Description of problem:

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.4.6-306.el5
selinux-policy-devel-2.4.6-306.el5
selinux-policy-strict-2.4.6-306.el5
selinux-policy-mls-2.4.6-306.el5
selinux-policy-2.4.6-306.el5
selinux-policy-minimum-2.4.6-306.el5

How reproducible:
always

Steps to Reproduce:
# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 21
Policy from config file:        mls
# id -Z
root:sysadm_r:sysadm_t:SystemLow-SystemHigh
# pwd
/root
# lvmdump
Creating dump directory: /root/lvmdump-<NODE-NAME>-20110530143543
Gathering LVM & device-mapper version info...
Gathering dmsetup info...
Gathering process info...
Gathering console messages...
Gathering /etc/lvm info...
Gathering /dev listing...
Gathering /sys/block listing...
Creating report tarball in /root/lvmdump-<NODE-NAME>-20110530143543.tgz...
#

Actual results:
multiple AVCs of this kind
----
time->Mon May 30 10:35:43 2011
type=SYSCALL msg=audit(1306766143.615:109): arch=c000003e syscall=59 success=yes exit=0 a0=12f11ee0 a1=12f125f0 a2=12f0a8a0 a3=65 items=0 ppid=2445 pid=2459 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=1 comm="dmsetup" exe="/sbin/dmsetup" subj=root:sysadm_r:lvm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1306766143.615:109): avc: denied { append } for pid=2459 comm="dmsetup" path="/root/lvmdump-<NODE-NAME>-20110530143543/lvmdump.log" dev=dm-0 ino=2543447 scontext=root:sysadm_r:lvm_t:s0-s15:c0.c1023 tcontext=root:object_r:sysadm_home_t:s0 tclass=file
type=AVC msg=audit(1306766143.615:109): avc: denied { write } for pid=2459 comm="dmsetup" path="/root/lvmdump-<NODE-NAME>-20110530143543/dmsetup_ls_tree" dev=dm-0 ino=2543452 scontext=root:sysadm_r:lvm_t:s0-s15:c0.c1023 tcontext=root:object_r:sysadm_home_t:s0 tclass=file
----

Expected results:
no AVCs
This is a leak. lvmdump runs in the sysadm_t domain but then executes dmsetup, which has a transition to lvm_t. Is this always created in /root?
No, the lvmdump directory/file is created in the current working directory.
Not only dmsetup; it also runs lvm (and some other programs to parse output). It should be very similar to sos report. How is it handled there?
There is an option for the directory; the default should be $HOME/lvmdump-$HOSTNAME-$NOW/. What's the problem with creating a directory in $HOME? Or is it broken somehow?
You are right. I see it in the /usr/sbin/lvmdump bash script.

"append" is caused by

  2>> \"$log\"

which could be allowed by

  allow lvm_t sysadm_home_t:file append;

But we don't want to allow "write" access to the /root directory, and this is caused by
---
log "\"$DMSETUP\" info -c > \"$dir/dmsetup_info\" 2>> \"$log\""
log "\"$DMSETUP\" table > \"$dir/dmsetup_table\" 2>> \"$log\""
log "\"$DMSETUP\" status > \"$dir/dmsetup_status\" 2>> \"$log\""
log "\"$DMSETUP\" ls --tree > \"$dir/dmsetup_ls_tree\" 2>> \"$log\""
--
which could be fixed by

log "\"$DMSETUP\" info -c | cat > \"$dir/dmsetup_ls_tree\" 2>> \"$log\""

or just append

log "\"$DMSETUP\" info -c >> \"$dir/dmsetup_ls_tree\" 2>> \"$log\""
Why is append different here? (It creates new file).
Not sure what you think. The $log file is created by the script running as sysadm_t.
$dir/dmsetup_ls_tree is not a log file; it is a separate per-command report file, and this file is created by dmsetup. For the log file we are appending output already, but only stderr goes there. Anyway, if it is not a selinux policy problem but only a patch for lvmdump, please reassign it to the lvm2 package and I'll fix it.
If you use shell redirection, the shell is actually creating/opening the file and handing the file descriptor to the app running within the shell. If a confined app is handed an open file descriptor like > "$dir/dmsetup_ls_tree", it will require the ability to write to the open file. Write gives the confined domain the ability to truncate the file. If you open the file with >> "$dir/dmsetup_ls_tree", the shell will hand the confined domain the ability to append only, and this will block the ability to truncate. We have a rather large rule that allows confined domains to append to home directory content but not write.
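The mechanism described in the comment above (the shell opens the redirection target and the child inherits the descriptor, so `>` ends up needing SELinux `write` while `>>` needs only `append`) can be seen without an SELinux box. The script below is an added example, not part of lvmdump or of this bug report; the report file name `dmsetup_ls_tree` is only borrowed from the AVC path, and the `/proc/self/fdinfo` probe is Linux-specific and simply prints nothing elsewhere.

```sh
#!/bin/sh
# Added example (not from the lvmdump script or this bug report).
# The shell, not the child, opens a redirection target, and the open(2)
# flags it chooses decide which SELinux permission a confined child such as
# dmsetup (lvm_t) must hold when it writes to the inherited descriptor:
#   cmd >  file   O_WRONLY|O_CREAT|O_TRUNC   -> child needs { write }
#   cmd >> file   O_WRONLY|O_CREAT|O_APPEND  -> child needs { append }
# The "| cat > file" variant from the thread instead hands the descriptor to
# cat, which never left the caller's domain, so the confined child writes
# only to a pipe.

# Run a command string with stdout redirected via ">" (truncating open).
run_truncate() { sh -c "$1" > "$2"; }

# Same command, stdout redirected via ">>" (append-only open); this is the
# form the thread settles on for every per-command report file.
run_append() { sh -c "$1" >> "$2"; }

# Number of lines in a file, whitespace stripped so it compares as a number.
line_count() { wc -l < "$1" | tr -d ' '; }

# Pre-seed a report file, write to it with both operators, and report the
# resulting line counts as "<after '>'> <after '>>'>".
demo_counts() {
    dir=$(mktemp -d)
    f="$dir/dmsetup_ls_tree"          # constructed name, mirrors the AVC path

    printf 'existing line\n' > "$f"
    run_truncate 'echo new line' "$f"
    t=$(line_count "$f")              # 1: previous content discarded

    printf 'existing line\n' > "$f"
    run_append 'echo new line' "$f"
    a=$(line_count "$f")              # 2: previous content kept

    rm -rf "$dir"
    echo "$t $a"
}

# Print the open flags (octal, from /proc/self/fdinfo) that a child sees on
# its stdout under each operator. sed reads ITS OWN fd 1, which is the
# redirected file, so the flags it prints are exactly the ones the kernel
# would check against a confined child's policy. Empty where /proc is absent.
stdout_flags_truncate() {
    f=$(mktemp)
    sed -n 's/^flags:[[:space:]]*//p' /proc/self/fdinfo/1 > "$f" 2>/dev/null || true
    cat "$f"; rm -f "$f"
}
stdout_flags_append() {
    f=$(mktemp)
    sed -n 's/^flags:[[:space:]]*//p' /proc/self/fdinfo/1 >> "$f" 2>/dev/null || true
    cat "$f"; rm -f "$f"
}

# Succeed if an octal flags word carries O_APPEND (02000 on Linux).
has_o_append() { [ $(( 0$1 & 02000 )) -ne 0 ]; }

echo "lines after '>' then after '>>': $(demo_counts)"
echo "stdout flags under '>':  $(stdout_flags_truncate)"
echo "stdout flags under '>>': $(stdout_flags_append)"
```

Run it as any user: the first line prints `1 2`, and on Linux the second flags word carries the O_APPEND bit while the first does not, which is the difference between the `{ write }` and `{ append }` AVCs in the report.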
(In reply to comment #8)
> $dir/dmsetup_ls_tree" is not log file, it is separate per-command report file.
> And this file is created by dmsetup.

Oops, I read $dir/$dmsetup_ls_tree.
I think append should be sufficient throughout the script.
There is a small change needed in selinux-policy too. Actually, I just tested the new build selinux-policy-mls-2.4.6-308.el5 and it already has the fix included. Returning it back to the selinux-policy component. The lvmdump script part is addressed by bug #709388.
Fixed in selinux-policy-2.4.6-309.el5
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2011-1069.html