata type lvm2
  /dev/mapper/control: open failed: Permission denied
  Is device-mapper driver missing from kernel?

[root@marit noa]# setenforce 0
[root@marit noa]# /sbin/lvm vgscan --mknodes
  Reading all physical volumes.  This may take a while...
  Found volume group "vg0" using metadata type lvm2


Comment 2 Daniel Walsh 2004-04-12 11:52:40 UTC
Please attach AVC messages from /var/log/messages.

Comment 3 Noa Resare 2004-04-12 12:48:24 UTC
Doing the following:
# setenforce 0
# mv /etc/lvm /etc/lvm.bak
# /sbin/lvm lvscan

results in the following syslog message:

Apr 12 14:52:08 marit kernel: audit(1081774328.383:0): avc:  denied  { create } for  pid=6419 exe=/sbin/lvm name=lvm scontext=root:system_r:lvm_t tcontext=root:object_r:etc_t tclass=dir


(I have updated to policy-1.10.2-5 since the original report.)

Comment 4 Daniel Walsh 2004-04-12 13:43:07 UTC
Try adding
file_type_auto_trans(lvm_t, etc_t, lvm_etc_t, dir)
to
/etc/security/selinux/src/policy/domains/program/lvm.te
then type
make -C /etc/security/selinux/src/policy/ load

Does that help?

I have added those lines to the latest policy.

Comment 5 Noa Resare 2004-04-20 17:47:43 UTC
With policy-1.11.2-6 the test command above ('/sbin/lvm vgscan'
without /etc/lvm) doesn't fail directly. However, the syslog gets the
following:

audit(1082483473.373:0): avc:  denied  { read } for  pid=4063 exe=/sbin/lvm.static dev= ino=1 scontext=root:system_r:lvm_t tcontext=system_u:object_r:devpts_t tclass=dir
audit(1082483474.146:0): avc:  denied  { getattr } for  pid=4063 exe=/sbin/lvm.static path=/dev/shm dev= ino=2359 scontext=root:system_r:lvm_t tcontext=system_u:object_r:tmpfs_t tclass=dir
audit(1082483474.316:0): avc:  denied  { read } for  pid=4063 exe=/sbin/lvm.static name=block dev= ino=243 scontext=root:system_r:lvm_t tcontext=system_u:object_r:sysfs_t tclass=dir


Comment 6 Colin Walters 2004-04-20 21:00:54 UTC
*** Bug 121323 has been marked as a duplicate of this bug. ***

Comment 7 Colin Walters 2004-04-20 21:01:19 UTC
*** Bug 121259 has been marked as a duplicate of this bug. ***

Comment 8 Colin Walters 2004-04-20 21:02:01 UTC
*** Bug 120962 has been marked as a duplicate of this bug. ***

Comment 9 Colin Walters 2004-04-21 20:52:43 UTC
*** Bug 121323 has been marked as a duplicate of this bug. ***

Comment 10 Daniel Walsh 2004-04-22 20:23:38 UTC
Fixed in policy-1.11.2-18

