lvconvert does not work in enforcing, no AVC, instead I get SELINUX_ERR

Nickolas Gray nick at magitekltd.com
Thu May 28 16:09:00 UTC 2009


Dominic, Stephan

Thanks for the input. Let me digest this and I may have more questions.


On May 28, 2009, at 7:19 AM, Dominick Grift wrote:

> On Wed, 2009-05-27 at 18:33 -0500, Nickolas Gray wrote:
>> I am trying to run the "lvconvert" command in enforcing and cannot
>> determine how to do it.
>>
>> I am using the domain type lvm_t and running lvconvert inside a bash
>> script. The command works in permissive but fails in enforcing.
>>
>> with the following audit trail.
>>
>> ----
>> node=develop.local.austin.rr.com type=PATH msg=audit(05/27/2009
>> 10:31:40.907:208246) : item=0 name=/dev/vg00/root inode=813052
>> dev=00:0f mode=link,777 ouid=root ogid=siterep rdev=00:00
>> obj=siterep_u:object_r:device_t:s15:c0.c1023
>> node=develop.local.austin.rr.com type=CWD msg=audit(05/27/2009
>> 10:31:40.907:208246) :  cwd=/home/siterep1
>> node=develop.local.austin.rr.com type=SYSCALL msg=audit(05/27/2009
>> 10:31:40.907:208246) : arch=x86_64 syscall=lsetxattr success=yes
>> exit=0 a0=7fffd2b27a20 a1=7f97ca9034b9 a2=7f97c9ad16c0 a3=1e items=1
>> ppid=9777 pid=9820 auid=siterep1 uid=root gid=siterep euid=root
>> suid=root fsuid=root egid=siterep sgid=siterep fsgid=siterep tty=pts7
>> ses=1 comm=lvconvert exe=/sbin/lvm
>> subj=siterep_u:siterep_r:lvm_t:s15:c0.c1023 key=(null)
>> node=develop.local.austin.rr.com type=SELINUX_ERR  
>> msg=audit(05/27/2009
>> 10:31:40.907:208246) : security_validate_transition:  denied for
>> oldcontext=siterep_u:object_r:device_t:s15:c0.c1023
>> newcontext=system_u:object_r:device_t:s0
>> taskcontext=siterep_u:siterep_r:lvm_t:s15:c0.c1023 tclass=lnk_file
>> ----
>> node=develop.local.austin.rr.com type=PATH msg=audit(05/27/2009
>> 10:31:40.908:208247) : item=0 name=/dev/vg00/snap inode=813108
>> dev=00:0f mode=link,777 ouid=root ogid=siterep rdev=00:00
>> obj=siterep_u:object_r:device_t:s15:c0.c1023
>> node=develop.local.austin.rr.com type=CWD msg=audit(05/27/2009
>> 10:31:40.908:208247) :  cwd=/home/siterep1
>> node=develop.local.austin.rr.com type=SYSCALL msg=audit(05/27/2009
>> 10:31:40.908:208247) : arch=x86_64 syscall=lsetxattr success=yes
>> exit=0 a0=7fffd2b27a20 a1=7f97ca9034b9 a2=7f97c9acc480 a3=1e items=1
>> ppid=9777 pid=9820 auid=siterep1 uid=root gid=siterep euid=root
>> suid=root fsuid=root egid=siterep sgid=siterep fsgid=siterep tty=pts7
>> ses=1 comm=lvconvert exe=/sbin/lvm
>> subj=siterep_u:siterep_r:lvm_t:s15:c0.c1023 key=(null)
>> node=develop.local.austin.rr.com type=SELINUX_ERR  
>> msg=audit(05/27/2009
>> 10:31:40.908:208247) : security_validate_transition:  denied for
>> oldcontext=siterep_u:object_r:device_t:s15:c0.c1023
>> newcontext=system_u:object_r:device_t:s0
>> taskcontext=siterep_u:siterep_r:lvm_t:s15:c0.c1023 tclass=lnk_file
>> ----
>> node=develop.local.austin.rr.com type=PATH msg=audit(05/27/2009
>> 10:31:40.983:208258) : item=0 name=/dev/vg00/root inode=813142
>> dev=00:0f mode=link,777 ouid=root ogid=siterep rdev=00:00
>> obj=siterep_u:object_r:device_t:s15:c0.c1023
>> node=develop.local.austin.rr.com type=CWD msg=audit(05/27/2009
>> 10:31:40.983:208258) :  cwd=/home/siterep1
>> node=develop.local.austin.rr.com type=SYSCALL msg=audit(05/27/2009
>> 10:31:40.983:208258) : arch=x86_64 syscall=lsetxattr success=yes
>> exit=0 a0=7fffd2b27b30 a1=7f97ca9034b9 a2=7f97c4556b10 a3=1e items=1
>> ppid=9777 pid=9820 auid=siterep1 uid=root gid=siterep euid=root
>> suid=root fsuid=root egid=siterep sgid=siterep fsgid=siterep tty=pts7
>> ses=1 comm=lvconvert exe=/sbin/lvm
>> subj=siterep_u:siterep_r:lvm_t:s15:c0.c1023 key=(null)
>> node=develop.local.austin.rr.com type=SELINUX_ERR  
>> msg=audit(05/27/2009
>> 10:31:40.983:208258) : security_validate_transition:  denied for
>> oldcontext=siterep_u:object_r:device_t:s15:c0.c1023
>> newcontext=system_u:object_r:device_t:s0
>> taskcontext=siterep_u:siterep_r:lvm_t:s15:c0.c1023 tclass=lnk_file
>> ----
>> node=develop.local.austin.rr.com type=PATH msg=audit(05/27/2009
>> 10:31:40.984:208260) : item=0 name=/dev/vg00/snap inode=813145
>> dev=00:0f mode=link,777 ouid=root ogid=siterep rdev=00:00
>> obj=siterep_u:object_r:device_t:s15:c0.c1023
>> node=develop.local.austin.rr.com type=CWD msg=audit(05/27/2009
>> 10:31:40.984:208260) :  cwd=/home/siterep1
>> node=develop.local.austin.rr.com type=SYSCALL msg=audit(05/27/2009
>> 10:31:40.984:208260) : arch=x86_64 syscall=lsetxattr success=yes
>> exit=0 a0=7fffd2b27b30 a1=7f97ca9034b9 a2=7f97c455dc90 a3=1e items=1
>> ppid=9777 pid=9820 auid=siterep1 uid=root gid=siterep euid=root
>> suid=root fsuid=root egid=siterep sgid=siterep fsgid=siterep tty=pts7
>> ses=1 comm=lvconvert exe=/sbin/lvm
>> subj=siterep_u:siterep_r:lvm_t:s15:c0.c1023 key=(null)
>> node=develop.local.austin.rr.com type=SELINUX_ERR  
>> msg=audit(05/27/2009
>> 10:31:40.984:208260) : security_validate_transition:  denied for
>> oldcontext=siterep_u:object_r:device_t:s15:c0.c1023
>> newcontext=system_u:object_r:device_t:s0
>> taskcontext=siterep_u:siterep_r:lvm_t:s15:c0.c1023 tclass=lnk_file
>> ----
>>
>> There are no AVCs associated with the error and I am using the
>> following policy statements (where jcdx_fsbackup_t is the domain type
>> of the entire script)
>>
>> lvm_domtrans(jcdx_fsbackup_t)
>> mls_file_write_all_levels(lvm_t)
>> allow lvm_t lvm_control_t:chr_file write;
>> allow lvm_t lvm_lock_t:dir { write remove_name add_name };
>> allow lvm_t lvm_metadata_t:dir { write remove_name add_name };
>>
>> At this point the script is
>>
>> ----------
>> #!/bin/bash
>>
>> /sbin/lvconvert -s vg00/root snap
>> ----------
>>
>> The policy is selinux-policy-3.5.13-57.fc10,
>>
>> A push in the right direction would be appreciated.
>>
>
> you need to add a rule that allows lvm_t to inherit the siterep_r role:
>
> role siterep_r types lvm_t;
>


--

"THIS time it really is fixed. I mean, how many times can we get it  
wrong? At some point, we just have to run out of bad ideas.."

Linus Torvalds



Nickolas Gray
nick at magitek.ltd
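Because the records in this thread carry a SELINUX_ERR but no AVC, the quickest way to see what the relabel actually changed is to group the records by audit event id and pull the validate_transition contexts apart. The Python below is an added example, not code from the thread; its sample records are constructed in the shape of the log quoted above (with the node= prefix dropped).

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the thread's records; the last event is a
# plain syscall with no SELINUX_ERR and must be ignored by the parser.
SAMPLE_AUDIT = """\
type=PATH msg=audit(05/27/2009 10:31:40.907:208246) : item=0 name=/dev/vg00/root obj=siterep_u:object_r:device_t:s15:c0.c1023
type=SYSCALL msg=audit(05/27/2009 10:31:40.907:208246) : arch=x86_64 syscall=lsetxattr success=yes exit=0 comm=lvconvert exe=/sbin/lvm subj=siterep_u:siterep_r:lvm_t:s15:c0.c1023
type=SELINUX_ERR msg=audit(05/27/2009 10:31:40.907:208246) : security_validate_transition:  denied for oldcontext=siterep_u:object_r:device_t:s15:c0.c1023 newcontext=system_u:object_r:device_t:s0 taskcontext=siterep_u:siterep_r:lvm_t:s15:c0.c1023 tclass=lnk_file
type=SYSCALL msg=audit(05/27/2009 10:32:01.100:208300) : arch=x86_64 syscall=open success=yes exit=3 comm=cat exe=/bin/cat subj=siterep_u:siterep_r:siterep_t:s15:c0.c1023
"""

# type=<record> msg=audit(<timestamp>:<event id>) : <key=value body>
RECORD_RE = re.compile(r"type=(\w+) msg=audit\([^)]*:(\d+)\) :\s*(.*)")
KV_RE = re.compile(r"(\w+)=(\S+)")

def split_context(ctx):
    """Split user:role:type[:mls] into a dict; the MLS part may be absent."""
    parts = ctx.split(":", 3)
    return dict(zip(("user", "role", "type", "mls"), parts + [""] * (4 - len(parts))))

def find_validate_transition_denials(text):
    """Group records by audit event id and describe every
    security_validate_transition denial: which context fields the relabel
    changed, the object class, and the subject that attempted it."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = RECORD_RE.search(line)
        if m:
            rtype, event_id, body = m.groups()
            events[event_id][rtype] = dict(KV_RE.findall(body))
    findings = []
    for event_id, recs in sorted(events.items()):
        err = recs.get("SELINUX_ERR", {})
        if "oldcontext" not in err:
            continue  # no error record, or one of another shape
        old, new = split_context(err["oldcontext"]), split_context(err["newcontext"])
        syscall = recs.get("SYSCALL", {})
        findings.append({
            "event": event_id,
            "path": recs.get("PATH", {}).get("name"),
            "syscall": syscall.get("syscall"),
            "syscall_success": syscall.get("success"),
            "subject": split_context(err["taskcontext"]),
            "tclass": err.get("tclass"),
            "changed": [k for k in old if old[k] != new[k]],
            "old": old, "new": new,
        })
    return findings

if __name__ == "__main__":
    for f in find_validate_transition_denials(SAMPLE_AUDIT):
        print(f"event {f['event']}: {f['syscall']} on {f['path']} by "
              f"{f['subject']['role']}:{f['subject']['type']} changed {f['changed']}")
```

Run against the thread's own records, the "changed" list shows the relabel touching the SELinux user and the MLS range while the role and type stay the same.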