Bug 542110 - Innocent domains trying to search cgroups location (/sys/fs/cgroups)
Status: CONFIRMED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: SELinux
Hardware: All Linux
Importance: Normal normal
Assignee: SE Linux Bugs
Reported: 2015-03-04 15:23 UTC by Sven Vermeulen (RETIRED)
Modified: 2015-03-04 15:23 UTC

Description Sven Vermeulen (RETIRED) gentoo-dev 2015-03-04 15:23:18 UTC
Copy from bug #535992:

Jan  8 01:37:29 testbed kernel: [28549.837071] audit: type=1400 audit(1420702649.391:1264): avc:  denied  { search } for  pid=10336 comm="lvcreate" name="/" dev="tmpfs" ino=5425 ipaddr=173.173.113.156 scontext=root:sysadm_r:lvm_t tcontext=system_u:object_r:cgroup_t tclass=dir permissive=1

There is no direct reason why LVM utilities would search through the cgroup location (the node that the denial mentions is /sys/fs/cgroup). A grep through the LVM2 sources does not talk about cgroups.

This might be glibc related, but the glibc code does not often talk about cgroups and it is not clear to me when or why it would occur.

Reproducible: Always
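
A triage aid for this kind of report, added here as an example (not code from the bug or from Gentoo's policy tooling): it parses AVC denial lines and lists which source domains were denied `search` on `cgroup_t` directories, along with whether the denial was actually enforced. The first sample line is the denial quoted above; the other two lines, `example_t` and `exampled` are constructed for illustration.

```python
import re
from collections import defaultdict

# Line 1 is the denial quoted in this report; lines 2 and 3 are constructed samples.
SAMPLE_LOG = """\
Jan  8 01:37:29 testbed kernel: [28549.837071] audit: type=1400 audit(1420702649.391:1264): avc:  denied  { search } for  pid=10336 comm="lvcreate" name="/" dev="tmpfs" ino=5425 ipaddr=173.173.113.156 scontext=root:sysadm_r:lvm_t tcontext=system_u:object_r:cgroup_t tclass=dir permissive=1
Jan  8 01:40:02 testbed kernel: [28702.100000] audit: type=1400 audit(1420702802.000:1270): avc:  denied  { search } for  pid=10400 comm="exampled" name="/" dev="tmpfs" ino=5425 scontext=system_u:system_r:example_t tcontext=system_u:object_r:cgroup_t tclass=dir permissive=0
Jan  8 01:41:10 testbed kernel: [28770.200000] audit: type=1400 audit(1420702870.000:1275): avc:  denied  { read } for  pid=10410 comm="exampled" name="passwd" dev="sda1" ino=99 scontext=system_u:system_r:example_t tcontext=system_u:object_r:etc_t tclass=file permissive=0
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of AVC fields, or None if the line is not a usable denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    if not {"scontext", "tcontext", "tclass"} <= rec.keys():
        return None
    rec["perms"] = m.group("perms").split()
    # An SELinux context is user:role:type[:mls]; the type is the third field.
    rec["source_type"] = rec["scontext"].split(":")[2]
    rec["target_type"] = rec["tcontext"].split(":")[2]
    # permissive=1 means the access was logged but allowed; a missing
    # field (older kernels) is treated as enforced here.
    rec["enforced"] = rec.get("permissive") != "1"
    return rec


def domains_hitting(log_text, target_type="cgroup_t", tclass="dir", perm="search"):
    """Map each source domain to the sorted (comm, enforced) pairs seen for it."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if (rec and rec["target_type"] == target_type
                and rec["tclass"] == tclass and perm in rec["perms"]):
            hits[rec["source_type"]].add((rec.get("comm", "?"), rec["enforced"]))
    return {dom: sorted(pairs) for dom, pairs in hits.items()}


if __name__ == "__main__":
    for dom, pairs in sorted(domains_hitting(SAMPLE_LOG).items()):
        for comm, enforced in pairs:
            print(f"{dom}: comm={comm} enforced={enforced}")
```
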