Bug 1732956 - dlm_controld needs to execute lvm command
Summary: dlm_controld needs to execute lvm command
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: selinux-policy
Version: 8.1
Hardware: All
OS: Linux
Target Milestone: rc
: 8.1
Assignee: Lukas Vrabec
QA Contact: Milos Malik
Depends On:
Reported: 2019-07-24 20:14 UTC by David Teigland
Modified: 2020-05-22 13:21 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2019-11-05 22:12:08 UTC
Type: Bug
Target Upstream Version:


System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2019:3547 0 None None None 2019-11-05 22:12:18 UTC

Description David Teigland 2019-07-24 20:14:22 UTC
Description of problem:

Copying from bug 1649086:

time->Wed Jul 24 14:32:23 2019
type=PROCTITLE msg=audit(1563996743.271:1477): proctitle=646C6D5F636F6E74726F6C64002D730030
type=SYSCALL msg=audit(1563996743.271:1477): arch=c000003e syscall=59 success=no exit=-13 a0=7ffeb05150c0 a1=7ffeb0515280 a2=7ffeb0515b98 a3=7ffeb0518ec0 items=0 ppid=2221 pid=29252 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dlm_controld" exe="/usr/sbin/dlm_controld" subj=system_u:system_r:dlm_controld_t:s0 key=(null)
type=AVC msg=audit(1563996743.271:1477): avc:  denied  { execute } for  pid=29252 comm="dlm_controld" name="lvm" dev="dm-0" ino=862736 scontext=system_u:system_r:dlm_controld_t:s0 tcontext=system_u:object_r:lvm_exec_t:s0 tclass=file permissive=0
[root@host-114 tmp]# ausearch -ts today -m AVC | audit2allow

Update needed to the selinux policy

#============= dlm_controld_t ==============
allow dlm_controld_t lvm_exec_t:file execute;

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:

Actual results:

Expected results:

Additional info:

Comment 1 Nate Straz 2019-07-24 20:35:23 UTC
Here's a more complete look at the selinux failures in permissive mode.  This probably should be handled with a domain transition.

#============= dlm_controld_t ==============
allow dlm_controld_t fixed_disk_device_t:blk_file { getattr ioctl open read };
allow dlm_controld_t kernel_t:system ipc_info;
allow dlm_controld_t lvm_control_t:chr_file { getattr ioctl open read write };
allow dlm_controld_t lvm_etc_t:dir { getattr search };

#!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'
allow dlm_controld_t lvm_exec_t:file map;
allow dlm_controld_t lvm_exec_t:file { execute execute_no_trans open read };

#!!!! This avc can be allowed using the boolean 'authlogin_nsswitch_use_ldap'
allow dlm_controld_t random_device_t:chr_file read;
allow dlm_controld_t self:capability ipc_lock;

#!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'
allow dlm_controld_t tmp_t:file map;
allow dlm_controld_t udev_var_run_t:file { getattr open read };
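The denial in the description and the larger permissive-mode list above are both the kind of output audit2allow folds into `allow` rules. The following is an added example, not code from the bug or from the selinux-policy project: it parses raw audit records into their source type, target type, class and permission set, merges them into audit2allow-style rules, and flags the case comment 1 points at, where a domain is denied `execute` on another domain's `*_exec_t` entrypoint. A bare `allow` on that file would run lvm inside `dlm_controld_t`, so every device and config access lvm makes then surfaces as a further denial against `dlm_controld_t`; a domain transition to the matching `_t` domain keeps lvm under its own policy. The first three sample records are the ones quoted in the description; the remaining two are constructed to mimic what the lvm child logs in permissive mode, and the `_exec_t` to `_t` mapping is a naming-convention heuristic, not a lookup against the installed policy.

```python
"""Parse SELinux AVC denials from raw audit records, fold them into the
allow rules audit2allow would print, and flag denials that are better
handled by a domain transition than by a blanket allow rule."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Verdict and permission set come first; the rest of the record is key=value pairs.
AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass(frozen=True)
class Avc:
    verdict: str
    perms: frozenset
    scontext: str
    tcontext: str
    tclass: str
    comm: str
    permissive: bool

    @property
    def stype(self) -> str:
        return self.scontext.split(":")[2]  # source (process) type

    @property
    def ttype(self) -> str:
        return self.tcontext.split(":")[2]  # target (object) type


def parse_avc(line: str):
    """Return an Avc for a type=AVC record, or None for any other record type."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return Avc(
        verdict=m.group("verdict"),
        perms=frozenset(m.group("perms").split()),
        scontext=fields["scontext"],
        tcontext=fields["tcontext"],
        tclass=fields["tclass"],
        comm=fields.get("comm", "?"),
        permissive=fields.get("permissive") == "1",
    )


def allow_rules(lines):
    """Merge denials per (source, target, class) into audit2allow-style rules."""
    merged = defaultdict(set)
    for line in lines:
        avc = parse_avc(line)
        if avc and avc.verdict == "denied":
            merged[(avc.stype, avc.ttype, avc.tclass)] |= avc.perms
    rules = []
    for (s, t, c), perms in sorted(merged.items()):
        p = sorted(perms)
        body = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {s} {t}:{c} {body};")
    return rules


def transition_candidates(lines):
    """Denials where a domain executes another domain's entrypoint (*_exec_t).

    Heuristic only: the child domain name is derived from the entrypoint
    type by naming convention (lvm_exec_t -> lvm_t), not read from policy.
    """
    seen = []
    for line in lines:
        avc = parse_avc(line)
        if not avc or avc.tclass != "file" or "execute" not in avc.perms:
            continue
        if avc.ttype.endswith("_exec_t"):
            cand = (avc.stype, avc.ttype, avc.ttype[: -len("_exec_t")] + "_t")
            if cand not in seen:
                seen.append(cand)
    return seen


# Records 1-3 are quoted from the bug report; records 4-5 are constructed
# to resemble what the lvm child logs once dlm_controld runs in permissive mode.
SAMPLE = [
    'type=PROCTITLE msg=audit(1563996743.271:1477): proctitle=646C6D5F636F6E74726F6C64002D730030',
    'type=SYSCALL msg=audit(1563996743.271:1477): arch=c000003e syscall=59 success=no exit=-13 ppid=2221 pid=29252 uid=0 comm="dlm_controld" exe="/usr/sbin/dlm_controld" subj=system_u:system_r:dlm_controld_t:s0 key=(null)',
    'type=AVC msg=audit(1563996743.271:1477): avc:  denied  { execute } for  pid=29252 comm="dlm_controld" name="lvm" dev="dm-0" ino=862736 scontext=system_u:system_r:dlm_controld_t:s0 tcontext=system_u:object_r:lvm_exec_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1563996800.001:1501): avc:  denied  { execute_no_trans } for  pid=29260 comm="dlm_controld" name="lvm" dev="dm-0" ino=862736 scontext=system_u:system_r:dlm_controld_t:s0 tcontext=system_u:object_r:lvm_exec_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1563996800.002:1502): avc:  denied  { open read write } for  pid=29260 comm="lvm" name="control" dev="tmpfs" ino=12345 scontext=system_u:system_r:dlm_controld_t:s0 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file permissive=1',
]

if __name__ == "__main__":
    for rule in allow_rules(SAMPLE):
        print(rule)
    for src, entry, dom in transition_candidates(SAMPLE):
        print(f"# {src} executes {entry}: consider a domain transition to {dom}")
```

Run as a script it prints the two merged rules and one transition hint for `dlm_controld_t` executing `lvm_exec_t`; the constructed `lvm_control_t` denial is exactly the kind of follow-on access that disappears once the child runs in its own domain rather than inheriting `dlm_controld_t`.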

Comment 2 Lukas Vrabec 2019-07-25 14:29:35 UTC
Fixes from Fedora:
commit 01b97b97fbe4b25a0fe2e3fe09a0a4cc619ac97e (HEAD -> rawhide)
Author: Lukas Vrabec <lvrabec@redhat.com>
Date:   Thu Jul 25 16:29:01 2019 +0200

    Allow dlm_controld_t domain to transition to the lvm_t

Comment 17 errata-xmlrpc 2019-11-05 22:12:08 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

