Bug 436688 - update 0.4.7-12.el5_1.2 has selinux rules issues for service multipathd
Status: CLOSED DUPLICATE of bug 433289
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: device-mapper-multipath
Hardware: i386 Linux
Priority: low, Severity: high
Target Milestone: rc
Assigned To: LVM and device-mapper development team
QA Contact: Corey Marthaler
Reported: 2008-03-09 07:24 EDT by Neil Prockter
Modified: 2010-01-11 21:41 EST
Doc Type: Bug Fix
Last Closed: 2008-03-11 12:30:57 EDT
Description Neil Prockter 2008-03-09 07:24:41 EDT
Description of problem:
After updating to 0.4.7-12.el5_1.2, service multipathd does not start.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. take a working out-of-the-box 5.1 system with multipath set up
2. update to 0.4.7-12.el5_1.2
3. service multipathd restart
4. use service multipathd status

Actual results:
multipathd dead but pid file exists

Expected results:
multipathd (pid 14491) is running...

Additional info:
audit.log shows AVC denials on attempts to use files under /var/cache

All of the following avoid the issue:
 reverting to 0.4.7-12.el5
 running multipathd on its own (not through the init script daemon function)
 turning off SELinux
 applying the following policy

module multipathd 1.0;

# Types, classes and permissions referenced by the rules below
require {
        type bin_t;
        type lvm_metadata_t;
        type lvm_t;
        type ramfs_t;
        type sbin_t;
        type tmp_t;
        type var_t;
        class dir { add_name create mounton search write };
        class filesystem { mount unmount };
        class file { create execute execute_no_trans read write };
}

#============= lvm_t ==============
allow lvm_t bin_t:dir mounton;
allow lvm_t lvm_metadata_t:dir mounton;
allow lvm_t ramfs_t:filesystem { mount unmount };
allow lvm_t ramfs_t:dir { add_name search write };
allow lvm_t ramfs_t:file { create execute execute_no_trans read write };
allow lvm_t sbin_t:dir mounton;
allow lvm_t tmp_t:dir mounton;
allow lvm_t var_t:dir { create write add_name mounton };
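
The report ties the failure to AVC denials in audit.log and works around it with a local policy module. As an added example (not part of the original report), the following Python groups AVC denial records into allow rules of the same shape as the module above, so each rule can be traced back to the denials behind it; the log lines are constructed samples and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample records in audit.log AVC format (not taken from the report).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1205061881.101:41): avc:  denied  { mounton } for  pid=2101 comm="multipathd" path="/var/cache" dev=dm-0 ino=1001 scontext=system_u:system_r:lvm_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
type=AVC msg=audit(1205061881.102:42): avc:  denied  { create } for  pid=2101 comm="multipathd" name="cache" scontext=system_u:system_r:lvm_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
type=AVC msg=audit(1205061881.103:43): avc:  denied  { mount } for  pid=2101 comm="multipathd" name="/" dev=ramfs ino=1002 scontext=system_u:system_r:lvm_t:s0 tcontext=system_u:object_r:ramfs_t:s0 tclass=filesystem
type=AVC msg=audit(1205061881.104:44): avc:  denied  { read write } for  pid=2101 comm="multipathd" name="sample" dev=ramfs ino=1003 scontext=system_u:system_r:lvm_t:s0 tcontext=system_u:object_r:ramfs_t:s0 tclass=file
type=SYSCALL msg=audit(1205061881.104:44): arch=40000003 syscall=5 success=no exit=-13 comm="multipathd"
type=AVC msg=audit(1205061881.105:45): avc:  denied  { mounton } for  pid=2101 comm="multipathd" path="/var/cache" dev=dm-0 ino=1001 scontext=system_u:system_r:lvm_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
"""

# Only "denied" records are matched; granted records and other audit types are skipped.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s.*?"
    r"scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<c>\S+)"
)


def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]


def denials_to_rules(log_text):
    """Collapse AVC denials into one allow rule per (source, target, class)."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        key = (context_type(m["s"]), context_type(m["t"]), m["c"])
        grouped[key].update(m["perms"].split())
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        p = sorted(perms)
        perm_text = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_text};")
    return rules


if __name__ == "__main__":
    print("\n".join(denials_to_rules(SAMPLE_AUDIT_LOG)))
```
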
Comment 1 Neil Prockter 2008-03-09 07:36:44 EDT
seems to be related to 428338_private_namespace.patch 
Comment 2 Neil Prockter 2008-03-11 06:54:46 EDT
Can someone please up the priority on this.

Users who update to this package risk losing data and/or access to data should a
path go away.
Comment 3 Ben Marzinski 2008-03-11 12:30:57 EDT
There is already a bugzilla for this.  431689 is the bug number for the regular
bug, and 433289 is the number for the zstream fix.  Until the zstream for this
is released, you can download an updated selinux-policy package for this issue at

*** This bug has been marked as a duplicate of 433289 ***
