On Wed, 2009-05-27 at 18:33 -0500, Nickolas Gray wrote:
> I am trying to run the "lvconvert" command in enforcing and cannot
> determine how to do it.
>
> I am using the domain type lvm_t and running lvconvert inside a bash
> script. The command works in permissive but fails in enforcing.
>
> with the following audit trail.
>
> ----
> node=develop.local.austin.rr.com type=PATH msg=audit(05/27/2009
> 10:31:40.907:208246) : item=0 name=/dev/vg00/root inode=813052
> dev=00:0f mode=link,777 ouid=root ogid=siterep rdev=00:00
> obj=siterep_u:object_r:device_t:s15:c0.c1023
> node=develop.local.austin.rr.com type=CWD msg=audit(05/27/2009
> 10:31:40.907:208246) : cwd=/home/siterep1
> node=develop.local.austin.rr.com type=SYSCALL msg=audit(05/27/2009
> 10:31:40.907:208246) : arch=x86_64 syscall=lsetxattr success=yes
> exit=0 a0=7fffd2b27a20 a1=7f97ca9034b9 a2=7f97c9ad16c0 a3=1e items=1
> ppid=9777 pid=9820 auid=siterep1 uid=root gid=siterep euid=root
> suid=root fsuid=root egid=siterep sgid=siterep fsgid=siterep tty=pts7
> ses=1 comm=lvconvert exe=/sbin/lvm
> subj=siterep_u:siterep_r:lvm_t:s15:c0.c1023 key=(null)
> node=develop.local.austin.rr.com type=SELINUX_ERR msg=audit(05/27/2009
> 10:31:40.907:208246) : security_validate_transition: denied for
> oldcontext=siterep_u:object_r:device_t:s15:c0.c1023
> newcontext=system_u:object_r:device_t:s0
> taskcontext=siterep_u:siterep_r:lvm_t:s15:c0.c1023 tclass=lnk_file

You are violating a MLS validatetrans constraint (in policy/mls) that
restricts the ability to relabel a file to a different level unless the
calling domain has the appropriate type attribute. In this case, you are
downgrading the device from s15:c0.c1023 (systemhigh) to s0 (systemlow).
If you want lvm to be able to do that, you'd have to give it
mlsfiledowngrade, i.e.

$ cat lvmmls.te
policy_module(lvmmls, 1.0)

require {
	type lvm_t;
}

mls_file_downgrade(lvm_t)
$ make -f /usr/share/selinux/devel/Makefile lvmmls.pp
$ sudo semodule -i lvmmls.pp

> ----
> node=develop.local.austin.rr.com type=PATH msg=audit(05/27/2009
> 10:31:40.908:208247) : item=0 name=/dev/vg00/snap inode=813108
> dev=00:0f mode=link,777 ouid=root ogid=siterep rdev=00:00
> obj=siterep_u:object_r:device_t:s15:c0.c1023
> node=develop.local.austin.rr.com type=CWD msg=audit(05/27/2009
> 10:31:40.908:208247) : cwd=/home/siterep1
> node=develop.local.austin.rr.com type=SYSCALL msg=audit(05/27/2009
> 10:31:40.908:208247) : arch=x86_64 syscall=lsetxattr success=yes
> exit=0 a0=7fffd2b27a20 a1=7f97ca9034b9 a2=7f97c9acc480 a3=1e items=1
> ppid=9777 pid=9820 auid=siterep1 uid=root gid=siterep euid=root
> suid=root fsuid=root egid=siterep sgid=siterep fsgid=siterep tty=pts7
> ses=1 comm=lvconvert exe=/sbin/lvm
> subj=siterep_u:siterep_r:lvm_t:s15:c0.c1023 key=(null)
> node=develop.local.austin.rr.com type=SELINUX_ERR msg=audit(05/27/2009
> 10:31:40.908:208247) : security_validate_transition: denied for
> oldcontext=siterep_u:object_r:device_t:s15:c0.c1023
> newcontext=system_u:object_r:device_t:s0
> taskcontext=siterep_u:siterep_r:lvm_t:s15:c0.c1023 tclass=lnk_file
> ----
> node=develop.local.austin.rr.com type=PATH msg=audit(05/27/2009
> 10:31:40.983:208258) : item=0 name=/dev/vg00/root inode=813142
> dev=00:0f mode=link,777 ouid=root ogid=siterep rdev=00:00
> obj=siterep_u:object_r:device_t:s15:c0.c1023
> node=develop.local.austin.rr.com type=CWD msg=audit(05/27/2009
> 10:31:40.983:208258) : cwd=/home/siterep1
> node=develop.local.austin.rr.com type=SYSCALL msg=audit(05/27/2009
> 10:31:40.983:208258) : arch=x86_64 syscall=lsetxattr success=yes
> exit=0 a0=7fffd2b27b30 a1=7f97ca9034b9 a2=7f97c4556b10 a3=1e items=1
> ppid=9777 pid=9820 auid=siterep1 uid=root gid=siterep euid=root
> suid=root fsuid=root egid=siterep sgid=siterep fsgid=siterep tty=pts7
> ses=1 comm=lvconvert exe=/sbin/lvm
> subj=siterep_u:siterep_r:lvm_t:s15:c0.c1023 key=(null)
> node=develop.local.austin.rr.com type=SELINUX_ERR msg=audit(05/27/2009
> 10:31:40.983:208258) : security_validate_transition: denied for
> oldcontext=siterep_u:object_r:device_t:s15:c0.c1023
> newcontext=system_u:object_r:device_t:s0
> taskcontext=siterep_u:siterep_r:lvm_t:s15:c0.c1023 tclass=lnk_file
> ----
> node=develop.local.austin.rr.com type=PATH msg=audit(05/27/2009
> 10:31:40.984:208260) : item=0 name=/dev/vg00/snap inode=813145
> dev=00:0f mode=link,777 ouid=root ogid=siterep rdev=00:00
> obj=siterep_u:object_r:device_t:s15:c0.c1023
> node=develop.local.austin.rr.com type=CWD msg=audit(05/27/2009
> 10:31:40.984:208260) : cwd=/home/siterep1
> node=develop.local.austin.rr.com type=SYSCALL msg=audit(05/27/2009
> 10:31:40.984:208260) : arch=x86_64 syscall=lsetxattr success=yes
> exit=0 a0=7fffd2b27b30 a1=7f97ca9034b9 a2=7f97c455dc90 a3=1e items=1
> ppid=9777 pid=9820 auid=siterep1 uid=root gid=siterep euid=root
> suid=root fsuid=root egid=siterep sgid=siterep fsgid=siterep tty=pts7
> ses=1 comm=lvconvert exe=/sbin/lvm
> subj=siterep_u:siterep_r:lvm_t:s15:c0.c1023 key=(null)
> node=develop.local.austin.rr.com type=SELINUX_ERR msg=audit(05/27/2009
> 10:31:40.984:208260) : security_validate_transition: denied for
> oldcontext=siterep_u:object_r:device_t:s15:c0.c1023
> newcontext=system_u:object_r:device_t:s0
> taskcontext=siterep_u:siterep_r:lvm_t:s15:c0.c1023 tclass=lnk_file
> ----
>
> There are no AVCs associated with the error and I am using the
> following policy statements ( where jcdx_fsbackup_t is the domain type
> of the entire script)
>
> lvm_domtrans(jcdx_fsbackup_t)
> mls_file_write_all_levels(lvm_t)
> allow lvm_t lvm_control_t:chr_file write;
> allow lvm_t lvm_lock_t:dir { write remove_name add_name };
> allow lvm_t lvm_metadata_t:dir { write remove_name add_name };
>
> At this point the script is
>
> ----------
> #!/bin/bash
>
> /sbin/lvconvert -s vg00/root snap
> ----------
>
> The policy is selinux-policy-3.5.13-57.fc10,
>
> A push in the right direction would be appreciated.
>
> --
>
> "THIS time it really is fixed. I mean, how many times can we get it
> wrong? At some point, we just have to run out of bad ideas.."
>
> Linus Torvalds
>
> Nickolas Gray
> nick@xxxxxxxxxxx
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

--
Stephen Smalley
National Security Agency
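Added example, not from the thread and not part of refpolicy or the audit tooling: a small triage script that reads records in the interpreted `ausearch -i` format shown above, groups them by audit serial, and for each `security_validate_transition` denial works out whether the relabel is an MLS downgrade, upgrade, or a move to an incomparable level, then names the refpolicy interface a local module would need to grant to the task's domain (`mls_file_downgrade`, as in Stephen's reply, or its counterpart `mls_file_upgrade`). The first event is the one from the post re-joined onto one line per record; the second event, on the host `example.invalid`, is constructed so the upgrade branch is exercised.

```python
import re
from collections import defaultdict

# Constructed sample input: the first event from the post, one line per
# record as ausearch -i prints it, plus an invented event (host
# example.invalid) that relabels s0 -> s15:c0.c1023, i.e. the other direction.
SAMPLE_AUDIT = """\
node=develop.local.austin.rr.com type=PATH msg=audit(05/27/2009 10:31:40.907:208246) : item=0 name=/dev/vg00/root inode=813052 dev=00:0f mode=link,777 ouid=root ogid=siterep rdev=00:00 obj=siterep_u:object_r:device_t:s15:c0.c1023
node=develop.local.austin.rr.com type=SELINUX_ERR msg=audit(05/27/2009 10:31:40.907:208246) : security_validate_transition: denied for oldcontext=siterep_u:object_r:device_t:s15:c0.c1023 newcontext=system_u:object_r:device_t:s0 taskcontext=siterep_u:siterep_r:lvm_t:s15:c0.c1023 tclass=lnk_file
node=example.invalid type=SELINUX_ERR msg=audit(05/27/2009 10:32:00.000:208300) : security_validate_transition: denied for oldcontext=system_u:object_r:device_t:s0 newcontext=system_u:object_r:device_t:s15:c0.c1023 taskcontext=system_u:system_r:lvm_t:s15:c0.c1023 tclass=lnk_file
"""

KV_RE = re.compile(r"(\w+)=(\S+)")                      # key=value pairs
SERIAL_RE = re.compile(r"msg=audit\(([^)]+):(\d+)\)")   # (timestamp, serial)

# refpolicy mls.if interface that relaxes the validatetrans constraint for
# each direction of level change (both are needed for an incomparable move).
INTERFACE_FOR = {
    "downgrade": ["mls_file_downgrade"],
    "upgrade": ["mls_file_upgrade"],
    "incomparable": ["mls_file_downgrade", "mls_file_upgrade"],
    "same": [],
}


def parse_level(level):
    """'s15:c0.c1023' -> (15, frozenset(range(1024))); 's0' -> (0, frozenset()).
    A 'low-high' range is reduced to its low level; file labels carry one level."""
    sens, _, cats = level.split("-")[0].partition(":")
    categories = set()
    for part in filter(None, cats.split(",")):
        if "." in part:                       # 'c0.c1023' is an inclusive run
            lo, hi = part.split(".")
            categories.update(range(int(lo[1:]), int(hi[1:]) + 1))
        else:
            categories.add(int(part[1:]))
    return int(sens[1:]), frozenset(categories)


def parse_context(ctx):
    """'user:role:type:level' -> dict; only the first three ':' separate fields."""
    user, role, typ, level = ctx.split(":", 3)
    return {"user": user, "role": role, "type": typ, "level": parse_level(level)}


def dominates(a, b):
    """MLS dominance: sensitivity at least as high and a superset of categories."""
    return a[0] >= b[0] and a[1] >= b[1]


def classify(old, new):
    if old == new:
        return "same"
    if dominates(old, new):
        return "downgrade"
    if dominates(new, old):
        return "upgrade"
    return "incomparable"


def parse_records(text):
    """Group records by audit serial; keep the PATH name and SELINUX_ERR contexts."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = SERIAL_RE.search(line)
        if not m:
            continue
        ev = events[int(m.group(2))]
        ev.setdefault("timestamp", m.group(1))
        fields = dict(KV_RE.findall(line))
        if fields.get("type") == "PATH":
            ev["name"] = fields.get("name")
        elif fields.get("type") == "SELINUX_ERR" and "oldcontext" in fields:
            ev.update(old=fields["oldcontext"], new=fields["newcontext"],
                      task=fields["taskcontext"], tclass=fields.get("tclass"))
    return events


def triage(text):
    """One finding per validatetrans denial: what moved where, by which domain,
    and which interface a local policy module would have to grant."""
    findings = []
    for serial, ev in sorted(parse_records(text).items()):
        if "old" not in ev:
            continue
        old, new, task = (parse_context(ev[k]) for k in ("old", "new", "task"))
        change = classify(old["level"], new["level"])
        findings.append({
            "serial": serial, "timestamp": ev["timestamp"], "path": ev.get("name"),
            "domain": task["type"], "tclass": ev["tclass"], "change": change,
            "interfaces": [f"{i}({task['type']})" for i in INTERFACE_FOR[change]],
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_AUDIT):
        print(f"{f['serial']} {f['domain']} {f['change']} {f['path']} "
              f"-> {', '.join(f['interfaces']) or 'no policy change'}")
```

The point of classifying the direction is that a `SELINUX_ERR` record carries no AVC and so `audit2allow` has nothing to offer; the fix is a type attribute from the MLS module, and granting only the direction actually seen (here a downgrade of `/dev/vg00/root` by `lvm_t`) keeps the exception as narrow as the constraint allows.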