Bug 215517 - ricci - Need SELinux policy change to handle modstorage accessing fstab and gfs.ko
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: conga
Version: 5.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Jim Parsons
QA Contact: Corey Marthaler
Reported: 2006-11-14 09:52 EST by Len DiMaggio
Modified: 2009-04-16 18:33 EDT
Doc Type: Bug Fix
Last Closed: 2007-03-28 15:40:40 EDT

Attachments:
Audit log (164.29 KB, text/plain), 2006-11-14 09:52 EST, Len DiMaggio

Description Len DiMaggio 2006-11-14 09:52:02 EST
Description of problem:
ricci - Need SELinux policy change to handle modstorage accessing fstab

Version-Release number of selected component (if applicable):
RHEL5-Server-20061102.2
ricci-0.8-23.el5
selinux-policy-2.4.3-11
selinux-policy-devel-2.4.3-11
selinux-policy-targeted-2.4.3-11

How reproducible:
100%

Steps to Reproduce:
1. Start up the ricci service with SELinux=Enforcing or Permissive
2. At luci web app, access the disk storage of the node running ricci
3. Observe the following in the SELinux audit.log:

type=AVC msg=audit(1163515282.660:363): avc:  denied  { write } for  pid=10833
comm="ricci-modstorag" name="fstab" dev=dm-0 ino=3290184
scontext=system_u:system_r:ricci_modstorage_t:s0
tcontext=system_u:object_r:etc_t:s0 tclass=file

type=AVC msg=audit(1163515282.740:364): avc:  denied  { write } for  pid=10833
comm="ricci-modstorag" name="fstab" dev=dm-0 ino=3290184
scontext=system_u:system_r:ricci_modstorage_t:s0
tcontext=system_u:object_r:etc_t:s0 tclass=file

The audit.log file is attached to this bz.

Actual results:
The AVC messages written to the audit.log

Expected results:
No errors

Additional info:
See attachment.
Comment 1 Len DiMaggio 2006-11-14 09:52:04 EST
Created attachment 141152
Audit log
Comment 2 Jim Parsons 2006-11-14 10:51:34 EST
Sorry, Dan - we have another train wreck. mod storage wants to write to
/etc/fstab so that mount info can be persisted.
Comment 3 Len DiMaggio 2006-11-14 16:22:58 EST
Package selinux-policy-2.4.3-13.noarch.rpm solves the above problem with /etc/fstab.

I just spotted a new one:

type=AVC msg=audit(1163538757.095:457): avc:  denied  { read } for  pid=9922
comm="modinfo" name="gfs.ko" dev=dm-0 ino=2543171
scontext=system_u:system_r:ricci_modstorage_t:s0
tcontext=system_u:object_r:modules_object_t:s0 tclass=file
type=AVC msg=audit(1163538757.099:458): avc:  denied  { getattr } for  pid=9922
comm="modinfo" name="gfs.ko" dev=dm-0 ino=2543171
scontext=system_u:system_r:ricci_modstorage_t:s0
tcontext=system_u:object_r:modules_object_t:s0 tclass=file
type=AVC_PATH msg=audit(1163538757.099:458): 
path="/lib/modules/2.6.18-1.2740.el5/extra/gfs/gfs.ko"
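Added example, not part of the bug report or of the conga or selinux-policy code: a small Python parser that reduces the AVC denial records quoted in the description and in Comment 3 to the merged allow rules a policy maintainer would review, the same reduction audit2allow performs before a policy module is built. It assumes the records are stored one per line as in audit.log (the report above shows them wrapped), and it skips the AVC_PATH record, which carries no security contexts.

```python
import re
from collections import defaultdict

# AVC records copied from the report above, re-joined onto one line each as
# audit.log stores them. The AVC_PATH record has no scontext and is skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1163515282.660:363): avc:  denied  { write } for  pid=10833 comm="ricci-modstorag" name="fstab" dev=dm-0 ino=3290184 scontext=system_u:system_r:ricci_modstorage_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1163515282.740:364): avc:  denied  { write } for  pid=10833 comm="ricci-modstorag" name="fstab" dev=dm-0 ino=3290184 scontext=system_u:system_r:ricci_modstorage_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1163538757.095:457): avc:  denied  { read } for  pid=9922 comm="modinfo" name="gfs.ko" dev=dm-0 ino=2543171 scontext=system_u:system_r:ricci_modstorage_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=file
type=AVC msg=audit(1163538757.099:458): avc:  denied  { getattr } for  pid=9922 comm="modinfo" name="gfs.ko" dev=dm-0 ino=2543171 scontext=system_u:system_r:ricci_modstorage_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=file
type=AVC_PATH msg=audit(1163538757.099:458):  path="/lib/modules/2.6.18-1.2740.el5/extra/gfs/gfs.ko"
"""

# Matches only type=AVC records (not AVC_PATH) and captures the denied
# permission set plus the source context, target context and object class.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?'
    r'scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)'
)

def parse_denials(text):
    """Return (source_type, target_type, tclass, frozenset(perms)) for every
    AVC denial record in the text; all other record types are ignored."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        # A context is user:role:type:level; the policy type is the third field.
        stype = m.group("scon").split(":")[2]
        ttype = m.group("tcon").split(":")[2]
        denials.append((stype, ttype, m.group("tclass"),
                        frozenset(m.group("perms").split())))
    return denials

def allow_rules(denials):
    """Collapse denials into one allow rule per (source, target, class) with
    the permissions merged and sorted, so repeated denials produce one line."""
    merged = defaultdict(set)
    for stype, ttype, tclass, perms in denials:
        merged[(stype, ttype, tclass)] |= perms
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(merged.items())]

if __name__ == "__main__":
    for rule in allow_rules(parse_denials(SAMPLE_AUDIT_LOG)):
        print(rule)
```

The two rules it produces describe exactly the access the denials show (ricci_modstorage_t writing etc_t files and reading modules_object_t files); a maintainer would still check whether the target should instead be a narrower type, as the shipped selinux-policy update did rather than opening all of etc_t.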
Comment 4 Daniel Walsh 2006-11-15 08:16:06 EST
Fixed in selinux-policy-2.4.4-1
Comment 5 Len DiMaggio 2006-11-15 13:21:11 EST
Verified to be fixed in selinux-policy-2.4.4-1 - I'll close the bz when the
policy makes it into a build.
Comment 6 Len DiMaggio 2007-01-23 11:19:57 EST
Verified fix with these packages:

modcluster-0.8-27.el5
selinux-policy-2.4.6-28.el5
selinux-policy-targeted-2.4.6-28.el5
