VGScan and LVScan writing to tmp files

Ian Lists ian-list at securitypimp.com
Thu May 31 19:42:44 UTC 2007


Thank you, that worked great!

----- Original Message -----
From: "Daniel J Walsh" <dwalsh at redhat.com>
To: "Ian Lists" <ian-list at securitypimp.com>
Cc: fedora-selinux-list at redhat.com
Sent: Thursday, May 31, 2007 2:26:44 PM (GMT-0500) America/New_York
Subject: Re: VGScan and LVScan writing to tmp files

Ian Lists wrote:
> I am running into an issue on several RHEL5 servers when installing a Veritas ECC agent. It appears that the agent is trying to use LVM commands to write to a temp file and SELinux is preventing it. Does anyone have any ideas on how to resolve this issue?
>
> Thanks,
> Ian
>
>  
>
>
> type=AVC_PATH msg=audit(05/31/2007 15:28:24.750:1074) :  path=/usr/ecc/exec/MLR520/Out_file_1.tmp 
> type=AVC_PATH msg=audit(05/31/2007 15:28:24.750:1074) :  path=/usr/ecc/exec/MLR520/Err_file_2.tmp 
> type=AVC_PATH msg=audit(05/31/2007 15:28:24.750:1074) :  path=/usr/ecc/exec/MLR520/Out_file_1.tmp 
> type=AVC_PATH msg=audit(05/31/2007 15:28:24.750:1074) :  path=/usr/ecc/exec/MLR520/Err_file_2.tmp 
> type=SYSCALL msg=audit(05/31/2007 15:28:24.750:1074) : arch=i386 syscall=execve success=yes exit=0 a0=8191df0 a1=8191e48 a2=8191ea0 a3=8191e48 items=0 ppid=18497 pid=18518 auid=imarks uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts2 comm=vgscan exe=/sbin/lvm.static subj=user_u:system_r:lvm_t:s0 key=(null) 
> type=AVC msg=audit(05/31/2007 15:28:24.750:1074) : avc:  denied  { write } for  pid=18518 comm=vgscan name=Err_file_2.tmp dev=dm-4 ino=382125 scontext=user_u:system_r:lvm_t:s0 tcontext=user_u:object_r:usr_t:s0 tclass=file 
> type=AVC msg=audit(05/31/2007 15:28:24.750:1074) : avc:  denied  { write } for  pid=18518 comm=vgscan name=Out_file_1.tmp dev=dm-4 ino=382124 scontext=user_u:system_r:lvm_t:s0 tcontext=user_u:object_r:usr_t:s0 tclass=file 
> type=AVC msg=audit(05/31/2007 15:28:24.750:1074) : avc:  denied  { write } for  pid=18518 comm=vgscan name=Err_file_2.tmp dev=dm-4 ino=382125 scontext=user_u:system_r:lvm_t:s0 tcontext=user_u:object_r:usr_t:s0 tclass=file 
> type=AVC msg=audit(05/31/2007 15:28:24.750:1074) : avc:  denied  { write } for  pid=18518 comm=vgscan name=Out_file_1.tmp dev=dm-4 ino=382124 scontext=user_u:system_r:lvm_t:s0 tcontext=user_u:object_r:usr_t:s0 tclass=file 
>
>
>
> type=SYSCALL msg=audit(05/31/2007 15:32:17.305:1121) : arch=i386 syscall=open success=no exit=-13(Permission denied) a0=8440c70 a1=8042 a2=1ff a3=8042 items=0 ppid=18962 pid=18997 auid=imarks uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts2 comm=lvm exe=/usr/sbin/lvm subj=user_u:system_r:lvm_t:s0 key=(null) 
> type=AVC msg=audit(05/31/2007 15:32:17.305:1121) : avc:  denied  { write } for  pid=18997 comm=lvm name=.cache dev=dm-0 ino=7003 scontext=user_u:system_r:lvm_t:s0 tcontext=root:object_r:lvm_etc_t:s0 tclass=file 
>

The following commands should make it work.

# restorecon -R -v /etc/lvm
# semanage fcontext -a -t lvm_tmp_t '/usr/ecc/exec/MLR520(/.*)?'
# restorecon -R -v /usr/ecc/exec
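
An added example, not part of the original thread: a small shell/awk filter that reduces `ausearch -i` style AVC records to distinct denials (source type, target type, class, permission, file name). Run on the records quoted above, it shows two target types, `usr_t` and `lvm_etc_t`, which line up with the two paths relabelled in the reply. The function names `sample_log` and `avc_summary` are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.
# Sample records: four of the AVC lines quoted in the thread above.
sample_log() {
cat <<'EOF'
type=AVC msg=audit(05/31/2007 15:28:24.750:1074) : avc:  denied  { write } for  pid=18518 comm=vgscan name=Err_file_2.tmp dev=dm-4 ino=382125 scontext=user_u:system_r:lvm_t:s0 tcontext=user_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(05/31/2007 15:28:24.750:1074) : avc:  denied  { write } for  pid=18518 comm=vgscan name=Out_file_1.tmp dev=dm-4 ino=382124 scontext=user_u:system_r:lvm_t:s0 tcontext=user_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(05/31/2007 15:28:24.750:1074) : avc:  denied  { write } for  pid=18518 comm=vgscan name=Err_file_2.tmp dev=dm-4 ino=382125 scontext=user_u:system_r:lvm_t:s0 tcontext=user_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(05/31/2007 15:32:17.305:1121) : avc:  denied  { write } for  pid=18997 comm=lvm name=.cache dev=dm-0 ino=7003 scontext=user_u:system_r:lvm_t:s0 tcontext=root:object_r:lvm_etc_t:s0 tclass=file
EOF
}

# Reads audit records on stdin and prints one line per distinct denial:
#   count source_type target_type class perms name
avc_summary() {
    awk '
    # An SELinux context is user:role:type:level; the type is field 3.
    function ctx_type(ctx,   parts) { split(ctx, parts, ":"); return parts[3] }

    / avc: +denied / {
        perms = ""; name = "-"; s = ""; t = ""; c = ""
        # Permissions sit between "{" and "}"; join several with commas.
        if (match($0, /[{][^}]*[}]/)) {
            perms = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perms); gsub(/ +/, ",", perms)
        }
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^name=/)     { name = substr($i, 6); gsub(/"/, "", name) }
            if ($i ~ /^scontext=/) s = ctx_type(substr($i, 10))
            if ($i ~ /^tcontext=/) t = ctx_type(substr($i, 10))
            if ($i ~ /^tclass=/)   c = substr($i, 8)
        }
        seen[s " " t " " c " " perms " " name]++   # repeated records collapse here
    }
    END { for (k in seen) print seen[k], k }
    ' | LC_ALL=C sort -k2
}

sample_log | avc_summary
```

On a live system the same filter can be fed from `ausearch -m avc -i` instead of `sample_log`.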




