Description of problem:

Copying from bug 1649086:

time->Wed Jul 24 14:32:23 2019
type=PROCTITLE msg=audit(1563996743.271:1477): proctitle=646C6D5F636F6E74726F6C64002D730030
type=SYSCALL msg=audit(1563996743.271:1477): arch=c000003e syscall=59 success=no exit=-13 a0=7ffeb05150c0 a1=7ffeb0515280 a2=7ffeb0515b98 a3=7ffeb0518ec0 items=0 ppid=2221 pid=29252 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dlm_controld" exe="/usr/sbin/dlm_controld" subj=system_u:system_r:dlm_controld_t:s0 key=(null)
type=AVC msg=audit(1563996743.271:1477): avc: denied { execute } for pid=29252 comm="dlm_controld" name="lvm" dev="dm-0" ino=862736 scontext=system_u:system_r:dlm_controld_t:s0 tcontext=system_u:object_r:lvm_exec_t:s0 tclass=file permissive=0

[root@host-114 tmp]# ausearch -ts today -m AVC | audit2allow

Update needed to the selinux policy

#============= dlm_controld_t ==============
allow dlm_controld_t lvm_exec_t:file execute;

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
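The three records in the description above, correlated into one event: an added example, not part of the bug report or of any audit tooling, that decodes the hex proctitle, reads the failed syscall and rebuilds the rule audit2allow printed. The function names are illustrative, and it assumes every record passed in belongs to the same audit event.

```python
import re

# Records copied from the report above; the SYSCALL record is trimmed to the fields used here.
RECORDS = [
    'type=PROCTITLE msg=audit(1563996743.271:1477): proctitle=646C6D5F636F6E74726F6C64002D730030',
    'type=SYSCALL msg=audit(1563996743.271:1477): arch=c000003e syscall=59 success=no exit=-13 comm="dlm_controld" exe="/usr/sbin/dlm_controld"',
    'type=AVC msg=audit(1563996743.271:1477): avc: denied { execute } for pid=29252 comm="dlm_controld" name="lvm" dev="dm-0" ino=862736 scontext=system_u:system_r:dlm_controld_t:s0 tcontext=system_u:object_r:lvm_exec_t:s0 tclass=file permissive=0',
]

def fields(record):
    """Return the key=value pairs of one audit record, with quotes stripped."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', record)}

def decode_proctitle(value):
    """auditd hex-encodes the command line when it holds NUL argument separators."""
    if value.startswith('"'):
        return value.strip('"')  # plain, quoted form: nothing to decode
    argv = bytes.fromhex(value).split(b'\x00')
    return ' '.join(a.decode('utf-8', 'replace') for a in argv)

def allow_rule(avc_record):
    """Build the allow rule that corresponds to a single denied AVC record."""
    f = fields(avc_record)
    perms = re.search(r'denied\s+\{([^}]*)\}', avc_record).group(1).split()
    src, tgt = (f[k].split(':')[2] for k in ('scontext', 'tcontext'))  # type is field 3
    perm_str = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return f"allow {src} {tgt}:{f['tclass']} {perm_str};"

def triage(records):
    """Merge the PROCTITLE, SYSCALL and AVC records of one event into a summary."""
    event = {}
    for rec in records:
        f = fields(rec)
        event['id'] = re.search(r'audit\(([\d.]+:\d+)\)', rec).group(1)
        if f['type'] == 'PROCTITLE':
            event['cmdline'] = decode_proctitle(re.search(r'proctitle=(\S+)', rec).group(1))
        elif f['type'] == 'SYSCALL':
            # arch=c000003e is x86_64, where syscall 59 is execve; exit=-13 is -EACCES.
            event['exe'], event['exit'] = f['exe'], int(f['exit'])
        elif f['type'] == 'AVC':
            event['target'], event['rule'] = f['name'], allow_rule(rec)
    return event

if __name__ == '__main__':
    print(triage(RECORDS))
```
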
Here's a more complete look at the selinux failures in permissive mode. This probably should be handled with a domain transition.

#============= dlm_controld_t ==============
allow dlm_controld_t fixed_disk_device_t:blk_file { getattr ioctl open read };
allow dlm_controld_t kernel_t:system ipc_info;
allow dlm_controld_t lvm_control_t:chr_file { getattr ioctl open read write };
allow dlm_controld_t lvm_etc_t:dir { getattr search };

#!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'
allow dlm_controld_t lvm_exec_t:file map;
allow dlm_controld_t lvm_exec_t:file { execute execute_no_trans open read };

#!!!! This avc can be allowed using the boolean 'authlogin_nsswitch_use_ldap'
allow dlm_controld_t random_device_t:chr_file read;
allow dlm_controld_t self:capability ipc_lock;

#!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'
allow dlm_controld_t tmp_t:file map;
allow dlm_controld_t udev_var_run_t:file { getattr open read };
Fixes from Fedora:

commit 01b97b97fbe4b25a0fe2e3fe09a0a4cc619ac97e (HEAD -> rawhide)
Author: Lukas Vrabec <lvrabec@redhat.com>
Date:   Thu Jul 25 16:29:01 2019 +0200

    Allow dlm_controld_t domain to transition to the lvm_t
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:3547