When starting Gentoo Hardened/SELinux, the LVM service fails to start. I didn't capture the output on the screen (only have daemon.log and audit.log), but the important audit.log entry here is:

type=AVC msg=audit(1491933674.154:178): avc: denied { open } for pid=1898 comm="lvm" path="pipe:[525]" dev="pipefs" ino=525 scontext=system_u:system_r:lvm_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=fifo_file permissive=0

The following SELinux policy rule fixes this:

allow lvm_t initrc_t:fifo_file read_fifo_file_perms;

Need to figure out where to add it back to the policy. Without it, the LVM init script (which runs in the initrc_t domain) quits before effectively executing the necessary lvm logic.
Hi, I have the same issue. With SELinux enforcing, all the volumes (except root, because it is activated by initramfs/dracut) are not activated. Is there any progress with the policy update?

[Fri Feb 2 09:51:12 2018] audit: type=1400 audit(1517554271.036:1204): avc: denied { open } for pid=7269 comm="lvm" path="pipe:[42300]" dev="pipefs" ino=42300 scontext=system_u:system_r:lvm_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=fifo_file permissive=0
[Fri Feb 2 09:53:04 2018] audit: type=1400 audit(1517554382.781:1213): avc: denied { open } for pid=7412 comm="lvm" path="pipe:[39305]" dev="pipefs" ino=39305 scontext=system_u:system_r:lvm_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=fifo_file permissive=0
[Fri Feb 2 09:53:33 2018] audit: type=1400 audit(1517554411.723:1218): avc: denied { open } for pid=7729 comm="lvm" path="pipe:[41362]" dev="pipefs" ino=41362 scontext=system_u:system_r:lvm_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=fifo_file permissive=0

+ ebegin 'Setting up the Logical Volume Manager'
 * Setting up the Logical Volume Manager ...
+ lvm_commands='#! /sbin/lvm --config '\''global { locking_dir = "/run/lock/lvm" }'\''\n'
+ lvm_commands='#! /sbin/lvm --config '\''global { locking_dir = "/run/lock/lvm" }'\''\npvscan\n'
+ lvm_commands='#! /sbin/lvm --config '\''global { locking_dir = "/run/lock/lvm" }'\''\npvscan\nvgscan --mknodes\n'
+ lvm_commands='#! /sbin/lvm --config '\''global { locking_dir = "/run/lock/lvm" }'\''\npvscan\nvgscan --mknodes\nvgchange --sysinit -a ly\n'
+ printf '%b\n' '#! /sbin/lvm --config '\''global { locking_dir = "/run/lock/lvm" }'\''\npvscan\nvgscan --mknodes\nvgchange --sysinit -a ly\n'
+ /sbin/lvm /proc/self/fd/0 --config 'global { locking_dir = "/run/lock/lvm" }'
File descriptor 10 (/dev/pts/1) leaked on lvm invocation. Parent PID 7701: /bin/sh
No such command. Try 'help'.
+ eend 2 'Failed to setup the LVM'
 * Failed to setup the LVM [ !! ]
+ exit 2
 * ERROR: lvm failed to start
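The trace above shows why a bare `open` shows up on an inherited pipe: the init script feeds its command list to `/sbin/lvm /proc/self/fd/0`, so lvm re-opens its own stdin through /proc, which is an `open` check on the initrc_t fifo_file rather than a read on an already-open descriptor. The following script, added here as an illustration and not part of the bug report or of the hardened-refpolicy commit, does what a practitioner would otherwise do by hand with audit2allow: it parses the AVC lines quoted in the report and in the comment above (embedded as constructed sample input, both in audit.log and in dmesg form), groups identical denials, and renders a local refpolicy module. Unlike audit2allow it widens a lone `open` on a fifo_file to `read_fifo_file_perms`, as the fix in this bug does, because lvm reads the pipe right after opening it. The module name `lvm_local`, the `READ_FIFO_FILE_PERMS` set (taken from refpolicy's obj_perm_sets.spt) and the widening rule are this example's assumptions; the interface the actual commit added to init.if is not named on this page, so the rule is emitted raw.

```python
"""Mini audit2allow for the AVC denials quoted in bug 615300 (added example).

Parses SELinux AVC denial lines in both the audit.log form
(``type=AVC msg=audit(...)``) and the kernel-log form
(``audit: type=1400 audit(...)``), groups them by
(source type, target type, class) and emits refpolicy-style allow
rules, widening a bare ``open`` on a fifo_file to ``read_fifo_file_perms``.
"""
import re
from collections import OrderedDict

# Constructed sample input: denial lines quoted in the bug, one in audit.log
# format and two from the kernel log. All three are the same denial, so they
# must collapse into a single rule.
SAMPLE_LOG = """\
type=AVC msg=audit(1491933674.154:178): avc: denied { open } for pid=1898 comm="lvm" path="pipe:[525]" dev="pipefs" ino=525 scontext=system_u:system_r:lvm_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=fifo_file permissive=0
[Fri Feb 2 09:51:12 2018] audit: type=1400 audit(1517554271.036:1204): avc: denied { open } for pid=7269 comm="lvm" path="pipe:[42300]" dev="pipefs" ino=42300 scontext=system_u:system_r:lvm_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=fifo_file permissive=0
[Fri Feb 2 09:53:04 2018] audit: type=1400 audit(1517554382.781:1213): avc: denied { open } for pid=7412 comm="lvm" path="pipe:[39305]" dev="pipefs" ino=39305 scontext=system_u:system_r:lvm_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=fifo_file permissive=0
"""

# Matches the fields we need regardless of the log prefix in front of "avc:".
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+)"
    r".*?\btcontext=(?P<tcontext>\S+)"
    r".*?\btclass=(?P<tclass>\S+)"
)

# refpolicy's read_fifo_file_perms macro (obj_perm_sets.spt). A denial whose
# perms are a subset of this set is rendered with the macro instead of the raw
# permission list (assumption of this example, mirroring the fix in the bug).
READ_FIFO_FILE_PERMS = {"getattr", "open", "read", "lock", "ioctl"}


def context_type(ctx):
    """Return the type field of a user:role:type[:mls] security context."""
    fields = ctx.split(":")
    if len(fields) < 3:
        raise ValueError("not a security context: %r" % ctx)
    return fields[2]


def parse_avc_denials(text):
    """Group AVC denials by (source type, target type, class) -> set of perms."""
    denials = OrderedDict()
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial line
        key = (context_type(m.group("scontext")),
               context_type(m.group("tcontext")),
               m.group("tclass"))
        denials.setdefault(key, set()).update(m.group("perms").split())
    return denials


def allow_rule(src, tgt, tclass, perms, widen=True):
    """Render one allow rule, using read_fifo_file_perms where it applies."""
    if widen and tclass == "fifo_file" and perms <= READ_FIFO_FILE_PERMS:
        return "allow %s %s:%s read_fifo_file_perms;" % (src, tgt, tclass)
    return "allow %s %s:%s { %s };" % (src, tgt, tclass, " ".join(sorted(perms)))


def policy_module(denials, name="lvm_local"):
    """Build the text of a local refpolicy module (.te) from grouped denials."""
    types = sorted({t for src, tgt, _ in denials for t in (src, tgt)})
    lines = ["policy_module(%s, 1.0)" % name, "", "gen_require(`"]
    lines += ["\ttype %s;" % t for t in types]
    lines += ["')", ""]
    lines += [allow_rule(src, tgt, cls, perms)
              for (src, tgt, cls), perms in denials.items()]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(policy_module(parse_avc_denials(SAMPLE_LOG)), end="")
```

The generated .te is built against the refpolicy headers (on Gentoo, the Makefile under /usr/share/selinux/&lt;type&gt;/include/) and loaded with semodule -i; it is a stop-gap until the policy package carrying the upstream fix is installed, and should be removed afterwards so the local module does not mask future changes to lvm_t.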
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d47c34f5d993c54990c4a9504950b880dcc3145d

commit d47c34f5d993c54990c4a9504950b880dcc3145d
Author: Jason Zaman <jason@perfinion.com>
AuthorDate: 2018-06-07 10:38:57 +0000
Commit: Jason Zaman <jason@perfinion.com>
CommitDate: 2018-06-08 11:10:51 +0000

    lvm: allow reading initrc pipes

    Bug: https://bugs.gentoo.org/615300

 policy/modules/system/init.if | 18 ++++++++++++++++++
 policy/modules/system/lvm.te  |  5 ++++-
 2 files changed, 22 insertions(+), 1 deletion(-)
in 2.20180114-r3