lvconvert does not work in enforcing, no AVC, instead I get SELINUX_ERR

Nickolas Gray nick at magitekltd.com
Wed May 27 23:33:01 UTC 2009


I am trying to run the "lvconvert" command in enforcing and cannot  
determine how to do it.

I am using the domain type lvm_t and running lvconvert inside a bash
script. The command works in permissive but fails in enforcing, with
the following audit trail.

----
node=develop.local.austin.rr.com type=PATH msg=audit(05/27/2009  
10:31:40.907:208246) : item=0 name=/dev/vg00/root inode=813052  
dev=00:0f mode=link,777 ouid=root ogid=siterep rdev=00:00  
obj=siterep_u:object_r:device_t:s15:c0.c1023
node=develop.local.austin.rr.com type=CWD msg=audit(05/27/2009  
10:31:40.907:208246) :  cwd=/home/siterep1
node=develop.local.austin.rr.com type=SYSCALL msg=audit(05/27/2009  
10:31:40.907:208246) : arch=x86_64 syscall=lsetxattr success=yes  
exit=0 a0=7fffd2b27a20 a1=7f97ca9034b9 a2=7f97c9ad16c0 a3=1e items=1  
ppid=9777 pid=9820 auid=siterep1 uid=root gid=siterep euid=root  
suid=root fsuid=root egid=siterep sgid=siterep fsgid=siterep tty=pts7  
ses=1 comm=lvconvert exe=/sbin/lvm  
subj=siterep_u:siterep_r:lvm_t:s15:c0.c1023 key=(null)
node=develop.local.austin.rr.com type=SELINUX_ERR msg=audit(05/27/2009  
10:31:40.907:208246) : security_validate_transition:  denied for  
oldcontext=siterep_u:object_r:device_t:s15:c0.c1023  
newcontext=system_u:object_r:device_t:s0  
taskcontext=siterep_u:siterep_r:lvm_t:s15:c0.c1023 tclass=lnk_file
----
node=develop.local.austin.rr.com type=PATH msg=audit(05/27/2009  
10:31:40.908:208247) : item=0 name=/dev/vg00/snap inode=813108  
dev=00:0f mode=link,777 ouid=root ogid=siterep rdev=00:00  
obj=siterep_u:object_r:device_t:s15:c0.c1023
node=develop.local.austin.rr.com type=CWD msg=audit(05/27/2009  
10:31:40.908:208247) :  cwd=/home/siterep1
node=develop.local.austin.rr.com type=SYSCALL msg=audit(05/27/2009  
10:31:40.908:208247) : arch=x86_64 syscall=lsetxattr success=yes  
exit=0 a0=7fffd2b27a20 a1=7f97ca9034b9 a2=7f97c9acc480 a3=1e items=1  
ppid=9777 pid=9820 auid=siterep1 uid=root gid=siterep euid=root  
suid=root fsuid=root egid=siterep sgid=siterep fsgid=siterep tty=pts7  
ses=1 comm=lvconvert exe=/sbin/lvm  
subj=siterep_u:siterep_r:lvm_t:s15:c0.c1023 key=(null)
node=develop.local.austin.rr.com type=SELINUX_ERR msg=audit(05/27/2009  
10:31:40.908:208247) : security_validate_transition:  denied for  
oldcontext=siterep_u:object_r:device_t:s15:c0.c1023  
newcontext=system_u:object_r:device_t:s0  
taskcontext=siterep_u:siterep_r:lvm_t:s15:c0.c1023 tclass=lnk_file
----
node=develop.local.austin.rr.com type=PATH msg=audit(05/27/2009  
10:31:40.983:208258) : item=0 name=/dev/vg00/root inode=813142  
dev=00:0f mode=link,777 ouid=root ogid=siterep rdev=00:00  
obj=siterep_u:object_r:device_t:s15:c0.c1023
node=develop.local.austin.rr.com type=CWD msg=audit(05/27/2009  
10:31:40.983:208258) :  cwd=/home/siterep1
node=develop.local.austin.rr.com type=SYSCALL msg=audit(05/27/2009  
10:31:40.983:208258) : arch=x86_64 syscall=lsetxattr success=yes  
exit=0 a0=7fffd2b27b30 a1=7f97ca9034b9 a2=7f97c4556b10 a3=1e items=1  
ppid=9777 pid=9820 auid=siterep1 uid=root gid=siterep euid=root  
suid=root fsuid=root egid=siterep sgid=siterep fsgid=siterep tty=pts7  
ses=1 comm=lvconvert exe=/sbin/lvm  
subj=siterep_u:siterep_r:lvm_t:s15:c0.c1023 key=(null)
node=develop.local.austin.rr.com type=SELINUX_ERR msg=audit(05/27/2009  
10:31:40.983:208258) : security_validate_transition:  denied for  
oldcontext=siterep_u:object_r:device_t:s15:c0.c1023  
newcontext=system_u:object_r:device_t:s0  
taskcontext=siterep_u:siterep_r:lvm_t:s15:c0.c1023 tclass=lnk_file
----
node=develop.local.austin.rr.com type=PATH msg=audit(05/27/2009  
10:31:40.984:208260) : item=0 name=/dev/vg00/snap inode=813145  
dev=00:0f mode=link,777 ouid=root ogid=siterep rdev=00:00  
obj=siterep_u:object_r:device_t:s15:c0.c1023
node=develop.local.austin.rr.com type=CWD msg=audit(05/27/2009  
10:31:40.984:208260) :  cwd=/home/siterep1
node=develop.local.austin.rr.com type=SYSCALL msg=audit(05/27/2009  
10:31:40.984:208260) : arch=x86_64 syscall=lsetxattr success=yes  
exit=0 a0=7fffd2b27b30 a1=7f97ca9034b9 a2=7f97c455dc90 a3=1e items=1  
ppid=9777 pid=9820 auid=siterep1 uid=root gid=siterep euid=root  
suid=root fsuid=root egid=siterep sgid=siterep fsgid=siterep tty=pts7  
ses=1 comm=lvconvert exe=/sbin/lvm  
subj=siterep_u:siterep_r:lvm_t:s15:c0.c1023 key=(null)
node=develop.local.austin.rr.com type=SELINUX_ERR msg=audit(05/27/2009  
10:31:40.984:208260) : security_validate_transition:  denied for  
oldcontext=siterep_u:object_r:device_t:s15:c0.c1023  
newcontext=system_u:object_r:device_t:s0  
taskcontext=siterep_u:siterep_r:lvm_t:s15:c0.c1023 tclass=lnk_file
----

There are no AVCs associated with the error, and I am using the
following policy statements (where jcdx_fsbackup_t is the domain type
of the entire script):

lvm_domtrans(jcdx_fsbackup_t)
mls_file_write_all_levels(lvm_t)
allow lvm_t lvm_control_t:chr_file write;
allow lvm_t lvm_lock_t:dir { write remove_name add_name };
allow lvm_t lvm_metadata_t:dir { write remove_name add_name };

At this point the script is

----------
#!/bin/bash

/sbin/lvconvert -s vg00/root snap
----------

The policy is selinux-policy-3.5.13-57.fc10.

A push in the right direction would be appreciated.


--

"THIS time it really is fixed. I mean, how many times can we get it  
wrong? At some point, we just have to run out of bad ideas.."

Linus Torvalds



Nickolas Gray
nick at magitek.ltd







