Created attachment 766160 [details] output of ausearch -m avc OpenLMI-Storage provider needs a policy. The provider should be allowed to manipulate with storage stuff, i.e. create/delete/modify/monitor partitions, raids, LVM, mounts etc. and also probe the system for storage devices. As instructed, I created dummy policy and put it into kernel: $ cat storagepol.te policy_module(mypol,1.0) pegasus_openlmi_domain_template(storage) $ make -f /usr/share/selinux/devel/Makefile storagepol.pp $ semodule -i storagepol.pp $ chcon -t pegasus_openlmi_storage_exec_t /usr/libexec/pegasus/pycmpiLMI_Storage-cimprovagt (that's the provider executable) Audit messages from my test suite are attached (incl. many duplicate messages).
Looking at the list, it contains some things, that can be easily fixed on OpenLMI side, e.g. writing to /tmp/log is just for debugging purposes. Also creating /tmp/sqGeMO and mounting a btrfs to it (!) should be probably fixed in Blivet, at least it should use /run/blivet Feel free to suggest which bad practices should we avoid, I guess there is plenty of them, Blivet is from Anaconda and it was never meant to be confined.
Going to work on this tomorrow. I got also a policy with AVC msgs for another provider.
Jan, could you pls add to your mypol.te the following rules type pegasus_openlmi_storage_tmp_t; files_tmp_file(pegasus_openlmi_storage_tmp_t) manage_files_pattern(pegasus_openlmi_storage_t, pegasus_openlmi_storage_tmp_t, pegasus_openlmi_storage_tmp_t) manage_dirs_pattern(pegasus_openlmi_storage_t, pegasus_openlmi_storage_tmp_t, pegasus_openlmi_storage_tmp_t) files_tmp_filetrans(pegasus_openlmi_storage_tmp_t, pegasus_openlmi_storage_tmp_t, { file dir}) storage_rw_inherited_fixed_disk_dev(pegasus_openlmi_networking_t) modutils_domtrans_insmod(pegasus_openlmi_storage_t) udev_domtrans(pegasus_openlmi_storage_t) optional_policy(` lvm_domtrans(pegasus_openlmi_storage_t) ') optional_policy(` mount_domtrans(pegasus_openlmi_storage_t) ') optional_policy(` raid_domtrans_mdadm(pegasus_openlmi_storage_t) ') and re-test it with these rules. Should cleanup AVCs. Thank you.
Created attachment 781201 [details] second round of AVCs New list of AVCs, generated with installed selinux-policy-targeted-3.12.1-67.fc20.noarch
# restorecon -R -v /usr/sbin/sshd will fix initrc_t.
I added additional fixes.
selinux-policy-3.12.1-69.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-69.fc19
Package selinux-policy-3.12.1-69.fc19: * should fix your issue, * was pushed to the Fedora 19 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-69.fc19' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2013-14089/selinux-policy-3.12.1-69.fc19 then log in and leave karma (feedback).
selinux-policy-3.12.1-69.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.