656809 – MLS policy -- avc: denied { write } for ... comm="vgchange" name="ram0" dev=tmpfs ...

Bug 656809 - MLS policy -- avc: denied { write } for ... comm="vgchange" name="ram0" dev=tmpfs ...

Summary: MLS policy -- avc: denied { write } for ... comm="vgchange" name="ram0" dev=t...

Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 5
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	5.6
Hardware:	All
OS:	Linux
Priority:	low
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Miroslav Grepl
QA Contact:	Milos Malik
Docs Contact:
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2010-11-24 07:54 UTC by Milos Malik
Modified:	2012-10-16 08:13 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Doc Type:
Doc Text:	(edit) Under certain circumstances, using SELinux with the MLS policy in the permissive mode could cause the following messages to appear at a boot time: /dev/mapper/control: open failed: Permission denied Failure to communicate with kernel device-mapper driver. With this update, appropriate SELinux rules have been added to address this issue, and the system now boots without these errors. Under certain circumstances, using SELinux with the MLS policy in the permissive mode could cause the following messages to appear at a boot time: /dev/mapper/control: open failed: Permission denied Failure to communicate with kernel device-mapper driver. With this update, appropriate SELinux rules have been added to address this issue, and the system now boots without these errors.
Clone Of:
Environment:	(edit)
Last Closed:	2011-01-13 21:51:28 UTC
Dependent Products:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2011:0026	normal	SHIPPED_LIVE	selinux-policy bug fix and enhancement update	2011-01-12 16:11:15 UTC

Description Milos Malik 2010-11-24 07:54:56 UTC

Description of problem:


Version-Release number of selected component (if applicable):
RHEL5.6-Server-20101119.0
selinux-policy-targeted-2.4.6-293.el5
selinux-policy-2.4.6-293.el5
selinux-policy-mls-2.4.6-293.el5
selinux-policy-devel-2.4.6-293.el5

How reproducible:
always

Steps to Reproduce:
1. install MLS policy on a RHEL-5.6 machine, force filesystem auto-relabel
2. modify /etc/selinux/config so that the machine will start up with MLS policy in permissive mode
3. reboot into single mode
4. log in via console
5. run "ausearch -m avc -ts recent"
  
Actual results:
----
time->Wed Nov 24 02:07:44 2010
type=SYSCALL msg=audit(1290582464.869:285): arch=c0000032 syscall=1028 success=yes exit=5 a0=60000000000354b8 a1=44002 a2=0 a3=0 items=0 ppid=16970 pid=16975 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="vgchange" exe="/usr/sbin/lvm" subj=system_u:system_r:lvm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1290582464.869:285): avc:  denied  { write } for  pid=16975 comm="vgchange" name="ram0" dev=tmpfs ino=749 scontext=system_u:system_r:lvm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s15:c0.c1023 tclass=blk_file
----

Expected results:
no AVCs

Comment 1 Milos Malik 2010-11-24 07:59:36 UTC

Following output is shown in console when the machine starts up with MLS policy in enforcing mode:

/dev/mapper/control: open failed: Permission denied
Failure to communicate with kernel device-mapper driver.
/dev/mapper/control: open failed: Permission denied
Failure to communicate with kernel device-mapper driver.
device mapper prerequisites not met
/dev/mapper/control: open failed: Permission denied
Failure to communicate with kernel device-mapper driver.
device mapper prerequisites not met
/dev/mapper/control: open failed: Permission denied
Failure to communicate with kernel device-mapper driver.
device mapper prerequisites not met
/dev/mapper/control: open failed: Permission denied
Failure to communicate with kernel device-mapper driver.
device mapper prerequisites not met
Setting up Logical Volume Management:   File-based locking initialisation failed.
  No volume groups found

Here is the relevant part of dmesg output:

md: Autodetecting RAID arrays.
md: autorun ...
md: ... autorun DONE.
device-mapper: multipath: version 1.0.5 loaded
type=1400 audit(1290585354.140:4): avc:  denied  { write } for  pid=1159 comm="multipath.stati" name="control" dev=tmpfs ino=1068 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file
type=1400 audit(1290585354.318:5): avc:  denied  { write } for  pid=1164 comm="kpartx" name="control" dev=tmpfs ino=1068 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file
type=1400 audit(1290585354.324:6): avc:  denied  { write } for  pid=1166 comm="kpartx" name="control" dev=tmpfs ino=1068 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file
type=1400 audit(1290585354.330:7): avc:  denied  { write } for  pid=1168 comm="kpartx" name="control" dev=tmpfs ino=1068 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file
type=1400 audit(1290585354.337:8): avc:  denied  { write } for  pid=1170 comm="kpartx" name="control" dev=tmpfs ino=1068 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file
EXT3 FS on dm-0, internal journal
SELinux: initialized (dev sda1, type vfat), uses genfs_contexts
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
Adding 18677728k swap on /dev/VolGroup00/LogVol01.  Priority:-1 extents:1 across:18677728k
SELinux: initialized (dev binfmt_misc, type binfmt_misc), uses genfs_contexts

Comment 2 Miroslav Grepl 2010-11-24 13:11:29 UTC

We have 

dev_rw_lvm_control(initrc_t)

in RHEL6.

Comment 3 Miroslav Grepl 2010-11-24 13:13:38 UTC

Basically it looks like I should backport some changes from RHEL6 to RHEL5 related to MLS policy.

Comment 4 Daniel Walsh 2010-11-24 13:55:32 UTC

Yes.

Comment 5 Miroslav Grepl 2010-11-24 17:04:23 UTC

I have added MLS fixes to selinux-policy-2.4.6-295.el5.noarch policy.

Milos, Karel,
could you also test it. Please make sure services as setroubleshoot, xfs, etc. is not running during your MLS testing. Thanks.

Comment 9 Jaromir Hradilek 2011-01-05 16:28:26 UTC

    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Under certain circumstances, using SELinux with the MLS policy in the permissive mode could cause the following messages to appear at a boot time:

  /dev/mapper/control: open failed: Permission denied
  Failure to communicate with kernel device-mapper driver.

With this update, appropriate SELinux rules have been added to address this issue, and the system now boots without these errors.

Comment 11 errata-xmlrpc 2011-01-13 21:51:28 UTC

An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0026.html

Note You need to log in before you can comment on or make changes to this bug.