Bug 246059 - udevd tries to run setfilecon on /dev/mpath/mpath0
udevd tries to run setfilecon on /dev/mpath/mpath0
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
7
All Linux
medium Severity low
: ---
: ---
Assigned To: Daniel Walsh
Ben Levenson
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-06-28 04:10 EDT by David Juran
Modified: 2007-11-30 17:12 EST (History)
1 user (show)

See Also:
Fixed In Version: Current
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-08-22 10:09:14 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description David Juran 2007-06-28 04:10:25 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.12) Gecko/20070529 Red Hat/1.5.0.12-1.el5 Firefox/1.5.0.12

Description of problem:
When starting multipathd (device-mapper-multipath-0.4.7-11.fc7), the following messages show up in the syslog. 

Jun 28 10:31:56 hat udevd-event[32056]: selinux_setfilecon: setfilecon /dev/mpath/mpath1 failed: Permission denied
Jun 28 10:31:57 hat udevd-event[32068]: selinux_setfilecon: setfilecon /dev/mpath/mpath0 failed: Permission denied
Jun 28 10:31:59 hat setroubleshoot:      SELinux is preventing /sbin/udevd (udev_t) "relabelfrom" to mpath1 (device_t).      For complete SELinux messages. run sealert -l 58864d45-e809-4376-8fbf-8663f311b6df
Jun 28 10:31:59 hat setroubleshoot:      SELinux is preventing /sbin/udevd (udev_t) "relabelfrom" to mpath0 (device_t).      For complete SELinux messages. run sealert -l 9ab5fe8c-f779-44f5-9783-75791cb8c248

But checking the context of the files in /dev/mpath, it already seems to be the corretc one:

[root@hat mpath]# ls -lZ /dev/mpath/mpath0
lrwxrwxrwx  root root system_u:object_r:device_t       /dev/mpath/mpath0 -> ../dm-2

Which makes me think that udev really shouldn't try to run setfilecon...

I'm using selinux-policy-targeted-2.6.4-21.fc7 and the details of the selinux-error:

avc: denied { relabelfrom } for comm="udevd" dev=tmpfs egid=0 euid=0
exe="/sbin/udevd" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="mpath1" pid=32056
scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 sgid=0
subj=system_u:system_r:udev_t:s0-s0:c0.c1023 suid=0 tclass=lnk_file
tcontext=system_u:object_r:device_t:s0 tty=(none) uid=0


Version-Release number of selected component (if applicable):
udev-106-4.fc7

How reproducible:
Always


Steps to Reproduce:
1. service multipathd start


Actual Results:


Expected Results:


Additional info:
Comment 1 Harald Hoyer 2007-06-28 05:30:00 EDT
well, udevd should really setfilecon :)
Comment 2 David Juran 2007-06-28 06:11:08 EDT
So switching the component to selinux-policy then (-:
Comment 3 Daniel Walsh 2007-06-28 07:23:24 EDT
Fixed in selinux-policy-2.6.4-24
Comment 4 Daniel Walsh 2007-08-22 10:09:14 EDT
Closing as fixes are in the current release

Note You need to log in before you can comment on or make changes to this bug.