Bug 455784 - AVC denies Conga from using storage in permissive mode
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
All Linux
medium Severity medium
Assigned To: Daniel Walsh
Reported: 2008-07-17 14:29 EDT by Shane Bradley
Modified: 2010-10-22 22:55 EDT
Doc Type: Bug Fix
Last Closed: 2009-01-20 16:30:18 EST

Attachments
selinux module for conga (1.04 KB, application/octet-stream)
2008-07-17 14:33 EDT, Shane Bradley

Description Shane Bradley 2008-07-17 14:29:40 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9) Gecko/2008061712 Fedora/3.0-1.fc9 Firefox/3.0

Description of problem:
In the Conga web interface, clicking on the storage tab and then selecting an individual node produces the error "An error has occurred while probing storage: Host responded: clvmd failed to start". This happens whether clvmd is running or stopped. AVC denials are printed to /var/log/audit/audit.log when this happens:

   type=AVC msg=audit(1216231268.723:40): avc:  denied  { execute } for  pid=2832 comm="ricci-modstorag" name="bash" dev=dm-0 ino=356974 scontext=system_u:system_r:ricci_modstorage_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file

Turning on setroubleshootd and grabbing the details with sealert provides the specifics that I've attached. Setting SELinux to permissive works around the problem.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1) Set selinux enforcing
2) Open Conga interface, adding storage nodes if needed
3) Click storage tab at top
4) In the "Storage" navigation menu, select a node that has SELinux enforcing

Actual Results:
Error message stating: "An error has occurred while probing storage: Host responded: clvmd failed to start". Clicking OK takes you back to the previous page.

Expected Results:
Conga should be able to probe storage successfully with SELinux enforcing.

Additional info:
Comment 1 Shane Bradley 2008-07-17 14:33:27 EDT
Created attachment 312070
selinux module for conga
Comment 2 Shane Bradley 2008-07-17 14:34:04 EDT
An attempt to create a module based on denials failed as well:
I started with a fresh system and still could not get it working.  Procedure:

-Cause the Conga failure by clicking on a node in the storage tab
-Create a new policy:

  # grep AVC /var/log/audit/audit.log | audit2allow -M myricci
-Unload the old myricci (if loaded) and load the new one  

After each trial there would be new denials so I would repeat the process which
eventually led me to the attached myricci2.te.  Every time I would compare the
old .te to the new one and eventually there were no differences showing up,
meaning there weren't any new denials.  I also tried

   # semodule -b /usr/share/selinux/targeted/enableaudit.pp

per dwalsh's recommendations but no new denials were printed.  

I am also attaching the audit.log from this test showing all the denials that
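
How the AVC record quoted in the description maps to an allow rule, and how successive trials can be compared at the permission level, shown as an added example that is not part of the original bug report. It is a simplified model of what audit2allow derives, not its implementation; the function names are hypothetical, and the second and third log lines are constructed.

```python
import re
from collections import defaultdict

# First record is the one quoted in the bug description; the other two lines
# are constructed sample input for this example.
SAMPLE_LOG = """\
type=AVC msg=audit(1216231268.723:40): avc:  denied  { execute } for  pid=2832 comm="ricci-modstorag" name="bash" dev=dm-0 ino=356974 scontext=system_u:system_r:ricci_modstorage_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1216231268.725:41): avc:  denied  { read getattr } for  pid=2832 comm="ricci-modstorag" name="bash" dev=dm-0 ino=356974 scontext=system_u:system_r:ricci_modstorage_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1216231268.725:41): arch=40000003 syscall=11 success=no exit=-13
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<src>\S+).*?tcontext=(?P<tgt>\S+).*?tclass=(?P<cls>\S+)"
)

def _type_of(context):
    # SELinux contexts are user:role:type[:level]; policy rules key on the type.
    return context.split(":")[2]

def parse_denials(log_text):
    """Group denied permissions by (source type, target type, object class)."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:  # non-AVC records (SYSCALL, PATH, ...) are skipped
            key = (_type_of(m["src"]), _type_of(m["tgt"]), m["cls"])
            denials[key].update(m["perms"].split())
    return dict(denials)

def to_rules(denials):
    """Render the grouped denials as type-enforcement allow rules."""
    rules = []
    for (src, tgt, cls), perms in sorted(denials.items()):
        p = sorted(perms)
        body = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules

def diff_denials(old, new):
    """Permissions denied in `new` that `old` did not cover."""
    extra = {k: v - old.get(k, set()) for k, v in new.items()}
    return {k: v for k, v in extra.items() if v}

if __name__ == "__main__":
    for rule in to_rules(parse_denials(SAMPLE_LOG)):
        print(rule)
```

An empty result from `diff_denials` between two trials corresponds to the point where the old and new .te files stop differing.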

Comment 3 Daniel Walsh 2008-07-17 14:38:42 EDT
Fixed in selinux-policy-2.4.6-142
Comment 4 RHEL Product and Program Management 2008-07-17 14:41:30 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
Comment 9 Daniel Walsh 2008-07-24 10:05:12 EDT
selinux-policy-2.4.6-142 is now available for preview testing at

Comment 15 errata-xmlrpc 2009-01-20 16:30:18 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

