Bug 732806 - VDSM needs better sellinux policy
Summary: VDSM needs better sellinux policy
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.2
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Miroslav Grepl
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks: 682015
TreeView+ depends on / blocked
 
Reported: 2011-08-23 17:00 UTC by Saggi Mizrahi
Modified: 2011-09-06 13:04 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-09-06 13:04:17 UTC
Target Upstream Version:

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Saggi Mizrahi 2011-08-23 17:00:52 UTC 
Description of problem:
When a system where VDSM was previously installed without selinux on not all VDSM related files are modified to correct context upon relabeling

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:
Comment 3 Saggi Mizrahi 2011-08-29 09:50:45 UTC 
our policy only covers
/rhev                                              directory          system_u:object_r:mnt_t:s0 
/rhev(/[^/]*)?                                     directory          system_u:object_r:mnt_t:s0 

this means that files are only covered this far /rhev/datacenter/*/
we need to add /rhev/datacenter/*/blockSD and the rest of the tree
Comment 7 Saggi Mizrahi 2011-09-05 08:15:46 UTC 
The fix is that everything under /rhev/* should get the mnt_t context.
Comment 8 Ayal Baron 2011-09-05 08:24:47 UTC 
(In reply to comment #7)
> The fix is that everything under /rhev/* should get the mnt_t context.

everything under /rhev/* *recursively* should get the mnt_t context.
Comment 9 Miroslav Grepl 2011-09-06 13:04:17 UTC 
Yes, labels are not changed because of

/rhev/[^/]*/.*          <<none>>

which says labels won't be changed. 

If you mount it with enabled SELinux it will work correct. 

Otherwise you can re-mount /rhev or use 

chcon -R -t mnt_t /rhev
Note You need to log in before you can comment on or make changes to this bug.