I am trying to run the "lvconvert" command in enforcing and cannot determine how to do it.
I am using the domain type lvm_t and running lvconvert inside a bash script. The command works in permissive but fails in enforcing, with the following audit trail.
----
node=develop.local.austin.rr.com type=PATH msg=audit(05/27/2009 10:31:40.907:208246) : item=0 name=/dev/vg00/root inode=813052 dev=00:0f mode=link,777 ouid=root ogid=siterep rdev=00:00 obj=siterep_u:object_r:device_t:s15:c0.c1023
node=develop.local.austin.rr.com type=CWD msg=audit(05/27/2009 10:31:40.907:208246) : cwd=/home/siterep1
node=develop.local.austin.rr.com type=SYSCALL msg=audit(05/27/2009 10:31:40.907:208246) : arch=x86_64 syscall=lsetxattr success=yes exit=0 a0=7fffd2b27a20 a1=7f97ca9034b9 a2=7f97c9ad16c0 a3=1e items=1 ppid=9777 pid=9820 auid=siterep1 uid=root gid=siterep euid=root suid=root fsuid=root egid=siterep sgid=siterep fsgid=siterep tty=pts7 ses=1 comm=lvconvert exe=/sbin/lvm subj=siterep_u:siterep_r:lvm_t:s15:c0.c1023 key=(null)
node=develop.local.austin.rr.com type=SELINUX_ERR msg=audit(05/27/2009 10:31:40.907:208246) : security_validate_transition: denied for oldcontext=siterep_u:object_r:device_t:s15:c0.c1023 newcontext=system_u:object_r:device_t:s0 taskcontext=siterep_u:siterep_r:lvm_t:s15:c0.c1023 tclass=lnk_file
----
node=develop.local.austin.rr.com type=PATH msg=audit(05/27/2009 10:31:40.908:208247) : item=0 name=/dev/vg00/snap inode=813108 dev=00:0f mode=link,777 ouid=root ogid=siterep rdev=00:00 obj=siterep_u:object_r:device_t:s15:c0.c1023
node=develop.local.austin.rr.com type=CWD msg=audit(05/27/2009 10:31:40.908:208247) : cwd=/home/siterep1
node=develop.local.austin.rr.com type=SYSCALL msg=audit(05/27/2009 10:31:40.908:208247) : arch=x86_64 syscall=lsetxattr success=yes exit=0 a0=7fffd2b27a20 a1=7f97ca9034b9 a2=7f97c9acc480 a3=1e items=1 ppid=9777 pid=9820 auid=siterep1 uid=root gid=siterep euid=root suid=root fsuid=root egid=siterep sgid=siterep fsgid=siterep tty=pts7 ses=1 comm=lvconvert exe=/sbin/lvm subj=siterep_u:siterep_r:lvm_t:s15:c0.c1023 key=(null)
node=develop.local.austin.rr.com type=SELINUX_ERR msg=audit(05/27/2009 10:31:40.908:208247) : security_validate_transition: denied for oldcontext=siterep_u:object_r:device_t:s15:c0.c1023 newcontext=system_u:object_r:device_t:s0 taskcontext=siterep_u:siterep_r:lvm_t:s15:c0.c1023 tclass=lnk_file
----
node=develop.local.austin.rr.com type=PATH msg=audit(05/27/2009 10:31:40.983:208258) : item=0 name=/dev/vg00/root inode=813142 dev=00:0f mode=link,777 ouid=root ogid=siterep rdev=00:00 obj=siterep_u:object_r:device_t:s15:c0.c1023
node=develop.local.austin.rr.com type=CWD msg=audit(05/27/2009 10:31:40.983:208258) : cwd=/home/siterep1
node=develop.local.austin.rr.com type=SYSCALL msg=audit(05/27/2009 10:31:40.983:208258) : arch=x86_64 syscall=lsetxattr success=yes exit=0 a0=7fffd2b27b30 a1=7f97ca9034b9 a2=7f97c4556b10 a3=1e items=1 ppid=9777 pid=9820 auid=siterep1 uid=root gid=siterep euid=root suid=root fsuid=root egid=siterep sgid=siterep fsgid=siterep tty=pts7 ses=1 comm=lvconvert exe=/sbin/lvm subj=siterep_u:siterep_r:lvm_t:s15:c0.c1023 key=(null)
node=develop.local.austin.rr.com type=SELINUX_ERR msg=audit(05/27/2009 10:31:40.983:208258) : security_validate_transition: denied for oldcontext=siterep_u:object_r:device_t:s15:c0.c1023 newcontext=system_u:object_r:device_t:s0 taskcontext=siterep_u:siterep_r:lvm_t:s15:c0.c1023 tclass=lnk_file
----
node=develop.local.austin.rr.com type=PATH msg=audit(05/27/2009 10:31:40.984:208260) : item=0 name=/dev/vg00/snap inode=813145 dev=00:0f mode=link,777 ouid=root ogid=siterep rdev=00:00 obj=siterep_u:object_r:device_t:s15:c0.c1023
node=develop.local.austin.rr.com type=CWD msg=audit(05/27/2009 10:31:40.984:208260) : cwd=/home/siterep1
node=develop.local.austin.rr.com type=SYSCALL msg=audit(05/27/2009 10:31:40.984:208260) : arch=x86_64 syscall=lsetxattr success=yes exit=0 a0=7fffd2b27b30 a1=7f97ca9034b9 a2=7f97c455dc90 a3=1e items=1 ppid=9777 pid=9820 auid=siterep1 uid=root gid=siterep euid=root suid=root fsuid=root egid=siterep sgid=siterep fsgid=siterep tty=pts7 ses=1 comm=lvconvert exe=/sbin/lvm subj=siterep_u:siterep_r:lvm_t:s15:c0.c1023 key=(null)
node=develop.local.austin.rr.com type=SELINUX_ERR msg=audit(05/27/2009 10:31:40.984:208260) : security_validate_transition: denied for oldcontext=siterep_u:object_r:device_t:s15:c0.c1023 newcontext=system_u:object_r:device_t:s0 taskcontext=siterep_u:siterep_r:lvm_t:s15:c0.c1023 tclass=lnk_file
----
There are no AVCs associated with the error, and I am using the following policy statements (where jcdx_fsbackup_t is the domain type of the entire script):
lvm_domtrans(jcdx_fsbackup_t)
mls_file_write_all_levels(lvm_t)
allow lvm_t lvm_control_t:chr_file write;
allow lvm_t lvm_lock_t:dir { write remove_name add_name };
allow lvm_t lvm_metadata_t:dir { write remove_name add_name };
At this point the script is:
----------
#!/bin/bash
/sbin/lvconvert -s vg00/root snap
----------
The policy is selinux-policy-3.5.13-57.fc10.
A push in the right direction would be appreciated.
--
"THIS time it really is fixed. I mean, how many times can we get it wrong? At some point, we just have to run out of bad ideas.."
Linus Torvalds
Nickolas Gray nick@magitek.ltd
On Wed, 2009-05-27 at 18:33 -0500, Nickolas Gray wrote:
[...]
You need to add a rule that allows lvm_t to inherit the siterep_r role:
role siterep_r types lvm_t;
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Dominick, Stephan
Thanks for the input. Let me digest this and I may have more questions.
On May 28, 2009, at 7:19 AM, Dominick Grift wrote:
[...]
you need to add a rule that allows lvm_t to inherit the siterep_r role:
role siterep_r types lvm_t;
On Wed, 2009-05-27 at 18:33 -0500, Nickolas Gray wrote:
[...]
node=develop.local.austin.rr.com type=PATH msg=audit(05/27/2009 10:31:40.907:208246) : item=0 name=/dev/vg00/root inode=813052 dev=00:0f mode=link,777 ouid=root ogid=siterep rdev=00:00 obj=siterep_u:object_r:device_t:s15:c0.c1023
node=develop.local.austin.rr.com type=CWD msg=audit(05/27/2009 10:31:40.907:208246) : cwd=/home/siterep1
node=develop.local.austin.rr.com type=SYSCALL msg=audit(05/27/2009 10:31:40.907:208246) : arch=x86_64 syscall=lsetxattr success=yes exit=0 a0=7fffd2b27a20 a1=7f97ca9034b9 a2=7f97c9ad16c0 a3=1e items=1 ppid=9777 pid=9820 auid=siterep1 uid=root gid=siterep euid=root suid=root fsuid=root egid=siterep sgid=siterep fsgid=siterep tty=pts7 ses=1 comm=lvconvert exe=/sbin/lvm subj=siterep_u:siterep_r:lvm_t:s15:c0.c1023 key=(null)
node=develop.local.austin.rr.com type=SELINUX_ERR msg=audit(05/27/2009 10:31:40.907:208246) : security_validate_transition: denied for oldcontext=siterep_u:object_r:device_t:s15:c0.c1023 newcontext=system_u:object_r:device_t:s0 taskcontext=siterep_u:siterep_r:lvm_t:s15:c0.c1023 tclass=lnk_file
You are violating an MLS validatetrans constraint (in policy/mls) that restricts the ability to relabel a file to a different level unless the calling domain has the appropriate type attribute.
In this case, you are downgrading the device from s15:c0.c1023 (systemhigh) to s0 (systemlow).
If you want lvm to be able to do that, you'd have to give it mlsfiledowngrade, i.e.
$ cat lvmmls.te
policy_module(lvmmls, 1.0)

require {
	type lvm_t;
}

mls_file_downgrade(lvm_t)
$ make -f /usr/share/selinux/devel/Makefile lvmmls.pp
$ sudo semodule -i lvmmls.pp
selinux@lists.fedoraproject.org
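The following triage helper is an added example written for this page; it is not code from the thread or from any of its participants. security_validate_transition records like the ones above raise no AVC, so audit2allow has nothing to say about them; this script parses such records, compares the old and new MLS levels by dominance, and names the reference-policy interface the task type would need. It goes a little beyond the thread's case: the first sample event is the thread's own (trimmed to its SYSCALL and SELINUX_ERR records), while the upgrade and incomparable events are constructed here to show the other branches. The direction-to-interface mapping assumes the file-class mlsvalidatetrans rule in the reference policy's policy/mls (mlsfiledowngrade for dominating or incomparable relabels, mlsfileupgrade for dominated ones); confirm that rule in the policy version you actually run before installing a module based on its output.

```python
import re
from collections import namedtuple

# Sample events for this example. EVENT_FROM_THREAD is the first event of the audit
# trail quoted above, trimmed to its SYSCALL and SELINUX_ERR records, run together on
# one line the way the list archive rendered them. The other two are constructed here
# (not from the thread) to exercise the upgrade and incomparable branches.
EVENT_FROM_THREAD = (
    "node=develop.local.austin.rr.com type=SYSCALL msg=audit(05/27/2009 10:31:40.907:208246) : "
    "arch=x86_64 syscall=lsetxattr success=yes exit=0 items=1 ppid=9777 pid=9820 auid=siterep1 "
    "uid=root gid=siterep euid=root tty=pts7 ses=1 comm=lvconvert exe=/sbin/lvm "
    "subj=siterep_u:siterep_r:lvm_t:s15:c0.c1023 key=(null) node=develop.local.austin.rr.com "
    "type=SELINUX_ERR msg=audit(05/27/2009 10:31:40.907:208246) : security_validate_transition: "
    "denied for oldcontext=siterep_u:object_r:device_t:s15:c0.c1023 "
    "newcontext=system_u:object_r:device_t:s0 taskcontext=siterep_u:siterep_r:lvm_t:s15:c0.c1023 "
    "tclass=lnk_file"
)
CONSTRUCTED_UPGRADE = (
    "type=SYSCALL msg=audit(01/01/2009 00:00:00.000:1) : arch=x86_64 syscall=setxattr success=no "
    "exit=-13 comm=restorecon subj=system_u:system_r:setfiles_t:s0-s15:c0.c1023 key=(null) "
    "type=SELINUX_ERR msg=audit(01/01/2009 00:00:00.000:1) : security_validate_transition: denied for "
    "oldcontext=system_u:object_r:etc_t:s0 newcontext=system_u:object_r:etc_t:s2:c1 "
    "taskcontext=system_u:system_r:setfiles_t:s0-s15:c0.c1023 tclass=file"
)
CONSTRUCTED_INCOMPARABLE = (
    "type=SELINUX_ERR msg=audit(01/01/2009 00:00:01.000:2) : security_validate_transition: denied for "
    "oldcontext=user_u:object_r:user_home_t:s2:c1 newcontext=user_u:object_r:user_home_t:s2:c2 "
    "taskcontext=user_u:user_r:user_t:s2:c1,c2 tclass=file"
)

VALIDATE_RE = re.compile(
    r"type=SELINUX_ERR msg=audit\((?P<stamp>[^)]*)\) : security_validate_transition: denied for "
    r"oldcontext=(?P<old>\S+) newcontext=(?P<new>\S+) taskcontext=(?P<task>\S+) tclass=(?P<tclass>\S+)"
)
SYSCALL_RE = re.compile(r"type=SYSCALL .*?success=(?P<success>\S+).*?comm=(?P<comm>\S+)")

Level = namedtuple("Level", "sens cats")               # sensitivity number, frozenset of categories
Context = namedtuple("Context", "user role type low")  # low end of the range; a file label has one level

def parse_categories(spec):
    """'c0.c1023' (range) or 'c1,c4.c6' (list) -> frozenset of category numbers; '' -> empty."""
    cats = set()
    for part in filter(None, spec.split(",")):
        lo, _, hi = part.partition(".")
        cats.update(range(int(lo[1:]), int((hi or lo)[1:]) + 1))
    return frozenset(cats)

def parse_level(text):
    sens, _, cats = text.partition(":")   # 's15:c0.c1023' or a bare 's0'
    return Level(int(sens[1:]), parse_categories(cats))

def parse_context(text):
    user, role, type_, mls = text.split(":", 3)   # the level text may itself contain ':'
    return Context(user, role, type_, parse_level(mls.partition("-")[0]))

def dominates(a, b):
    """MLS dominance: a dom b iff a.sens >= b.sens and a's categories are a superset of b's."""
    return a.sens >= b.sens and a.cats >= b.cats

def classify(old, new):
    if old == new:
        return "same"
    if dominates(old, new):
        return "downgrade"
    if dominates(new, old):
        return "upgrade"
    return "incomparable"

# Assumed mapping to refpolicy kernel/mls.if interfaces, per the file-class
# mlsvalidatetrans rule in policy/mls: mlsfiledowngrade covers l1 dom l2 and
# l1 incomp l2, mlsfileupgrade covers l1 domby l2. Check it against your policy.
INTERFACE_FOR = {"downgrade": "mls_file_downgrade", "upgrade": "mls_file_upgrade",
                 "incomparable": "mls_file_downgrade"}

def triage(events):
    """One finding per security_validate_transition record; other lines are skipped."""
    findings = []
    for line in events:
        m = VALIDATE_RE.search(line)
        if not m:
            continue
        old, new, task = (parse_context(m.group(k)) for k in ("old", "new", "task"))
        sc = SYSCALL_RE.search(line)
        direction = classify(old.low, new.low)
        findings.append({
            "serial": m.group("stamp").rsplit(":", 1)[1],
            "tclass": m.group("tclass"),
            "task_type": task.type,
            "user_changed": old.user != new.user,   # a separate, non-MLS constraint may apply too
            "direction": direction,
            "interface": INTERFACE_FOR.get(direction),
            "comm": sc.group("comm") if sc else None,
            "succeeded": (sc.group("success") == "yes") if sc else None,  # yes => permissive mode
        })
    return findings

def suggest_module(findings, name="lvmmls"):
    """Minimal .te text granting each task type the MLS interface its findings call for."""
    needs = sorted({(f["task_type"], f["interface"]) for f in findings if f["interface"]})
    body = [f"policy_module({name}, 1.0)", "", "require {"]
    body += [f"\ttype {t};" for t in sorted({t for t, _ in needs})] + ["}", ""]
    return "\n".join(body + [f"{iface}({t})" for t, iface in needs]) + "\n"

if __name__ == "__main__":
    found = triage([EVENT_FROM_THREAD, CONSTRUCTED_UPGRADE, CONSTRUCTED_INCOMPARABLE])
    for f in found:
        print(f"event {f['serial']}: {f['comm']} ({f['task_type']}) relabel of {f['tclass']} is a "
              f"{f['direction']}, syscall succeeded={f['succeeded']} -> needs {f['interface']}")
    print(suggest_module(found[:1]))
```

Feed it the output of `ausearch -i -m SELINUX_ERR` one event per line. Two details the report surfaces that are easy to miss in the raw trail: success=yes on the SYSCALL record means the relabel actually went through, which only happens in permissive mode (in enforcing the same lsetxattr fails at the validatetrans check), and the thread's records also change the user field from siterep_u to system_u, which is governed by a separate constraint and is flagged as user_changed so it can be checked on its own.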