lvconvert does not work in enforcing, no AVC, instead I get SELINUX_ERR

Stephen Smalley sds at tycho.nsa.gov
Thu May 28 12:38:29 UTC 2009


On Wed, 2009-05-27 at 18:33 -0500, Nickolas Gray wrote:
> I am trying to run the "lvconvert" command in enforcing and cannot  
> determine how to do it.
> 
> I am using the domain type lvm_t and running lvconvert inside a bash  
> script. The command works in permissive but fails in enforcing.
> 
> with the following audit trail.
> 
> ----
> node=develop.local.austin.rr.com type=PATH msg=audit(05/27/2009  
> 10:31:40.907:208246) : item=0 name=/dev/vg00/root inode=813052  
> dev=00:0f mode=link,777 ouid=root ogid=siterep rdev=00:00  
> obj=siterep_u:object_r:device_t:s15:c0.c1023
> node=develop.local.austin.rr.com type=CWD msg=audit(05/27/2009  
> 10:31:40.907:208246) :  cwd=/home/siterep1
> node=develop.local.austin.rr.com type=SYSCALL msg=audit(05/27/2009  
> 10:31:40.907:208246) : arch=x86_64 syscall=lsetxattr success=yes  
> exit=0 a0=7fffd2b27a20 a1=7f97ca9034b9 a2=7f97c9ad16c0 a3=1e items=1  
> ppid=9777 pid=9820 auid=siterep1 uid=root gid=siterep euid=root  
> suid=root fsuid=root egid=siterep sgid=siterep fsgid=siterep tty=pts7  
> ses=1 comm=lvconvert exe=/sbin/lvm  
> subj=siterep_u:siterep_r:lvm_t:s15:c0.c1023 key=(null)
> node=develop.local.austin.rr.com type=SELINUX_ERR msg=audit(05/27/2009  
> 10:31:40.907:208246) : security_validate_transition:  denied for  
> oldcontext=siterep_u:object_r:device_t:s15:c0.c1023  
> newcontext=system_u:object_r:device_t:s0  
> taskcontext=siterep_u:siterep_r:lvm_t:s15:c0.c1023 tclass=lnk_file

You are violating a MLS validatetrans constraint (in policy/mls) that
restricts the ability to relabel a file to a different level unless the
calling domain has the appropriate type attribute.

In this case, you are downgrading the device from s15:c0.c1023
(systemhigh) to s0 (systemlow).

If you want lvm to be able to do that, you'd have to give it
mlsfiledowngrade, i.e.
$ cat lvmmls.te
policy_module(lvmmls, 1.0)
require {
	type lvm_t;
}
mls_file_downgrade(lvm_t)
$ make -f /usr/share/selinux/devel/Makefile lvmmls.pp
$ sudo semodule -i lvmmls.pp

> ----
> node=develop.local.austin.rr.com type=PATH msg=audit(05/27/2009  
> 10:31:40.908:208247) : item=0 name=/dev/vg00/snap inode=813108  
> dev=00:0f mode=link,777 ouid=root ogid=siterep rdev=00:00  
> obj=siterep_u:object_r:device_t:s15:c0.c1023
> node=develop.local.austin.rr.com type=CWD msg=audit(05/27/2009  
> 10:31:40.908:208247) :  cwd=/home/siterep1
> node=develop.local.austin.rr.com type=SYSCALL msg=audit(05/27/2009  
> 10:31:40.908:208247) : arch=x86_64 syscall=lsetxattr success=yes  
> exit=0 a0=7fffd2b27a20 a1=7f97ca9034b9 a2=7f97c9acc480 a3=1e items=1  
> ppid=9777 pid=9820 auid=siterep1 uid=root gid=siterep euid=root  
> suid=root fsuid=root egid=siterep sgid=siterep fsgid=siterep tty=pts7  
> ses=1 comm=lvconvert exe=/sbin/lvm  
> subj=siterep_u:siterep_r:lvm_t:s15:c0.c1023 key=(null)
> node=develop.local.austin.rr.com type=SELINUX_ERR msg=audit(05/27/2009  
> 10:31:40.908:208247) : security_validate_transition:  denied for  
> oldcontext=siterep_u:object_r:device_t:s15:c0.c1023  
> newcontext=system_u:object_r:device_t:s0  
> taskcontext=siterep_u:siterep_r:lvm_t:s15:c0.c1023 tclass=lnk_file
> ----
> node=develop.local.austin.rr.com type=PATH msg=audit(05/27/2009  
> 10:31:40.983:208258) : item=0 name=/dev/vg00/root inode=813142  
> dev=00:0f mode=link,777 ouid=root ogid=siterep rdev=00:00  
> obj=siterep_u:object_r:device_t:s15:c0.c1023
> node=develop.local.austin.rr.com type=CWD msg=audit(05/27/2009  
> 10:31:40.983:208258) :  cwd=/home/siterep1
> node=develop.local.austin.rr.com type=SYSCALL msg=audit(05/27/2009  
> 10:31:40.983:208258) : arch=x86_64 syscall=lsetxattr success=yes  
> exit=0 a0=7fffd2b27b30 a1=7f97ca9034b9 a2=7f97c4556b10 a3=1e items=1  
> ppid=9777 pid=9820 auid=siterep1 uid=root gid=siterep euid=root  
> suid=root fsuid=root egid=siterep sgid=siterep fsgid=siterep tty=pts7  
> ses=1 comm=lvconvert exe=/sbin/lvm  
> subj=siterep_u:siterep_r:lvm_t:s15:c0.c1023 key=(null)
> node=develop.local.austin.rr.com type=SELINUX_ERR msg=audit(05/27/2009  
> 10:31:40.983:208258) : security_validate_transition:  denied for  
> oldcontext=siterep_u:object_r:device_t:s15:c0.c1023  
> newcontext=system_u:object_r:device_t:s0  
> taskcontext=siterep_u:siterep_r:lvm_t:s15:c0.c1023 tclass=lnk_file
> ----
> node=develop.local.austin.rr.com type=PATH msg=audit(05/27/2009  
> 10:31:40.984:208260) : item=0 name=/dev/vg00/snap inode=813145  
> dev=00:0f mode=link,777 ouid=root ogid=siterep rdev=00:00  
> obj=siterep_u:object_r:device_t:s15:c0.c1023
> node=develop.local.austin.rr.com type=CWD msg=audit(05/27/2009  
> 10:31:40.984:208260) :  cwd=/home/siterep1
> node=develop.local.austin.rr.com type=SYSCALL msg=audit(05/27/2009  
> 10:31:40.984:208260) : arch=x86_64 syscall=lsetxattr success=yes  
> exit=0 a0=7fffd2b27b30 a1=7f97ca9034b9 a2=7f97c455dc90 a3=1e items=1  
> ppid=9777 pid=9820 auid=siterep1 uid=root gid=siterep euid=root  
> suid=root fsuid=root egid=siterep sgid=siterep fsgid=siterep tty=pts7  
> ses=1 comm=lvconvert exe=/sbin/lvm  
> subj=siterep_u:siterep_r:lvm_t:s15:c0.c1023 key=(null)
> node=develop.local.austin.rr.com type=SELINUX_ERR msg=audit(05/27/2009  
> 10:31:40.984:208260) : security_validate_transition:  denied for  
> oldcontext=siterep_u:object_r:device_t:s15:c0.c1023  
> newcontext=system_u:object_r:device_t:s0  
> taskcontext=siterep_u:siterep_r:lvm_t:s15:c0.c1023 tclass=lnk_file
> ----
> 
> There are no AVCs associated with the error and I am using the  
> following policy statements ( where jcdx_fsbackup_t is the domain type  
> of the entire script)
> 
> lvm_domtrans(jcdx_fsbackup_t)
> mls_file_write_all_levels(lvm_t)
> allow lvm_t lvm_control_t:chr_file write;
> allow lvm_t lvm_lock_t:dir { write remove_name add_name };
> allow lvm_t lvm_metadata_t:dir { write remove_name add_name };
> 
> At this point the script is
> 
> ----------
> #!/bin/bash
> 
> /sbin/lvconvert -s vg00/root snap
> ----------
> 
> The policy is selinux-policy-3.5.13-57.fc10,
> 
> A push in the right direction would be appreciated.
> 
> 
> --
> 
> "THIS time it really is fixed. I mean, how many times can we get it  
> wrong? At some point, we just have to run out of bad ideas.."
> 
> Linus Torvalds
> 
> 
> 
> Nickolas Gray
> nick at magitek.ltd
> 
> 
> 
> 
> 
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
-- 
Stephen Smalley
National Security Agency
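The records above are the thing to learn to read: a validatetrans constraint failure shows up as a SELINUX_ERR record, not as an AVC, so an allow rule is never the fix. As an added example (not code from this list or from the SELinux project), the script below triages such records the way Stephen's reply does by hand: it pulls oldcontext/newcontext/taskcontext out of each SELINUX_ERR line, parses the MLS level of each context, decides whether the relabel is a downgrade, an upgrade, or incomparable under MLS dominance, joins the matching SYSCALL record by audit serial, and names the reference-policy interface that would need to be granted. The sample input is constructed from the records quoted in the thread (one record per line, fields that do not matter dropped). The mapping of an upgrade to `mls_file_upgrade` is assumed from the reference policy's mls interfaces, not from this thread; only `mls_file_downgrade` is named on the page.

```python
"""Triage SELINUX_ERR validate_transition denials as MLS level changes.

Added example for this thread, not code from fedora-selinux-list or from the
SELinux project. Record layout follows the ausearch -i style output quoted
in the thread; the sample is constructed from those records.
"""
import re
from dataclasses import dataclass

# Constructed sample: the thread's records collapsed to one line each.
SAMPLE_AUDIT = """\
type=PATH msg=audit(05/27/2009 10:31:40.907:208246) : item=0 name=/dev/vg00/root mode=link,777 obj=siterep_u:object_r:device_t:s15:c0.c1023
type=SYSCALL msg=audit(05/27/2009 10:31:40.907:208246) : arch=x86_64 syscall=lsetxattr success=yes exit=0 comm=lvconvert exe=/sbin/lvm subj=siterep_u:siterep_r:lvm_t:s15:c0.c1023
type=SELINUX_ERR msg=audit(05/27/2009 10:31:40.907:208246) : security_validate_transition:  denied for oldcontext=siterep_u:object_r:device_t:s15:c0.c1023 newcontext=system_u:object_r:device_t:s0 taskcontext=siterep_u:siterep_r:lvm_t:s15:c0.c1023 tclass=lnk_file
type=SYSCALL msg=audit(05/27/2009 10:31:40.984:208260) : arch=x86_64 syscall=lsetxattr success=yes exit=0 comm=lvconvert exe=/sbin/lvm subj=siterep_u:siterep_r:lvm_t:s15:c0.c1023
type=SELINUX_ERR msg=audit(05/27/2009 10:31:40.984:208260) : security_validate_transition:  denied for oldcontext=siterep_u:object_r:device_t:s15:c0.c1023 newcontext=system_u:object_r:device_t:s0 taskcontext=siterep_u:siterep_r:lvm_t:s15:c0.c1023 tclass=lnk_file
"""

KV_RE = re.compile(r"(\w+)=(\S+)")      # key=value tokens of an audit record
SERIAL_RE = re.compile(r":(\d+)\)")     # the serial inside msg=audit(...:SERIAL)

# Refpolicy interface that would make a domain MLS-trusted for each direction.
# mls_file_downgrade is named in the thread; mls_file_upgrade is assumed from
# the reference policy's mls interfaces.
NEEDED = {"downgrade": "mls_file_downgrade", "upgrade": "mls_file_upgrade"}


@dataclass(frozen=True)
class Level:
    sens: int            # sensitivity, e.g. 15 for s15
    cats: frozenset      # category set, e.g. {0..1023} for c0.c1023


def parse_level(text: str) -> Level:
    """Parse an MLS level such as 's15:c0.c1023', 's0' or 's2:c1,c5.c7'.

    A range 'low-high' is reduced to its low level (assumption: a file label
    carries a single level, so low == high for the contexts seen here).
    """
    low = text.split("-", 1)[0]
    parts = low.split(":", 1)
    sens = int(parts[0][1:])
    cats = set()
    if len(parts) == 2 and parts[1]:
        for piece in parts[1].split(","):
            if "." in piece:                      # cA.cB is an inclusive range
                a, b = piece.split(".")
                cats.update(range(int(a[1:]), int(b[1:]) + 1))
            else:
                cats.add(int(piece[1:]))
    return Level(sens, frozenset(cats))


def dominates(a: Level, b: Level) -> bool:
    """MLS dominance: a >= b in sensitivity and a's categories include b's."""
    return a.sens >= b.sens and a.cats >= b.cats


def classify(old: Level, new: Level) -> str:
    if old == new:
        return "same"
    if dominates(old, new):
        return "downgrade"
    if dominates(new, old):
        return "upgrade"
    return "incomparable"


def split_context(ctx: str):
    """user:role:type[:level]; a context without a level is treated as s0."""
    parts = ctx.split(":", 3)
    level = parts[3] if len(parts) == 4 else "s0"
    return parts[0], parts[1], parts[2], level


def analyze(audit_text: str) -> list:
    """Return one finding per SELINUX_ERR validate_transition record."""
    records = []
    for line in audit_text.splitlines():
        fields = dict(KV_RE.findall(line))
        m = SERIAL_RE.search(line)
        records.append((m.group(1) if m else None, fields))

    # First pass: index SYSCALL records by serial so each denial can be joined
    # with the syscall and command that triggered it.
    syscalls = {s: f for s, f in records if f.get("type") == "SYSCALL"}

    findings = []
    for serial, f in records:
        if f.get("type") != "SELINUX_ERR" or "oldcontext" not in f:
            continue
        _, _, _, old_lvl = split_context(f["oldcontext"])
        _, _, _, new_lvl = split_context(f["newcontext"])
        _, _, domain, _ = split_context(f["taskcontext"])
        direction = classify(parse_level(old_lvl), parse_level(new_lvl))
        sc = syscalls.get(serial, {})
        findings.append({
            "serial": serial,
            "domain": domain,
            "tclass": f.get("tclass"),
            "old_level": old_lvl,
            "new_level": new_lvl,
            "direction": direction,
            "needed_interface": NEEDED.get(direction),
            "comm": sc.get("comm"),
            "syscall": sc.get("syscall"),
        })
    return findings


if __name__ == "__main__":
    for fd in analyze(SAMPLE_AUDIT):
        print(f"{fd['serial']}: {fd['comm']} ({fd['syscall']}) in {fd['domain']} "
              f"relabels {fd['tclass']} {fd['old_level']} -> {fd['new_level']}: "
              f"{fd['direction']}; interface needed: {fd['needed_interface']}")
```

Run against the thread's records this reports both denials as a downgrade from s15:c0.c1023 to s0 by lvm_t, which is exactly the case the reply identifies, and it reports `mls_file_downgrade` as the interface to grant. The "incomparable" branch is the one to watch in practice: two levels with disjoint category sets are neither an upgrade nor a downgrade, and a domain would need trust in both directions before the constraint lets the relabel through.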