Bug 808967 - SELinux is preventing /usr/sbin/drbdadm from read access on the chr_file urandom.
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 17
Hardware: All Linux
Priority: unspecified, Severity: unspecified
Assigned To: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Blocks: 706615
Reported: 2012-04-01 23:53 EDT by Major Hayden
Modified: 2012-04-04 17:11 EDT
Fixed In Version: selinux-policy-3.10.0-110.fc17
Doc Type: Bug Fix
Last Closed: 2012-04-04 17:11:15 EDT


Description Major Hayden 2012-04-01 23:53:19 EDT
Description of problem:
type=AVC msg=audit(1333319512.971:51): avc:  denied  { read } for  pid=872 comm="drbdadm" name="urandom" dev="devtmpfs" ino=4641 scontext=unconfined_u:system_r:drbd_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=AVC msg=audit(1333319512.971:51): avc:  denied  { open } for  pid=872 comm="drbdadm" name="urandom" dev="devtmpfs" ino=4641 scontext=unconfined_u:system_r:drbd_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1333319512.971:51): arch=x86_64 syscall=open success=yes exit=ENOEXEC a0=41f76b a1=0 a2=0 a3=7fffb3eb6110 items=0 ppid=871 pid=872 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm=drbdadm exe=/usr/sbin/drbdadm subj=unconfined_u:system_r:drbd_t:s0 key=(null)

Version-Release number of selected component (if applicable):
Fedora 15 - Rawhide
DRBD 8.3.11-*

How reproducible:
Start DRBD via the init script. (/etc/init.d/drbd start)

Steps to Reproduce:
1. yum -y install drbd
2. /etc/init.d/drbd start
3. echo $?
  
Actual results:
Return code 20 along with SELinux denials.

Expected results:
Init script starts successfully.

Additional info:
There is one additional denial that crops up during the init script but it's due to drbdadm phoning home (I'll be correcting that very soon).
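
Added example, not part of the original report or of the selinux-policy project: a small parser that reads the audit records quoted above, skips the non-AVC record, and merges the two denials into one source type / target type / class entry. The helper names are hypothetical, and the rule-syntax output only restates the access that was denied; the report does not show the policy change shipped in selinux-policy-3.10.0-110.fc17.

```python
import re
from collections import defaultdict

# Records copied from the report above: two AVC denials and the SYSCALL record.
SAMPLE = '''type=AVC msg=audit(1333319512.971:51): avc:  denied  { read } for  pid=872 comm="drbdadm" name="urandom" dev="devtmpfs" ino=4641 scontext=unconfined_u:system_r:drbd_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=AVC msg=audit(1333319512.971:51): avc:  denied  { open } for  pid=872 comm="drbdadm" name="urandom" dev="devtmpfs" ino=4641 scontext=unconfined_u:system_r:drbd_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1333319512.971:51): arch=x86_64 syscall=open success=yes exit=ENOEXEC a0=41f76b a1=0 a2=0 a3=7fffb3eb6110 items=0 ppid=871 pid=872 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm=drbdadm exe=/usr/sbin/drbdadm subj=unconfined_u:system_r:drbd_t:s0 key=(null)
'''

AVC_RE = re.compile(
    r'type=AVC msg=audit\([\d.]+:\d+\): avc:\s+denied\s+'
    r'\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC denial line, or None for other record types."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec['perms'] = m.group('perms').split()
    return rec

def selinux_type(context):
    """The type is the third field of user:role:type:level."""
    return context.split(':')[2]

def summarize(log_text):
    """Merge denials into {(source_type, target_type, class): sorted perms}."""
    merged = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            key = (selinux_type(rec['scontext']),
                   selinux_type(rec['tcontext']), rec['tclass'])
            merged[key].update(rec['perms'])
    return {k: sorted(v) for k, v in merged.items()}

def as_rules(summary):
    """Render each merged denial in policy-rule syntax for review."""
    return ['allow %s %s:%s { %s };' % (s, t, c, ' '.join(p))
            for (s, t, c), p in sorted(summary.items())]

if __name__ == '__main__':
    for rule in as_rules(summarize(SAMPLE)):
        print(rule)
```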
Comment 1 Miroslav Grepl 2012-04-02 02:24:33 EDT
Fixed in selinux-policy-3.10.0-110.fc17
Comment 2 Major Hayden 2012-04-02 08:02:03 EDT
Thanks, Miroslav!
Comment 3 Fedora Update System 2012-04-03 03:44:28 EDT
selinux-policy-3.10.0-110.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-110.fc17
Comment 4 Fedora Update System 2012-04-04 17:11:15 EDT
selinux-policy-3.10.0-110.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.