Description of problem: Starting openibd service cause several block devices being relabeled. Version-Release number of selected component (if applicable): openib-1.3-2.el5 How reproducible: Always Steps to Reproduce: 1. Install any of the recent RHEL5.2 snapshots, openib package included. 2. ls -Z /dev/[sh]d* 3. /etc/init.d/openibd start 4. ls -Z /dev/[sh]d* Actual results: Before openibd is started: # ls -Z /dev/[hs]d* brw-rw---- root disk system_u:object_r:fixed_disk_device_t /dev/hda brw-r----- root disk system_u:object_r:fixed_disk_device_t /dev/sda brw-r----- root disk system_u:object_r:fixed_disk_device_t /dev/sda1 brw-r----- root disk system_u:object_r:fixed_disk_device_t /dev/sda2 After the service is started: # ls -Z /dev/[hs]d* brw-rw---- root disk system_u:object_r:device_t /dev/hda brw-r----- root disk system_u:object_r:device_t /dev/sda brw-r----- root disk system_u:object_r:device_t /dev/sda1 brw-r----- root disk system_u:object_r:device_t /dev/sda2 This all leads to avc denials everytime any of these devices is being accessed. Additional info: The devices are relabeled after the init.d script calls udevtrigger. I'm not sure whether this is openib or a udev problem. Nonetheless I'm attaching /var/log/messages output produced after I called udevtrigger manually (this one command alone of course caused the mentioned relabel).
Created attachment 301376 [details] /var/log/messages
*** Bug 440290 has been marked as a duplicate of this bug. ***
Any input on why udev is doing this Bill? Or should I just revert to the old initscript method of scanning hwconf for driver entries instead of using udevtrigger?
udevtrigger generates events for the devices in /sys. I'm not sure why that would cause a relabel, though. Does echo '1' (or 'add') to /sys/block/sda/uevent cause the mislabeling as well?
I can't answer your question Bill, evidently none of my machines have selinux enabled and so they all list the device as unlabeled. Milan, can you check this?
(In reply to comment #4) > Does echo '1' (or 'add') to /sys/block/sda/uevent cause the mislabeling as well? Bingo! # ls -Z /dev/sda brw-r----- root disk system_u:object_r:fixed_disk_device_t /dev/sda # echo 1 > /sys/block/sda/uevent # ls -Z /dev/sda brw-r----- root disk system_u:object_r:device_t /dev/sda
Created attachment 301574 [details] /var/log/messages If that helps, here's part of /var/log/messages showing what's happening after # echo 1 > /sys/block/sda/uevent
Apr 8 06:19:46 ivy udevd-event[2820]: udev_node_mknod: preserve file '/dev/sda', because it has correct dev_t though it re-sets the selinux context... selinux_setfilecon(file, udev->dev->kernel_name, stats.st_mode);
on creation: selinux_setfscreatecon: matchpathcon(file, mode, &scontext) setfscreatecon(scontext); mknod(...); in this case: selinux_setfilecon: matchpathcon(file, mode, &scontext) setfilecon(file, scontext); I don't see anything, which would trigger a wrong relabel. Daniel?
At this point, my question is whether or not we have established that this isn't really an openib bug and this needs to be switched to another component and assigned to that person?
If the devices are recreated without going through the udev code path to setfilecon or setfscreatecon they would end up labeled device_t.
(In reply to comment #10) > At this point, my question is whether or not we have established that this isn't > really an openib bug and this needs to be switched to another component and > assigned to that person? None of the openib bits have to be present for this problem to pop up. All you have to do is to run udevtrigger. I'm not sure what's actually causing the problem, but I certainly don't want this bugzilla to be sitting in a wrong component. Is there anything I can help with?
I think this should be moved to udev.
Seems like a problem with udev setting the selinux context again for symlinks.
Created attachment 301766 [details] possible patch
Created attachment 301767 [details] better patch
dwalsh, what context should the symlinks in /dev/disk have? # ls -Z /dev/disk/* /dev/disk/by-id: lrwxrwxrwx root root system_u:object_r:device_t ata-QEMU_HARDDISK_QM00001 -> ../../hda # ls -Z /dev/hda brw-r----- root disk system_u:object_r:fixed_disk_device_t /dev/hda
SELinux is preventing /sbin/udevd (rpm_script_t) "create" to ata-QEMU_HARDDISK_QM00001 (fixed_disk_device_t). seems like we can't set the same context for the symlinks.
Created attachment 301781 [details] final patch - backported from later versions
Symlinks should not be being set, the problem here is the block devices are being mislabeled. Symlinks should be device_t while block devices should be labeled fixed_disk_device_t
I'm confirming that the patch from comment #20 solves the problem (udev built locally, tested on RHEL5.2-Server-20080409.nightly / i386).
Giving Devel ACK as per comment #20 and comment #22. Thanks, Read ya, Phil
Verified with udev-095-14.15.el5 / RHEL5.2-Server-20080422.nightly
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2008-0374.html