Re: lvconvert does not work in enforcing, no AVC, instead I get SELINUX_ERR

Dominick, Stephan,

Thanks for the input. Let me digest this and I may have more questions.


On May 28, 2009, at 7:19 AM, Dominick Grift wrote:

On Wed, 2009-05-27 at 18:33 -0500, Nickolas Gray wrote:
I am trying to run the "lvconvert" command in enforcing and cannot
determine how to do it.

I am using the domain type lvm_t and running lvconvert inside a bash
script. The command works in permissive but fails in enforcing,
with the following audit trail.

----
node=develop.local.austin.rr.com type=PATH msg=audit(05/27/2009
10:31:40.907:208246) : item=0 name=/dev/vg00/root inode=813052
dev=00:0f mode=link,777 ouid=root ogid=siterep rdev=00:00
obj=siterep_u:object_r:device_t:s15:c0.c1023
node=develop.local.austin.rr.com type=CWD msg=audit(05/27/2009
10:31:40.907:208246) :  cwd=/home/siterep1
node=develop.local.austin.rr.com type=SYSCALL msg=audit(05/27/2009
10:31:40.907:208246) : arch=x86_64 syscall=lsetxattr success=yes
exit=0 a0=7fffd2b27a20 a1=7f97ca9034b9 a2=7f97c9ad16c0 a3=1e items=1
ppid=9777 pid=9820 auid=siterep1 uid=root gid=siterep euid=root
suid=root fsuid=root egid=siterep sgid=siterep fsgid=siterep tty=pts7
ses=1 comm=lvconvert exe=/sbin/lvm
subj=siterep_u:siterep_r:lvm_t:s15:c0.c1023 key=(null)
node=develop.local.austin.rr.com type=SELINUX_ERR msg=audit(05/27/2009
10:31:40.907:208246) : security_validate_transition:  denied for
oldcontext=siterep_u:object_r:device_t:s15:c0.c1023
newcontext=system_u:object_r:device_t:s0
taskcontext=siterep_u:siterep_r:lvm_t:s15:c0.c1023 tclass=lnk_file
----
node=develop.local.austin.rr.com type=PATH msg=audit(05/27/2009
10:31:40.908:208247) : item=0 name=/dev/vg00/snap inode=813108
dev=00:0f mode=link,777 ouid=root ogid=siterep rdev=00:00
obj=siterep_u:object_r:device_t:s15:c0.c1023
node=develop.local.austin.rr.com type=CWD msg=audit(05/27/2009
10:31:40.908:208247) :  cwd=/home/siterep1
node=develop.local.austin.rr.com type=SYSCALL msg=audit(05/27/2009
10:31:40.908:208247) : arch=x86_64 syscall=lsetxattr success=yes
exit=0 a0=7fffd2b27a20 a1=7f97ca9034b9 a2=7f97c9acc480 a3=1e items=1
ppid=9777 pid=9820 auid=siterep1 uid=root gid=siterep euid=root
suid=root fsuid=root egid=siterep sgid=siterep fsgid=siterep tty=pts7
ses=1 comm=lvconvert exe=/sbin/lvm
subj=siterep_u:siterep_r:lvm_t:s15:c0.c1023 key=(null)
node=develop.local.austin.rr.com type=SELINUX_ERR msg=audit(05/27/2009
10:31:40.908:208247) : security_validate_transition:  denied for
oldcontext=siterep_u:object_r:device_t:s15:c0.c1023
newcontext=system_u:object_r:device_t:s0
taskcontext=siterep_u:siterep_r:lvm_t:s15:c0.c1023 tclass=lnk_file
----
node=develop.local.austin.rr.com type=PATH msg=audit(05/27/2009
10:31:40.983:208258) : item=0 name=/dev/vg00/root inode=813142
dev=00:0f mode=link,777 ouid=root ogid=siterep rdev=00:00
obj=siterep_u:object_r:device_t:s15:c0.c1023
node=develop.local.austin.rr.com type=CWD msg=audit(05/27/2009
10:31:40.983:208258) :  cwd=/home/siterep1
node=develop.local.austin.rr.com type=SYSCALL msg=audit(05/27/2009
10:31:40.983:208258) : arch=x86_64 syscall=lsetxattr success=yes
exit=0 a0=7fffd2b27b30 a1=7f97ca9034b9 a2=7f97c4556b10 a3=1e items=1
ppid=9777 pid=9820 auid=siterep1 uid=root gid=siterep euid=root
suid=root fsuid=root egid=siterep sgid=siterep fsgid=siterep tty=pts7
ses=1 comm=lvconvert exe=/sbin/lvm
subj=siterep_u:siterep_r:lvm_t:s15:c0.c1023 key=(null)
node=develop.local.austin.rr.com type=SELINUX_ERR msg=audit(05/27/2009
10:31:40.983:208258) : security_validate_transition:  denied for
oldcontext=siterep_u:object_r:device_t:s15:c0.c1023
newcontext=system_u:object_r:device_t:s0
taskcontext=siterep_u:siterep_r:lvm_t:s15:c0.c1023 tclass=lnk_file
----
node=develop.local.austin.rr.com type=PATH msg=audit(05/27/2009
10:31:40.984:208260) : item=0 name=/dev/vg00/snap inode=813145
dev=00:0f mode=link,777 ouid=root ogid=siterep rdev=00:00
obj=siterep_u:object_r:device_t:s15:c0.c1023
node=develop.local.austin.rr.com type=CWD msg=audit(05/27/2009
10:31:40.984:208260) :  cwd=/home/siterep1
node=develop.local.austin.rr.com type=SYSCALL msg=audit(05/27/2009
10:31:40.984:208260) : arch=x86_64 syscall=lsetxattr success=yes
exit=0 a0=7fffd2b27b30 a1=7f97ca9034b9 a2=7f97c455dc90 a3=1e items=1
ppid=9777 pid=9820 auid=siterep1 uid=root gid=siterep euid=root
suid=root fsuid=root egid=siterep sgid=siterep fsgid=siterep tty=pts7
ses=1 comm=lvconvert exe=/sbin/lvm
subj=siterep_u:siterep_r:lvm_t:s15:c0.c1023 key=(null)
node=develop.local.austin.rr.com type=SELINUX_ERR msg=audit(05/27/2009
10:31:40.984:208260) : security_validate_transition:  denied for
oldcontext=siterep_u:object_r:device_t:s15:c0.c1023
newcontext=system_u:object_r:device_t:s0
taskcontext=siterep_u:siterep_r:lvm_t:s15:c0.c1023 tclass=lnk_file
----

There are no AVCs associated with the error, and I am using the
following policy statements (where jcdx_fsbackup_t is the domain type
of the entire script):

lvm_domtrans(jcdx_fsbackup_t)
mls_file_write_all_levels(lvm_t)
allow lvm_t lvm_control_t:chr_file write;
allow lvm_t lvm_lock_t:dir { write remove_name add_name };
allow lvm_t lvm_metadata_t:dir { write remove_name add_name };

At this point the script is:

----------
#!/bin/bash

/sbin/lvconvert -s vg00/root snap
----------

The policy is selinux-policy-3.5.13-57.fc10.

A push in the right direction would be appreciated.


You need to add a rule that allows lvm_t to inherit the siterep_r role:

role siterep_r types lvm_t;

--

"THIS time it really is fixed. I mean, how many times can we get it
wrong? At some point, we just have to run out of bad ideas.."

Linus Torvalds



Nickolas Gray
nick@xxxxxxxxxxx





--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list








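Because the denial in this thread is a SELINUX_ERR from security_validate_transition rather than an AVC, audit2allow has nothing to work on and the relevant fields have to be read out of the SELINUX_ERR record itself. The script below is an added example, not code from the thread or from the SELinux project: it groups audit records by serial number, picks out the security_validate_transition events, splits the old, new and task contexts into user/role/type/range, reports which fields the relabel changes and whether an AVC accompanied it, and prints the `role <role> types <type>;` rule Dominick proposed as the candidate fix. The sample records are a constructed rewrap of event 208246 from the thread (one record per line, as ausearch -i emits it) plus a made-up event 208300 with no error; all function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample, not the raw mail: event 208246 from the thread rewrapped
# to one audit record per line, plus a made-up event 208300 that carries no
# SELINUX_ERR so the filter has something to skip.
SAMPLE_AUDIT = """\
node=develop.local.austin.rr.com type=PATH msg=audit(05/27/2009 10:31:40.907:208246) : item=0 name=/dev/vg00/root inode=813052 dev=00:0f mode=link,777 ouid=root ogid=siterep rdev=00:00 obj=siterep_u:object_r:device_t:s15:c0.c1023
node=develop.local.austin.rr.com type=CWD msg=audit(05/27/2009 10:31:40.907:208246) :  cwd=/home/siterep1
node=develop.local.austin.rr.com type=SYSCALL msg=audit(05/27/2009 10:31:40.907:208246) : arch=x86_64 syscall=lsetxattr success=yes exit=0 ppid=9777 pid=9820 auid=siterep1 uid=root comm=lvconvert exe=/sbin/lvm subj=siterep_u:siterep_r:lvm_t:s15:c0.c1023 key=(null)
node=develop.local.austin.rr.com type=SELINUX_ERR msg=audit(05/27/2009 10:31:40.907:208246) : security_validate_transition:  denied for oldcontext=siterep_u:object_r:device_t:s15:c0.c1023 newcontext=system_u:object_r:device_t:s0 taskcontext=siterep_u:siterep_r:lvm_t:s15:c0.c1023 tclass=lnk_file
node=develop.local.austin.rr.com type=SYSCALL msg=audit(05/27/2009 10:31:41.000:208300) : arch=x86_64 syscall=open success=yes exit=3 pid=9820 comm=lvconvert exe=/sbin/lvm subj=siterep_u:siterep_r:lvm_t:s15:c0.c1023 key=(null)
"""

# The serial after the last colon inside audit(...) ties the records of one event together.
AUDIT_MSG_RE = re.compile(r"msg=audit\((?P<stamp>[^)]*):(?P<serial>\d+)\)")
KV_RE = re.compile(r"(\w+)=(\S+)")


def split_context(ctx):
    """Split user:role:type:range; the MLS range itself may contain colons (s15:c0.c1023)."""
    parts = ctx.split(":", 3)
    while len(parts) < 4:
        parts.append("")
    return dict(zip(("user", "role", "type", "range"), parts))


def parse_records(text):
    """Parse one audit record per line into a dict of key=value fields plus its serial."""
    records = []
    for line in text.splitlines():
        m = AUDIT_MSG_RE.search(line)
        if not m:
            continue
        rec = dict(KV_RE.findall(line))
        rec["serial"] = int(m.group("serial"))
        records.append(rec)
    return records


def group_events(records):
    """Map serial -> list of records belonging to that event."""
    events = defaultdict(list)
    for rec in records:
        events[rec["serial"]].append(rec)
    return events


def validate_transition_errors(text):
    """One finding per event that carries a security_validate_transition SELINUX_ERR.

    These are the events audit2allow cannot help with: there is no AVC record,
    the syscall reports success=yes, yet the policy's constraints rejected the relabel.
    """
    findings = []
    for serial, recs in sorted(group_events(parse_records(text)).items()):
        by_type = defaultdict(list)
        for r in recs:
            by_type[r["type"]].append(r)
        for err in by_type.get("SELINUX_ERR", []):
            if "oldcontext" not in err or "newcontext" not in err:
                continue
            syscall = by_type.get("SYSCALL", [{}])[0]
            findings.append({
                "serial": serial,
                "has_avc": bool(by_type.get("AVC")),
                "comm": syscall.get("comm"),
                "exe": syscall.get("exe"),
                "syscall": syscall.get("syscall"),
                "tclass": err.get("tclass"),
                "old": split_context(err["oldcontext"]),
                "new": split_context(err["newcontext"]),
                "task": split_context(err.get("taskcontext", "")),
                "paths": [p.get("name") for p in by_type.get("PATH", [])],
            })
    return findings


def changed_fields(finding):
    """Which of user/role/type/range the relabel actually changes."""
    return [f for f in ("user", "role", "type", "range")
            if finding["old"][f] != finding["new"][f]]


def suggested_role_rule(finding):
    """The rule Dominick proposed in the thread, derived from the task context."""
    task = finding["task"]
    return f"role {task['role']} types {task['type']};"


def diagnose(finding):
    """Human-readable summary of one validate_transition denial."""
    return "\n".join([
        f"event {finding['serial']}: {finding['comm']} ({finding['exe']}) via {finding['syscall']} "
        f"relabelled {finding['tclass']} {', '.join(finding['paths'])}",
        f"  fields changed by the relabel: {', '.join(changed_fields(finding))}",
        f"  AVC record present: {finding['has_avc']}",
        f"  domain {finding['task']['type']} running in role {finding['task']['role']}",
        f"  candidate rule: {suggested_role_rule(finding)}",
    ])


if __name__ == "__main__":
    for finding in validate_transition_errors(SAMPLE_AUDIT):
        print(diagnose(finding))
```

Feed it the output of `ausearch -i` (one record per line; the thread's copy was rewrapped by the mail client) in place of SAMPLE_AUDIT. For event 208246 it reports that only the user and the MLS range change (siterep_u to system_u, s15:c0.c1023 to s0) while role and type stay object_r:device_t, that no AVC accompanied the error, and it prints `role siterep_r types lvm_t;` as the candidate rule. The script only restates what the record says; which constraint actually rejected the transition is still for the policy writer to confirm against the loaded policy.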
