Bug 224028 - SElinux type=AVC - denied messages seen for various Conga tasks
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: conga
Version: 5.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Jim Parsons
Corey Marthaler
Reported: 2007-01-23 13:31 EST by Len DiMaggio
Modified: 2009-04-16 18:34 EDT
Fixed In Version: 5.0
Doc Type: Bug Fix
Last Closed: 2007-05-07 14:28:57 EDT
Attachments:
audit.log from ricci (cluster) node (55.58 KB, text/plain), 2007-01-23 14:00 EST, Len DiMaggio

Description Len DiMaggio 2007-01-23 13:31:33 EST
Description of problem:
SElinux avc: type=AVC - denied  { search } for ricci-modrpm

Version-Release number of selected component (if applicable):
ricci-0.8-29.el5
selinux-policy-2.4.6-28.el5
selinux-policy-targeted-2.4.6-28.el5

How reproducible:
100%

Steps to Reproduce:
1. Create a new cluster via luci
2. Observe the search denied error listed below in the /var/log/audit/audit.log
on the cluster nodes 
3. No error is reported to the user via luci
  
Actual results:
type=AVC msg=audit(1169575594.393:43): avc:  denied  { search } for  pid=7409
comm="ricci-modrpm" name="sys" dev=proc ino=-268435428
scontext=system_u:system_r:ricci_modrpm_t:s0
tcontext=system_u:object_r:sysctl_t:s0 tclass=dir

Expected results:
No such denied  { search } messages

Additional info:
Comment 1 Len DiMaggio 2007-01-23 13:56:27 EST
Correction - with SELINUX=enforcing - creating a new cluster fails. audit.log
lists these AVC messages


type=AVC msg=audit(1169578022.423:20): avc:  denied  { search } for  pid=2375
comm="ricci-modrpm" name="sys" dev=proc ino=-268435428
scontext=system_u:system_r:ricci_modrpm_t:s0
tcontext=system_u:object_r:sysctl_t:s0 tclass=dir
type=AVC msg=audit(1169578022.423:20): avc:  denied  { search } for  pid=2375
comm="ricci-modrpm" name="kernel" dev=proc ino=-268435416
scontext=system_u:system_r:ricci_modrpm_t:s0
tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=dir
type=AVC msg=audit(1169578022.423:20): avc:  denied  { read } for  pid=2375
comm="ricci-modrpm" name="osrelease" dev=proc ino=-268435414
scontext=system_u:system_r:ricci_modrpm_t:s0
tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file

----------------- Node reboots ---------------------

type=AVC msg=audit(1169578176.313:7): avc:  denied  { search } for  pid=2182
comm="ricci-modrpm" name="sys" dev=proc ino=-268435428
scontext=system_u:system_r:ricci_modrpm_t:s0
tcontext=system_u:object_r:sysctl_t:s0 tclass=dir
Comment 2 Len DiMaggio 2007-01-23 14:00:40 EST
Created attachment 146337
audit.log from ricci (cluster) node 

I just saw an additional error for aisexec - the audit.log is attached - I'll
talk to Dan W. and will append additional conga-specific SELinux problems to
this bz.

type=AVC msg=audit(1169566510.494:7): avc:  denied  { search } for  pid=1722
comm="aisexec" name="lib" dev=dm-0 ino=359042
scontext=system_u:system_r:ccs_t:s0 tcontext=system_u:object_r:var_lib_t:s0
tclass=dir
Comment 3 Len DiMaggio 2007-01-23 14:53:13 EST
The test servers also have openais-0.80.2-1.el5 installed.
Comment 4 Len DiMaggio 2007-01-23 16:01:37 EST
Seeing these errors with:  

selinux-policy-2.4.6-29
selinux-policy-devel-2.4.6-29
selinux-policy-targeted-2.4.6-29

type=AVC msg=audit(1169585021.575:9): avc:  denied  { create } for  pid=2352
comm="aisexec" name="openais" scontext=system_u:system_r:ccs_t:s0
tcontext=system_u:object_r:ccs_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1169585021.617:10): avc:  denied  { write } for  pid=2352
comm="aisexec" name="sbin" dev=dm-0 ino=1305602
scontext=system_u:system_r:ccs_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=dir
Comment 5 Len DiMaggio 2007-01-23 16:03:09 EST
Additional errors - this time when the cluster was created with shared storage
(clvm) enabled:


The system is going down for reboot NOW!

type=AVC msg=audit(1169585810.806:29): avc:  denied  { write } for  pid=3275
comm="chkconfig" name="rc0.d" dev=dm-0 ino=2056381
scontext=system_u:system_r:ricci_modservice_t:s0
tcontext=system_u:object_r:etc_t:s0 tclass=dir
type=AVC msg=audit(1169585810.806:29): avc:  denied  { remove_name } for 
pid=3275 comm="chkconfig" name="K74ipmi" dev=dm-0 ino=2056329
scontext=system_u:system_r:ricci_modservice_t:s0
tcontext=system_u:object_r:etc_t:s0 tclass=dir
type=AVC msg=audit(1169585810.806:29): avc:  denied  { unlink } for  pid=3275
comm="chkconfig" name="K74ipmi" dev=dm-0 ino=2056329
scontext=system_u:system_r:ricci_modservice_t:s0 tcontext=root:object_r:etc_t:s0
tclass=lnk_file
type=AVC msg=audit(1169585810.808:30): avc:  denied  { add_name } for  pid=3275
comm="chkconfig" name="K74ipmi" scontext=system_u:system_r:ricci_modservice_t:s0
tcontext=system_u:object_r:etc_t:s0 tclass=dir
type=AVC msg=audit(1169585810.808:30): avc:  denied  { create } for  pid=3275
comm="chkconfig" name="K74ipmi" scontext=system_u:system_r:ricci_modservice_t:s0
tcontext=system_u:object_r:etc_t:s0 tclass=lnk_file
type=AVC msg=audit(1169585810.820:31): avc:  denied  { unlink } for  pid=3275
comm="chkconfig" name="K76clvmd" dev=dm-0 ino=2057373
scontext=system_u:system_r:ricci_modservice_t:s0
tcontext=system_u:object_r:etc_t:s0 tclass=lnk_file

Connection to tng3-1.lab.msp.redhat.com closed by remote host.

type=AVC msg=audit(1169585959.102:12): avc:  denied  { write } for  pid=2307
comm="aisexec" name="ringid_10.15.89.174" dev=dm-0 ino=2284808
scontext=system_u:system_r:ccs_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
type=AVC msg=audit(1169585972.149:20): avc:  denied  { connectto } for  pid=2416
comm="vgscan"
path=00636C766D64000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
scontext=system_u:system_r:lvm_t:s0 tcontext=system_u:system_r:clvmd_t:s0
tclass=unix_stream_socket
type=AVC msg=audit(1169585972.767:21): avc:  denied  { write } for  pid=2417
comm="lvm" name=".cache" dev=dm-0 ino=2057277
scontext=system_u:system_r:lvm_t:s0 tcontext=root:object_r:lvm_etc_t:s0 tclass=file
type=AVC msg=audit(1169585972.769:22): avc:  denied  { unlink } for  pid=2417
comm="lvm" name=".cache" dev=dm-0 ino=2057277
scontext=system_u:system_r:lvm_t:s0 tcontext=root:object_r:lvm_etc_t:s0 tclass=file
type=AVC msg=audit(1169585972.924:23): avc:  denied  { getattr } for  pid=2415
comm="clvmd" name="001" dev=tmpfs ino=3337 scontext=system_u:system_r:clvmd_t:s0
tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file
type=AVC_PATH msg=audit(1169585972.924:23):  path="/dev/bus/usb/001/001"
type=AVC msg=audit(1169585972.925:24): avc:  denied  { getattr } for  pid=2415
comm="clvmd" name="hdd" dev=tmpfs ino=3406 scontext=system_u:system_r:clvmd_t:s0
tcontext=system_u:object_r:removable_device_t:s0 tclass=blk_file
type=AVC_PATH msg=audit(1169585972.925:24):  path="/dev/hdd"
type=AVC msg=audit(1169585972.926:25): avc:  denied  { getattr } for  pid=2415
comm="clvmd" name="kcore" dev=proc ino=-268435434
scontext=system_u:system_r:clvmd_t:s0 tcontext=system_u:object_r:proc_kcore_t:s0
tclass=file
type=AVC_PATH msg=audit(1169585972.926:25):  path="/proc/kcore"
type=AVC msg=audit(1169585972.928:26): avc:  denied  { getattr } for  pid=2415
comm="clvmd" name="gpmctl" dev=tmpfs ino=6662
scontext=system_u:system_r:clvmd_t:s0 tcontext=system_u:object_r:gpmctl_t:s0
tclass=sock_file
type=AVC_PATH msg=audit(1169585972.928:26):  path="/dev/gpmctl"
type=AVC msg=audit(1169585972.928:27): avc:  denied  { getattr } for  pid=2415
comm="clvmd" name="initctl" dev=tmpfs ino=953
scontext=system_u:system_r:clvmd_t:s0 tcontext=system_u:object_r:initctl_t:s0
tclass=fifo_file
type=AVC_PATH msg=audit(1169585972.928:27):  path="/dev/initctl"
type=AVC msg=audit(1169585972.928:28): avc:  denied  { getattr } for  pid=2415
comm="clvmd" name="event0" dev=tmpfs ino=3384
scontext=system_u:system_r:clvmd_t:s0
tcontext=system_u:object_r:event_device_t:s0 tclass=chr_file
type=AVC_PATH msg=audit(1169585972.928:28):  path="/dev/input/event0"
type=AVC msg=audit(1169585972.929:29): avc:  denied  { getattr } for  pid=2415
comm="clvmd" name="mice" dev=tmpfs ino=2383
scontext=system_u:system_r:clvmd_t:s0
tcontext=system_u:object_r:mouse_device_t:s0 tclass=chr_file
type=AVC_PATH msg=audit(1169585972.929:29):  path="/dev/input/mice"
type=AVC msg=audit(1169585972.929:30): avc:  denied  { getattr } for  pid=2415
comm="clvmd" name="kmsg" dev=tmpfs ino=1550
scontext=system_u:system_r:clvmd_t:s0
tcontext=system_u:object_r:printk_device_t:s0 tclass=chr_file
type=AVC_PATH msg=audit(1169585972.929:30):  path="/dev/kmsg"
type=AVC msg=audit(1169585972.929:31): avc:  denied  { getattr } for  pid=2415
comm="clvmd" name="MAKEDEV" dev=dm-0 ino=2742024
scontext=system_u:system_r:clvmd_t:s0 tcontext=system_u:object_r:sbin_t:s0
tclass=file
type=AVC_PATH msg=audit(1169585972.929:31):  path="/sbin/MAKEDEV"
type=AVC msg=audit(1169585972.929:32): avc:  denied  { getattr } for  pid=2415
comm="clvmd" name="control" dev=tmpfs ino=719
scontext=system_u:system_r:clvmd_t:s0
tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file
type=AVC_PATH msg=audit(1169585972.929:32):  path="/dev/mapper/control"
type=AVC msg=audit(1169585972.929:33): avc:  denied  { getattr } for  pid=2415
comm="clvmd" name="mem" dev=tmpfs ino=1602 scontext=system_u:system_r:clvmd_t:s0
tcontext=system_u:object_r:memory_device_t:s0 tclass=chr_file
type=AVC_PATH msg=audit(1169585972.929:33):  path="/dev/mem"
type=AVC msg=audit(1169585972.930:34): avc:  denied  { getattr } for  pid=2415
comm="clvmd" name="tun" dev=tmpfs ino=1201 scontext=system_u:system_r:clvmd_t:s0
tcontext=system_u:object_r:tun_tap_device_t:s0 tclass=chr_file
type=AVC_PATH msg=audit(1169585972.930:34):  path="/dev/net/tun"
type=AVC msg=audit(1169585972.930:35): avc:  denied  { getattr } for  pid=2415
comm="clvmd" name="nvram" dev=tmpfs ino=2422
scontext=system_u:system_r:clvmd_t:s0
tcontext=system_u:object_r:nvram_device_t:s0 tclass=chr_file
type=AVC_PATH msg=audit(1169585972.930:35):  path="/dev/nvram"
type=AVC msg=audit(1169585972.930:36): avc:  denied  { getattr } for  pid=2415
comm="clvmd" name="parport0" dev=tmpfs ino=1192
scontext=system_u:system_r:clvmd_t:s0
tcontext=system_u:object_r:printer_device_t:s0 tclass=chr_file
type=AVC_PATH msg=audit(1169585972.930:36):  path="/dev/parport0"
type=AVC msg=audit(1169585972.930:37): avc:  denied  { getattr } for  pid=2415
comm="clvmd" name="ppp" dev=tmpfs ino=1205 scontext=system_u:system_r:clvmd_t:s0
tcontext=system_u:object_r:ppp_device_t:s0 tclass=chr_file
type=AVC_PATH msg=audit(1169585972.930:37):  path="/dev/ppp"
type=AVC msg=audit(1169585972.930:38): avc:  denied  { getattr } for  pid=2415
comm="clvmd" name="ptmx" dev=tmpfs ino=628 scontext=system_u:system_r:clvmd_t:s0
tcontext=system_u:object_r:ptmx_t:s0 tclass=chr_file
type=AVC_PATH msg=audit(1169585972.930:38):  path="/dev/ptmx"
type=AVC msg=audit(1169585972.931:39): avc:  denied  { getattr } for  pid=2415
comm="clvmd" name="random" dev=tmpfs ino=1574
scontext=system_u:system_r:clvmd_t:s0
tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file
type=AVC_PATH msg=audit(1169585972.931:39):  path="/dev/random"
type=AVC msg=audit(1169585972.931:40): avc:  denied  { getattr } for  pid=2415
comm="clvmd" name="rtc" dev=tmpfs ino=629 scontext=system_u:system_r:clvmd_t:s0
tcontext=system_u:object_r:clock_device_t:s0 tclass=chr_file
type=AVC_PATH msg=audit(1169585972.931:40):  path="/dev/rtc"
type=AVC msg=audit(1169585972.931:41): avc:  denied  { getattr } for  pid=2415
comm="clvmd" name="sg0" dev=tmpfs ino=4062 scontext=system_u:system_r:clvmd_t:s0
tcontext=system_u:object_r:scsi_generic_device_t:s0 tclass=chr_file
type=AVC_PATH msg=audit(1169585972.931:41):  path="/dev/sg0"
type=AVC msg=audit(1169585972.931:42): avc:  denied  { getattr } for  pid=2415
comm="clvmd" name="/" dev=tmpfs ino=4829 scontext=system_u:system_r:clvmd_t:s0
tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=AVC_PATH msg=audit(1169585972.931:42):  path="/dev/shm"
type=AVC msg=audit(1169585972.931:43): avc:  denied  { read } for  pid=2415
comm="clvmd" name="/" dev=tmpfs ino=4829 scontext=system_u:system_r:clvmd_t:s0
tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=AVC msg=audit(1169585972.932:44): avc:  denied  { getattr } for  pid=2415
comm="clvmd" name="snapshot" dev=tmpfs ino=2446
scontext=system_u:system_r:clvmd_t:s0 tcontext=system_u:object_r:apm_bios_t:s0
tclass=chr_file
type=AVC_PATH msg=audit(1169585972.932:44):  path="/dev/snapshot"
type=AVC msg=audit(1169585972.932:45): avc:  denied  { ptrace } for  pid=2415
comm="clvmd" scontext=system_u:system_r:clvmd_t:s0
tcontext=system_u:system_r:clvmd_t:s0 tclass=process
type=AVC msg=audit(1169585972.933:46): avc:  denied  { getattr } for  pid=2415
comm="clvmd" name="urandom" dev=tmpfs ino=1559
scontext=system_u:system_r:clvmd_t:s0
tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=AVC_PATH msg=audit(1169585972.933:46):  path="/dev/urandom"
type=AVC msg=audit(1169585973.183:47): avc:  denied  { read } for  pid=2415
comm="clvmd" name="hdd" dev=tmpfs ino=3406 scontext=system_u:system_r:clvmd_t:s0
tcontext=system_u:object_r:removable_device_t:s0 tclass=blk_file
type=AVC msg=audit(1169585973.253:48): avc:  denied  { read write } for 
pid=2415 comm="clvmd" name="control" dev=tmpfs ino=719
scontext=system_u:system_r:clvmd_t:s0
tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file
type=AVC msg=audit(1169585973.254:49): avc:  denied  { ioctl } for  pid=2415
comm="clvmd" name="control" dev=tmpfs ino=719
scontext=system_u:system_r:clvmd_t:s0
tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file
type=AVC_PATH msg=audit(1169585973.254:49):  path="/dev/mapper/control"
Comment 6 Len DiMaggio 2007-01-24 10:27:11 EST
With:
selinux-policy-2.4.6-30.el5
selinux-policy-targeted-2.4.6-30.el5

Now seeing these AVC messages after the cluster nodes reboot:


type=AVC msg=audit(1169652313.674:13): avc:  denied  { getattr } for  pid=2445
comm="clvmd" name="kcore" dev=proc ino=-268435434
scontext=system_u:system_r:clvmd_t:s0 tcontext=system_u:object_r:proc_kcore_t:s0
tclass=file
type=AVC_PATH msg=audit(1169652313.674:13):  path="/proc/kcore"
type=AVC msg=audit(1169652313.675:14): avc:  denied  { getattr } for  pid=2445
comm="clvmd" name="initctl" dev=tmpfs ino=953
scontext=system_u:system_r:clvmd_t:s0 tcontext=system_u:object_r:initctl_t:s0
tclass=fifo_file
type=AVC_PATH msg=audit(1169652313.675:14):  path="/dev/initctl"
type=AVC msg=audit(1169652313.676:15): avc:  denied  { getattr } for  pid=2445
comm="clvmd" name="MAKEDEV" dev=dm-0 ino=2742024
scontext=system_u:system_r:clvmd_t:s0 tcontext=system_u:object_r:sbin_t:s0
tclass=file
type=AVC_PATH msg=audit(1169652313.676:15):  path="/sbin/MAKEDEV"
type=AVC msg=audit(1169652313.677:16): avc:  denied  { getattr } for  pid=2445
comm="clvmd" name="/" dev=tmpfs ino=4822 scontext=system_u:system_r:clvmd_t:s0
tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=AVC_PATH msg=audit(1169652313.677:16):  path="/dev/shm"
type=AVC msg=audit(1169652313.677:17): avc:  denied  { read } for  pid=2445
comm="clvmd" name="/" dev=tmpfs ino=4822 scontext=system_u:system_r:clvmd_t:s0
tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=AVC msg=audit(1169652313.805:18): avc:  denied  { read } for  pid=2445
comm="clvmd" name="hdd" dev=tmpfs ino=3488 scontext=system_u:system_r:clvmd_t:s0
tcontext=system_u:object_r:removable_device_t:s0 tclass=blk_file
Comment 7 Daniel Walsh 2007-01-24 10:40:32 EST
Added rules to fix this to selinux-policy-2.4.6-31.el5
Comment 8 Len DiMaggio 2007-01-24 11:11:49 EST
A couple more:

type=AVC msg=audit(1169653773.919:19): avc:  denied  { unlink } for  pid=4582
comm="chkconfig" name="K74ipmi" dev=dm-0 ino=2056329
scontext=system_u:system_r:ricci_modservice_t:s0
tcontext=system_u:object_r:etc_t:s0 tclass=lnk_file
type=AVC msg=audit(1169653773.919:20): avc:  denied  { create } for  pid=4582
comm="chkconfig" name="K74ipmi" scontext=system_u:system_r:ricci_modservice_t:s0
tcontext=system_u:object_r:etc_t:s0 tclass=lnk_file

Comment 9 Len DiMaggio 2007-01-24 11:20:42 EST
And this:

type=AVC msg=audit(1169655513.340:27): avc:  denied  { sys_admin } for  pid=2417
comm="clvmd" capability=21 scontext=system_u:system_r:clvmd_t:s0
tcontext=system_u:system_r:clvmd_t:s0 tclass=capability
Comment 10 Len DiMaggio 2007-01-24 15:35:01 EST
Additional AVC messages:   


type=AVC msg=audit(1169668712.387:151): avc:  denied  { read } for  pid=19334
comm="pidof" name="exe" dev=proc ino=154337288
scontext=system_u:system_r:ricci_modstorage_t:s0
tcontext=system_u:system_r:initrc_t:s0 tclass=lnk_file
type=AVC msg=audit(1169668712.387:151): avc:  denied  { ptrace } for  pid=19334
comm="pidof" scontext=system_u:system_r:ricci_modstorage_t:s0
tcontext=system_u:system_r:initrc_t:s0 tclass=process
type=AVC msg=audit(1169668712.388:152): avc:  denied  { search } for  pid=19334
comm="pidof" name="2399" dev=proc ino=157220866
scontext=system_u:system_r:ricci_modstorage_t:s0
tcontext=system_u:system_r:clvmd_t:s0 tclass=dir
type=AVC msg=audit(1169668712.388:152): avc:  denied  { read } for  pid=19334
comm="pidof" name="stat" dev=proc ino=157220877
scontext=system_u:system_r:ricci_modstorage_t:s0
tcontext=system_u:system_r:clvmd_t:s0 tclass=file
type=AVC msg=audit(1169668712.388:153): avc:  denied  { getattr } for  pid=19334
comm="pidof" name="stat" dev=proc ino=157220877
scontext=system_u:system_r:ricci_modstorage_t:s0
tcontext=system_u:system_r:clvmd_t:s0 tclass=file
type=AVC_PATH msg=audit(1169668712.388:153):  path="/proc/2399/stat"
type=AVC msg=audit(1169668712.388:154): avc:  denied  { read } for  pid=19334
comm="pidof" name="exe" dev=proc ino=157220872
scontext=system_u:system_r:ricci_modstorage_t:s0
tcontext=system_u:system_r:clvmd_t:s0 tclass=lnk_file
type=AVC msg=audit(1169668712.388:154): avc:  denied  { ptrace } for  pid=19334
comm="pidof" scontext=system_u:system_r:ricci_modstorage_t:s0
tcontext=system_u:system_r:clvmd_t:s0 tclass=process
type=AVC msg=audit(1169668712.394:155): avc:  denied  { ptrace } for  pid=19334
comm="pidof" scontext=system_u:system_r:ricci_modstorage_t:s0
tcontext=root:system_r:unconfined_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1169668712.396:156): avc:  denied  { ptrace } for  pid=19334
comm="pidof" scontext=system_u:system_r:ricci_modstorage_t:s0
tcontext=system_u:system_r:ricci_modstorage_t:s0 tclass=process
type=AVC msg=audit(1169668712.997:157): avc:  denied  { sys_admin } for 
pid=2427 comm="clvmd" capability=21 scontext=system_u:system_r:clvmd_t:s0
tcontext=system_u:system_r:clvmd_t:s0 tclass=capability
type=AVC msg=audit(1169668713.034:158): avc:  denied  { search } for  pid=19339
comm="touch" name="lock" dev=dm-0 ino=359073
scontext=system_u:system_r:ricci_modstorage_t:s0
tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
type=AVC msg=audit(1169668713.034:158): avc:  denied  { write } for  pid=19339
comm="touch" name="clvmd" dev=dm-0 ino=359617
scontext=system_u:system_r:ricci_modstorage_t:s0
tcontext=system_u:object_r:var_lock_t:s0 tclass=file
Comment 11 Len DiMaggio 2007-01-25 21:54:01 EST
Just saw these with: 
selinux-policy-2.4.6-31
selinux-policy-devel-2.4.6-31
selinux-policy-targeted-2.4.6-31

type=AVC msg=audit(1169740819.574:7): avc:  denied  { search } for  pid=2083
comm="lvmconf" name="nscd" dev=dm-0 ino=359391
scontext=system_u:system_r:ricci_modstorage_t:s0
tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=dir
type=AVC msg=audit(1169740819.600:8): avc:  denied  { write } for  pid=2083
comm="lvmconf" name="lvm" dev=dm-0 ino=2056322
scontext=system_u:system_r:ricci_modstorage_t:s0
tcontext=system_u:object_r:lvm_etc_t:s0 tclass=dir
type=AVC msg=audit(1169740819.600:8): avc:  denied  { add_name } for  pid=2083
comm="lvmconf" name=".lvmconf-script.tmp"
scontext=system_u:system_r:ricci_modstorage_t:s0
tcontext=system_u:object_r:lvm_etc_t:s0 tclass=dir
type=AVC msg=audit(1169740819.600:8): avc:  denied  { create } for  pid=2083
comm="lvmconf" name=".lvmconf-script.tmp"
scontext=system_u:system_r:ricci_modstorage_t:s0
tcontext=system_u:object_r:lvm_etc_t:s0 tclass=file
type=AVC msg=audit(1169740819.602:9): avc:  denied  { write } for  pid=2083
comm="lvmconf" name=".lvmconf-script.tmp" dev=dm-0 ino=2057876
scontext=system_u:system_r:ricci_modstorage_t:s0
tcontext=system_u:object_r:lvm_etc_t:s0 tclass=file
type=AVC_PATH msg=audit(1169740819.602:9):  path="/etc/lvm/.lvmconf-script.tmp"
type=AVC msg=audit(1169740819.621:10): avc:  denied  { remove_name } for 
pid=2091 comm="rm" name=".lvmconf-script.tmp" dev=dm-0 ino=2057876
scontext=system_u:system_r:ricci_modstorage_t:s0
tcontext=system_u:object_r:lvm_etc_t:s0 tclass=dir
type=AVC msg=audit(1169740819.621:10): avc:  denied  { unlink } for  pid=2091
comm="rm" name=".lvmconf-script.tmp" dev=dm-0 ino=2057876
scontext=system_u:system_r:ricci_modstorage_t:s0
tcontext=system_u:object_r:lvm_etc_t:s0 tclass=file
type=AVC msg=audit(1169740902.076:17): avc:  denied  { add_name } for  pid=2310
comm="aisexec" name="core.2310" scontext=system_u:system_r:ccs_t:s0
tcontext=system_u:object_r:sbin_t:s0 tclass=dir
type=AVC msg=audit(1169740902.076:17): avc:  denied  { create } for  pid=2310
comm="aisexec" name="core.2310" scontext=system_u:system_r:ccs_t:s0
tcontext=system_u:object_r:sbin_t:s0 tclass=file
type=AVC msg=audit(1169740902.076:17): avc:  denied  { write } for  pid=2310
comm="aisexec" name="core.2310" dev=dm-0 ino=1315044
scontext=system_u:system_r:ccs_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=file
type=AVC msg=audit(1169763958.003:86): avc:  denied  { rmdir } for  pid=30893
comm="lvremove" name="new_vg" dev=tmpfs ino=4749
scontext=root:system_r:lvm_t:s0-s0:c0.c1023
tcontext=system_u:object_r:device_t:s0 tclass=dir
type=AVC msg=audit(1169764955.610:90): avc:  denied  { rmdir } for  pid=32300
comm="lvremove" name="new_vol_group" dev=tmpfs ino=331676
scontext=root:system_r:lvm_t:s0-s0:c0.c1023 tcontext=root:object_r:device_t:s0
tclass=dir
Comment 12 Len DiMaggio 2007-01-31 09:27:38 EST
Hadn't seen this one before:

type=AVC msg=audit(1170252416.439:12): avc:  denied  { read } for  pid=2402
comm="clvmd" name="hdd" dev=tmpfs ino=3330 scontext=system_u:system_r:clvmd_t:s0
tcontext=system_u:object_r:removable_device_t:s0 tclass=blk_file


Note: name="hdd"
Comment 13 Daniel Walsh 2007-02-01 16:32:59 EST
Fixed in selinux-policy-2.4.6-35
Comment 14 Kiersten (Kerri) Anderson 2007-04-23 13:10:55 EDT
Fixing Product Name.  Cluster Suite was merged into Enterprise Linux for version
5.0.
Comment 17 Kiersten (Kerri) Anderson 2007-05-07 14:05:36 EDT
Think this one was fixed in rhel5.0 release.  Jim, please close if that is true.
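
An added example, not part of the bug report and not Red Hat's or audit2allow's code: a small Python triage script that rejoins the wrapped AVC records quoted in the comments above and groups the denials by source type, target type and object class. The function names and the output format are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Records copied from the comments above, in the wrapped form shown on the page.
SAMPLE = """\
type=AVC msg=audit(1169585973.253:48): avc:  denied  { read write } for
pid=2415 comm="clvmd" name="control" dev=tmpfs ino=719
scontext=system_u:system_r:clvmd_t:s0
tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file
type=AVC msg=audit(1169585973.254:49): avc:  denied  { ioctl } for  pid=2415
comm="clvmd" name="control" dev=tmpfs ino=719
scontext=system_u:system_r:clvmd_t:s0
tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file
type=AVC_PATH msg=audit(1169585973.254:49):  path="/dev/mapper/control"
type=AVC msg=audit(1169668712.394:155): avc:  denied  { ptrace } for  pid=19334
comm="pidof" scontext=system_u:system_r:ricci_modstorage_t:s0
tcontext=root:system_r:unconfined_t:s0-s0:c0.c1023 tclass=process
"""

# type=AVC only; "type=AVC_PATH" fails the \s+ after "AVC" and is skipped.
AVC_RE = re.compile(r"^type=AVC\s+msg=audit\([\d.]+:\d+\):\s+avc:\s+denied\s+\{([^}]*)\}")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def join_records(text):
    """Rejoin wrapped lines: each audit record starts with 'type='."""
    records = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.startswith("type=") or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def parse_avc(record):
    """Return perms, comm and the type field of both contexts, or None."""
    m = AVC_RE.match(record)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(record[m.end():])}
    try:
        return {
            "perms": m.group(1).split(),
            "comm": fields.get("comm", "?"),
            # user:role:type:level[:categories] -> the type is always field 3
            "source": fields["scontext"].split(":")[2],
            "target": fields["tcontext"].split(":")[2],
            "tclass": fields["tclass"],
        }
    except (KeyError, IndexError):
        return None  # truncated or malformed record

def summarize(text):
    """Group denials as (source type, target type, class) -> perms and comms."""
    groups = defaultdict(lambda: {"perms": set(), "comms": set()})
    for avc in filter(None, map(parse_avc, join_records(text))):
        key = (avc["source"], avc["target"], avc["tclass"])
        groups[key]["perms"].update(avc["perms"])
        groups[key]["comms"].add(avc["comm"])
    return dict(groups)

def render(groups):
    return [
        f"{src} -> {tgt}:{cls} {{ {' '.join(sorted(g['perms']))} }}"
        f"  # comm: {', '.join(sorted(g['comms']))}"
        for (src, tgt, cls), g in sorted(groups.items())
    ]

if __name__ == "__main__":
    print("\n".join(render(summarize(SAMPLE))))
```

Grouping this way makes it easier to compare the denials reported against successive selinux-policy builds and see which source/target pairs are still being denied.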
