Bug 240005 - lvconvert does not work in enforcing mode
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: device-mapper
5.0
All Linux
medium Severity medium
Assigned To: Daniel Walsh
Brian Brock
Reported: 2007-05-14 06:52 EDT by Thorsten Scherf
Modified: 2010-01-11 21:18 EST (History)
Fixed In Version: RHBA-2008-0081
Doc Type: Bug Fix
Last Closed: 2008-05-21 12:44:14 EDT

Attachments
audit_log (5.05 KB, text/plain)
2007-05-14 06:52 EDT, Thorsten Scherf

Description Thorsten Scherf 2007-05-14 06:52:42 EDT
Description of problem:
[root@station100 ~]# lvconvert -m1 vg0/spiegel
  Unable to start dmeventd.
  Unable to start dmeventd.
  vg0-spiegel: event registration failed: No such process
  Logical volume spiegel converted.
[root@station100 ~]# 


Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.4.6-30.el5


How reproducible:
see above

Comment 1 Thorsten Scherf 2007-05-14 06:52:42 EDT
Created attachment 154631 [details]
audit_log
Comment 2 Daniel Walsh 2007-05-14 13:10:49 EDT
What is /var/run/dmeventd-client?
Comment 3 Thorsten Scherf 2007-05-14 14:25:58 EDT
best to ask the lvm guys...
Comment 4 Milan Broz 2007-05-17 04:53:23 EDT
/var/run/dmeventd-client (and dmeventd-server) is a named pipe which dmeventd uses
to communicate with clients (spec. for misc. mirror conversions and monitoring).
So lvm2 commands (through libdevmapper libraries) communicate with this daemon.

Btw, isn't it better for the selinux policy to have these files in a separate directory?
Is there any change needed in device-mapper to enable function in enforcing mode?
Comment 5 Giacomo Montagner 2008-03-11 12:53:07 EDT
Hi, 
I encountered the same problem trying to start monitoring a VG with a mirrored
volume. 
The command 
vgchange --monitor y vg_mirror 
(which is internally launched also by /etc/init.d/lvm2-monitor service)
tries to start dmeventd but selinux blocks it while trying to write the pipe
/var/run/dmeventd-client.
I tried to create the needed pipes by hand: 

[root@bootsrv ~]# ls -laZ /var/run/dme*
prw-------  root root root:object_r:lvm_var_run_t      /var/run/dmeventd-client
-rw-------  root root root:object_r:lvm_var_run_t      /var/run/dmeventd.pid
prw-------  root root root:object_r:lvm_var_run_t      /var/run/dmeventd-server

and assigned that context after some trials and tests reading selinux messages
through sealert (as suggested in /var/log/messages).

The command still fails: 

[root@bootsrv ~]# vgchange --monitor y vg_mirror
Child exited with code 6
  Unable to start dmeventd.
Child exited with code 6
  Unable to start dmeventd.
  vg_mirror-mirrored_lv: event registration failed: No such process
  vg_mirror/mirrored_lv: mirror segment monitoring function failed.
  4 logical volume(s) in volume group "vg_mirror" monitored

now the problem is slightly different (from /var/log/messages): 
dmeventd[4252]: Unable to set correct file permissions on /var/run/dmeventd-client
SELinux is preventing /usr/sbin/lvm (lvm_t) "getattr" to
/var/run/dmeventd-client (lvm_var_run_t).
SELinux is preventing /sbin/dmeventd (lvm_t) "getattr" to
/var/run/dmeventd-client (lvm_var_run_t).
SELinux is preventing /sbin/dmeventd (lvm_t) "getattr" to
/var/run/dmeventd-server (lvm_var_run_t).
SELinux is preventing /sbin/dmeventd (lvm_t) "setattr" to dmeventd-client
(lvm_var_run_t).
SELinux is preventing /usr/sbin/lvm (lvm_t) "getattr" to
/var/run/dmeventd-client (lvm_var_run_t).
SELinux is preventing /sbin/dmeventd (lvm_t) "getattr" to
/var/run/dmeventd-client (lvm_var_run_t).
SELinux is preventing /sbin/dmeventd (lvm_t) "getattr" to
/var/run/dmeventd-server (lvm_var_run_t).
SELinux is preventing /sbin/dmeventd (lvm_t) "setattr" to dmeventd-client
(lvm_var_run_t).

Maybe I set the wrong context for the pipes? 

I also tried to use audit2allow to create a local policy but I had no luck: 

[root@bootsrv ~]# cat /var/log/audit/audit.log | audit2allow > /tmp/local.te
[root@bootsrv ~]# cat /tmp/local.te


#============= lvm_t ==============
allow lvm_t lvm_var_run_t:fifo_file { getattr setattr };
[root@bootsrv ~]# checkmodule -M -m -o /tmp/local.mod /tmp/local.te
checkmodule:  loading policy configuration from /tmp/local.te
(unknown source)::ERROR 'syntax error' at token 'allow' on line 4:
allow lvm_t lvm_var_run_t:fifo_file { getattr setattr };

Any clue? 
Thanks. 
Comment 6 Daniel Walsh 2008-03-11 19:11:40 EDT
cat /var/log/audit/audit.log | audit2allow -M mylvm
semodule -i mylvm.pp

will create and load a policy module.

Fixed in selinux-policy-2.4.6-126.el5	

Although I am not sure this will make U2
Comment 7 Giacomo Montagner 2008-03-12 06:11:11 EDT
Hi, 
I eventually succeeded in starting dmeventd, this is the policy applied: 

#============= lvm_t ==============
allow lvm_t lvm_var_run_t:fifo_file { write read getattr setattr lock };

Please note that type lvm_var_run_t is the type I set by hand on the pipes, I
don't know whether it's the right one. 

checkmodule keeps complaining about 'syntax error', but it worked using 
audit2allow -M followed by semodule -i, as you suggested. 

Thanks a lot. 
Bye
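
Added example (not part of the original comments or of any Red Hat tool): checkmodule -M -m stops at 'allow' in comments 5 and 7 because a policy module source must begin with a "module NAME VERSION;" line and a require block declaring every type, class and permission it uses, and plain audit2allow output has neither. The sketch below wraps bare allow rules in that header; wrap_rules, the module name mylvm and version 1.0 are assumptions made for the illustration.

```python
import re

# Matches rules as audit2allow prints them, e.g.
#   allow lvm_t lvm_var_run_t:fifo_file { getattr setattr };
#   allow lvm_t self:capability sys_nice;
RULE = re.compile(
    r"^allow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s+(?:\{([^}]*)\}|(\w+))\s*;$"
)


def wrap_rules(rules_text, name="mylvm", version="1.0"):
    """Return a complete policy module source for the bare allow rules given."""
    types, classes, rules = set(), {}, []
    for line in rules_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank lines and audit2allow's "#==== lvm_t ====" banners
        m = RULE.match(stripped)
        if m is None:
            # Anything other than a simple allow rule is rejected, not guessed at.
            raise ValueError("unsupported line: %r" % stripped)
        source, target, tclass, braced, single = m.groups()
        types.add(source)
        if target != "self":  # "self" is a keyword, not a type to require
            types.add(target)
        classes.setdefault(tclass, set()).update((braced or single).split())
        rules.append(stripped)
    if not rules:
        raise ValueError("no allow rules found")
    out = ["module %s %s;" % (name, version), "", "require {"]
    out += ["\ttype %s;" % t for t in sorted(types)]
    out += ["\tclass %s { %s };" % (c, " ".join(sorted(p)))
            for c, p in sorted(classes.items())]
    out += ["}", ""] + rules
    return "\n".join(out) + "\n"


# Constructed input: the contents of /tmp/local.te as shown in comment 5.
BARE = """

#============= lvm_t ==============
allow lvm_t lvm_var_run_t:fifo_file { getattr setattr };
"""

if __name__ == "__main__":
    print(wrap_rules(BARE), end="")
```

The resulting source compiles with checkmodule -M -m -o mylvm.mod mylvm.te, is packaged with semodule_package -o mylvm.pp -m mylvm.mod and loaded with semodule -i mylvm.pp. audit2allow -m mylvm writes the same header itself, and audit2allow -M mylvm performs all of these steps in one go.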
Comment 8 Daniel Walsh 2008-03-12 07:03:53 EDT
Good.

Those changes are all in selinux-policy-2.4.6-126.el5	
Comment 16 errata-xmlrpc 2008-05-21 12:44:14 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2008-0081.html
