Description of problem:

Version-Release number of selected component (if applicable):
lvm2-2.02.84-1.el5
selinux-policy-2.4.6-302.el5
selinux-policy-devel-2.4.6-302.el5
selinux-policy-minimum-2.4.6-302.el5
selinux-policy-mls-2.4.6-302.el5
selinux-policy-strict-2.4.6-302.el5
selinux-policy-targeted-2.4.6-302.el5

How reproducible:
always

Steps to Reproduce:
1. install MLS policy on a RHEL-5 machine
2. modify /etc/selinux/config so that the machine will start up with MLS policy in permissive mode
3. modify /boot/grub/grub.conf so that the machine will start up into single-user mode
4. run 'touch /.autorelabel'
5. run 'reboot'
6. log in as root via console
7. run 'reboot' and search for 'type=' messages in the console

Actual results:
type=1400 audit(1300788795.499:3): avc: denied { setfscreate } for pid=1395 comm="lvm.static" scontext=system_u:system_r:lvm_t:s0-s15:c0.c1023 tcontext=system_u:system_r:lvm_t:s0-s15:c0.c1023 tclass=process
type=1400 audit(1300788795.516:4): avc: denied { setfscreate } for pid=1395 comm="lvm.static" scontext=system_u:system_r:lvm_t:s0-s15:c0.c1023 tcontext=system_u:system_r:lvm_t:s0-s15:c0.c1023 tclass=process

Expected results:
no AVCs

Relevant part of the boot-up messages seen in console:

failed to stat() /dev/mapper/no
failed to stat() /dev/mapper/block
failed to stat() /dev/mapper/devices
failed to stat() /dev/mapper/found
Setting up Logical Volume Management: /var/lock/lvm: setfscreatecon failed: Permission denied
(null): setfscreatecon failed: Permission denied
No volume groups found
[ OK ]
Checking filesystems
Checking all file systems.

The same AVCs but printed by ausearch:

----
time->Tue Mar 22 06:25:07 2011
type=SYSCALL msg=audit(1300789507.470:14): arch=c0000032 syscall=1027 success=no exit=-13 a0=3 a1=6000000000bc3800 a2=20 a3=c00000000000038b items=0 ppid=2462 pid=2463 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="vgs" exe="/usr/sbin/lvm" subj=system_u:system_r:lvm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1300789507.470:14): avc: denied { setfscreate } for pid=2463 comm="vgs" scontext=system_u:system_r:lvm_t:s0-s15:c0.c1023 tcontext=system_u:system_r:lvm_t:s0-s15:c0.c1023 tclass=process
----
time->Tue Mar 22 06:25:07 2011
type=SYSCALL msg=audit(1300789507.471:15): arch=c0000032 syscall=1027 success=no exit=-13 a0=3 a1=0 a2=0 a3=c00000000000038b items=0 ppid=2462 pid=2463 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="vgs" exe="/usr/sbin/lvm" subj=system_u:system_r:lvm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1300789507.471:15): avc: denied { setfscreate } for pid=2463 comm="vgs" scontext=system_u:system_r:lvm_t:s0-s15:c0.c1023 tcontext=system_u:system_r:lvm_t:s0-s15:c0.c1023 tclass=process
----

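As an added example (not part of the original report or of any Red Hat tooling), the Python below parses the AVC records quoted above, in both the console and the ausearch form, and groups them by source type, target, class and permission, rendering each group in allow-rule syntax. The function names are hypothetical, and the rendered rule only summarises the denial; it is not the change shipped in the fixed policy package.

```python
import re
from collections import Counter

# Records copied from the report above: one console AVC and one ausearch SYSCALL/AVC pair.
SAMPLE = """\
type=1400 audit(1300788795.499:3): avc: denied { setfscreate } for pid=1395 comm="lvm.static" scontext=system_u:system_r:lvm_t:s0-s15:c0.c1023 tcontext=system_u:system_r:lvm_t:s0-s15:c0.c1023 tclass=process
type=SYSCALL msg=audit(1300789507.470:14): arch=c0000032 syscall=1027 success=no exit=-13 a0=3 a1=6000000000bc3800 a2=20 a3=c00000000000038b items=0 ppid=2462 pid=2463 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="vgs" exe="/usr/sbin/lvm" subj=system_u:system_r:lvm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1300789507.470:14): avc: denied { setfscreate } for pid=2463 comm="vgs" scontext=system_u:system_r:lvm_t:s0-s15:c0.c1023 tcontext=system_u:system_r:lvm_t:s0-s15:c0.c1023 tclass=process
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {key: value.strip('"') for key, value in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    return rec


def context_type(context):
    """Extract the type from user:role:type[:mls-range]."""
    # Under the MLS policy the range (s0-s15:c0.c1023) contains ':' itself,
    # so split at most three times instead of taking the last field.
    parts = context.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"not a security context: {context!r}")
    return parts[2]


def summarize(text):
    """Count denials per (source type, target, class, permission)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue  # SYSCALL records, separators, timestamps
        src, tgt = context_type(rec["scontext"]), context_type(rec["tcontext"])
        target = "self" if src == tgt else tgt
        for perm in rec["perms"]:
            counts[(src, target, rec["tclass"], perm)] += 1
    return counts


def as_rules(counts):
    """Render each distinct denial in allow-rule syntax for review."""
    return [f"allow {s} {t}:{c} {p};" for (s, t, c, p) in sorted(counts)]
```
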
I will backport from RHEL6.
Fixed in selinux-policy-2.4.6-304.el5
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-1069.html