Bug 224028 - SELinux type=AVC - denied messages seen for various Conga tasks
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: conga
Version: 5.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assignee: Jim Parsons
QA Contact: Corey Marthaler
 
Reported: 2007-01-23 18:31 UTC by Len DiMaggio
Modified: 2009-04-16 22:34 UTC (History)

Fixed In Version: 5.0
Doc Type: Bug Fix
Last Closed: 2007-05-07 18:28:57 UTC

Attachments:
audit.log from ricci (cluster) node (55.58 KB, text/plain)
2007-01-23 19:00 UTC, Len DiMaggio

Description Len DiMaggio 2007-01-23 18:31:33 UTC
Description of problem:
SELinux avc: type=AVC - denied  { search } for ricci-modrpm

Version-Release number of selected component (if applicable):
ricci-0.8-29.el5
selinux-policy-2.4.6-28.el5
selinux-policy-targeted-2.4.6-28.el5

How reproducible:
100%

Steps to Reproduce:
1. Create a new cluster via luci
2. Observe the search denied error listed below in the /var/log/audit/audit.log
on the cluster nodes 
3. No error is reported to the user via luci
  
Actual results:
type=AVC msg=audit(1169575594.393:43): avc:  denied  { search } for  pid=7409
comm="ricci-modrpm" name="sys" dev=proc ino=-268435428
scontext=system_u:system_r:ricci_modrpm_t:s0
tcontext=system_u:object_r:sysctl_t:s0 tclass=dir

Expected results:
No such denied  { search } messages

Additional info:

Comment 1 Len DiMaggio 2007-01-23 18:56:27 UTC
Correction - with SELINUX=enforcing - creating a new cluster fails. audit.log
lists these AVC messages


type=AVC msg=audit(1169578022.423:20): avc:  denied  { search } for  pid=2375
comm="ricci-modrpm" name="sys" dev=proc ino=-268435428
scontext=system_u:system_r:ricci_modrpm_t:s0
tcontext=system_u:object_r:sysctl_t:s0 tclass=dir
type=AVC msg=audit(1169578022.423:20): avc:  denied  { search } for  pid=2375
comm="ricci-modrpm" name="kernel" dev=proc ino=-268435416
scontext=system_u:system_r:ricci_modrpm_t:s0
tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=dir
type=AVC msg=audit(1169578022.423:20): avc:  denied  { read } for  pid=2375
comm="ricci-modrpm" name="osrelease" dev=proc ino=-268435414
scontext=system_u:system_r:ricci_modrpm_t:s0
tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file

----------------- Node reboots ---------------------

type=AVC msg=audit(1169578176.313:7): avc:  denied  { search } for  pid=2182
comm="ricci-modrpm" name="sys" dev=proc ino=-268435428
scontext=system_u:system_r:ricci_modrpm_t:s0
tcontext=system_u:object_r:sysctl_t:s0 tclass=dir


Comment 2 Len DiMaggio 2007-01-23 19:00:40 UTC
Created attachment 146337
audit.log from ricci (cluster) node 

I just saw an additional error for aisexec - the audit.log is attached - I'll
talk to Dan W. and will append additional conga-specific SELinux problems to
this bz.

type=AVC msg=audit(1169566510.494:7): avc:  denied  { search } for  pid=1722
comm="aisexec" name="lib" dev=dm-0 ino=359042
scontext=system_u:system_r:ccs_t:s0 tcontext=system_u:object_r:var_lib_t:s0
tclass=dir

Comment 3 Len DiMaggio 2007-01-23 19:53:13 UTC
The test servers also have openais-0.80.2-1.el5 installed.

Comment 4 Len DiMaggio 2007-01-23 21:01:37 UTC
Seeing these errors with:  

selinux-policy-2.4.6-29
selinux-policy-devel-2.4.6-29
selinux-policy-targeted-2.4.6-29

type=AVC msg=audit(1169585021.575:9): avc:  denied  { create } for  pid=2352
comm="aisexec" name="openais" scontext=system_u:system_r:ccs_t:s0
tcontext=system_u:object_r:ccs_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1169585021.617:10): avc:  denied  { write } for  pid=2352
comm="aisexec" name="sbin" dev=dm-0 ino=1305602
scontext=system_u:system_r:ccs_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=dir


Comment 5 Len DiMaggio 2007-01-23 21:03:09 UTC
Additional errors - this time when the cluster was created with shared storage
(clvm) enabled:


The system is going down for reboot NOW!

type=AVC msg=audit(1169585810.806:29): avc:  denied  { write } for  pid=3275
comm="chkconfig" name="rc0.d" dev=dm-0 ino=2056381
scontext=system_u:system_r:ricci_modservice_t:s0
tcontext=system_u:object_r:etc_t:s0 tclass=dir
type=AVC msg=audit(1169585810.806:29): avc:  denied  { remove_name } for 
pid=3275 comm="chkconfig" name="K74ipmi" dev=dm-0 ino=2056329
scontext=system_u:system_r:ricci_modservice_t:s0
tcontext=system_u:object_r:etc_t:s0 tclass=dir
type=AVC msg=audit(1169585810.806:29): avc:  denied  { unlink } for  pid=3275
comm="chkconfig" name="K74ipmi" dev=dm-0 ino=2056329
scontext=system_u:system_r:ricci_modservice_t:s0 tcontext=root:object_r:etc_t:s0
tclass=lnk_file
type=AVC msg=audit(1169585810.808:30): avc:  denied  { add_name } for  pid=3275
comm="chkconfig" name="K74ipmi" scontext=system_u:system_r:ricci_modservice_t:s0
tcontext=system_u:object_r:etc_t:s0 tclass=dir
type=AVC msg=audit(1169585810.808:30): avc:  denied  { create } for  pid=3275
comm="chkconfig" name="K74ipmi" scontext=system_u:system_r:ricci_modservice_t:s0
tcontext=system_u:object_r:etc_t:s0 tclass=lnk_file
type=AVC msg=audit(1169585810.820:31): avc:  denied  { unlink } for  pid=3275
comm="chkconfig" name="K76clvmd" dev=dm-0 ino=2057373
scontext=system_u:system_r:ricci_modservice_t:s0
tcontext=system_u:object_r:etc_t:s0 tclass=lnk_file

Connection to tng3-1.lab.msp.redhat.com closed by remote host.

type=AVC msg=audit(1169585959.102:12): avc:  denied  { write } for  pid=2307
comm="aisexec" name="ringid_10.15.89.174" dev=dm-0 ino=2284808
scontext=system_u:system_r:ccs_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
type=AVC msg=audit(1169585972.149:20): avc:  denied  { connectto } for  pid=2416
comm="vgscan"
path=00636C766D64000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
scontext=system_u:system_r:lvm_t:s0 tcontext=system_u:system_r:clvmd_t:s0
tclass=unix_stream_socket
type=AVC msg=audit(1169585972.767:21): avc:  denied  { write } for  pid=2417
comm="lvm" name=".cache" dev=dm-0 ino=2057277
scontext=system_u:system_r:lvm_t:s0 tcontext=root:object_r:lvm_etc_t:s0 tclass=file
type=AVC msg=audit(1169585972.769:22): avc:  denied  { unlink } for  pid=2417
comm="lvm" name=".cache" dev=dm-0 ino=2057277
scontext=system_u:system_r:lvm_t:s0 tcontext=root:object_r:lvm_etc_t:s0 tclass=file
type=AVC msg=audit(1169585972.924:23): avc:  denied  { getattr } for  pid=2415
comm="clvmd" name="001" dev=tmpfs ino=3337 scontext=system_u:system_r:clvmd_t:s0
tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file
type=AVC_PATH msg=audit(1169585972.924:23):  path="/dev/bus/usb/001/001"
type=AVC msg=audit(1169585972.925:24): avc:  denied  { getattr } for  pid=2415
comm="clvmd" name="hdd" dev=tmpfs ino=3406 scontext=system_u:system_r:clvmd_t:s0
tcontext=system_u:object_r:removable_device_t:s0 tclass=blk_file
type=AVC_PATH msg=audit(1169585972.925:24):  path="/dev/hdd"
type=AVC msg=audit(1169585972.926:25): avc:  denied  { getattr } for  pid=2415
comm="clvmd" name="kcore" dev=proc ino=-268435434
scontext=system_u:system_r:clvmd_t:s0 tcontext=system_u:object_r:proc_kcore_t:s0
tclass=file
type=AVC_PATH msg=audit(1169585972.926:25):  path="/proc/kcore"
type=AVC msg=audit(1169585972.928:26): avc:  denied  { getattr } for  pid=2415
comm="clvmd" name="gpmctl" dev=tmpfs ino=6662
scontext=system_u:system_r:clvmd_t:s0 tcontext=system_u:object_r:gpmctl_t:s0
tclass=sock_file
type=AVC_PATH msg=audit(1169585972.928:26):  path="/dev/gpmctl"
type=AVC msg=audit(1169585972.928:27): avc:  denied  { getattr } for  pid=2415
comm="clvmd" name="initctl" dev=tmpfs ino=953
scontext=system_u:system_r:clvmd_t:s0 tcontext=system_u:object_r:initctl_t:s0
tclass=fifo_file
type=AVC_PATH msg=audit(1169585972.928:27):  path="/dev/initctl"
type=AVC msg=audit(1169585972.928:28): avc:  denied  { getattr } for  pid=2415
comm="clvmd" name="event0" dev=tmpfs ino=3384
scontext=system_u:system_r:clvmd_t:s0
tcontext=system_u:object_r:event_device_t:s0 tclass=chr_file
type=AVC_PATH msg=audit(1169585972.928:28):  path="/dev/input/event0"
type=AVC msg=audit(1169585972.929:29): avc:  denied  { getattr } for  pid=2415
comm="clvmd" name="mice" dev=tmpfs ino=2383
scontext=system_u:system_r:clvmd_t:s0
tcontext=system_u:object_r:mouse_device_t:s0 tclass=chr_file
type=AVC_PATH msg=audit(1169585972.929:29):  path="/dev/input/mice"
type=AVC msg=audit(1169585972.929:30): avc:  denied  { getattr } for  pid=2415
comm="clvmd" name="kmsg" dev=tmpfs ino=1550
scontext=system_u:system_r:clvmd_t:s0
tcontext=system_u:object_r:printk_device_t:s0 tclass=chr_file
type=AVC_PATH msg=audit(1169585972.929:30):  path="/dev/kmsg"
type=AVC msg=audit(1169585972.929:31): avc:  denied  { getattr } for  pid=2415
comm="clvmd" name="MAKEDEV" dev=dm-0 ino=2742024
scontext=system_u:system_r:clvmd_t:s0 tcontext=system_u:object_r:sbin_t:s0
tclass=file
type=AVC_PATH msg=audit(1169585972.929:31):  path="/sbin/MAKEDEV"
type=AVC msg=audit(1169585972.929:32): avc:  denied  { getattr } for  pid=2415
comm="clvmd" name="control" dev=tmpfs ino=719
scontext=system_u:system_r:clvmd_t:s0
tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file
type=AVC_PATH msg=audit(1169585972.929:32):  path="/dev/mapper/control"
type=AVC msg=audit(1169585972.929:33): avc:  denied  { getattr } for  pid=2415
comm="clvmd" name="mem" dev=tmpfs ino=1602 scontext=system_u:system_r:clvmd_t:s0
tcontext=system_u:object_r:memory_device_t:s0 tclass=chr_file
type=AVC_PATH msg=audit(1169585972.929:33):  path="/dev/mem"
type=AVC msg=audit(1169585972.930:34): avc:  denied  { getattr } for  pid=2415
comm="clvmd" name="tun" dev=tmpfs ino=1201 scontext=system_u:system_r:clvmd_t:s0
tcontext=system_u:object_r:tun_tap_device_t:s0 tclass=chr_file
type=AVC_PATH msg=audit(1169585972.930:34):  path="/dev/net/tun"
type=AVC msg=audit(1169585972.930:35): avc:  denied  { getattr } for  pid=2415
comm="clvmd" name="nvram" dev=tmpfs ino=2422
scontext=system_u:system_r:clvmd_t:s0
tcontext=system_u:object_r:nvram_device_t:s0 tclass=chr_file
type=AVC_PATH msg=audit(1169585972.930:35):  path="/dev/nvram"
type=AVC msg=audit(1169585972.930:36): avc:  denied  { getattr } for  pid=2415
comm="clvmd" name="parport0" dev=tmpfs ino=1192
scontext=system_u:system_r:clvmd_t:s0
tcontext=system_u:object_r:printer_device_t:s0 tclass=chr_file
type=AVC_PATH msg=audit(1169585972.930:36):  path="/dev/parport0"
type=AVC msg=audit(1169585972.930:37): avc:  denied  { getattr } for  pid=2415
comm="clvmd" name="ppp" dev=tmpfs ino=1205 scontext=system_u:system_r:clvmd_t:s0
tcontext=system_u:object_r:ppp_device_t:s0 tclass=chr_file
type=AVC_PATH msg=audit(1169585972.930:37):  path="/dev/ppp"
type=AVC msg=audit(1169585972.930:38): avc:  denied  { getattr } for  pid=2415
comm="clvmd" name="ptmx" dev=tmpfs ino=628 scontext=system_u:system_r:clvmd_t:s0
tcontext=system_u:object_r:ptmx_t:s0 tclass=chr_file
type=AVC_PATH msg=audit(1169585972.930:38):  path="/dev/ptmx"
type=AVC msg=audit(1169585972.931:39): avc:  denied  { getattr } for  pid=2415
comm="clvmd" name="random" dev=tmpfs ino=1574
scontext=system_u:system_r:clvmd_t:s0
tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file
type=AVC_PATH msg=audit(1169585972.931:39):  path="/dev/random"
type=AVC msg=audit(1169585972.931:40): avc:  denied  { getattr } for  pid=2415
comm="clvmd" name="rtc" dev=tmpfs ino=629 scontext=system_u:system_r:clvmd_t:s0
tcontext=system_u:object_r:clock_device_t:s0 tclass=chr_file
type=AVC_PATH msg=audit(1169585972.931:40):  path="/dev/rtc"
type=AVC msg=audit(1169585972.931:41): avc:  denied  { getattr } for  pid=2415
comm="clvmd" name="sg0" dev=tmpfs ino=4062 scontext=system_u:system_r:clvmd_t:s0
tcontext=system_u:object_r:scsi_generic_device_t:s0 tclass=chr_file
type=AVC_PATH msg=audit(1169585972.931:41):  path="/dev/sg0"
type=AVC msg=audit(1169585972.931:42): avc:  denied  { getattr } for  pid=2415
comm="clvmd" name="/" dev=tmpfs ino=4829 scontext=system_u:system_r:clvmd_t:s0
tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=AVC_PATH msg=audit(1169585972.931:42):  path="/dev/shm"
type=AVC msg=audit(1169585972.931:43): avc:  denied  { read } for  pid=2415
comm="clvmd" name="/" dev=tmpfs ino=4829 scontext=system_u:system_r:clvmd_t:s0
tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=AVC msg=audit(1169585972.932:44): avc:  denied  { getattr } for  pid=2415
comm="clvmd" name="snapshot" dev=tmpfs ino=2446
scontext=system_u:system_r:clvmd_t:s0 tcontext=system_u:object_r:apm_bios_t:s0
tclass=chr_file
type=AVC_PATH msg=audit(1169585972.932:44):  path="/dev/snapshot"
type=AVC msg=audit(1169585972.932:45): avc:  denied  { ptrace } for  pid=2415
comm="clvmd" scontext=system_u:system_r:clvmd_t:s0
tcontext=system_u:system_r:clvmd_t:s0 tclass=process
type=AVC msg=audit(1169585972.933:46): avc:  denied  { getattr } for  pid=2415
comm="clvmd" name="urandom" dev=tmpfs ino=1559
scontext=system_u:system_r:clvmd_t:s0
tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=AVC_PATH msg=audit(1169585972.933:46):  path="/dev/urandom"
type=AVC msg=audit(1169585973.183:47): avc:  denied  { read } for  pid=2415
comm="clvmd" name="hdd" dev=tmpfs ino=3406 scontext=system_u:system_r:clvmd_t:s0
tcontext=system_u:object_r:removable_device_t:s0 tclass=blk_file
type=AVC msg=audit(1169585973.253:48): avc:  denied  { read write } for 
pid=2415 comm="clvmd" name="control" dev=tmpfs ino=719
scontext=system_u:system_r:clvmd_t:s0
tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file
type=AVC msg=audit(1169585973.254:49): avc:  denied  { ioctl } for  pid=2415
comm="clvmd" name="control" dev=tmpfs ino=719
scontext=system_u:system_r:clvmd_t:s0
tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file
type=AVC_PATH msg=audit(1169585973.254:49):  path="/dev/mapper/control"


Comment 6 Len DiMaggio 2007-01-24 15:27:11 UTC
With:
selinux-policy-2.4.6-30.el5
selinux-policy-targeted-2.4.6-30.el5

Now seeing these AVC messages after the cluster nodes reboot:


type=AVC msg=audit(1169652313.674:13): avc:  denied  { getattr } for  pid=2445
comm="clvmd" name="kcore" dev=proc ino=-268435434
scontext=system_u:system_r:clvmd_t:s0 tcontext=system_u:object_r:proc_kcore_t:s0
tclass=file
type=AVC_PATH msg=audit(1169652313.674:13):  path="/proc/kcore"
type=AVC msg=audit(1169652313.675:14): avc:  denied  { getattr } for  pid=2445
comm="clvmd" name="initctl" dev=tmpfs ino=953
scontext=system_u:system_r:clvmd_t:s0 tcontext=system_u:object_r:initctl_t:s0
tclass=fifo_file
type=AVC_PATH msg=audit(1169652313.675:14):  path="/dev/initctl"
type=AVC msg=audit(1169652313.676:15): avc:  denied  { getattr } for  pid=2445
comm="clvmd" name="MAKEDEV" dev=dm-0 ino=2742024
scontext=system_u:system_r:clvmd_t:s0 tcontext=system_u:object_r:sbin_t:s0
tclass=file
type=AVC_PATH msg=audit(1169652313.676:15):  path="/sbin/MAKEDEV"
type=AVC msg=audit(1169652313.677:16): avc:  denied  { getattr } for  pid=2445
comm="clvmd" name="/" dev=tmpfs ino=4822 scontext=system_u:system_r:clvmd_t:s0
tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=AVC_PATH msg=audit(1169652313.677:16):  path="/dev/shm"
type=AVC msg=audit(1169652313.677:17): avc:  denied  { read } for  pid=2445
comm="clvmd" name="/" dev=tmpfs ino=4822 scontext=system_u:system_r:clvmd_t:s0
tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=AVC msg=audit(1169652313.805:18): avc:  denied  { read } for  pid=2445
comm="clvmd" name="hdd" dev=tmpfs ino=3488 scontext=system_u:system_r:clvmd_t:s0
tcontext=system_u:object_r:removable_device_t:s0 tclass=blk_file


Comment 7 Daniel Walsh 2007-01-24 15:40:32 UTC
Added rules to fix this to selinux-policy-2.4.6-31.el5

Comment 8 Len DiMaggio 2007-01-24 16:11:49 UTC
A couple more:

type=AVC msg=audit(1169653773.919:19): avc:  denied  { unlink } for  pid=4582
comm="chkconfig" name="K74ipmi" dev=dm-0 ino=2056329
scontext=system_u:system_r:ricci_modservice_t:s0
tcontext=system_u:object_r:etc_t:s0 tclass=lnk_file
type=AVC msg=audit(1169653773.919:20): avc:  denied  { create } for  pid=4582
comm="chkconfig" name="K74ipmi" scontext=system_u:system_r:ricci_modservice_t:s0
tcontext=system_u:object_r:etc_t:s0 tclass=lnk_file



Comment 9 Len DiMaggio 2007-01-24 16:20:42 UTC
And this:

type=AVC msg=audit(1169655513.340:27): avc:  denied  { sys_admin } for  pid=2417
comm="clvmd" capability=21 scontext=system_u:system_r:clvmd_t:s0
tcontext=system_u:system_r:clvmd_t:s0 tclass=capability


Comment 10 Len DiMaggio 2007-01-24 20:35:01 UTC
Additional AVC messages:   


type=AVC msg=audit(1169668712.387:151): avc:  denied  { read } for  pid=19334
comm="pidof" name="exe" dev=proc ino=154337288
scontext=system_u:system_r:ricci_modstorage_t:s0
tcontext=system_u:system_r:initrc_t:s0 tclass=lnk_file
type=AVC msg=audit(1169668712.387:151): avc:  denied  { ptrace } for  pid=19334
comm="pidof" scontext=system_u:system_r:ricci_modstorage_t:s0
tcontext=system_u:system_r:initrc_t:s0 tclass=process
type=AVC msg=audit(1169668712.388:152): avc:  denied  { search } for  pid=19334
comm="pidof" name="2399" dev=proc ino=157220866
scontext=system_u:system_r:ricci_modstorage_t:s0
tcontext=system_u:system_r:clvmd_t:s0 tclass=dir
type=AVC msg=audit(1169668712.388:152): avc:  denied  { read } for  pid=19334
comm="pidof" name="stat" dev=proc ino=157220877
scontext=system_u:system_r:ricci_modstorage_t:s0
tcontext=system_u:system_r:clvmd_t:s0 tclass=file
type=AVC msg=audit(1169668712.388:153): avc:  denied  { getattr } for  pid=19334
comm="pidof" name="stat" dev=proc ino=157220877
scontext=system_u:system_r:ricci_modstorage_t:s0
tcontext=system_u:system_r:clvmd_t:s0 tclass=file
type=AVC_PATH msg=audit(1169668712.388:153):  path="/proc/2399/stat"
type=AVC msg=audit(1169668712.388:154): avc:  denied  { read } for  pid=19334
comm="pidof" name="exe" dev=proc ino=157220872
scontext=system_u:system_r:ricci_modstorage_t:s0
tcontext=system_u:system_r:clvmd_t:s0 tclass=lnk_file
type=AVC msg=audit(1169668712.388:154): avc:  denied  { ptrace } for  pid=19334
comm="pidof" scontext=system_u:system_r:ricci_modstorage_t:s0
tcontext=system_u:system_r:clvmd_t:s0 tclass=process
type=AVC msg=audit(1169668712.394:155): avc:  denied  { ptrace } for  pid=19334
comm="pidof" scontext=system_u:system_r:ricci_modstorage_t:s0
tcontext=root:system_r:unconfined_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1169668712.396:156): avc:  denied  { ptrace } for  pid=19334
comm="pidof" scontext=system_u:system_r:ricci_modstorage_t:s0
tcontext=system_u:system_r:ricci_modstorage_t:s0 tclass=process
type=AVC msg=audit(1169668712.997:157): avc:  denied  { sys_admin } for 
pid=2427 comm="clvmd" capability=21 scontext=system_u:system_r:clvmd_t:s0
tcontext=system_u:system_r:clvmd_t:s0 tclass=capability
type=AVC msg=audit(1169668713.034:158): avc:  denied  { search } for  pid=19339
comm="touch" name="lock" dev=dm-0 ino=359073
scontext=system_u:system_r:ricci_modstorage_t:s0
tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
type=AVC msg=audit(1169668713.034:158): avc:  denied  { write } for  pid=19339
comm="touch" name="clvmd" dev=dm-0 ino=359617
scontext=system_u:system_r:ricci_modstorage_t:s0
tcontext=system_u:object_r:var_lock_t:s0 tclass=file


Comment 11 Len DiMaggio 2007-01-26 02:54:01 UTC
Just saw these with: 
selinux-policy-2.4.6-31
selinux-policy-devel-2.4.6-31
selinux-policy-targeted-2.4.6-31

type=AVC msg=audit(1169740819.574:7): avc:  denied  { search } for  pid=2083
comm="lvmconf" name="nscd" dev=dm-0 ino=359391
scontext=system_u:system_r:ricci_modstorage_t:s0
tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=dir
type=AVC msg=audit(1169740819.600:8): avc:  denied  { write } for  pid=2083
comm="lvmconf" name="lvm" dev=dm-0 ino=2056322
scontext=system_u:system_r:ricci_modstorage_t:s0
tcontext=system_u:object_r:lvm_etc_t:s0 tclass=dir
type=AVC msg=audit(1169740819.600:8): avc:  denied  { add_name } for  pid=2083
comm="lvmconf" name=".lvmconf-script.tmp"
scontext=system_u:system_r:ricci_modstorage_t:s0
tcontext=system_u:object_r:lvm_etc_t:s0 tclass=dir
type=AVC msg=audit(1169740819.600:8): avc:  denied  { create } for  pid=2083
comm="lvmconf" name=".lvmconf-script.tmp"
scontext=system_u:system_r:ricci_modstorage_t:s0
tcontext=system_u:object_r:lvm_etc_t:s0 tclass=file
type=AVC msg=audit(1169740819.602:9): avc:  denied  { write } for  pid=2083
comm="lvmconf" name=".lvmconf-script.tmp" dev=dm-0 ino=2057876
scontext=system_u:system_r:ricci_modstorage_t:s0
tcontext=system_u:object_r:lvm_etc_t:s0 tclass=file
type=AVC_PATH msg=audit(1169740819.602:9):  path="/etc/lvm/.lvmconf-script.tmp"
type=AVC msg=audit(1169740819.621:10): avc:  denied  { remove_name } for 
pid=2091 comm="rm" name=".lvmconf-script.tmp" dev=dm-0 ino=2057876
scontext=system_u:system_r:ricci_modstorage_t:s0
tcontext=system_u:object_r:lvm_etc_t:s0 tclass=dir
type=AVC msg=audit(1169740819.621:10): avc:  denied  { unlink } for  pid=2091
comm="rm" name=".lvmconf-script.tmp" dev=dm-0 ino=2057876
scontext=system_u:system_r:ricci_modstorage_t:s0
tcontext=system_u:object_r:lvm_etc_t:s0 tclass=file
type=AVC msg=audit(1169740902.076:17): avc:  denied  { add_name } for  pid=2310
comm="aisexec" name="core.2310" scontext=system_u:system_r:ccs_t:s0
tcontext=system_u:object_r:sbin_t:s0 tclass=dir
type=AVC msg=audit(1169740902.076:17): avc:  denied  { create } for  pid=2310
comm="aisexec" name="core.2310" scontext=system_u:system_r:ccs_t:s0
tcontext=system_u:object_r:sbin_t:s0 tclass=file
type=AVC msg=audit(1169740902.076:17): avc:  denied  { write } for  pid=2310
comm="aisexec" name="core.2310" dev=dm-0 ino=1315044
scontext=system_u:system_r:ccs_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=file
type=AVC msg=audit(1169763958.003:86): avc:  denied  { rmdir } for  pid=30893
comm="lvremove" name="new_vg" dev=tmpfs ino=4749
scontext=root:system_r:lvm_t:s0-s0:c0.c1023
tcontext=system_u:object_r:device_t:s0 tclass=dir
type=AVC msg=audit(1169764955.610:90): avc:  denied  { rmdir } for  pid=32300
comm="lvremove" name="new_vol_group" dev=tmpfs ino=331676
scontext=root:system_r:lvm_t:s0-s0:c0.c1023 tcontext=root:object_r:device_t:s0
tclass=dir


Comment 12 Len DiMaggio 2007-01-31 14:27:38 UTC
Hadn't seen this one before:

type=AVC msg=audit(1170252416.439:12): avc:  denied  { read } for  pid=2402
comm="clvmd" name="hdd" dev=tmpfs ino=3330 scontext=system_u:system_r:clvmd_t:s0
tcontext=system_u:object_r:removable_device_t:s0 tclass=blk_file


Note: name="hdd"

Comment 13 Daniel Walsh 2007-02-01 21:32:59 UTC
Fixed in selinux-policy-2.4.6-35

Comment 14 Kiersten (Kerri) Anderson 2007-04-23 17:10:55 UTC
Fixing Product Name.  Cluster Suite was merged into Enterprise Linux for version
5.0.

Comment 17 Kiersten (Kerri) Anderson 2007-05-07 18:05:36 UTC
Think this one was fixed in rhel5.0 release.  Jim, please close if that is true.
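
Added example, not part of the bug report or of any Red Hat tool: the denials quoted in the comments above arrive wrapped across lines and repeat the same access many times, so triage starts by rejoining each record and collapsing it to a distinct (source type, target type, class) tuple with its permissions. The function names and the two "review" sets are assumptions made for this example.

```python
import re

# Records copied from Comments 1, 5 and 9 of this report, wrapped the way
# Bugzilla displays them; the "Node reboots" line is non-audit noise.
SAMPLE = """\
type=AVC msg=audit(1169578022.423:20): avc:  denied  { read } for  pid=2375
comm="ricci-modrpm" name="osrelease" dev=proc ino=-268435414
scontext=system_u:system_r:ricci_modrpm_t:s0
tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file

----------------- Node reboots ---------------------
type=AVC msg=audit(1169585972.929:33): avc:  denied  { getattr } for  pid=2415
comm="clvmd" name="mem" dev=tmpfs ino=1602 scontext=system_u:system_r:clvmd_t:s0
tcontext=system_u:object_r:memory_device_t:s0 tclass=chr_file
type=AVC_PATH msg=audit(1169585972.929:33):  path="/dev/mem"
type=AVC msg=audit(1169585973.253:48): avc:  denied  { read write } for
pid=2415 comm="clvmd" name="control" dev=tmpfs ino=719
scontext=system_u:system_r:clvmd_t:s0
tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file
type=AVC msg=audit(1169655513.340:27): avc:  denied  { sys_admin } for  pid=2417
comm="clvmd" capability=21 scontext=system_u:system_r:clvmd_t:s0
tcontext=system_u:system_r:clvmd_t:s0 tclass=capability
"""

HEAD = re.compile(r"type=(AVC|AVC_PATH) msg=audit\(([\d.]+:\d+)\):")
PERMS = re.compile(r"denied\s+\{([^}]*)\}")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Assumption of this example: accesses a reviewer should inspect by hand.
REVIEW_PERMS = {"ptrace", "sys_admin"}
REVIEW_TYPES = {"memory_device_t", "proc_kcore_t"}

def unwrap(text):
    """Rejoin wrapped records: a blank line or a new type= line ends one."""
    records, open_rec = [], False
    for line in map(str.strip, text.splitlines()):
        if line.startswith("type="):
            records.append(line)
            open_rec = True
        elif line and open_rec:
            records[-1] += " " + line
        else:
            open_rec = False
    return records

def summarize(text):
    """Group denials by (source type, target type, class); join AVC_PATH by event id."""
    out, last_key = {}, {}
    for rec in unwrap(text):
        head, perms = HEAD.match(rec), PERMS.search(rec)
        if not head:
            continue
        kind, event = head.groups()
        f = {k: v.strip('"') for k, v in FIELD.findall(rec[head.end():])}
        if kind == "AVC_PATH" and event in last_key and "path" in f:
            out[last_key[event]]["paths"].add(f["path"])
        if kind != "AVC" or not perms or not {"scontext", "tcontext", "tclass"} <= f.keys():
            continue
        src, tgt = (f[c].split(":")[2] for c in ("scontext", "tcontext"))
        key = last_key[event] = (src, tgt, f["tclass"])
        e = out.setdefault(key, {"perms": set(), "paths": set(), "review": False})
        e["perms"] |= set(perms.group(1).split())
        e["review"] = bool(e["perms"] & REVIEW_PERMS) or tgt in REVIEW_TYPES
    return out

def render(summary):
    return [f"{s} -> {t}:{c} {{ {' '.join(sorted(e['perms']))} }}"
            + ("  # REVIEW" if e["review"] else "")
            for (s, t, c), e in sorted(summary.items())]

if __name__ == "__main__":
    print("\n".join(render(summarize(SAMPLE))))
```

A flagged tuple is a prompt to confirm the access is actually needed before any policy change is made for it.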

