Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1732956

Summary: dlm_controld needs to execute lvm command
Product: Red Hat Enterprise Linux 8 Reporter: David Teigland <teigland>
Component: selinux-policyAssignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: medium Docs Contact:
Priority: medium    
Version: 8.1CC: cluster-qe, lvrabec, mmalik, nstraz, plautrba, ssekidde, swhiteho, zpytela
Target Milestone: rcKeywords: AutoVerified
Target Release: 8.1Flags: pm-rhel: mirror+
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-11-05 22:12:08 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description David Teigland 2019-07-24 20:14:22 UTC 
Description of problem:

Copying from bug 1649086:

time->Wed Jul 24 14:32:23 2019
type=PROCTITLE msg=audit(1563996743.271:1477): proctitle=646C6D5F636F6E74726F6C64002D730030
type=SYSCALL msg=audit(1563996743.271:1477): arch=c000003e syscall=59 success=no exit=-13 a0=7ffeb05150c0 a1=7ffeb0515280 a2=7ffeb0515b98 a3=7ffeb0518ec0 items=0 ppid=2221 pid=29252 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dlm_controld" exe="/usr/sbin/dlm_controld" subj=system_u:system_r:dlm_controld_t:s0 key=(null)
type=AVC msg=audit(1563996743.271:1477): avc:  denied  { execute } for  pid=29252 comm="dlm_controld" name="lvm" dev="dm-0" ino=862736 scontext=system_u:system_r:dlm_controld_t:s0 tcontext=system_u:object_r:lvm_exec_t:s0 tclass=file permissive=0
[root@host-114 tmp]# ausearch -ts today -m AVC | audit2allow


Update needed to the selinux policy

#============= dlm_controld_t ==============
allow dlm_controld_t lvm_exec_t:file execute;


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:
Comment 1 Nate Straz 2019-07-24 20:35:23 UTC 
Here's a more complete look at what selinux failures in permissive mode.  This probably should be handled with a domain transition.


#============= dlm_controld_t ==============
allow dlm_controld_t fixed_disk_device_t:blk_file { getattr ioctl open read };
allow dlm_controld_t kernel_t:system ipc_info;
allow dlm_controld_t lvm_control_t:chr_file { getattr ioctl open read write };
allow dlm_controld_t lvm_etc_t:dir { getattr search };

#!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'
allow dlm_controld_t lvm_exec_t:file map;
allow dlm_controld_t lvm_exec_t:file { execute execute_no_trans open read };

#!!!! This avc can be allowed using the boolean 'authlogin_nsswitch_use_ldap'
allow dlm_controld_t random_device_t:chr_file read;
allow dlm_controld_t self:capability ipc_lock;

#!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'
allow dlm_controld_t tmp_t:file map;
allow dlm_controld_t udev_var_run_t:file { getattr open read };
Comment 2 Lukas Vrabec 2019-07-25 14:29:35 UTC 
Fixes from Fedora:
commit 01b97b97fbe4b25a0fe2e3fe09a0a4cc619ac97e (HEAD -> rawhide)
Author: Lukas Vrabec <lvrabec>
Date:   Thu Jul 25 16:29:01 2019 +0200

    Allow dlm_controld_t domain to transition to the lvm_t
Comment 17 errata-xmlrpc 2019-11-05 22:12:08 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:3547