680388 – MLS in single-user mode: /var/lock/lvm: setfscreatecon failed: Permission denied

Bug 680388 - MLS in single-user mode: /var/lock/lvm: setfscreatecon failed: Permission denied

Summary: MLS in single-user mode: /var/lock/lvm: setfscreatecon failed: Permission denied

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	6.1
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Miroslav Grepl
QA Contact:	Milos Malik
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	689736
TreeView+	depends on / blocked

Reported:	2011-02-25 12:15 UTC by Milos Malik
Modified:	2012-10-16 08:13 UTC (History)
CC List:	1 user (show)
Fixed In Version:	selinux-policy-3.7.19-74.el6
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Clones:	689736 (view as bug list)
Environment:
Last Closed:	2011-05-19 11:57:49 UTC
Target Upstream Version:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2011:0526	0	normal	SHIPPED_LIVE	selinux-policy bug fix and enhancement update	2011-05-19 09:37:41 UTC

Description Milos Malik 2011-02-25 12:15:10 UTC

Description of problem:


Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-72.el6.noarch
selinux-policy-targeted-3.7.19-72.el6.noarch
selinux-policy-mls-3.7.19-72.el6.noarch

How reproducible:
always

Steps to Reproduce:
1. install MLS policy on a RHEL-6 machine
2. modify /etc/selinux/config so that the machine will start up with MLS policy in permissive mode
3. modify /boot/grub/grub.conf so that the machine will start up into single-user mode
4. run 'touch /.autorelabel'
5. run 'reboot'
6. log in as root via console
7. run 'reboot' and search for 'type=' messages in the console
  
Actual results:
type=1400 audit(1298633324.629:4): avc:  denied  { setfscreate } for  pid=682 comm="lvm" scontext=system_u:system_r:lvm_t:s0-s15:c0.c1023 tcontext=system_u:system_r:lvm_t:s0-s15:c0.c1023 tclass=process
type=1400 audit(1298633324.687:5): avc:  denied  { setfscreate } for  pid=682 comm="lvm" scontext=system_u:system_r:lvm_t:s0-s15:c0.c1023 tcontext=system_u:system_r:lvm_t:s0-s15:c0.c1023 tclass=process

Expected results:
no AVCs

Comment 5 Milos Malik 2011-02-25 13:01:58 UTC

Easy to reproduce with following tools:
 * lvdisplay
 * pvdisplay
 * vgdisplay

Comment 6 Daniel Walsh 2011-02-25 15:28:11 UTC

Looks like we need f15 lvm policy back ported to RHEL6.

How did rhel6 get so old so fast.

Comment 7 Miroslav Grepl 2011-02-25 15:34:56 UTC

I am seeing only one difference

+kernel_get_sysvipc_info(lvm_t)

Comment 8 Miroslav Grepl 2011-02-25 15:37:59 UTC

Oops, you are right. Bad diff.

Comment 9 Miroslav Grepl 2011-02-25 15:39:48 UTC

(In reply to comment #8)
> Oops, you are right. Bad diff.

It was diff with F14 policy.

Comment 10 Miroslav Grepl 2011-03-01 13:56:54 UTC

Fixed in selinux-policy-3.7.19-74.el6

Comment 13 errata-xmlrpc 2011-05-19 11:57:49 UTC

An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0526.html

Note You need to log in before you can comment on or make changes to this bug.