Red Hat Bugzilla – Bug 237128
Selinux policy prevents removal of volume groups
Last modified: 2007-11-30 17:07:43 EST
Description of problem:
Selinux policy is preventing the lvm tools from removing volume group directory
in /dev. Found while running the testcase from bz204791/bz204796. This causes
all subsequent runs of the testcase to fail. The testcase can complete
successfully again if the volume group directory in /dev is removed by hand.
Version-Release number of selected component (if applicable):
[root@test158 ~]# rpm -qa | grep lvm
[root@test158 ~]# rpm -qa | grep selinux
[root@test158 ~]# uname -r
Steps to Reproduce:
1.run snapshot_test testcase from bz204791 twice, watch as it fails the second
testcase cannot run a second time as the old volume group was not removed
Testcase runs to completion without error multiple times as is the case with
See attachments for logs and other information. The test case creates a logical
volume, then a snapshot of the volume and tries to remove them all using a
loopback device as the backing store.
Created attachment 153024
testcase and logs.
Here are the relevant selinux log messages, the file snapshot_test.out inside
the tarball attachment has complete debug logs of when the test was run as well
as secalert output at the end of the file.
Apr 19 11:41:31 test158 setroubleshoot: SELinux is preventing
(lvm_t) "rmdir" to vgtst (device_t). For complete SELinux messages. run
sealert -l 9cbed638-b823-49be-9e25-56de94e5d7ee
Apr 19 11:43:13 test158 setroubleshoot: SELinux is preventing
(lvm_t) "getattr" to /dev/vgtst/lvtst (device_t). For complete SELinux
messages. run sealert -l da51fd68-9712-440a-a1a4-9f3e57ad3dd5
A variant of the snapshot_test testcase is in RHTS as:
I need /var/log/audit/audit.log
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release. Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products. This request is not yet committed for inclusion in an Update
Fixed in selinux-policy-2.4.6-61
Created attachment 153040
audit log from the test system that I reproduced the problem with.
With the latest policy I was able to run the testcase from bz204791/bz204796 to
completion without any error.
Mike, could you please try the new policy available at the link below and reply
whether the new packages solve your problem. Thank you.
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.
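
For triage of setroubleshoot messages like the two quoted in this report, the following added example (not part of the original bug report or of any Red Hat tool) parses them and groups denials by source and target type. The message layout is assumed from those two quotes, and the names `DENIAL`, `parse`, `summarize` and `SAMPLE` are hypothetical.

```python
import re
from collections import defaultdict

# Layout assumed from the two messages quoted in this report. The executable
# path in front of the source type is optional (it is absent in those quotes).
DENIAL = re.compile(
    r'setroubleshoot: SELinux is preventing\s+(?:(?P<exe>\S+)\s+)?'
    r'\((?P<source>\w+)\)\s+"(?P<perm>\w+)"\s+to\s+(?P<target>\S+)\s+'
    r'\((?P<ttype>\w+)\)\..*?sealert -l (?P<alert>[0-9a-f-]{36})'
)

def parse(lines):
    """Yield a dict per setroubleshoot denial line; other lines are skipped."""
    for line in lines:
        m = DENIAL.search(line)
        if m:
            yield m.groupdict()

def summarize(lines):
    """Group denials by (source type, target type)."""
    groups = defaultdict(lambda: {"perms": set(), "targets": set(), "alerts": []})
    for d in parse(lines):
        g = groups[(d["source"], d["ttype"])]
        g["perms"].add(d["perm"])
        g["targets"].add(d["target"])
        g["alerts"].append(d["alert"])
    return dict(groups)

# The two messages from this report rejoined onto single lines, plus one
# constructed, unrelated syslog line that must be ignored.
SAMPLE = [
    'Apr 19 11:41:31 test158 setroubleshoot: SELinux is preventing (lvm_t) '
    '"rmdir" to vgtst (device_t). For complete SELinux messages. run '
    'sealert -l 9cbed638-b823-49be-9e25-56de94e5d7ee',
    'Apr 19 11:43:13 test158 setroubleshoot: SELinux is preventing (lvm_t) '
    '"getattr" to /dev/vgtst/lvtst (device_t). For complete SELinux messages. '
    'run sealert -l da51fd68-9712-440a-a1a4-9f3e57ad3dd5',
    'Apr 19 11:43:14 test158 kernel: constructed line, not a denial',
]

if __name__ == "__main__":
    for (src, tgt), g in summarize(SAMPLE).items():
        print(f"{src} -> {tgt}: perms={sorted(g['perms'])} "
              f"targets={sorted(g['targets'])}")
        for alert in g["alerts"]:
            print(f"  sealert -l {alert}")
```

Both denials land in a single (lvm_t, device_t) group, so the two alerts can be read as one policy issue rather than two unrelated ones.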