Description of problem:

Version-Release number of selected component (if applicable):
RHEL5.6-Server-20101119.0
selinux-policy-targeted-2.4.6-293.el5
selinux-policy-2.4.6-293.el5
selinux-policy-mls-2.4.6-293.el5
selinux-policy-devel-2.4.6-293.el5

How reproducible:
always

Steps to Reproduce:
1. install MLS policy on a RHEL-5.6 machine, force filesystem auto-relabel
2. modify /etc/selinux/config so that the machine will start up with MLS policy in permissive mode
3. reboot into single mode
4. log in via console
5. run "ausearch -m avc -ts recent"

Actual results:
----
time->Wed Nov 24 02:07:44 2010
type=SYSCALL msg=audit(1290582464.869:285): arch=c0000032 syscall=1028 success=yes exit=5 a0=60000000000354b8 a1=44002 a2=0 a3=0 items=0 ppid=16970 pid=16975 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="vgchange" exe="/usr/sbin/lvm" subj=system_u:system_r:lvm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1290582464.869:285): avc: denied { write } for pid=16975 comm="vgchange" name="ram0" dev=tmpfs ino=749 scontext=system_u:system_r:lvm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s15:c0.c1023 tclass=blk_file
----

Expected results:
no AVCs
The following output is shown on the console when the machine starts up with MLS policy in enforcing mode:

/dev/mapper/control: open failed: Permission denied
Failure to communicate with kernel device-mapper driver.
/dev/mapper/control: open failed: Permission denied
Failure to communicate with kernel device-mapper driver.
device mapper prerequisites not met
/dev/mapper/control: open failed: Permission denied
Failure to communicate with kernel device-mapper driver.
device mapper prerequisites not met
/dev/mapper/control: open failed: Permission denied
Failure to communicate with kernel device-mapper driver.
device mapper prerequisites not met
/dev/mapper/control: open failed: Permission denied
Failure to communicate with kernel device-mapper driver.
device mapper prerequisites not met
Setting up Logical Volume Management:   File-based locking initialisation failed.
  No volume groups found

Here is the relevant part of the dmesg output:

md: Autodetecting RAID arrays.
md: autorun ...
md: ... autorun DONE.
device-mapper: multipath: version 1.0.5 loaded
type=1400 audit(1290585354.140:4): avc: denied { write } for pid=1159 comm="multipath.stati" name="control" dev=tmpfs ino=1068 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file
type=1400 audit(1290585354.318:5): avc: denied { write } for pid=1164 comm="kpartx" name="control" dev=tmpfs ino=1068 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file
type=1400 audit(1290585354.324:6): avc: denied { write } for pid=1166 comm="kpartx" name="control" dev=tmpfs ino=1068 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file
type=1400 audit(1290585354.330:7): avc: denied { write } for pid=1168 comm="kpartx" name="control" dev=tmpfs ino=1068 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file
type=1400 audit(1290585354.337:8): avc: denied { write } for pid=1170 comm="kpartx" name="control" dev=tmpfs ino=1068 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file
EXT3 FS on dm-0, internal journal
SELinux: initialized (dev sda1, type vfat), uses genfs_contexts
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
Adding 18677728k swap on /dev/VolGroup00/LogVol01.  Priority:-1 extents:1 across:18677728k
SELinux: initialized (dev binfmt_misc, type binfmt_misc), uses genfs_contexts
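The denials quoted in this report are the raw material a policy maintainer turns into type-enforcement rules. The following added example (written for this note, not code from the reporter or from the selinux-policy package) parses AVC records in both the ausearch and the dmesg "type=1400" shapes, then aggregates them into candidate allow rules the way audit2allow does (an approximation of that tool, not the tool itself). It also keeps the MLS ranges of subject and target, because under the MLS policy a denial can come from the level constraints rather than from a missing type rule, and a maintainer wants both facts on the table before deciding which interface (here dev_rw_lvm_control) to add. The sample records are copied from this bug and constructed into one string for offline use.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC records quoted in this bug report, one from
# ausearch (type=AVC) and two from dmesg (type=1400), kept as single lines.
SAMPLE_AVCS = """\
type=AVC msg=audit(1290582464.869:285): avc: denied { write } for pid=16975 comm="vgchange" name="ram0" dev=tmpfs ino=749 scontext=system_u:system_r:lvm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s15:c0.c1023 tclass=blk_file
type=1400 audit(1290585354.140:4): avc: denied { write } for pid=1159 comm="multipath.stati" name="control" dev=tmpfs ino=1068 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file
type=1400 audit(1290585354.318:5): avc: denied { write } for pid=1164 comm="kpartx" name="control" dev=tmpfs ino=1068 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file
"""

# Matches the permission set in braces and the three context fields; the
# record prefix (type=AVC msg=audit(...) or type=1400 audit(...)) is ignored.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def split_context(ctx):
    """Split user:role:type[:mls_range] into (user, role, type, range-or-None).

    The MLS range itself contains colons (s0-s15:c0.c1023), so split at most
    three times and keep the remainder whole.
    """
    parts = ctx.split(":", 3)
    user, role, typ = parts[0], parts[1], parts[2]
    mls = parts[3] if len(parts) > 3 else None
    return user, role, typ, mls


def parse_avcs(text):
    """Return one dict per AVC denial found in text; non-AVC lines are skipped."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        _, _, stype, srange = split_context(m.group("scontext"))
        _, _, ttype, trange = split_context(m.group("tcontext"))
        denials.append({
            "perms": set(m.group("perms").split()),
            "stype": stype, "srange": srange,
            "ttype": ttype, "trange": trange,
            "tclass": m.group("tclass"),
        })
    return denials


def suggest_rules(denials):
    """Aggregate denials by (source type, target type, class) into TE allow rules.

    This mirrors what audit2allow prints for the same input; it is a helper
    written for this example, not audit2allow itself.
    """
    agg = defaultdict(set)
    for d in denials:
        agg[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    return sorted(
        "allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
        for (s, t, c), p in agg.items()
    )


def mls_summary(denials):
    """List (source type, source range, target type, target level) pairs once each,
    so the maintainer can see where the subject range and object level differ."""
    seen = sorted({(d["stype"], d["srange"], d["ttype"], d["trange"]) for d in denials})
    return seen


if __name__ == "__main__":
    found = parse_avcs(SAMPLE_AVCS)
    for rule in suggest_rules(found):
        print(rule)
    for stype, srange, ttype, trange in mls_summary(found):
        print("%s (%s) -> %s (%s)" % (stype, srange, ttype, trange))
```

Running it on the sample prints two rules, one for initrc_t on lvm_control_t:chr_file and one for lvm_t on fixed_disk_device_t:blk_file, which is exactly the split the thread arrives at: the first is covered by the dev_rw_lvm_control(initrc_t) interface already present in RHEL6. The MLS summary shows the initrc_t subject at s0-s15:c0.c1023 touching a control node labelled plain s0, the kind of level mismatch worth checking separately when the same denial persists after the type rule is added.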
We have dev_rw_lvm_control(initrc_t) in RHEL6.
Basically it looks like I should backport some changes from RHEL6 to RHEL5 related to MLS policy.
Yes.
I have added MLS fixes to the selinux-policy-2.4.6-295.el5.noarch policy. Milos, Karel, could you also test it? Please make sure services such as setroubleshoot, xfs, etc. are not running during your MLS testing. Thanks.
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
Under certain circumstances, using SELinux with the MLS policy in permissive mode could cause the following messages to appear at boot time:

/dev/mapper/control: open failed: Permission denied
Failure to communicate with kernel device-mapper driver.

With this update, appropriate SELinux rules have been added to address this issue, and the system now boots without these errors.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0026.html