Bug 436688 - update 0.4.7-12.el5_1.2 has selinux rules issues for service multipathd
Summary: update 0.4.7-12.el5_1.2 has selinux rules issues for service multipathd
Keywords:
Status: CLOSED DUPLICATE of bug 433289
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: device-mapper-multipath
Version: 5.1
Hardware: i386
OS: Linux
Priority: low
Severity: high
Target Milestone: rc
Assignee: LVM and device-mapper development team
QA Contact: Corey Marthaler
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2008-03-09 11:24 UTC by Neil Prockter
Modified: 2010-01-12 02:41 UTC (History)
CC List: 14 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-03-11 16:30:57 UTC
Target Upstream Version:
Embargoed:



Description Neil Prockter 2008-03-09 11:24:41 UTC
Description of problem:
after updating to 0.4.7-12.el5_1.2 service multipathd does not start

Version-Release number of selected component (if applicable):
0.4.7-12.el5_1.2

How reproducible:
every time

Steps to Reproduce:
1. Take a working, out-of-the-box 5.1 system with multipath set up
2. Update to 0.4.7-12.el5_1.2
3. service multipathd restart
4. Use service multipathd status
Actual results:
multipathd dead but pid file exists


Expected results:
multipathd (pid 14491) is running...


Additional info:
audit.log shows AVC denials when it tries to use files under /var/cache

All of the following avoid the issue:
 reverting to 0.4.7-12.el5
 running multipathd on its own (not through init script daemon function)
 turning off selinux
 applying the following policy


module multipathd 1.0;

require {
        type bin_t;
        type lvm_metadata_t;
        type lvm_t;
        type ramfs_t;
        type sbin_t;
        type tmp_t;
        type var_t;
        class dir { add_name create mounton search write };
        class filesystem { mount unmount };
        class file { create execute execute_no_trans read write };
}

#============= lvm_t ==============
# All rules are for lvm_t, the domain multipathd runs in when the init
# script starts it. They let it mount a ramfs and mount over existing
# directories, i.e. set up a private namespace.
allow lvm_t bin_t:dir mounton;
allow lvm_t lvm_metadata_t:dir mounton;
allow lvm_t ramfs_t:filesystem { mount unmount };
allow lvm_t ramfs_t:dir { add_name search write };
# create and execute files inside the mounted ramfs
allow lvm_t ramfs_t:file { create execute execute_no_trans read write };
allow lvm_t sbin_t:dir mounton;
allow lvm_t tmp_t:dir mounton;
allow lvm_t var_t:dir { create write add_name mounton };

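The module above is what you get by feeding the AVC denials to audit2allow: one allow rule per (source type, target type, class) with the denied permissions collected. The following is an added example (not code from the bug report or from device-mapper-multipath) that does that translation on constructed audit.log lines and then flags the rules a reviewer should look at twice before loading such a module. The sample lines, pids, inodes, timestamps and paths are made up; only the types, classes and permissions follow the module in the report.

```python
"""Turn SELinux AVC denials into a minimal policy module, the way the
workaround in this report was produced (audit2allow does the same on a real
box), and point out which generated rules deserve review.

SAMPLE_AUDIT_LOG is CONSTRUCTED in RHEL 5 audit.log syntax: pids, inodes,
timestamps and paths are invented for the example."""
import re
from collections import defaultdict

SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1205061868.123:4567): avc:  denied  { mount } for  pid=14491 comm="multipathd" name="/" dev=ramfs ino=1 scontext=root:system_r:lvm_t:s0 tcontext=system_u:object_r:ramfs_t:s0 tclass=filesystem
type=AVC msg=audit(1205061868.124:4568): avc:  denied  { mounton } for  pid=14491 comm="multipathd" path="/var/cache" dev=dm-0 ino=98311 scontext=root:system_r:lvm_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
type=AVC msg=audit(1205061868.125:4569): avc:  denied  { create } for  pid=14491 comm="multipathd" name="multipathd" scontext=root:system_r:lvm_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
type=AVC msg=audit(1205061868.126:4570): avc:  denied  { execute_no_trans } for  pid=14491 comm="multipathd" path="/var/cache/multipathd/helper" dev=ramfs ino=12 scontext=root:system_r:lvm_t:s0 tcontext=system_u:object_r:ramfs_t:s0 tclass=file
type=SYSCALL msg=audit(1205061868.126:4570): arch=40000003 syscall=11 success=no exit=-13 comm="multipathd"
"""

# Matches the denied permission set, the source and target *types* (third
# field of the context, the level suffix is skipped) and the object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\}.*?"
    r"scontext=\w+:\w+:(?P<stype>\w+)\S*\s+"
    r"tcontext=\w+:\w+:(?P<ttype>\w+)\S*\s+"
    r"tclass=(?P<tclass>\w+)"
)


def parse_denials(log_text):
    """Return {(source_type, target_type, class): set(permissions)}.
    Non-AVC records (SYSCALL, PATH, ...) are ignored."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            rules[(m["stype"], m["ttype"], m["tclass"])].update(m["perms"].split())
    return dict(rules)


def render_module(rules, name="multipathd_local", version="1.0"):
    """Render the rules as a .te module in the same layout as the report."""
    types = sorted({s for s, _, _ in rules} | {t for _, t, _ in rules})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls].update(perms)
    out = [f"module {name} {version};", "", "require {"]
    out += [f"        type {t};" for t in types]
    out += [f"        class {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (s, t, cls), perms in sorted(rules.items()):
        plist = " ".join(sorted(perms))
        if len(perms) > 1:
            plist = "{ " + plist + " }"
        out.append(f"allow {s} {t}:{cls} {plist};")
    return "\n".join(out) + "\n"


# Permissions that widen what a domain can do well beyond "read a file":
# an audit2allow-style module grants them verbatim, so call them out.
SUSPECT = {
    ("filesystem", "mount"): "mounts a filesystem",
    ("dir", "mounton"): "mounts over a directory, hiding its real contents",
    ("file", "execute"): "executes files of the target type",
    ("file", "execute_no_trans"): "executes files without a domain transition",
}


def review(rules):
    """List the generated rules that grant a SUSPECT permission."""
    findings = []
    for (s, t, cls), perms in sorted(rules.items()):
        for p in sorted(perms):
            why = SUSPECT.get((cls, p))
            if why:
                findings.append(f"{s} -> {t}:{cls} {p}: {why}")
    return findings


if __name__ == "__main__":
    rules = parse_denials(SAMPLE_AUDIT_LOG)
    print(render_module(rules))
    for finding in review(rules):
        print("REVIEW:", finding)
```

On the host, the rendered .te is compiled with checkmodule -M -m -o multipathd.mod multipathd.te, packaged with semodule_package -o multipathd.pp -m multipathd.mod and loaded with semodule -i multipathd.pp. Treat a module produced this way as a stopgap: every allow it emits is exactly the access that was denied, which in the report's module includes mounting over bin_t and sbin_t and executing files from a ramfs, and the proper fix is the updated selinux-policy package that comment 3 points to.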
Comment 1 Neil Prockter 2008-03-09 11:36:44 UTC
Seems to be related to 428338_private_namespace.patch

Comment 2 Neil Prockter 2008-03-11 10:54:46 UTC
Can someone please up the priority on this?

Users who update to this package risk losing data and/or access to data should a
path go away.

Comment 3 Ben Marzinski 2008-03-11 16:30:57 UTC
There is already a bugzilla for this.  431689 is the bug number for the regular
bug, and 433289 is the number for the zstream fix.  Until the zstream for this
is released, you can download an updated selinux-policy package for this issue at
http://people.redhat.com/dwalsh/SELinux/RHEL5/

*** This bug has been marked as a duplicate of 433289 ***

