Bug 849176 - avc denials with dlm_controld
avc denials with dlm_controld
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
17
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Miroslav Grepl
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2012-08-17 11:23 EDT by Jeff Layton
Modified: 2014-06-18 03:42 EDT (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-08-27 19:03:58 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Jeff Layton 2012-08-17 11:23:38 EDT
While setting up GFS2 on f17, I got some SELinux denials:

SELinux is preventing /usr/sbin/dlm_controld from 'read, write' accesses on the file qb-cfg-request-1344-1564-16-header.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that dlm_controld should be allowed read write access on the qb-cfg-request-1344-1564-16-header file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep dlm_controld /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:dlm_controld_t:s0
Target Context                system_u:object_r:corosync_tmpfs_t:s0
Target Objects                qb-cfg-request-1344-1564-16-header [ file ]
Source                        dlm_controld
Source Path                   /usr/sbin/dlm_controld
Port                          <Unknown>
Host                          gnode1.example.com
Source RPM Packages           dlm-3.99.5-1.fc17.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.10.0-145.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     gnode1.example.com
Platform                      Linux gnode1.example.com 3.5.1-1.fc17.x86_64 #1
                              SMP Thu Aug 9 17:50:43 UTC 2012 x86_64 x86_64
Alert Count                   2
First Seen                    2012-08-17 11:00:09 EDT
Last Seen                     2012-08-17 11:00:59 EDT
Local ID                      2bf1bba5-2330-4698-a353-245cbf4b58bf

Raw Audit Messages
type=AVC msg=audit(1345215659.222:123): avc:  denied  { read write } for  pid=1564 comm="dlm_controld" name="qb-cfg-request-1344-1564-16-header" dev="tmpfs" ino=20970 scontext=system_u:system_r:dlm_controld_t:s0 tcontext=system_u:object_r:corosync_tmpfs_t:s0 tclass=file


type=AVC msg=audit(1345215659.222:123): avc:  denied  { open } for  pid=1564 comm="dlm_controld" path="/dev/shm/qb-cfg-request-1344-1564-16-header" dev="tmpfs" ino=20970 scontext=system_u:system_r:dlm_controld_t:s0 tcontext=system_u:object_r:corosync_tmpfs_t:s0 tclass=file


type=SYSCALL msg=audit(1345215659.222:123): arch=x86_64 syscall=open success=yes exit=EBADF a0=7fff43a39270 a1=2 a2=180 a3=7fff43a38e80 items=0 ppid=1 pid=1564 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=dlm_controld exe=/usr/sbin/dlm_controld subj=system_u:system_r:dlm_controld_t:s0 key=(null)

Hash: dlm_controld,dlm_controld_t,corosync_tmpfs_t,file,read,write

audit2allow

#============= dlm_controld_t ==============
#!!!! The source type 'dlm_controld_t' can write to a 'file' of the following types:
# sysfs_t, dlm_controld_tmpfs_t, sysctl_net_t, configfs_t, dlm_controld_var_log_t, dlm_controld_var_run_t, cluster_var_lib_t, initrc_tmp_t, root_t

allow dlm_controld_t corosync_tmpfs_t:file { read write open };

audit2allow -R

#============= dlm_controld_t ==============
#!!!! The source type 'dlm_controld_t' can write to a 'file' of the following types:
# sysfs_t, dlm_controld_tmpfs_t, sysctl_net_t, configfs_t, dlm_controld_var_log_t, dlm_controld_var_run_t, cluster_var_lib_t, initrc_tmp_t, root_t

allow dlm_controld_t corosync_tmpfs_t:file { read write open };

----------------------[snip]-------------------

Here's a dump of the audit.log. I tried it several times so there may be some duplicates in there:

type=AVC msg=audit(1345215444.775:113): avc:  denied  { create } for  pid=1437 comm="dlm_controld" name="dlm" scontext=system_u:system_r:dlm_controld_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
type=SYSCALL msg=audit(1345215444.775:113): arch=c000003e syscall=83 success=no exit=-13 a0=7fee6f1e08c6 a1=1ff a2=a0 a3=3 items=0 ppid=1 pid=1437 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dlm_controld" exe="/usr/sbin/dlm_controld" subj=system_u:system_r:dlm_controld_t:s0 key=(null)
type=AVC msg=audit(1345215521.537:116): avc:  denied  { create } for  pid=1463 comm="dlm_controld" name="dlm" scontext=system_u:system_r:dlm_controld_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
type=SYSCALL msg=audit(1345215521.537:116): arch=c000003e syscall=83 success=no exit=-13 a0=7f56b77128c6 a1=1ff a2=a0 a3=3 items=0 ppid=1 pid=1463 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dlm_controld" exe="/usr/sbin/dlm_controld" subj=system_u:system_r:dlm_controld_t:s0 key=(null)
type=AVC msg=audit(1345215609.390:119): avc:  denied  { read write } for  pid=1534 comm="dlm_controld" name="qb-cfg-request-1344-1534-16-header" dev="tmpfs" ino=20001 scontext=system_u:system_r:dlm_controld_t:s0 tcontext=system_u:object_r:corosync_tmpfs_t:s0 tclass=file
type=SYSCALL msg=audit(1345215609.390:119): arch=c000003e syscall=2 success=no exit=-13 a0=7fff3590e1e0 a1=2 a2=180 a3=7fff3590ddf0 items=0 ppid=1 pid=1534 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dlm_controld" exe="/usr/sbin/dlm_controld" subj=system_u:system_r:dlm_controld_t:s0 key=(null)
type=AVC msg=audit(1345215659.222:123): avc:  denied  { read write } for  pid=1564 comm="dlm_controld" name="qb-cfg-request-1344-1564-16-header" dev="tmpfs" ino=20970 scontext=system_u:system_r:dlm_controld_t:s0 tcontext=system_u:object_r:corosync_tmpfs_t:s0 tclass=file
type=AVC msg=audit(1345215659.222:123): avc:  denied  { open } for  pid=1564 comm="dlm_controld" path="/dev/shm/qb-cfg-request-1344-1564-16-header" dev="tmpfs" ino=20970 scontext=system_u:system_r:dlm_controld_t:s0 tcontext=system_u:object_r:corosync_tmpfs_t:s0 tclass=file
type=SYSCALL msg=audit(1345215659.222:123): arch=c000003e syscall=2 success=yes exit=9 a0=7fff43a39270 a1=2 a2=180 a3=7fff43a38e80 items=0 ppid=1 pid=1564 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dlm_controld" exe="/usr/sbin/dlm_controld" subj=system_u:system_r:dlm_controld_t:s0 key=(null)
type=AVC msg=audit(1345215689.346:131): avc:  denied  { execute } for  pid=1606 comm="dlm_controld" name="dlm_stonith" dev="dm-1" ino=400854 scontext=system_u:system_r:dlm_controld_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1345215689.346:131): avc:  denied  { read open } for  pid=1606 comm="dlm_controld" path="/usr/sbin/dlm_stonith" dev="dm-1" ino=400854 scontext=system_u:system_r:dlm_controld_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1345215689.346:131): avc:  denied  { execute_no_trans } for  pid=1606 comm="dlm_controld" path="/usr/sbin/dlm_stonith" dev="dm-1" ino=400854 scontext=system_u:system_r:dlm_controld_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=SYSCALL msg=audit(1345215689.346:131): arch=c000003e syscall=59 success=yes exit=0 a0=7fff43a3b098 a1=7fff43a3b190 a2=7fff43a3e648 a3=7f6975f46850 items=0 ppid=1564 pid=1606 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dlm_stonith" exe="/usr/sbin/dlm_stonith" subj=system_u:system_r:dlm_controld_t:s0 key=(null)
Comment 1 Miroslav Grepl 2012-08-20 05:40:44 EDT
Fixed in selinux-policy-3.10.0-146.fc17.noarch
Comment 2 Fedora Update System 2012-08-20 09:10:12 EDT
selinux-policy-3.10.0-146.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-146.fc17
Comment 3 Fedora Update System 2012-08-21 05:50:52 EDT
Package selinux-policy-3.10.0-146.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-146.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-12355/selinux-policy-3.10.0-146.fc17
then log in and leave karma (feedback).
Comment 4 Fedora Update System 2012-08-27 19:03:58 EDT
selinux-policy-3.10.0-146.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.