Bug 979037 - Need policy for OpenLMI-Storage
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 19
Hardware: All
OS: Linux
Priority: unspecified
Severity: medium
Assigned To: Miroslav Grepl
Ben Levenson
Reported: 2013-06-27 09:20 EDT by Jan Safranek
Modified: 2013-08-04 19:00 EDT
Fixed In Version: selinux-policy-3.12.1-69.fc19
Doc Type: Bug Fix
Last Closed: 2013-08-04 19:00:21 EDT
Type: Bug

Attachments
output of ausearch -m avc (3.50 MB, text/plain), 2013-06-27 09:20 EDT, Jan Safranek
second round of AVCs (1.07 MB, text/plain), 2013-07-31 11:38 EDT, Jan Safranek
Description Jan Safranek 2013-06-27 09:20:36 EDT
Created attachment 766160 [details]
output of ausearch -m avc

The OpenLMI-Storage provider needs a policy. The provider should be allowed to manipulate storage, i.e. create/delete/modify/monitor partitions, RAIDs, LVM, mounts, etc., and also probe the system for storage devices.

As instructed, I created a dummy policy and loaded it into the kernel:

$ cat storagepol.te 
policy_module(mypol,1.0)

pegasus_openlmi_domain_template(storage)

$ make -f /usr/share/selinux/devel/Makefile storagepol.pp
$ semodule -i storagepol.pp


$ chcon -t pegasus_openlmi_storage_exec_t /usr/libexec/pegasus/pycmpiLMI_Storage-cimprovagt
(that's the provider executable)

Audit messages from my test suite are attached (incl. many duplicate messages).
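The attached ausearch output is several megabytes of mostly duplicated denials, and the first thing a policy writer does with such a file is collapse it to the unique (source domain, target type, class) triples and the union of permissions each needs. The script below is an added example, not code from the bug or from OpenLMI; it runs over a handful of constructed AVC lines in the same format as `ausearch -m avc` output (the PIDs, inodes and timestamps are made up), and it flags execute denials on another domain's entrypoint type, which are usually better handled with a *_domtrans interface than with a raw allow rule:

```python
import re
from collections import defaultdict

# Constructed sample in the format of `ausearch -m avc` output. These lines are
# not taken from the attachments on this bug; PIDs, inodes and timestamps are made up.
SAMPLE_AVCS = """\
type=AVC msg=audit(1372339236.101:2001): avc:  denied  { write } for  pid=2311 comm="pycmpiLMI_Stora" name="log" dev="tmpfs" ino=9301 scontext=system_u:system_r:pegasus_openlmi_storage_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1372339236.102:2002): avc:  denied  { write } for  pid=2311 comm="pycmpiLMI_Stora" name="log" dev="tmpfs" ino=9301 scontext=system_u:system_r:pegasus_openlmi_storage_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1372339237.010:2003): avc:  denied  { create } for  pid=2311 comm="pycmpiLMI_Stora" name="sqGeMO" scontext=system_u:system_r:pegasus_openlmi_storage_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1372339238.500:2004): avc:  denied  { read write } for  pid=2311 comm="pycmpiLMI_Stora" path="/dev/sda" dev="devtmpfs" ino=1024 scontext=system_u:system_r:pegasus_openlmi_storage_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
type=AVC msg=audit(1372339239.700:2005): avc:  denied  { execute } for  pid=2320 comm="pycmpiLMI_Stora" name="mount" dev="sda1" ino=5512 scontext=system_u:system_r:pegasus_openlmi_storage_t:s0 tcontext=system_u:object_r:mount_exec_t:s0 tclass=file
type=AVC msg=audit(1372339239.900:2006): avc:  denied  { execute_no_trans } for  pid=2320 comm="pycmpiLMI_Stora" path="/usr/sbin/lvm" dev="sda1" ino=5600 scontext=system_u:system_r:pegasus_openlmi_storage_t:s0 tcontext=system_u:object_r:lvm_exec_t:s0 tclass=file
"""

# Pulls the permission set and the three fields that identify a denial out of one line.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Return the type field of a user:role:type[:range] security context."""
    return ctx.split(":")[2]


def summarize_avcs(text):
    """Collapse repeated denials into {(source_domain, target_type, tclass): (perms, count)}."""
    perms_by_key = defaultdict(set)
    count_by_key = defaultdict(int)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC record (ausearch also prints separators and SYSCALL lines)
        key = (context_type(m.group("scontext")),
               context_type(m.group("tcontext")),
               m.group("tclass"))
        perms_by_key[key].update(m.group("perms").split())
        count_by_key[key] += 1
    return {k: (frozenset(perms_by_key[k]), count_by_key[k]) for k in perms_by_key}


def rules_from_summary(summary):
    """Render one allow rule per unique denial, in the form audit2allow would emit.

    Executing another domain's *_exec_t entrypoint is flagged: the usual fix is a
    domain transition interface (lvm_domtrans, mount_domtrans, ...) so the helper
    runs confined in its own domain, not an allow rule that lets the caller run it
    unconfined in the caller's domain.
    """
    rules = []
    for (sdom, ttype, tclass), (perms, count) in sorted(summary.items()):
        rule = f"allow {sdom} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};"
        if tclass == "file" and ttype.endswith("_exec_t") and perms & {"execute", "execute_no_trans"}:
            rule += "  # review: consider a *_domtrans interface instead"
        rules.append(f"# {count} denial(s)\n{rule}")
    return rules


if __name__ == "__main__":
    for r in rules_from_summary(summarize_avcs(SAMPLE_AVCS)):
        print(r)
```

Run against a real dump with `ausearch -m avc | python3 avcsum.py` after replacing SAMPLE_AVCS with sys.stdin.read(); the resulting raw allow rules are a reading aid, not the module to ship. Each triple should be mapped to a refpolicy interface (files_tmp_file plus a filetrans for the tmp_t hits, storage_rw_inherited_fixed_disk_dev for the block device, a domtrans for each flagged *_exec_t) so the resulting policy stays maintainable when the target types are renamed.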
Comment 1 Jan Safranek 2013-06-27 09:25:57 EDT
Looking at the list, it contains some things that can be easily fixed on the OpenLMI side, e.g. writing to /tmp/log is just for debugging purposes. Also, creating /tmp/sqGeMO and mounting a btrfs on it (!) should probably be fixed in Blivet; at least it should use /run/blivet.

Feel free to suggest which bad practices we should avoid; I guess there are plenty of them. Blivet comes from Anaconda and was never meant to be confined.
Comment 2 Miroslav Grepl 2013-06-27 15:18:25 EDT
Going to work on this tomorrow. I also got a policy with AVC msgs for another provider.
Comment 3 Miroslav Grepl 2013-07-26 04:08:37 EDT
Jan,
could you please add the following rules to your mypol.te

type pegasus_openlmi_storage_tmp_t;
files_tmp_file(pegasus_openlmi_storage_tmp_t)

manage_files_pattern(pegasus_openlmi_storage_t, pegasus_openlmi_storage_tmp_t, pegasus_openlmi_storage_tmp_t)
manage_dirs_pattern(pegasus_openlmi_storage_t, pegasus_openlmi_storage_tmp_t, pegasus_openlmi_storage_tmp_t)
# first argument is the domain that creates the object in /tmp, not the tmp type itself
files_tmp_filetrans(pegasus_openlmi_storage_t, pegasus_openlmi_storage_tmp_t, { file dir })

# the storage domain needs the disk access (pegasus_openlmi_networking_t here was a copy-paste slip)
storage_rw_inherited_fixed_disk_dev(pegasus_openlmi_storage_t)

modutils_domtrans_insmod(pegasus_openlmi_storage_t)

udev_domtrans(pegasus_openlmi_storage_t)

optional_policy(`
    lvm_domtrans(pegasus_openlmi_storage_t)
')

optional_policy(`
    mount_domtrans(pegasus_openlmi_storage_t)
')

optional_policy(`
    raid_domtrans_mdadm(pegasus_openlmi_storage_t)
')


and re-test with these rules. That should clean up the AVCs.

Thank you.
Comment 4 Jan Safranek 2013-07-31 11:38:59 EDT
Created attachment 781201 [details]
second round of AVCs

New list of AVCs, generated with installed selinux-policy-targeted-3.12.1-67.fc20.noarch
Comment 5 Miroslav Grepl 2013-08-01 04:03:47 EDT
# restorecon -R -v /usr/sbin/sshd

will fix initrc_t.
Comment 6 Miroslav Grepl 2013-08-01 04:57:52 EDT
I added additional fixes.
Comment 7 Fedora Update System 2013-08-02 09:29:56 EDT
selinux-policy-3.12.1-69.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-69.fc19
Comment 8 Fedora Update System 2013-08-02 17:55:14 EDT
Package selinux-policy-3.12.1-69.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-69.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-14089/selinux-policy-3.12.1-69.fc19
then log in and leave karma (feedback).
Comment 9 Fedora Update System 2013-08-04 19:00:21 EDT
selinux-policy-3.12.1-69.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
