Bug 473168 - SELinux policy preventing the mount of GFS2 while making lv via luci
SELinux policy preventing the mount of GFS2 while making lv via luci
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
x86_64 Linux
medium Severity medium
: rc
: ---
Assigned To: Daniel Walsh
Depends On: 435945
Reported: 2008-11-26 16:39 EST by Steve Reichard
Modified: 2009-02-07 06:52 EST

Doc Type: Bug Fix
Last Closed: 2009-02-07 06:52:15 EST

Attachments
AVCs (20.48 KB, text/plain)
2008-12-01 21:51 EST, Steve Reichard

Description Steve Reichard 2008-11-26 16:39:56 EST
Description of problem:

Attempting to use luci to create a new logical volume with a GFS2 file system, mounting the file system, and adding an entry to /etc/fstab, the lv was made and the FS was created, however the mount failed and no entry was put in /etc/fstab.

Issuing the mount command on the command line was successful.

SELinux denials were noted.

audit2allow was used to generate a policy which was loaded.

This cycle was repeated several more times.   (after setenforce 0, the result was as expected)

Version-Release number of selected component (if applicable):
[root@degas ~]# uname -a
Linux degas.lab.bos.redhat.com 2.6.18-92.1.13.el5xen #1 SMP Thu Sep 4 04:07:08 EDT 2008 x86_64 x86_64 x86_64 GNU/Linux
[root@degas ~]# 

The RHN beta policies were put in place for help with previously seen AVCs.

[root@degas ~]# rpmq selinux-policy
selinux-policy-targeted- noarch
selinux-policy- noarch
[root@degas ~]#

How reproducible:

Was easily reproducible, however, luci hangs/slowness has made it harder to reproduce.

Steps to Reproduce:
1. use luci to create a CLVM LV with a GFS2 that is mounted with an /etc/entry
Actual results:

LV was made, GFS2 was created,  errors (various) were reported, AVC denials were logged.

Expected results:

LV was made, GFS2 was created, fs is mounted, entry is placed in /etc/fstab, no errors

Additional info:

Here are 3 sets of modules that were created:

module host 1.0;

require {
	type ricci_modstorage_t;
	type mount_exec_t;
	type consoletype_exec_t;
	type var_lib_t;
	class dir search;
	class file { execute getattr };
}

#============= ricci_modstorage_t ==============
allow ricci_modstorage_t consoletype_exec_t:file { execute getattr };
allow ricci_modstorage_t mount_exec_t:file execute;
allow ricci_modstorage_t var_lib_t:dir search;

module host2 1.0;

require {
	type ricci_modstorage_t;
	type consoletype_exec_t;
	class file { read execute_no_trans };
}

#============= ricci_modstorage_t ==============
allow ricci_modstorage_t consoletype_exec_t:file { read execute_no_trans };

module host3 1.0;

require {
	type debugfs_t;
	type ricci_modstorage_t;
	type fs_t;
	type file_t;
	type default_t;
	type mount_exec_t;
	type initrc_t;
	type etc_runtime_t;
	class capability { setuid setgid };
	class unix_stream_socket connectto;
	class file { write read execute_no_trans append };
	class dir { search getattr mounton };
	class filesystem mount;
}

#============= ricci_modstorage_t ==============
allow ricci_modstorage_t debugfs_t:dir search;
allow ricci_modstorage_t default_t:dir { getattr mounton };
allow ricci_modstorage_t etc_runtime_t:dir search;
allow ricci_modstorage_t etc_runtime_t:file { write append };
allow ricci_modstorage_t file_t:dir getattr;
allow ricci_modstorage_t fs_t:filesystem mount;
allow ricci_modstorage_t initrc_t:unix_stream_socket connectto;
allow ricci_modstorage_t mount_exec_t:file { read execute_no_trans };
allow ricci_modstorage_t self:capability { setuid setgid };
Comment 1 Steve Reichard 2008-11-26 16:48:34 EST
Attempting with the first loadable policies, the /etc/fstab entry was added but the FS was not mounted.  The policy generated from the AVC is below, will try again.

module host4 1.0;

require {
	type ricci_modstorage_t;
	class capability sys_admin;
}

#============= ricci_modstorage_t ==============
allow ricci_modstorage_t self:capability sys_admin;
Comment 2 Steve Whitehouse 2008-11-27 06:35:56 EST
Sorry, wrong one. This is the one I meant to add.
Comment 3 Daniel Walsh 2008-12-01 13:59:06 EST
Please attach the AVC messages, I believe most of these accesses are just needed to transition to the mount command


Is what I am adding.

Comment 4 Steve Reichard 2008-12-01 21:51:48 EST
Created attachment 325327 [details]
Comment 5 Steve Reichard 2008-12-01 21:52:34 EST
AVCs added as an attachment
Comment 6 Daniel Walsh 2008-12-02 11:16:31 EST
Try out selinux-policy-2.4.6-197.el5
