lvconvert does not work in enforcing, no AVC, instead I get SELINUX_ERR
Nickolas Gray
nick at magitekltd.com
Wed May 27 23:33:01 UTC 2009
I am trying to run the "lvconvert" command in enforcing and cannot
determine how to do it.
I am using the domain type lvm_t and running lvconvert inside a bash
script. The command works in permissive but fails in enforcing
with the following audit trail.
----
node=develop.local.austin.rr.com type=PATH msg=audit(05/27/2009
10:31:40.907:208246) : item=0 name=/dev/vg00/root inode=813052
dev=00:0f mode=link,777 ouid=root ogid=siterep rdev=00:00
obj=siterep_u:object_r:device_t:s15:c0.c1023
node=develop.local.austin.rr.com type=CWD msg=audit(05/27/2009
10:31:40.907:208246) : cwd=/home/siterep1
node=develop.local.austin.rr.com type=SYSCALL msg=audit(05/27/2009
10:31:40.907:208246) : arch=x86_64 syscall=lsetxattr success=yes
exit=0 a0=7fffd2b27a20 a1=7f97ca9034b9 a2=7f97c9ad16c0 a3=1e items=1
ppid=9777 pid=9820 auid=siterep1 uid=root gid=siterep euid=root
suid=root fsuid=root egid=siterep sgid=siterep fsgid=siterep tty=pts7
ses=1 comm=lvconvert exe=/sbin/lvm
subj=siterep_u:siterep_r:lvm_t:s15:c0.c1023 key=(null)
node=develop.local.austin.rr.com type=SELINUX_ERR msg=audit(05/27/2009
10:31:40.907:208246) : security_validate_transition: denied for
oldcontext=siterep_u:object_r:device_t:s15:c0.c1023
newcontext=system_u:object_r:device_t:s0
taskcontext=siterep_u:siterep_r:lvm_t:s15:c0.c1023 tclass=lnk_file
----
node=develop.local.austin.rr.com type=PATH msg=audit(05/27/2009
10:31:40.908:208247) : item=0 name=/dev/vg00/snap inode=813108
dev=00:0f mode=link,777 ouid=root ogid=siterep rdev=00:00
obj=siterep_u:object_r:device_t:s15:c0.c1023
node=develop.local.austin.rr.com type=CWD msg=audit(05/27/2009
10:31:40.908:208247) : cwd=/home/siterep1
node=develop.local.austin.rr.com type=SYSCALL msg=audit(05/27/2009
10:31:40.908:208247) : arch=x86_64 syscall=lsetxattr success=yes
exit=0 a0=7fffd2b27a20 a1=7f97ca9034b9 a2=7f97c9acc480 a3=1e items=1
ppid=9777 pid=9820 auid=siterep1 uid=root gid=siterep euid=root
suid=root fsuid=root egid=siterep sgid=siterep fsgid=siterep tty=pts7
ses=1 comm=lvconvert exe=/sbin/lvm
subj=siterep_u:siterep_r:lvm_t:s15:c0.c1023 key=(null)
node=develop.local.austin.rr.com type=SELINUX_ERR msg=audit(05/27/2009
10:31:40.908:208247) : security_validate_transition: denied for
oldcontext=siterep_u:object_r:device_t:s15:c0.c1023
newcontext=system_u:object_r:device_t:s0
taskcontext=siterep_u:siterep_r:lvm_t:s15:c0.c1023 tclass=lnk_file
----
node=develop.local.austin.rr.com type=PATH msg=audit(05/27/2009
10:31:40.983:208258) : item=0 name=/dev/vg00/root inode=813142
dev=00:0f mode=link,777 ouid=root ogid=siterep rdev=00:00
obj=siterep_u:object_r:device_t:s15:c0.c1023
node=develop.local.austin.rr.com type=CWD msg=audit(05/27/2009
10:31:40.983:208258) : cwd=/home/siterep1
node=develop.local.austin.rr.com type=SYSCALL msg=audit(05/27/2009
10:31:40.983:208258) : arch=x86_64 syscall=lsetxattr success=yes
exit=0 a0=7fffd2b27b30 a1=7f97ca9034b9 a2=7f97c4556b10 a3=1e items=1
ppid=9777 pid=9820 auid=siterep1 uid=root gid=siterep euid=root
suid=root fsuid=root egid=siterep sgid=siterep fsgid=siterep tty=pts7
ses=1 comm=lvconvert exe=/sbin/lvm
subj=siterep_u:siterep_r:lvm_t:s15:c0.c1023 key=(null)
node=develop.local.austin.rr.com type=SELINUX_ERR msg=audit(05/27/2009
10:31:40.983:208258) : security_validate_transition: denied for
oldcontext=siterep_u:object_r:device_t:s15:c0.c1023
newcontext=system_u:object_r:device_t:s0
taskcontext=siterep_u:siterep_r:lvm_t:s15:c0.c1023 tclass=lnk_file
----
node=develop.local.austin.rr.com type=PATH msg=audit(05/27/2009
10:31:40.984:208260) : item=0 name=/dev/vg00/snap inode=813145
dev=00:0f mode=link,777 ouid=root ogid=siterep rdev=00:00
obj=siterep_u:object_r:device_t:s15:c0.c1023
node=develop.local.austin.rr.com type=CWD msg=audit(05/27/2009
10:31:40.984:208260) : cwd=/home/siterep1
node=develop.local.austin.rr.com type=SYSCALL msg=audit(05/27/2009
10:31:40.984:208260) : arch=x86_64 syscall=lsetxattr success=yes
exit=0 a0=7fffd2b27b30 a1=7f97ca9034b9 a2=7f97c455dc90 a3=1e items=1
ppid=9777 pid=9820 auid=siterep1 uid=root gid=siterep euid=root
suid=root fsuid=root egid=siterep sgid=siterep fsgid=siterep tty=pts7
ses=1 comm=lvconvert exe=/sbin/lvm
subj=siterep_u:siterep_r:lvm_t:s15:c0.c1023 key=(null)
node=develop.local.austin.rr.com type=SELINUX_ERR msg=audit(05/27/2009
10:31:40.984:208260) : security_validate_transition: denied for
oldcontext=siterep_u:object_r:device_t:s15:c0.c1023
newcontext=system_u:object_r:device_t:s0
taskcontext=siterep_u:siterep_r:lvm_t:s15:c0.c1023 tclass=lnk_file
----
There are no AVCs associated with the error and I am using the
following policy statements (where jcdx_fsbackup_t is the domain type
of the entire script):
lvm_domtrans(jcdx_fsbackup_t)
mls_file_write_all_levels(lvm_t)
allow lvm_t lvm_control_t:chr_file write;
allow lvm_t lvm_lock_t:dir { write remove_name add_name };
allow lvm_t lvm_metadata_t:dir { write remove_name add_name };
At this point the script is
----------
#!/bin/bash
/sbin/lvconvert -s vg00/root snap
----------
The policy is selinux-policy-3.5.13-57.fc10.
A push in the right direction would be appreciated.
--
"THIS time it really is fixed. I mean, how many times can we get it
wrong? At some point, we just have to run out of bad ideas.."
Linus Torvalds
Nickolas Gray
nick at magitek.ltd
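
Added example, not part of the original post: security_validate_transition is the kernel's check of the policy's validatetrans/mlsvalidatetrans constraints on a relabel, and its denials are logged as SELINUX_ERR rather than AVC. This Python sketch parses one such record (a constructed copy of the first one in the post) and reports which context fields the relabel tried to change; the function names are hypothetical.

```python
import re

# Constructed sample: the first SELINUX_ERR record from the post, wrapped as in the archive.
SAMPLE = """\
node=develop.local.austin.rr.com type=SELINUX_ERR msg=audit(05/27/2009
10:31:40.907:208246) : security_validate_transition: denied for
oldcontext=siterep_u:object_r:device_t:s15:c0.c1023
newcontext=system_u:object_r:device_t:s0
taskcontext=siterep_u:siterep_r:lvm_t:s15:c0.c1023 tclass=lnk_file
"""

FIELDS = ("user", "role", "type", "level")


def split_context(ctx):
    """Split user:role:type[:level]; an MLS level may itself contain ':'."""
    parts = ctx.split(":", 3)
    if len(parts) == 3:
        parts.append("")          # non-MLS policy: no level field
    if len(parts) != 4 or not all(parts[:3]):
        raise ValueError(f"malformed security context: {ctx!r}")
    return dict(zip(FIELDS, parts))


def parse_validatetrans(record):
    """Return details of a validatetrans denial, or None for any other record."""
    flat = " ".join(record.split())            # undo mail/archive line wrapping
    if "type=SELINUX_ERR" not in flat or "security_validate_transition" not in flat:
        return None
    kv = dict(re.findall(r"(\w+)=(\S+)", flat))
    try:
        old, new, task = (split_context(kv[k])
                          for k in ("oldcontext", "newcontext", "taskcontext"))
    except (KeyError, ValueError):
        return None                            # truncated or malformed record
    changed = {f: (old[f], new[f]) for f in FIELDS if old[f] != new[f]}
    return {"tclass": kv.get("tclass"), "task": task, "changed": changed}


if __name__ == "__main__":
    event = parse_validatetrans(SAMPLE)
    print("relabel of", event["tclass"], "by", event["task"]["type"])
    for field, (before, after) in event["changed"].items():
        print(f"  {field}: {before} -> {after}")
```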