Bug 240005 - lvconvert does not work in enforcing mode
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: device-mapper
Version: 5.0
Hardware: All
OS: Linux
Assignee: Daniel Walsh
QA Contact: Brian Brock
Reported: 2007-05-14 10:52 UTC by Thorsten Scherf
Modified: 2010-01-12 02:18 UTC (History)

Fixed In Version: RHBA-2008-0081
Doc Type: Bug Fix
Last Closed: 2008-05-21 16:44:14 UTC

Attachments
audit_log (5.05 KB, text/plain)
2007-05-14 10:52 UTC, Thorsten Scherf

External Trackers
Tracker: Red Hat Product Errata
ID: RHBA-2008:0081
Priority: normal
Status: SHIPPED_LIVE
Summary: device-mapper bug fix and enhancement update
Last Updated: 2008-05-20 18:07:43 UTC

Description Thorsten Scherf 2007-05-14 10:52:42 UTC
Description of problem:
[root@station100 ~]# lvconvert -m1 vg0/spiegel
  Unable to start dmeventd.
  Unable to start dmeventd.
  vg0-spiegel: event registration failed: No such process
  Logical volume spiegel converted.
[root@station100 ~]# 

Version-Release number of selected component (if applicable):

How reproducible:
see above

Steps to Reproduce:
Actual results:

Expected results:

Additional info:

Comment 1 Thorsten Scherf 2007-05-14 10:52:42 UTC
Created attachment 154631

Comment 2 Daniel Walsh 2007-05-14 17:10:49 UTC
What is /var/run/dmeventd-client?

Comment 3 Thorsten Scherf 2007-05-14 18:25:58 UTC
best to ask the lvm guys...

Comment 4 Milan Broz 2007-05-17 08:53:23 UTC
/var/run/dmeventd-client (and dmeventd-server) is a named pipe which dmeventd uses
to communicate with clients (spec. for misc. mirror conversions and monitoring).
So lvm2 commands (through libdevmapper libraries) communicate with this daemon.

Btw. isn't it better for SELinux policy to have these files in a separate directory?
Is there any change in device-mapper needed to enable function in enforcing mode?

Comment 5 Giacomo Montagner 2008-03-11 16:53:07 UTC
I encountered the same problem trying to start monitoring a VG with a mirrored
The command 
vgchange --monitor y vg_mirror 
(which is internally launched also by /etc/init.d/lvm2-monitor service)
tries to start dmeventd but SELinux blocks it while trying to write the pipe.
I tried to create the needed pipes by hand: 

[root@bootsrv ~]# ls -laZ /var/run/dme*
prw-------  root root root:object_r:lvm_var_run_t      /var/run/dmeventd-client
-rw-------  root root root:object_r:lvm_var_run_t      /var/run/dmeventd.pid
prw-------  root root root:object_r:lvm_var_run_t      /var/run/dmeventd-server

and assigned that context after some trials and tests reading selinux messages
through sealert (as suggested in /var/log/messages).

The command still fails: 

[root@bootsrv ~]# vgchange --monitor y vg_mirror
Child exited with code 6
  Unable to start dmeventd.
Child exited with code 6
  Unable to start dmeventd.
  vg_mirror-mirrored_lv: event registration failed: No such process
  vg_mirror/mirrored_lv: mirror segment monitoring function failed.
  4 logical volume(s) in volume group "vg_mirror" monitored

Now the problem is slightly different (from /var/log/messages):
dmeventd[4252]: Unable to set correct file permissions on /var/run/dmeventd-client
SELinux is preventing /usr/sbin/lvm (lvm_t) "getattr" to
/var/run/dmeventd-client (lvm_var_run_t).
SELinux is preventing /sbin/dmeventd (lvm_t) "getattr" to
/var/run/dmeventd-client (lvm_var_run_t).
SELinux is preventing /sbin/dmeventd (lvm_t) "getattr" to
/var/run/dmeventd-server (lvm_var_run_t).
SELinux is preventing /sbin/dmeventd (lvm_t) "setattr" to dmeventd-client
SELinux is preventing /usr/sbin/lvm (lvm_t) "getattr" to
/var/run/dmeventd-client (lvm_var_run_t).
SELinux is preventing /sbin/dmeventd (lvm_t) "getattr" to
/var/run/dmeventd-client (lvm_var_run_t).
SELinux is preventing /sbin/dmeventd (lvm_t) "getattr" to
/var/run/dmeventd-server (lvm_var_run_t).
SELinux is preventing /sbin/dmeventd (lvm_t) "setattr" to dmeventd-client

Maybe I set the wrong context for the pipes? 

I also tried to use audit2allow to create a local policy but I had no luck: 

[root@bootsrv ~]# cat /var/log/audit/audit.log | audit2allow > /tmp/local.te
[root@bootsrv ~]# cat /tmp/local.te

#============= lvm_t ==============
allow lvm_t lvm_var_run_t:fifo_file { getattr setattr };
[root@bootsrv ~]# checkmodule -M -m -o /tmp/local.mod /tmp/local.te
checkmodule:  loading policy configuration from /tmp/local.te
(unknown source)::ERROR 'syntax error' at token 'allow' on line 4:
allow lvm_t lvm_var_run_t:fifo_file { getattr setattr };

Any clue? 

Comment 6 Daniel Walsh 2008-03-11 23:11:40 UTC
cat /var/log/audit/audit.log | audit2allow -M mylvm
semodule -i mylvm.pp

will create and load a policy module.

Fixed in selinux-policy-2.4.6-126.el5	

Although I am not sure this will make U2

Comment 7 Giacomo Montagner 2008-03-12 10:11:11 UTC
I eventually succeeded in starting dmeventd, this is the policy applied:

#============= lvm_t ==============
allow lvm_t lvm_var_run_t:fifo_file { write read getattr setattr lock };

Please note that type lvm_var_run_t is the type I set by hand on the pipes, I
don't know whether it's the right one.

checkmodule keeps complaining about 'syntax error', but it worked using 
audit2allow -M followed by semodule -i, as you suggested. 

Thanks a lot. 
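
Added example, not part of the original thread and not audit2allow's own code: the checkmodule 'syntax error' in Comment 5 comes from compiling bare allow rules, which lack the module declaration and require block that checkmodule -M -m expects and that audit2allow -M adds. The Python sketch below builds such a module from AVC denials while keeping only one source domain, so unrelated denials in audit.log are not granted along the way. The log records are constructed, and the names collect_rules and render_module are hypothetical.

```python
import re
from collections import defaultdict

# Constructed AVC records modelled on the denials quoted in this thread
# (timestamps, pids and inode numbers are made up; the httpd line is unrelated noise).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1205254387.101:41): avc:  denied  { getattr } for  pid=4252 comm="dmeventd" path="/var/run/dmeventd-client" dev=dm-0 ino=1001 scontext=root:system_r:lvm_t:s0 tcontext=root:object_r:lvm_var_run_t:s0 tclass=fifo_file
type=AVC msg=audit(1205254387.102:42): avc:  denied  { setattr } for  pid=4252 comm="dmeventd" name="dmeventd-client" dev=dm-0 ino=1001 scontext=root:system_r:lvm_t:s0 tcontext=root:object_r:lvm_var_run_t:s0 tclass=fifo_file
type=AVC msg=audit(1205254388.001:43): avc:  denied  { read } for  pid=4300 comm="httpd" name="index.html" dev=dm-0 ino=2002 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:user_home_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?"
    r"scontext=[^:\s]+:[^:\s]+:(?P<src>[^:\s]+)\S*\s+"
    r"tcontext=[^:\s]+:[^:\s]+:(?P<tgt>[^:\s]+)\S*\s+"
    r"tclass=(?P<cls>\w+)"
)

def collect_rules(log_text, source_type):
    """Map (source, target, class) -> denied permissions, for one source domain only."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m and m.group("src") == source_type:
            key = (m.group("src"), m.group("tgt"), m.group("cls"))
            rules[key].update(m.group("perms").split())
    return rules

def render_module(name, rules, version="1.0"):
    """Emit module source including the header and require block."""
    types = sorted({t for s, t, _ in rules} | {s for s, _, _ in rules})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls] |= perms
    out = [f"module {name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (src, tgt, cls), perms in sorted(rules.items()):
        out.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(render_module("mylvm", collect_rules(SAMPLE_AUDIT_LOG, "lvm_t")))
```

Reviewing the generated rules before loading them matters here because the permissions are granted on whatever label was put on the pipes by hand.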

Comment 8 Daniel Walsh 2008-03-12 11:03:53 UTC

Those changes are all in selinux-policy-2.4.6-126.el5	

Comment 16 errata-xmlrpc 2008-05-21 16:44:14 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

