Bug 173030 - (selinux) swapon wants to write /etc/blkid.tab
(selinux) swapon wants to write /etc/blkid.tab
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
rawhide
All Linux
medium Severity medium
: ---
: ---
Assigned To: Daniel Walsh
:
Depends On:
Blocks: FC5Target
  Show dependency treegraph
 
Reported: 2005-11-12 13:49 EST by Nicolas Mailhot
Modified: 2007-11-30 17:11 EST (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-11-14 15:59:26 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Nicolas Mailhot 2005-11-12 13:49:55 EST
Description of problem:

It seems that swapon needs write access to /etc/blkid.tab and is blocked by the
default policy 

audit(1131812561.197:2): avc:  denied  { write } for  pid=1234 comm="swapon"
name="blkid.tab" dev=dm-0 ino=1999275 scontext=system_u:system_r:fsadm_t:s0
tcontext=root:object_r:etc_t:s0 tclass=file
audit(1131812561.197:3): avc:  denied  { write } for  pid=1234 comm="swapon"
name="blkid.tab" dev=dm-0 ino=1999275 scontext=system_u:system_r:fsadm_t:s0
tcontext=root:object_r:etc_t:s0 tclass=file
Adding 2096472k swap on /dev/sda2.  Priority:-1 extents:1 across:2096472k
audit(1131812561.209:4): avc:  denied  { write } for  pid=1234 comm="swapon"
name="blkid.tab" dev=dm-0 ino=1999275 scontext=system_u:system_r:fsadm_t:s0
tcontext=root:object_r:etc_t:s0 tclass=file
audit(1131812561.213:5): avc:  denied  { write } for  pid=1234 comm="swapon"
name="blkid.tab" dev=dm-0 ino=1999275 scontext=system_u:system_r:fsadm_t:s0
tcontext=root:object_r:etc_t:s0 tclass=file
Adding 2096472k swap on /dev/sdb2.  Priority:-2 extents:1 across:2096472k

selinux-policy-targeted-1.27.2-19

(CCing Karel Zak and Ben Levenson so they can confirm swapon needs)
Comment 1 Karel Zak 2005-11-14 03:32:28 EST
Yes, add commands compiled with libblkid (swapon, swapoff, mount, fsck.ext2,
...) need write access to /etc/blkid.tab. 
Comment 2 Daniel Walsh 2005-11-14 11:06:26 EST
/etc/blkid.tab should have a security context of etc_runtime_t on it.  You can
fix this by executing

restorecon /etc/blklid.tab

The question is how did it get this bad context?  Do you know which app created
this file?  Did you boot with selinux disabled?  selinux=0?

Comment 3 Nicolas Mailhot 2005-11-14 13:10:39 EST
I ran for ~ 15min with selinux disabled to do a yum upgrade (policy changes
broke rpm sciplets this week) Also the lvm which contains the / was moved to na
new raid (lvm commands executed from the FC4 install disk manually), so maybe
that's the root of the problem

Should I do a restorecon / ?
Comment 4 Daniel Walsh 2005-11-14 14:25:11 EST
touch /.autorelabel
reboot 

is a better idea.
Comment 5 Nicolas Mailhot 2005-11-14 15:59:26 EST
Ok, this works
Sorry for bothering you - will be more careful next time I move a LVM

Note You need to log in before you can comment on or make changes to this bug.