Description of problem:
Unable to mount gfs2 file systems after upgrading to latest selinux-policy and SELinux=enforcing.

The SELinux fcontext (selinux-policy-3.9.7-37.fc14.noarch) for the /dev nodes created by dlm/dlm_controld are set to device_t when they should be dlm_control_device_t for, minimally:

  /dev/dlm-control
  /dev/dlm-monitor
  /dev/dlm_plock
  /dev/dlm_rgmanager

Not sure if dlm_rgmanager needs to have the same fcontext. At present, it's also set to device_t.

Version-Release number of selected component (if applicable):
selinux-policy-3.9.7-37.fc14.noarch
cman-3.1.1-1.fc14.x86_64

How reproducible:
With selinux=enforcing, it's every time the system attempts to mount a gfs2 filesystem after restarting the cluster (/etc/init.d/cman restart).

Steps to Reproduce:
1. Upgrade to selinux-policy-3.9.7-37.fc14 & selinux=Enforcing
2. service cman start
3. service gfs2 start

Actual results:
gfs_controld fails to start (get error "dlm: no local IP address has been set"), gfs2 file system doesn't mount and the following AVCs appear in /var/log/audit/audit.log:

type=AVC msg=audit(1301325627.439:67): avc: denied { getattr } for pid=6086 comm="dlm_controld" path="/dev/dlm-control" dev=devtmpfs ino=26028 scontext=unconfined_u:system_r:dlm_controld_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1301325627.439:68): avc: denied { read } for pid=6086 comm="dlm_controld" name="dlm-monitor" dev=devtmpfs ino=26030 scontext=unconfined_u:system_r:dlm_controld_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1301325627.439:68): avc: denied { open } for pid=6086 comm="dlm_controld" name="dlm-monitor" dev=devtmpfs ino=26030 scontext=unconfined_u:system_r:dlm_controld_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1301325627.452:69): avc: denied { write } for pid=6086 comm="dlm_controld" name="dlm_plock" dev=devtmpfs ino=26036 scontext=unconfined_u:system_r:dlm_controld_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file

Expected results:
Able to mount gfs2 file systems (and no AVCs for dlm_controld) with SELINUX=Enforcing.

Additional info:
After updating the fcontexts for /dev/dlm* to dlm_control_device_t (from device_t) and updating the load_kernel_modules() function in the cman init script:

fcontext updates:

  semanage fcontext -a -t dlm_control_device_t -f -c /dev/dlm-control
  semanage fcontext -a -t dlm_control_device_t -f -c /dev/dlm_plock
  semanage fcontext -a -t dlm_control_device_t -f -c /dev/dlm-monitor
  semanage fcontext -a -t dlm_control_device_t -f -c /dev/dlm_rgmanager

/etc/init.d/cman update:

  load_kernel_modules()
  {
      errmsg=$( modprobe configfs 2>&1 ) || return 1
      errmsg=$( modprobe dlm 2>&1 ) || return 1
      restorecon -F /dev/dlm* || return 1   # Added
  }

Cluster now starts as expected, gfs2 file systems can be mounted, etc.

So I think the following things need to be addressed:
1. RHCS needs to ensure the DLM device nodes (/dev/dlm{-control, -monitor, _plock, _rgmanager}) get set to the correct fcontext (dlm_control_device_t) and not their present "device_t".
2. selinux-policy needs to add FC specs for all of the above DLM nodes.
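The report's triage (read the AVCs, work out which /dev/dlm* nodes are still labelled device_t, then relabel them) can be scripted so the same check is repeatable after a policy update. The script below is an added example, not part of the bug report, cman or selinux-policy; it runs against constructed audit records modelled on the denials quoted above (plus one unrelated denial the filter must ignore) and also checks the observed nodes against the single file-context regex proposed later in the thread (/dev/dlm.* -> dlm_control_device_t). On a live system the first function would be fed /var/log/audit/audit.log instead.

```shell
#!/bin/sh
# Added example (not from the bug report or the projects it names): triage
# AVC denials for dlm_controld and list the DLM device nodes that are still
# labelled device_t instead of dlm_control_device_t.

# Constructed sample audit records, modelled on the denials in the report,
# plus one unrelated denial (ntpd on /dev/rtc0) that must not be reported.
SAMPLE_AVC='type=AVC msg=audit(1301325627.439:67): avc: denied { getattr } for pid=6086 comm="dlm_controld" path="/dev/dlm-control" dev=devtmpfs ino=26028 scontext=unconfined_u:system_r:dlm_controld_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1301325627.439:68): avc: denied { read } for pid=6086 comm="dlm_controld" name="dlm-monitor" dev=devtmpfs ino=26030 scontext=unconfined_u:system_r:dlm_controld_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1301325627.439:68): avc: denied { open } for pid=6086 comm="dlm_controld" name="dlm-monitor" dev=devtmpfs ino=26030 scontext=unconfined_u:system_r:dlm_controld_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1301325627.452:69): avc: denied { write } for pid=6086 comm="dlm_controld" name="dlm_plock" dev=devtmpfs ino=26036 scontext=unconfined_u:system_r:dlm_controld_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1301325700.000:70): avc: denied { read } for pid=7000 comm="ntpd" name="rtc0" dev=devtmpfs ino=11 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file'

# dlm_mislabeled_nodes: read audit records on stdin; for every denial where a
# dlm_controld_t process was refused a character device still labelled
# device_t, print the node's basename (each node once, sorted).
# Live use: dlm_mislabeled_nodes < /var/log/audit/audit.log
dlm_mislabeled_nodes() {
    awk '
        /avc: *denied/ &&
        /scontext=[^ ]*:dlm_controld_t:/ &&
        /tcontext=[^ ]*:device_t:/ &&
        /tclass=chr_file/ {
            # the node is reported as path="/dev/x" or name="x", depending on the op
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^(path|name)="/) {
                    v = $i
                    sub(/^(path|name)="/, "", v)
                    sub(/"$/, "", v)
                    sub(/.*\//, "", v)
                    print v
                }
            }
        }' | LC_ALL=C sort -u
}

# dlm_spec_uncovered: check each node name on stdin against the file-context
# regex proposed in the thread (/dev/dlm.*). file_contexts regexes match the
# whole path, so the same anchoring is applied here. Prints every node the
# spec would NOT relabel; no output means the spec covers all observed nodes.
dlm_spec_uncovered() {
    spec_re='^/dev/dlm.*$'
    while IFS= read -r n; do
        printf '/dev/%s\n' "$n" | grep -Eq "$spec_re" || echo "$n"
    done
}

# Stand-alone run on the constructed sample (no audit.log access needed).
echo "nodes still labelled device_t:"
printf '%s\n' "$SAMPLE_AVC" | dlm_mislabeled_nodes
echo "nodes not covered by /dev/dlm.* spec (empty = full coverage):"
printf '%s\n' "$SAMPLE_AVC" | dlm_mislabeled_nodes | dlm_spec_uncovered
```

Because the dlm nodes are created dynamically (one per lock space, as explained further down in the thread), a check driven by the audit log catches whatever names actually appeared rather than a fixed list, and the second function tells you whether a regex-based policy spec would cover all of them before relying on it.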
Miroslav, let's add /dev/dlm.* -c gen_context(system_u:object_r:dlm_control_device_t,s0) to F13, F14, F15 and RHEL6
The patch to cman init is kind of moot because the devices don't exist at that time. Also, as a side note (not entirely sure that is relevant), those devices are created dynamically based on the services using them. Other than /dev/dlm* there is no other portion of the name that is constant. Fabio
What creates these nodes then and when?
fs/dlm kernel via udev. If that fails, libdlm from userland will do it as a fallback. libdlm users will request a lock space with "name" and that will become dlm_name. Each name is unique. Fabio
Fixed in selinux-policy-3.9.7-39.fc14
selinux-policy-3.9.7-40.fc14 has been submitted as an update for Fedora 14. https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-40.fc14
Package selinux-policy-3.9.7-40.fc14:
* should fix your issue,
* was pushed to the Fedora 14 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.7-40.fc14'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-40.fc14
then log in and leave karma (feedback).
selinux-policy-3.9.7-40.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report.