Bug 656809 - MLS policy -- avc: denied { write } for ... comm="vgchange" name="ram0" dev=tmpfs ...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.6
Hardware: All
OS: Linux
low
medium
Target Milestone: rc
: ---
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2010-11-24 07:54 UTC by Milos Malik
Modified: 2012-10-16 08:13 UTC (History)

Fixed In Version: selinux-policy-2.4.6-295.el5
Doc Type: Bug Fix
Doc Text:
Under certain circumstances, using SELinux with the MLS policy in the permissive mode could cause the following messages to appear at a boot time: /dev/mapper/control: open failed: Permission denied Failure to communicate with kernel device-mapper driver. With this update, appropriate SELinux rules have been added to address this issue, and the system now boots without these errors.
Clone Of:
Environment:
Last Closed: 2011-01-13 21:51:28 UTC




Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2011:0026 normal SHIPPED_LIVE selinux-policy bug fix and enhancement update 2011-01-12 16:11:15 UTC

Description Milos Malik 2010-11-24 07:54:56 UTC
Description of problem:


Version-Release number of selected component (if applicable):
RHEL5.6-Server-20101119.0
selinux-policy-targeted-2.4.6-293.el5
selinux-policy-2.4.6-293.el5
selinux-policy-mls-2.4.6-293.el5
selinux-policy-devel-2.4.6-293.el5

How reproducible:
always

Steps to Reproduce:
1. install MLS policy on a RHEL-5.6 machine, force filesystem auto-relabel
2. modify /etc/selinux/config so that the machine will start up with MLS policy in permissive mode
3. reboot into single mode
4. log in via console
5. run "ausearch -m avc -ts recent"
  
Actual results:
----
time->Wed Nov 24 02:07:44 2010
type=SYSCALL msg=audit(1290582464.869:285): arch=c0000032 syscall=1028 success=yes exit=5 a0=60000000000354b8 a1=44002 a2=0 a3=0 items=0 ppid=16970 pid=16975 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="vgchange" exe="/usr/sbin/lvm" subj=system_u:system_r:lvm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1290582464.869:285): avc:  denied  { write } for  pid=16975 comm="vgchange" name="ram0" dev=tmpfs ino=749 scontext=system_u:system_r:lvm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s15:c0.c1023 tclass=blk_file
----

Expected results:
no AVCs

Comment 1 Milos Malik 2010-11-24 07:59:36 UTC
The following output is shown on the console when the machine starts up with the MLS policy in enforcing mode:

/dev/mapper/control: open failed: Permission denied
Failure to communicate with kernel device-mapper driver.
/dev/mapper/control: open failed: Permission denied
Failure to communicate with kernel device-mapper driver.
device mapper prerequisites not met
/dev/mapper/control: open failed: Permission denied
Failure to communicate with kernel device-mapper driver.
device mapper prerequisites not met
/dev/mapper/control: open failed: Permission denied
Failure to communicate with kernel device-mapper driver.
device mapper prerequisites not met
/dev/mapper/control: open failed: Permission denied
Failure to communicate with kernel device-mapper driver.
device mapper prerequisites not met
Setting up Logical Volume Management:   File-based locking initialisation failed.
  No volume groups found

Here is the relevant part of dmesg output:

md: Autodetecting RAID arrays.
md: autorun ...
md: ... autorun DONE.
device-mapper: multipath: version 1.0.5 loaded
type=1400 audit(1290585354.140:4): avc:  denied  { write } for  pid=1159 comm="multipath.stati" name="control" dev=tmpfs ino=1068 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file
type=1400 audit(1290585354.318:5): avc:  denied  { write } for  pid=1164 comm="kpartx" name="control" dev=tmpfs ino=1068 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file
type=1400 audit(1290585354.324:6): avc:  denied  { write } for  pid=1166 comm="kpartx" name="control" dev=tmpfs ino=1068 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file
type=1400 audit(1290585354.330:7): avc:  denied  { write } for  pid=1168 comm="kpartx" name="control" dev=tmpfs ino=1068 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file
type=1400 audit(1290585354.337:8): avc:  denied  { write } for  pid=1170 comm="kpartx" name="control" dev=tmpfs ino=1068 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file
EXT3 FS on dm-0, internal journal
SELinux: initialized (dev sda1, type vfat), uses genfs_contexts
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
Adding 18677728k swap on /dev/VolGroup00/LogVol01.  Priority:-1 extents:1 across:18677728k
SELinux: initialized (dev binfmt_misc, type binfmt_misc), uses genfs_contexts
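The denials in the description and in comment 1 come in two formats (an ausearch `type=AVC` record and dmesg `type=1400` lines) and differ in a way that matters for triage: the vgchange denial has lvm_t at s0-s15:c0.c1023 writing to an object labelled s15:c0.c1023, while the kpartx/multipath denials have initrc_t at s0 writing to lvm_control_t at s0. The script below is an added example, not part of this bug report or of the selinux-policy package. It parses both record formats, derives the audit2allow-style TE rule each denial would need, and flags records where the target level differs from the source's low (effective) level, which points at an MLS constraint rather than a plain missing allow rule. The sample records are copied from this bug; the field names and helper functions are the example's own.

```python
import re

# Constructed sample: AVC records in the two formats seen on this bug
# (an ausearch "type=AVC msg=audit(...)" record and dmesg "type=1400" lines).
SAMPLE_AVCS = """\
type=AVC msg=audit(1290582464.869:285): avc:  denied  { write } for  pid=16975 comm="vgchange" name="ram0" dev=tmpfs ino=749 scontext=system_u:system_r:lvm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s15:c0.c1023 tclass=blk_file
type=1400 audit(1290585354.140:4): avc:  denied  { write } for  pid=1159 comm="multipath.stati" name="control" dev=tmpfs ino=1068 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file
type=1400 audit(1290585354.318:5): avc:  denied  { write } for  pid=1164 comm="kpartx" name="control" dev=tmpfs ino=1068 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file
"""

# Matches the common "avc: denied { perms } for key=value ..." tail of both formats.
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+'
    r'(?P<fields>.*)$'
)
# key=value pairs; quoted values (comm="vgchange") keep their inner text.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_context(ctx):
    """Split user:role:type:level; the MLS level itself may contain ':'."""
    parts = ctx.split(":", 3)
    return {
        "user": parts[0],
        "role": parts[1],
        "type": parts[2],
        "level": parts[3] if len(parts) > 3 else "",
    }


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {}
    for key, raw, quoted in FIELD_RE.findall(m.group("fields")):
        fields[key] = quoted if raw.startswith('"') else raw
    return {
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        "name": fields.get("name"),
        "tclass": fields.get("tclass"),
        "source": parse_context(fields["scontext"]),
        "target": parse_context(fields["tcontext"]),
    }


def mls_low_level(level):
    """Low end of a range such as 's0-s15:c0.c1023'; a single level is its own low."""
    return level.split("-", 1)[0]


def triage(rec):
    """Derive the TE rule the denial maps to and an MLS-mismatch hint."""
    src, tgt = rec["source"], rec["target"]
    rule = "allow %s %s:%s { %s };" % (
        src["type"], tgt["type"], rec["tclass"], " ".join(rec["perms"]))
    # Under the MLS policy a process acts at the low end of its range; an object
    # at a different level means the denial is about MLS constraints, not (only)
    # a missing type-enforcement rule.
    level_mismatch = tgt["level"] != mls_low_level(src["level"])
    return {"rule": rule, "mls_level_mismatch": level_mismatch}


def summarize(text):
    """Triage every AVC record in a block of audit/dmesg text."""
    out = []
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        out.append({"comm": rec["comm"], "name": rec["name"], **triage(rec)})
    return out


def unique_rules(text):
    """Deduplicated, sorted TE rules implied by the denials in text."""
    return sorted({r["rule"] for r in summarize(text)})


if __name__ == "__main__":
    for r in summarize(SAMPLE_AVCS):
        hint = "MLS level mismatch" if r["mls_level_mismatch"] else "TE rule"
        print("%-16s %-8s %s  [%s]" % (r["comm"], r["name"], r["rule"], hint))
```

On the records above the kpartx and multipath denials collapse to a single rule (initrc_t writing lvm_control_t:chr_file), which is what the dev_rw_lvm_control(initrc_t) interface mentioned later in this bug grants, while the vgchange record is flagged as an MLS level mismatch and so needs an MLS-side fix rather than just an allow rule.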

Comment 2 Miroslav Grepl 2010-11-24 13:11:29 UTC
We have 

dev_rw_lvm_control(initrc_t)

in RHEL6.

Comment 3 Miroslav Grepl 2010-11-24 13:13:38 UTC
Basically it looks like I should backport some changes from RHEL6 to RHEL5 related to MLS policy.

Comment 4 Daniel Walsh 2010-11-24 13:55:32 UTC
Yes.

Comment 5 Miroslav Grepl 2010-11-24 17:04:23 UTC
I have added MLS fixes to selinux-policy-2.4.6-295.el5.noarch policy.

Milos, Karel,
could you also test it? Please make sure services such as setroubleshoot, xfs, etc. are not running during your MLS testing. Thanks.

Comment 9 Jaromir Hradilek 2011-01-05 16:28:26 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Under certain circumstances, using SELinux with the MLS policy in the permissive mode could cause the following messages to appear at a boot time:

  /dev/mapper/control: open failed: Permission denied
  Failure to communicate with kernel device-mapper driver.

With this update, appropriate SELinux rules have been added to address this issue, and the system now boots without these errors.

Comment 11 errata-xmlrpc 2011-01-13 21:51:28 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0026.html

