From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9) Gecko/2008061712 Fedora/3.0-1.fc9 Firefox/3.0

Description of problem:
In the Conga web interface, clicking on the storage tab and then selecting an individual node produces the error "An error has occurred while probing storage: Host responded: clvmd failed to start". This happens whether clvmd is running or stopped. AVC denials are printed to /var/log/audit/audit.log when this happens:

type=AVC msg=audit(1216231268.723:40): avc: denied { execute } for pid=2832 comm="ricci-modstorag" name="bash" dev=dm-0 ino=356974 scontext=system_u:system_r:ricci_modstorage_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file

Turning on setroubleshootd and grabbing the details with sealert provides the specifics that I've attached. Setting SELinux to permissive works around the problem.

Version-Release number of selected component (if applicable):

How reproducible:
Always

Steps to Reproduce:
1) Set selinux enforcing
2) Open Conga interface, adding storage nodes if needed
3) Click storage tab at top
4) In the "Storage" navigation menu, select a node that has SELinux enforcing

Actual Results:
Error message stating: "An error has occurred while probing storage: Host responded: clvmd failed to start". Clicking OK takes you back to the previous page.

Expected Results:
Conga should be able to probe storage successfully with SELinux enforcing.

Additional info:
Created attachment 312070
selinux module for conga
An attempt to create a module based on denials failed as well: I started with a fresh system and still could not get it working.

Procedure:
- Cause the Conga failure by clicking on a node in the storage tab
- Create a new policy:
  # grep AVC /var/log/audit/audit.log | audit2allow myricci
- Unload the old myricci (if loaded) and load the new one

After each trial there would be new denials, so I would repeat the process, which eventually led me to the attached myricci2.te. Every time I would compare the old .te to the new one, and eventually there were no differences showing up, meaning there weren't any new denials.

I also tried
  # semodule -b /usr/share/selinux/targeted/enableaudit.pp
per dwalsh's recommendations, but no new denials were printed. I am also attaching the audit.log from this test showing all the denials that occurred.

John
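The round-by-round comparison described in the comment above can be sketched as follows. This is an added example, not part of the original report and not the audit2allow implementation: it parses AVC denial records, collapses repeats into unique allow rules, and reports which rules are new since the previous round. The function names are hypothetical, and every sample record except the first is constructed.

```python
import re
from collections import defaultdict

# First record is the denial quoted in the report. The rest are constructed
# for illustration: a repeat with another pid, a second permission, a non-AVC line.
SAMPLE_LOG = '''\
type=AVC msg=audit(1216231268.723:40): avc:  denied  { execute } for  pid=2832 comm="ricci-modstorag" name="bash" dev=dm-0 ino=356974 scontext=system_u:system_r:ricci_modstorage_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1216231270.101:41): avc:  denied  { execute } for  pid=2840 comm="ricci-modstorag" name="bash" dev=dm-0 ino=356974 scontext=system_u:system_r:ricci_modstorage_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1216231270.105:42): avc:  denied  { read } for  pid=2840 comm="ricci-modstorag" name="bash" dev=dm-0 ino=356974 scontext=system_u:system_r:ricci_modstorage_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1216231270.105:42): arch=40000003 syscall=11 success=no exit=-13
'''

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
FIELD_RE = re.compile(r"\b(scontext|tcontext|tclass)=(\S+)")

def parse_avc(line):
    """Return (source_type, target_type, tclass, perms) or None if not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(line))
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None  # truncated record
    # An SELinux context is user:role:type[:level]; the type is the third field.
    stype = fields["scontext"].split(":")[2]
    ttype = fields["tcontext"].split(":")[2]
    return stype, ttype, fields["tclass"], m.group(1).split()

def allow_rules(log_text):
    """Collapse repeated denials into a sorted list of unique allow rules."""
    perms = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            perms[rec[:3]].update(rec[3])
    rules = []
    for (s, t, c), p in sorted(perms.items()):
        body = next(iter(p)) if len(p) == 1 else "{ " + " ".join(sorted(p)) + " }"
        rules.append(f"allow {s} {t}:{c} {body};")
    return rules

def new_rules(previous, current):
    """Rules present in this round but not the last; empty means no new denial types."""
    return sorted(set(current) - set(previous))

if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_LOG):
        print(rule)
```

An empty result from new_rules between two rounds corresponds to the point in the comment where the old and new .te files stopped differing.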
Fixed in selinux-policy-2.4.6-142
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release.
selinux-policy-2.4.6-142 is now available for preview testing at http://people.redhat.com/dwalsh/SELinux/RHEL5/
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2009-0163.html