Targeted policy does not allow lvm output redirection?

Davide Bolcioni dblistsub-fedora at yahoo.it
Mon Apr 16 11:08:37 UTC 2007


Greetings,
I tried the following:

  lvm vgs -o vg_name,vg_extent_size --units=k | cat > /tmp/vgs2
  lvm vgs -o vg_name,vg_extent_size --units=k > /tmp/vgs1

and obtained

  -rw-r--r-- 1 root root  0 Apr 15 11:49 /tmp/vgs1
  -rw-r--r-- 1 root root 28 Apr 15 11:49 /tmp/vgs2

but as you can see in the attached /var/log/audit.d/audit.log fragment,
writing from an executable running in the lvm_t context to an object labeled 
with the tmp_t context is not allowed by the targeted policy.

My setup:

  libselinux-1.33.4-2.fc6
  selinux-policy-targeted-2.4.6-49.fc6
  selinux-policy-2.4.6-49.fc6

Should I open a Bugzilla for this?

Thank you for your consideration,
Davide Bolcioni
-- 
There is no place like /home.
-------------- next part --------------
type=USER_ACCT msg=audit(1171320301.650:41): user pid=6201 uid=0 auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: accounting acct=news : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
type=LOGIN msg=audit(1171320301.651:42): login pid=6201 uid=0 old auid=4294967295 new auid=9
type=USER_START msg=audit(1171320301.656:43): user pid=6201 uid=0 auid=9 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: session open acct=news : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
type=CRED_ACQ msg=audit(1171320301.656:44): user pid=6201 uid=0 auid=9 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: setcred acct=news : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
type=AVC msg=audit(1176630582.797:103): avc:  denied  { write } for  pid=6201 comm="lvm" name="vgs1" dev=tmpfs ino=33551 scontext=user_u:system_r:lvm_t:s0 tcontext=user_u:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1176630582.797:103): arch=c000003e syscall=59 success=yes exit=0 a0=8eaa80 a1=8d61b0 a2=8f4300 a3=6d items=0 ppid=5575 pid=6201 auid=503 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="lvm" exe="/sbin/lvm.static" subj=user_u:system_r:lvm_t:s0 key=(null)
type=AVC msg=audit(1176630585.345:104): avc:  denied  { write } for  pid=6201 comm="lvm" name=".cache" dev=dm-1 ino=1933743 scontext=user_u:system_r:lvm_t:s0 tcontext=user_u:object_r:lvm_etc_t:s0 tclass=file
type=SYSCALL msg=audit(1176630585.345:104): arch=c000003e syscall=2 success=no exit=-13 a0=89da10 a1=42 a2=1ff a3=1 items=0 ppid=5575 pid=6201 auid=503 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="lvm" exe="/usr/sbin/lvm" subj=user_u:system_r:lvm_t:s0 key=(null)
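
An added example, not part of the original post: a small Python parser that pairs each AVC denial in the attached fragment with the SYSCALL record sharing its audit event ID. It shows that the denied write to vgs1 was logged during a successful execve (x86_64 syscall 59), while the denied write to .cache was a failed open (syscall 2). The function names and the two-entry syscall table are assumptions of this example.

```python
import re

# Copied from the attached audit.log fragment: the two AVC/SYSCALL pairs.
SAMPLE = """
type=AVC msg=audit(1176630582.797:103): avc:  denied  { write } for  pid=6201 comm="lvm" name="vgs1" dev=tmpfs ino=33551 scontext=user_u:system_r:lvm_t:s0 tcontext=user_u:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1176630582.797:103): arch=c000003e syscall=59 success=yes exit=0 a0=8eaa80 a1=8d61b0 a2=8f4300 a3=6d items=0 ppid=5575 pid=6201 auid=503 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="lvm" exe="/sbin/lvm.static" subj=user_u:system_r:lvm_t:s0 key=(null)
type=AVC msg=audit(1176630585.345:104): avc:  denied  { write } for  pid=6201 comm="lvm" name=".cache" dev=dm-1 ino=1933743 scontext=user_u:system_r:lvm_t:s0 tcontext=user_u:object_r:lvm_etc_t:s0 tclass=file
type=SYSCALL msg=audit(1176630585.345:104): arch=c000003e syscall=2 success=no exit=-13 a0=89da10 a1=42 a2=1ff a3=1 items=0 ppid=5575 pid=6201 auid=503 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="lvm" exe="/usr/sbin/lvm" subj=user_u:system_r:lvm_t:s0 key=(null)
"""

# Assumption of this example: only the two x86_64 (arch=c000003e) numbers seen above.
X86_64_SYSCALLS = {"2": "open", "59": "execve"}

HEADER = re.compile(r"^type=(\w+) msg=audit\(([\d.]+:\d+)\): (.*)$")
AVC = re.compile(r'avc:\s+denied\s+\{ ([^}]*?) \} for .*?name="([^"]*)".*?'
                 r'scontext=(\S+) tcontext=(\S+) tclass=(\S+)')

def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]

def correlate(log_text):
    """Join each AVC denial with the SYSCALL record of the same audit event."""
    events = {}
    for line in log_text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            rec_type, event_id, body = m.groups()
            events.setdefault(event_id, {})[rec_type] = body
    findings = []
    for event_id, recs in events.items():
        avc = AVC.search(recs.get("AVC", ""))
        if not avc:
            continue  # event without a denial (e.g. PAM records)
        perms, name, scon, tcon, tclass = avc.groups()
        sc = dict(f.split("=", 1) for f in recs.get("SYSCALL", "").split() if "=" in f)
        findings.append({
            "event": event_id, "name": name, "perms": perms.split(),
            "source": selinux_type(scon), "target": selinux_type(tcon),
            "tclass": tclass, "success": sc.get("success"),
            "syscall": X86_64_SYSCALLS.get(sc.get("syscall"), sc.get("syscall")),
        })
    return findings

if __name__ == "__main__":
    for f in correlate(SAMPLE):
        print(f"{f['event']}: {f['source']} -> {f['target']}:{f['tclass']} "
              f"{f['perms']} on {f['name']} during {f['syscall']} (success={f['success']})")
```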