656809 – MLS policy -- avc: denied { write } for ... comm="vgchange" name="ram0" dev=tmpfs ...

Bug 656809 - MLS policy -- avc: denied { write } for ... comm="vgchange" name="ram0" dev=tmpfs ...

Summary: MLS policy -- avc: denied { write } for ... comm="vgchange" name="ram0" dev=t...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 5
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	5.6
Hardware:	All
OS:	Linux
Priority:	low
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Miroslav Grepl
QA Contact:	Milos Malik
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2010-11-24 07:54 UTC by Milos Malik
Modified:	2012-10-16 08:13 UTC (History)
CC List:	1 user (show)
Fixed In Version:	selinux-policy-2.4.6-295.el5
Doc Type:	Bug Fix
Doc Text:	Under certain circumstances, using SELinux with the MLS policy in the permissive mode could cause the following messages to appear at a boot time: /dev/mapper/control: open failed: Permission denied Failure to communicate with kernel device-mapper driver. With this update, appropriate SELinux rules have been added to address this issue, and the system now boots without these errors.
Clone Of:
Environment:
Last Closed:	2011-01-13 21:51:28 UTC
Target Upstream Version:
Dependent Products:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2011:0026	0	normal	SHIPPED_LIVE	selinux-policy bug fix and enhancement update	2011-01-12 16:11:15 UTC

Description Milos Malik 2010-11-24 07:54:56 UTC

Description of problem:


Version-Release number of selected component (if applicable):
RHEL5.6-Server-20101119.0
selinux-policy-targeted-2.4.6-293.el5
selinux-policy-2.4.6-293.el5
selinux-policy-mls-2.4.6-293.el5
selinux-policy-devel-2.4.6-293.el5

How reproducible:
always

Steps to Reproduce:
1. install MLS policy on a RHEL-5.6 machine, force filesystem auto-relabel
2. modify /etc/selinux/config so that the machine will start up with MLS policy in permissive mode
3. reboot into single mode
4. log in via console
5. run "ausearch -m avc -ts recent"
  
Actual results:
----
time->Wed Nov 24 02:07:44 2010
type=SYSCALL msg=audit(1290582464.869:285): arch=c0000032 syscall=1028 success=yes exit=5 a0=60000000000354b8 a1=44002 a2=0 a3=0 items=0 ppid=16970 pid=16975 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="vgchange" exe="/usr/sbin/lvm" subj=system_u:system_r:lvm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1290582464.869:285): avc:  denied  { write } for  pid=16975 comm="vgchange" name="ram0" dev=tmpfs ino=749 scontext=system_u:system_r:lvm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s15:c0.c1023 tclass=blk_file
----

Expected results:
no AVCs

Comment 1 Milos Malik 2010-11-24 07:59:36 UTC

Following output is shown in console when the machine starts up with MLS policy in enforcing mode:

/dev/mapper/control: open failed: Permission denied
Failure to communicate with kernel device-mapper driver.
/dev/mapper/control: open failed: Permission denied
Failure to communicate with kernel device-mapper driver.
device mapper prerequisites not met
/dev/mapper/control: open failed: Permission denied
Failure to communicate with kernel device-mapper driver.
device mapper prerequisites not met
/dev/mapper/control: open failed: Permission denied
Failure to communicate with kernel device-mapper driver.
device mapper prerequisites not met
/dev/mapper/control: open failed: Permission denied
Failure to communicate with kernel device-mapper driver.
device mapper prerequisites not met
Setting up Logical Volume Management:   File-based locking initialisation failed.
  No volume groups found

Here is the relevant part of dmesg output:

md: Autodetecting RAID arrays.
md: autorun ...
md: ... autorun DONE.
device-mapper: multipath: version 1.0.5 loaded
type=1400 audit(1290585354.140:4): avc:  denied  { write } for  pid=1159 comm="multipath.stati" name="control" dev=tmpfs ino=1068 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file
type=1400 audit(1290585354.318:5): avc:  denied  { write } for  pid=1164 comm="kpartx" name="control" dev=tmpfs ino=1068 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file
type=1400 audit(1290585354.324:6): avc:  denied  { write } for  pid=1166 comm="kpartx" name="control" dev=tmpfs ino=1068 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file
type=1400 audit(1290585354.330:7): avc:  denied  { write } for  pid=1168 comm="kpartx" name="control" dev=tmpfs ino=1068 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file
type=1400 audit(1290585354.337:8): avc:  denied  { write } for  pid=1170 comm="kpartx" name="control" dev=tmpfs ino=1068 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file
EXT3 FS on dm-0, internal journal
SELinux: initialized (dev sda1, type vfat), uses genfs_contexts
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
Adding 18677728k swap on /dev/VolGroup00/LogVol01.  Priority:-1 extents:1 across:18677728k
SELinux: initialized (dev binfmt_misc, type binfmt_misc), uses genfs_contexts

Comment 2 Miroslav Grepl 2010-11-24 13:11:29 UTC

We have 

dev_rw_lvm_control(initrc_t)

in RHEL6.

Comment 3 Miroslav Grepl 2010-11-24 13:13:38 UTC

Basically it looks like I should backport some changes from RHEL6 to RHEL5 related to MLS policy.

Comment 4 Daniel Walsh 2010-11-24 13:55:32 UTC

Yes.

Comment 5 Miroslav Grepl 2010-11-24 17:04:23 UTC

I have added MLS fixes to selinux-policy-2.4.6-295.el5.noarch policy.

Milos, Karel,
could you also test it. Please make sure services as setroubleshoot, xfs, etc. is not running during your MLS testing. Thanks.

Comment 9 Jaromir Hradilek 2011-01-05 16:28:26 UTC

    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Under certain circumstances, using SELinux with the MLS policy in the permissive mode could cause the following messages to appear at a boot time:

  /dev/mapper/control: open failed: Permission denied
  Failure to communicate with kernel device-mapper driver.

With this update, appropriate SELinux rules have been added to address this issue, and the system now boots without these errors.

Comment 11 errata-xmlrpc 2011-01-13 21:51:28 UTC

An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0026.html

Note You need to log in before you can comment on or make changes to this bug.