Summary: | lvm init script fails with SELinux - error: LVM failed to start | | |
---|---|---|---|
Product: | Gentoo Linux | Reporter: | Sven Vermeulen (RETIRED) <swift> |
Component: | SELinux | Assignee: | Sven Vermeulen (RETIRED) <swift> |
Status: | RESOLVED FIXED | | |
Severity: | normal | CC: | selinux |
Priority: | Normal | | |
Version: | unspecified | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | | | |
Package list: | | Runtime testing required: | --- |
Description
Sven Vermeulen (RETIRED)
Hi, I have the same issue. With SELinux enforcing, all the volumes (except root, because it is activated by initramfs/dracut) are not activated. Is there any progress with the policy update?

```
[Fri Feb 2 09:51:12 2018] audit: type=1400 audit(1517554271.036:1204): avc: denied { open } for pid=7269 comm="lvm" path="pipe:[42300]" dev="pipefs" ino=42300 scontext=system_u:system_r:lvm_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=fifo_file permissive=0
[Fri Feb 2 09:53:04 2018] audit: type=1400 audit(1517554382.781:1213): avc: denied { open } for pid=7412 comm="lvm" path="pipe:[39305]" dev="pipefs" ino=39305 scontext=system_u:system_r:lvm_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=fifo_file permissive=0
[Fri Feb 2 09:53:33 2018] audit: type=1400 audit(1517554411.723:1218): avc: denied { open } for pid=7729 comm="lvm" path="pipe:[41362]" dev="pipefs" ino=41362 scontext=system_u:system_r:lvm_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=fifo_file permissive=0
```

```
+ ebegin 'Setting up the Logical Volume Manager'
 * Setting up the Logical Volume Manager ...
+ lvm_commands='#! /sbin/lvm --config '\''global { locking_dir = "/run/lock/lvm" }'\''\n'
+ lvm_commands='#! /sbin/lvm --config '\''global { locking_dir = "/run/lock/lvm" }'\''\npvscan\n'
+ lvm_commands='#! /sbin/lvm --config '\''global { locking_dir = "/run/lock/lvm" }'\''\npvscan\nvgscan --mknodes\n'
+ lvm_commands='#! /sbin/lvm --config '\''global { locking_dir = "/run/lock/lvm" }'\''\npvscan\nvgscan --mknodes\nvgchange --sysinit -a ly\n'
+ printf '%b\n' '#! /sbin/lvm --config '\''global { locking_dir = "/run/lock/lvm" }'\''\npvscan\nvgscan --mknodes\nvgchange --sysinit -a ly\n'
+ /sbin/lvm /proc/self/fd/0 --config 'global { locking_dir = "/run/lock/lvm" }'
File descriptor 10 (/dev/pts/1) leaked on lvm invocation. Parent PID 7701: /bin/sh
No such command. Try 'help'.
+ eend 2 'Failed to setup the LVM'
 * Failed to setup the LVM [ !! ]
+ exit 2
 * ERROR: lvm failed to start
```

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d47c34f5d993c54990c4a9504950b880dcc3145d

```
commit d47c34f5d993c54990c4a9504950b880dcc3145d
Author:     Jason Zaman <jason@perfinion.com>
AuthorDate: 2018-06-07 10:38:57 +0000
Commit:     Jason Zaman <jason@perfinion.com>
CommitDate: 2018-06-08 11:10:51 +0000

    lvm: allow reading initrc pipes

    Bug: https://bugs.gentoo.org/615300

 policy/modules/system/init.if | 18 ++++++++++++++++++
 policy/modules/system/lvm.te  |  5 ++++-
 2 files changed, 22 insertions(+), 1 deletion(-)
```

in 2.20180114-r3
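
A triage aid for the AVC denials quoted in this report, as an added example that is not part of the bug report or of the hardened-refpolicy project: it groups the denials by source type, target type and object class, and renders the raw type-enforcement rule each group implies so it can be reviewed against the policy. The function names are made up for this example; the log lines are copied from the comment above.

```python
import re
from collections import defaultdict

# AVC denial lines copied from the comment in this report (dmesg format).
SAMPLE = """\
[Fri Feb 2 09:51:12 2018] audit: type=1400 audit(1517554271.036:1204): avc: denied { open } for pid=7269 comm="lvm" path="pipe:[42300]" dev="pipefs" ino=42300 scontext=system_u:system_r:lvm_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=fifo_file permissive=0
[Fri Feb 2 09:53:04 2018] audit: type=1400 audit(1517554382.781:1213): avc: denied { open } for pid=7412 comm="lvm" path="pipe:[39305]" dev="pipefs" ino=39305 scontext=system_u:system_r:lvm_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=fifo_file permissive=0
[Fri Feb 2 09:53:33 2018] audit: type=1400 audit(1517554411.723:1218): avc: denied { open } for pid=7729 comm="lvm" path="pipe:[41362]" dev="pipefs" ino=41362 scontext=system_u:system_r:lvm_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=fifo_file permissive=0
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"

def parse_avc(line):
    """Return a dict for one AVC denial line, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    return rec

def context_type(context):
    """Extract the type field from an SELinux context user:role:type[:level]."""
    return context.split(":")[2]

def summarize(text):
    """Group denials by (source type, target type, class) and merge permissions."""
    groups = defaultdict(lambda: {"perms": set(), "count": 0, "enforced": 0})
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue  # shell trace, blank lines, other kernel messages
        key = (context_type(rec["scontext"]), context_type(rec["tcontext"]), rec["tclass"])
        groups[key]["perms"].update(rec["perms"])
        groups[key]["count"] += 1
        # permissive=0 means the access was actually blocked, not just logged
        groups[key]["enforced"] += int(rec.get("permissive") == "0")
    return dict(groups)

def implied_rules(groups):
    """Raw allow rule per group, for review only (not the content of the commit)."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(g['perms']))} }};"
            for (s, t, c), g in sorted(groups.items())]

if __name__ == "__main__":
    for rule in implied_rules(summarize(SAMPLE)):
        print(rule)
```

All three denials collapse into one group, `lvm_t` opening an `initrc_t` `fifo_file`, which matches the subject line of the referenced commit; the commit's actual policy text is not shown on this page.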