+++ This bug was initially created as a clone of Bug #709080 +++

Description of problem:

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.4.6-306.el5
selinux-policy-devel-2.4.6-306.el5
selinux-policy-strict-2.4.6-306.el5
selinux-policy-mls-2.4.6-306.el5
selinux-policy-2.4.6-306.el5
selinux-policy-minimum-2.4.6-306.el5

How reproducible:
always

Steps to Reproduce:
# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 21
Policy from config file:        mls
# id -Z
root:sysadm_r:sysadm_t:SystemLow-SystemHigh
# pwd
/root
# lvmdump
Creating dump directory: /root/lvmdump-<NODE-NAME>-20110530143543
Gathering LVM & device-mapper version info...
Gathering dmsetup info...
Gathering process info...
Gathering console messages...
Gathering /etc/lvm info...
Gathering /dev listing...
Gathering /sys/block listing...
Creating report tarball in /root/lvmdump-<NODE-NAME>-20110530143543.tgz...
#

Actual results:
multiple AVCs of this kind
----
time->Mon May 30 10:35:43 2011
type=SYSCALL msg=audit(1306766143.615:109): arch=c000003e syscall=59 success=yes exit=0 a0=12f11ee0 a1=12f125f0 a2=12f0a8a0 a3=65 items=0 ppid=2445 pid=2459 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=1 comm="dmsetup" exe="/sbin/dmsetup" subj=root:sysadm_r:lvm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1306766143.615:109): avc: denied { append } for pid=2459 comm="dmsetup" path="/root/lvmdump-<NODE-NAME>-20110530143543/lvmdump.log" dev=dm-0 ino=2543447 scontext=root:sysadm_r:lvm_t:s0-s15:c0.c1023 tcontext=root:object_r:sysadm_home_t:s0 tclass=file
type=AVC msg=audit(1306766143.615:109): avc: denied { write } for pid=2459 comm="dmsetup" path="/root/lvmdump-<NODE-NAME>-20110530143543/dmsetup_ls_tree" dev=dm-0 ino=2543452 scontext=root:sysadm_r:lvm_t:s0-s15:c0.c1023 tcontext=root:object_r:sysadm_home_t:s0 tclass=file
----

Expected results:
no AVCs

--- Additional comment from mgrepl on 2011-05-31 05:54:40 EDT ---

This is a leak. lvmdump runs in the sysadm_t domain but then executes dmsetup, which has a transition to lvm_t. Is this always created in /root?

--- Additional comment from mmalik on 2011-05-31 05:59:52 EDT ---

No, the lvmdump directory/file is created in the current working directory.

--- Additional comment from mbroz on 2011-05-31 06:11:19 EDT ---

Not only dmsetup, it also runs lvm. (And some other programs to parse output.) It should be very similar to sos report - how is it handled there?

--- Additional comment from mbroz on 2011-05-31 06:14:15 EDT ---

There is an option for the directory; the default should be $HOME/lvmdump-$HOSTNAME-$NOW/

What's the problem with creating a directory in $HOME? Or is it broken somehow?

--- Additional comment from mgrepl on 2011-05-31 07:15:41 EDT ---

You are right. I see it in the /usr/sbin/lvmdump bash script.

"append" is caused by

  2>> \"$log\"

which could be allowed by

  allow lvm_t sysadm_home_t:file append;

But we don't want to allow "write" access to the /root directory, and this is caused by

---
log "\"$DMSETUP\" info -c > \"$dir/dmsetup_info\" 2>> \"$log\""
log "\"$DMSETUP\" table > \"$dir/dmsetup_table\" 2>> \"$log\""
log "\"$DMSETUP\" status > \"$dir/dmsetup_status\" 2>> \"$log\""
log "\"$DMSETUP\" ls --tree > \"$dir/dmsetup_ls_tree\" 2>> \"$log\""
--

which could be fixed by

log "\"$DMSETUP\" info -c | cat > \"$dir/dmsetup_ls_tree\" 2>> \"$log\""

or just append

log "\"$DMSETUP\" info -c >> \"$dir/dmsetup_ls_tree\" 2>> \"$log\""

--- Additional comment from mbroz on 2011-05-31 08:24:46 EDT ---

Why is append different here? (It creates a new file.)

--- Additional comment from mgrepl on 2011-05-31 10:42:08 EDT ---

Not sure what you think. The $log file is created by the script running as sysadm_t.

--- Additional comment from mbroz on 2011-05-31 11:03:04 EDT ---

"$dir/dmsetup_ls_tree" is not the log file, it is a separate per-command report file. And this file is created by dmsetup.

For the log file we are appending output already, but only stderr goes there.

Anyway, if it is not a selinux policy problem but only a patch for lvmdump, please reassign it to the lvm2 package; I'll fix it.

--- Additional comment from dwalsh on 2011-05-31 11:06:58 EDT ---

If you use script redirection, the shell is actually creating/opening the file and handing the file descriptor to the app running within the shell. If a confined app is handed an open file descriptor like > "$dir/dmsetup_ls_tree", it will require the ability to write to the open file. Write allows the confined domain the ability to truncate the file. If you open the file with >> "$dir/dmsetup_ls_tree", the shell will hand the confined domain the ability to append only, and this will block the ability to truncate. We have a rather large rule that allows confined domains to append to home directory content but not write.
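The two redirection shapes discussed in the comments above, side by side, plus a check over audit lines for the lvm_t to sysadm_home_t denials; this is an added example, not the lvmdump script or any lvm2 or selinux-policy code. The commands passed in, the helper names and the third audit line are constructed.

```shell
#!/bin/sh
# Added example, not the lvmdump script itself: the two redirection shapes
# discussed above, plus a grep over audit lines for the lvm_t -> sysadm_home_t
# leak. Commands passed in and the sample audit lines are constructed.

# The shape the report complains about: '>' makes the shell open the report
# file with O_TRUNC, so the confined child (dmsetup running as lvm_t) needs
# SELinux 'write' on a sysadm_home_t file.
run_truncating() {
    dir=$1; name=$2; shift 2
    "$@" > "$dir/$name" 2>> "$dir/lvmdump.log"
}

# The fix shape: '>>' opens the report file O_APPEND, so the child only needs
# 'append', which the policy already grants on home directory content. The
# report file is freshly created per run, so the content is unchanged.
run_appending() {
    dir=$1; name=$2; shift 2
    "$@" >> "$dir/$name" 2>> "$dir/lvmdump.log"
}

# Count AVC denials of permission $2 (write|append) for a process in lvm_t
# against sysadm_home_t content in audit log $1. Prints 0 when none match.
count_leak_avcs() {
    grep -c "avc: *denied { $2 }.*scontext=[^ ]*:lvm_t:.*tcontext=[^ ]*:sysadm_home_t:" "$1" || true
}

# Constructed sample: the two denials from the report plus one unrelated
# denial (sysadm_t on tmp_t) that the filter must ignore.
write_sample_audit() {
    cat > "$1" <<'EOF'
type=AVC msg=audit(1306766143.615:109): avc: denied { append } for pid=2459 comm="dmsetup" path="/root/lvmdump-<NODE-NAME>-20110530143543/lvmdump.log" dev=dm-0 ino=2543447 scontext=root:sysadm_r:lvm_t:s0-s15:c0.c1023 tcontext=root:object_r:sysadm_home_t:s0 tclass=file
type=AVC msg=audit(1306766143.615:109): avc: denied { write } for pid=2459 comm="dmsetup" path="/root/lvmdump-<NODE-NAME>-20110530143543/dmsetup_ls_tree" dev=dm-0 ino=2543452 scontext=root:sysadm_r:lvm_t:s0-s15:c0.c1023 tcontext=root:object_r:sysadm_home_t:s0 tclass=file
type=AVC msg=audit(1306766150.001:110): avc: denied { write } for pid=2470 comm="sh" path="/tmp/scratch" scontext=root:sysadm_r:sysadm_t:s0 tcontext=root:object_r:tmp_t:s0 tclass=file
EOF
}

# Stand-alone demo in a scratch directory.
tmp=$(mktemp -d)
write_sample_audit "$tmp/audit.log"
echo "write denials to fix in the script: $(count_leak_avcs "$tmp/audit.log" write)"
echo "append denials (policy can allow):  $(count_leak_avcs "$tmp/audit.log" append)"
run_appending "$tmp" dmsetup_ls_tree echo "dm-0 (253:0)"
cat "$tmp/dmsetup_ls_tree"
rm -rf "$tmp"
```

The append-only shape cannot be verified offline against SELinux itself; on a labelled system, run the script and then rerun `count_leak_avcs` over /var/log/audit/audit.log, which should report no write denials.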
Fix in lvm2-2.02.84-4.el5.
No AVCs were found in /var/log/audit/audit.log after running the latest lvmdump with the latest selinux policies. Marking verified.

2.6.18-265.el5
lvm2-2.02.84-4.el5                BUILT: Thu Jun  2 05:04:32 CDT 2011
lvm2-cluster-2.02.84-3.el5        BUILT: Wed Apr 27 03:42:43 CDT 2011
device-mapper-1.02.63-3.el5       BUILT: Thu May 19 08:09:22 CDT 2011
device-mapper-event-1.02.63-3.el5 BUILT: Thu May 19 08:09:22 CDT 2011
cmirror-1.1.39-10.el5             BUILT: Wed Sep  8 16:32:05 CDT 2010
kmod-cmirror-0.1.22-3.el5         BUILT: Tue Dec 22 13:39:47 CST 2009
selinux-policy-2.4.6-309.el5
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-1071.html