Bug 437220 - sys-fs/lvm2-2.02.88 with SELinux 2.20120725-r5: unable to use 'lvcreate'
Summary: sys-fs/lvm2-2.02.88 with SELinux 2.20120725-r5: unable to use 'lvcreate'
Status: VERIFIED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: SELinux
Hardware: All Linux
Importance: Normal normal
Assignee: Sven Vermeulen (RETIRED)
URL:
Whiteboard: sec-policy r7
Keywords:
Depends on:
Blocks:
 
Reported: 2012-10-04 18:17 UTC by Vincent Brillault
Modified: 2012-12-13 10:10 UTC

See Also:
Package list:
Runtime testing required: ---
Description Vincent Brillault 2012-10-04 18:17:31 UTC
lvcreate doesn't work with SELinux strict enabled and enforced:

 # lvcreate --size 1G --name portage vg
  /dev/vg/portage: not found: device not cleared
  Aborting. Failed to wipe start of new LV.
 # setenforce 0
 # lvcreate --size 1G --name  webrsync vg
  Logical volume "webrsync" created
 # setenforce 1
 # ls /dev/vg/
  webrsync@

AVCs during the first lvcreate (enforcing):

Oct  3 14:29:09 **** kernel: [163112.591488] type=1400 audit(1349267349.068:365): avc:  denied  { read } for  pid=551 comm="lvcreate" name="queue.bin" dev="tmpfs" ino=6565 ipaddr=194.29.25.170 scontext=staff_u:sysadm_r:lvm_t tcontext=system_u:object_r:udev_var_run_t tclass=file
Oct  3 14:29:09 **** kernel: [163113.025760] type=1400 audit(1349267349.502:366): avc:  denied  { read } for  pid=551 comm="lvcreate" name="queue.bin" dev="tmpfs" ino=6565 ipaddr=194.29.25.170 scontext=staff_u:sysadm_r:lvm_t tcontext=system_u:object_r:udev_var_run_t tclass=file
Oct  3 14:29:09 **** kernel: [163113.028051] type=1400 audit(1349267349.504:367): avc:  denied  { setattr } for  pid=9 comm="kdevtmpfs" name="dm-3" dev="devtmpfs" ino=391246 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:device_t tclass=blk_file
Oct  3 14:29:09 **** kernel: [163113.101314] type=1400 audit(1349267349.578:368): avc:  denied  { block_suspend } for  pid=2215 comm="udevd" capability=36 scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t tclass=capability2
Oct  3 14:29:09 **** kernel: [163113.118714] type=1400 audit(1349267349.595:369): avc:  denied  { block_suspend } for  pid=2215 comm="udevd" capability=36 scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t tclass=capability2
Oct  3 14:29:09 **** kernel: [163113.124285] type=1400 audit(1349267349.601:370): avc:  denied  { getattr } for  pid=9 comm="kdevtmpfs" path="/dm-3" dev="devtmpfs" ino=391246 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file
Oct  3 14:29:09 **** kernel: [163113.283173] type=1400 audit(1349267349.760:371): avc:  denied  { block_suspend } for  pid=2215 comm="udevd" capability=36 scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t tclass=capability2
Oct  3 14:29:09 **** kernel: [163113.382246] type=1400 audit(1349267349.859:372): avc:  denied  { block_suspend } for  pid=2216 comm="udevd" capability=36 scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t tclass=capability2


AVCs in permissive (second call):

Oct  3 14:29:34 **** kernel: [163137.820390] type=1400 audit(1349267374.297:374): avc:  denied  { read } for  pid=562 comm="lvcreate" name="queue.bin" dev="tmpfs" ino=391271 ipaddr=194.29.25.170 scontext=staff_u:sysadm_r:lvm_t tcontext=system_u:object_r:udev_var_run_t tclass=file
Oct  3 14:29:34 **** kernel: [163137.820422] type=1400 audit(1349267374.297:375): avc:  denied  { open } for  pid=562 comm="lvcreate" path="/run/udev/queue.bin" dev="tmpfs" ino=391271 ipaddr=194.29.25.170 scontext=staff_u:sysadm_r:lvm_t tcontext=system_u:object_r:udev_var_run_t tclass=file
Oct  3 14:29:34 **** kernel: [163137.820456] type=1400 audit(1349267374.297:376): avc:  denied  { getattr } for  pid=562 comm="lvcreate" path="/run/udev/queue.bin" dev="tmpfs" ino=391271 ipaddr=194.29.25.170 scontext=staff_u:sysadm_r:lvm_t tcontext=system_u:object_r:udev_var_run_t tclass=file
Oct  3 14:29:34 **** kernel: [163138.172878] type=1400 audit(1349267374.649:377): avc:  denied  { setattr } for  pid=9 comm="kdevtmpfs" name="dm-3" dev="devtmpfs" ino=391296 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:device_t tclass=blk_file
Oct  3 14:29:34 **** kernel: [163138.217139] type=1400 audit(1349267374.694:378): avc:  denied  { block_suspend } for  pid=2215 comm="udevd" capability=36 scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t tclass=capability2
Oct  3 14:29:34 **** kernel: [163138.303164] type=1400 audit(1349267374.780:379): avc:  denied  { read } for  pid=567 comm="dmsetup" name="queue.bin" dev="tmpfs" ino=391299 scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:udev_var_run_t tclass=file
Oct  3 14:29:34 **** kernel: [163138.303196] type=1400 audit(1349267374.780:380): avc:  denied  { open } for  pid=567 comm="dmsetup" path="/run/udev/queue.bin" dev="tmpfs" ino=391299 scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:udev_var_run_t tclass=file
Oct  3 14:29:34 **** kernel: [163138.303228] type=1400 audit(1349267374.780:381): avc:  denied  { getattr } for  pid=567 comm="dmsetup" path="/run/udev/queue.bin" dev="tmpfs" ino=391299 scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:udev_var_run_t tclass=file
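As an added example, not code from the bug report or from the Gentoo SELinux policy: a small triage script that groups the AVC records above by source type, target type and object class, renders them as allow rules for review, and shows why the permissive run is the one to read, since in enforcing mode the first denied read aborts lvcreate before the open and getattr it also needs are ever attempted. The records are copied from the report with the syslog prefix dropped and the wrapped lines rejoined; the function names are my own.

```python
import re
from collections import defaultdict

# Audit records copied from the bug report above (syslog prefix dropped, wrapped
# lines rejoined); ENFORCING is the failed lvcreate, PERMISSIVE the one that worked.
ENFORCING = """\
type=1400 audit(1349267349.068:365): avc:  denied  { read } for  pid=551 comm="lvcreate" name="queue.bin" dev="tmpfs" ino=6565 ipaddr=194.29.25.170 scontext=staff_u:sysadm_r:lvm_t tcontext=system_u:object_r:udev_var_run_t tclass=file
type=1400 audit(1349267349.504:367): avc:  denied  { setattr } for  pid=9 comm="kdevtmpfs" name="dm-3" dev="devtmpfs" ino=391246 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:device_t tclass=blk_file
type=1400 audit(1349267349.578:368): avc:  denied  { block_suspend } for  pid=2215 comm="udevd" capability=36 scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t tclass=capability2
"""
PERMISSIVE = """\
type=1400 audit(1349267374.297:374): avc:  denied  { read } for  pid=562 comm="lvcreate" name="queue.bin" dev="tmpfs" ino=391271 ipaddr=194.29.25.170 scontext=staff_u:sysadm_r:lvm_t tcontext=system_u:object_r:udev_var_run_t tclass=file
type=1400 audit(1349267374.297:375): avc:  denied  { open } for  pid=562 comm="lvcreate" path="/run/udev/queue.bin" dev="tmpfs" ino=391271 ipaddr=194.29.25.170 scontext=staff_u:sysadm_r:lvm_t tcontext=system_u:object_r:udev_var_run_t tclass=file
type=1400 audit(1349267374.297:376): avc:  denied  { getattr } for  pid=562 comm="lvcreate" path="/run/udev/queue.bin" dev="tmpfs" ino=391271 ipaddr=194.29.25.170 scontext=staff_u:sysadm_r:lvm_t tcontext=system_u:object_r:udev_var_run_t tclass=file
type=1400 audit(1349267374.780:379): avc:  denied  { read } for  pid=567 comm="dmsetup" name="queue.bin" dev="tmpfs" ino=391299 scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:udev_var_run_t tclass=file
type=1400 audit(1349267374.780:380): avc:  denied  { open } for  pid=567 comm="dmsetup" path="/run/udev/queue.bin" dev="tmpfs" ino=391299 scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:udev_var_run_t tclass=file
type=1400 audit(1349267374.780:381): avc:  denied  { getattr } for  pid=567 comm="dmsetup" path="/run/udev/queue.bin" dev="tmpfs" ino=391299 scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:udev_var_run_t tclass=file
"""

# One AVC record: permissions in braces, then source/target context and object class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
)

def ctx_type(ctx):
    """user:role:type[:level] -> type; the type is what policy rules key on."""
    return ctx.split(":")[2]

def summarize(log):
    """Group denials by (source type, target type, class) -> sorted permission list."""
    needed = defaultdict(set)
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if m:
            needed[(ctx_type(m["scon"]), ctx_type(m["tcon"]), m["tclass"])].update(m["perms"].split())
    return {k: sorted(v) for k, v in needed.items()}

def only_seen_permissive(enforcing_log, permissive_log):
    """Permissions the enforcing run never logged: the first denied read aborts
    lvcreate, so the open/getattr it also needs only show up once permissive."""
    enf = summarize(enforcing_log)
    diff = {k: sorted(set(v) - set(enf.get(k, ()))) for k, v in summarize(permissive_log).items()}
    return {k: v for k, v in diff.items() if v}

def as_allow_rules(summary):
    """Render as allow rules (audit2allow style) for review against the policy."""
    return [f"allow {s} {t}:{c} {{ {' '.join(p)} }};" for (s, t, c), p in sorted(summary.items())]
```

Note that both lvcreate (staff_u:sysadm_r:lvm_t) and dmsetup (system_u:system_r:lvm_t) collapse onto the same lvm_t rule, which is the level a policy fix is written at.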
Comment 1 Sven Vermeulen (RETIRED) gentoo-dev 2012-11-12 22:01:03 UTC
committed to the repo (live ebuilds) and will be part of r7
Comment 2 Sven Vermeulen (RETIRED) gentoo-dev 2012-11-14 21:10:11 UTC
r7 is now in hardened-dev
Comment 3 Sven Vermeulen (RETIRED) gentoo-dev 2012-11-18 15:26:08 UTC
In main tree, ~arch'ed
Comment 4 Sven Vermeulen (RETIRED) gentoo-dev 2012-12-13 10:10:03 UTC
r8 is now stable