Bug 237128 - Selinux policy prevents removal of volume groups
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy-targeted
Hardware: All Linux
Priority: medium
Severity: medium
Assigned To: Daniel Walsh
Reported: 2007-04-19 12:18 EDT by Mike Gahagan
Modified: 2007-11-30 17:07 EST (History)
Fixed In Version: RHBA-2007-0544
Doc Type: Bug Fix
Last Closed: 2007-11-07 11:39:11 EST

Attachments
testcase and logs. (18.43 KB, application/octet-stream) 2007-04-19 12:24 EDT, Mike Gahagan
audit log from the test system that I reproduced the problem with. (114.74 KB, application/x-bzip) 2007-04-19 13:55 EDT, Mike Gahagan

Description Mike Gahagan 2007-04-19 12:18:31 EDT
Description of problem:
SELinux policy is preventing the lvm tools from removing volume group directory
in /dev. Found while running the testcase from bz204791/bz204796. This causes
all subsequent runs of the testcase to fail. The testcase can complete
successfully again if the volume group directory in /dev is removed by hand.

Version-Release number of selected component (if applicable):
[root@test158 ~]# rpm -qa | grep lvm
[root@test158 ~]# rpm -qa | grep selinux
[root@test158 ~]# uname -r

How reproducible:

Steps to Reproduce:
1. Run snapshot_test testcase from bz204791 twice, watch as it fails the second

Actual results:

testcase cannot run a second time as the old volume group was not removed

Expected results:

Testcase runs to completion without error multiple times as is the case with
RHEL 4U5. 

Additional info:

See attachments for logs and other information. The test case creates a logical
volume, then a snapshot of the volume and tries to remove them all using a
loopback device as the backing store.
Comment 1 Mike Gahagan 2007-04-19 12:24:45 EDT
Created attachment 153024
testcase and logs. 

Here are the relevant SELinux log messages, the file snapshot_test.out inside
the tarball attachment has complete debug logs of when the test was run as well
as sealert output at the end of the file. 

Apr 19 11:41:31 test158 setroubleshoot:      SELinux is preventing
 (lvm_t) "rmdir" to vgtst (device_t).	   For complete SELinux messages. run
sealert -l 9cbed638-b823-49be-9e25-56de94e5d7ee
Apr 19 11:43:13 test158 setroubleshoot:      SELinux is preventing
 (lvm_t) "getattr" to /dev/vgtst/lvtst (device_t).	For complete SELinux
messages. run sealert -l da51fd68-9712-440a-a1a4-9f3e57ad3dd5
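
Added example (not part of the bug report and not setroubleshoot's own code): a small Python parser for setroubleshoot syslog lines of the kind quoted in Comment 1, grouping denials by source type, target type and permission so the matching sealert reports can be pulled for policy review. The sample lines, host name, executable path and alert ids are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the messages in Comment 1. Host name,
# executable path and alert ids are assumptions; the third line omits the
# executable path, as the lines on this page do.
SAMPLE_LOG = """\
Apr 19 11:41:31 host1 setroubleshoot: SELinux is preventing /usr/sbin/lvm (lvm_t) "rmdir" to vgtst (device_t). For complete SELinux messages. run sealert -l 00000000-0000-0000-0000-000000000001
Apr 19 11:42:02 host1 kernel: device-mapper: unrelated message
Apr 19 11:43:13 host1 setroubleshoot: SELinux is preventing (lvm_t) "getattr" to /dev/vgtst/lvtst (device_t). For complete SELinux messages. run sealert -l 00000000-0000-0000-0000-000000000002
Apr 19 11:44:40 host1 setroubleshoot: SELinux is preventing /usr/sbin/lvm (lvm_t) "rmdir" to vgtst (device_t). For complete SELinux messages. run sealert -l 00000000-0000-0000-0000-000000000001
"""

DENIAL_RE = re.compile(
    r'setroubleshoot:\s+SELinux is preventing\s+'
    r'(?:(?P<exe>/\S+)\s+)?'              # executable path; may be absent
    r'\((?P<source_type>\w+)\)\s+'        # domain of the denied process
    r'"(?P<perm>\w+)"\s+to\s+'            # denied permission
    r'(?P<target>\S+)\s+'                 # object name or path
    r'\((?P<target_type>\w+)\)\.'         # type of the object
    r'.*?sealert -l (?P<alert_id>[0-9a-f-]{36})'
)

def parse_denials(text):
    """Yield one dict per setroubleshoot denial line; other lines are skipped."""
    for line in text.splitlines():
        match = DENIAL_RE.search(line)
        if match:
            yield match.groupdict()

def summarize(denials):
    """Group by (source_type, target_type, perm), the tuple a policy fix must cover."""
    groups = defaultdict(lambda: {"count": 0, "targets": set(), "alert_ids": set()})
    for d in denials:
        group = groups[(d["source_type"], d["target_type"], d["perm"])]
        group["count"] += 1
        group["targets"].add(d["target"])
        group["alert_ids"].add(d["alert_id"])
    return dict(groups)

if __name__ == "__main__":
    for (src, tgt, perm), g in sorted(summarize(parse_denials(SAMPLE_LOG)).items()):
        print(f"{src} -> {tgt} : {perm} x{g['count']} targets={sorted(g['targets'])}")
        for alert in sorted(g["alert_ids"]):
            print(f"    sealert -l {alert}")
```
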
Comment 3 Mike Gahagan 2007-04-19 12:29:26 EDT
A variant of the snapshot_test testcase is in RHTS as:

Comment 4 Daniel Walsh 2007-04-19 12:53:14 EDT
I need /var/log/audit/audit.log

Comment 5 RHEL Product and Program Management 2007-04-19 13:12:36 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
Comment 6 Daniel Walsh 2007-04-19 13:15:44 EDT
Fixed in selinux-policy-2.4.6-61
Comment 7 Mike Gahagan 2007-04-19 13:55:49 EDT
Created attachment 153040
audit log from the test system that I reproduced the problem with.
Comment 10 Eduard Benes 2007-08-23 10:35:26 EDT
With the latest policy I was able to run the testcase from bz204791/bz204796 to 
completion without any error. 
Mike, could you please try the new policy available at the link below and reply 
whether the new packages solve your problem. Thank you.

Comment 13 errata-xmlrpc 2007-11-07 11:39:11 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

