Description of problem:
Attempting to use luci to create a new logical volume with a GFS2 file system, mounting the file system, and adding an entry to /etc/fstab, the LV was made and the FS was created; however, the mount failed and no entry was put in /etc/fstab. Issuing the mount command on the command line was successful. SELinux denials were noted. audit2allow was used to generate a policy which was loaded. This cycle was repeated several more times. (After setenforce 0, the result was as expected.)

Version-Release number of selected component (if applicable):
[root@degas ~]# uname -a
Linux degas.lab.bos.redhat.com 2.6.18-92.1.13.el5xen #1 SMP Thu Sep 4 04:07:08 EDT 2008 x86_64 x86_64 x86_64 GNU/Linux
[root@degas ~]#

The RHN beta policies were put in place for help with previously seen AVCs.

[root@degas ~]# rpmq selinux-policy
selinux-policy-targeted-2.4.6.170.el5 noarch
selinux-policy-2.4.6.170.el5 noarch
[root@degas ~]#

How reproducible:
Was easily reproducible; however, luci hangs/slowness has made it harder to reproduce.

Steps to Reproduce:
1. Use luci to create a CLVM LV with a GFS2 that is mounted with an /etc/entry

Actual results:
LV was made, GFS2 was created, errors (various) were reported, AVC denials were logged.

Expected results:
LV was made, GFS2 was created, FS is mounted, entry is placed in /etc/fstab, no errors.

Additional info:
Here are 3 sets of modules that were created:

module host 1.0;

require {
	type ricci_modstorage_t;
	type mount_exec_t;
	type consoletype_exec_t;
	type var_lib_t;
	class dir search;
	class file { execute getattr };
}

#============= ricci_modstorage_t ==============
allow ricci_modstorage_t consoletype_exec_t:file { execute getattr };
allow ricci_modstorage_t mount_exec_t:file execute;
allow ricci_modstorage_t var_lib_t:dir search;

module host2 1.0;

require {
	type ricci_modstorage_t;
	type consoletype_exec_t;
	class file { read execute_no_trans };
}

#============= ricci_modstorage_t ==============
allow ricci_modstorage_t consoletype_exec_t:file { read execute_no_trans };

module host3 1.0;

require {
	type debugfs_t;
	type ricci_modstorage_t;
	type fs_t;
	type file_t;
	type default_t;
	type mount_exec_t;
	type initrc_t;
	type etc_runtime_t;
	class capability { setuid setgid };
	class unix_stream_socket connectto;
	class file { write read execute_no_trans append };
	class dir { search getattr mounton };
	class filesystem mount;
}

#============= ricci_modstorage_t ==============
allow ricci_modstorage_t debugfs_t:dir search;
allow ricci_modstorage_t default_t:dir { getattr mounton };
allow ricci_modstorage_t etc_runtime_t:dir search;
allow ricci_modstorage_t etc_runtime_t:file { write append };
allow ricci_modstorage_t file_t:dir getattr;
allow ricci_modstorage_t fs_t:filesystem mount;
allow ricci_modstorage_t initrc_t:unix_stream_socket connectto;
allow ricci_modstorage_t mount_exec_t:file { read execute_no_trans };
allow ricci_modstorage_t self:capability { setuid setgid };
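What audit2allow did to produce the modules above, as an added example written for this report (not part of the report and not the tool's own code): it parses constructed AVC lines modelled on the report's denials, merges them by source type, target type and object class, and emits the same .te layout, so every allow rule a module would grant can be read line by line before it is loaded with semodule.

```python
import re
from collections import defaultdict

# Constructed sample AVC lines, modelled on the denials behind the "host" and
# "host2" modules in this report (attachment 325327 itself is not reproduced).
SAMPLE_AVCS = """\
type=AVC msg=audit(1222100000.123:456): avc:  denied  { getattr } for  pid=4321 comm="modstorage" path="/sbin/consoletype" dev=dm-0 ino=12345 scontext=system_u:system_r:ricci_modstorage_t:s0 tcontext=system_u:object_r:consoletype_exec_t:s0 tclass=file
type=AVC msg=audit(1222100000.124:457): avc:  denied  { execute } for  pid=4321 comm="modstorage" name="consoletype" dev=dm-0 ino=12345 scontext=system_u:system_r:ricci_modstorage_t:s0 tcontext=system_u:object_r:consoletype_exec_t:s0 tclass=file
type=AVC msg=audit(1222100000.125:458): avc:  denied  { execute } for  pid=4322 comm="modstorage" name="mount" dev=dm-0 ino=12346 scontext=system_u:system_r:ricci_modstorage_t:s0 tcontext=system_u:object_r:mount_exec_t:s0 tclass=file
"""

def parse_avc(line):
    # Returns (source type, target type, class, perms) for one denial, else None
    m = re.search(r"denied\s+\{\s*([^}]+?)\s*\}", line)
    if not m:
        return None
    fields = dict(re.findall(r"(\w+)=(\S+)", line))
    try:
        # contexts are user:role:type:level; the type is the third field
        stype = fields["scontext"].split(":")[2]
        ttype = fields["tcontext"].split(":")[2]
        return stype, ttype, fields["tclass"], set(m.group(1).split())
    except (KeyError, IndexError):
        return None

def fmt_perms(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"

def build_module(name, avc_text):
    # Merge denials per (source, target, class) into one allow rule each
    rules = defaultdict(set)
    for line in avc_text.splitlines():
        parsed = parse_avc(line)
        if parsed:
            stype, ttype, tclass, perms = parsed
            rules[(stype, ttype, tclass)] |= perms
    types = sorted({t for key in rules for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass] |= perms
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {fmt_perms(p)};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        out.append(f"allow {stype} {ttype}:{tclass} {fmt_perms(perms)};")
    return "\n".join(out)

if __name__ == "__main__":
    print(build_module("host", SAMPLE_AVCS))
```

Running it prints the require block and two allow rules, the same shape as the report's "host" module minus the var_lib_t rule, which the constructed sample does not include.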
Attempting with the first loadable policies, the /etc/fstab entry was added but the FS was not mounted. The policy generated from the AVC is below; will try again.

module host4 1.0;

require {
	type ricci_modstorage_t;
	class capability sys_admin;
}

#============= ricci_modstorage_t ==============
allow ricci_modstorage_t self:capability sys_admin;
Sorry, wrong one. This is the one I meant to add.
Please attach the AVC messages. I believe most of this access is just needed to transition to the mount command.

consoletype_exec(ricci_modstorage_t)
mount_domtrans(ricci_modstorage_t)

is what I am adding.

selinux-policy-2.4.6-195.el5
Created attachment 325327: AVCs
AVCs added as an attachment.
Try out selinux-policy-2.4.6-197.el5