Bug 173030 - (selinux) swapon wants to write /etc/blkid.tab
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: rawhide
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
Blocks: FC5Target
Reported: 2005-11-12 18:49 UTC by Nicolas Mailhot
Modified: 2007-11-30 22:11 UTC (History)
Doc Type: Bug Fix
Last Closed: 2005-11-14 20:59:26 UTC


Description Nicolas Mailhot 2005-11-12 18:49:55 UTC
Description of problem:

It seems that swapon needs write access to /etc/blkid.tab and is blocked by the
default policy 

audit(1131812561.197:2): avc:  denied  { write } for  pid=1234 comm="swapon"
name="blkid.tab" dev=dm-0 ino=1999275 scontext=system_u:system_r:fsadm_t:s0
tcontext=root:object_r:etc_t:s0 tclass=file
audit(1131812561.197:3): avc:  denied  { write } for  pid=1234 comm="swapon"
name="blkid.tab" dev=dm-0 ino=1999275 scontext=system_u:system_r:fsadm_t:s0
tcontext=root:object_r:etc_t:s0 tclass=file
Adding 2096472k swap on /dev/sda2.  Priority:-1 extents:1 across:2096472k
audit(1131812561.209:4): avc:  denied  { write } for  pid=1234 comm="swapon"
name="blkid.tab" dev=dm-0 ino=1999275 scontext=system_u:system_r:fsadm_t:s0
tcontext=root:object_r:etc_t:s0 tclass=file
audit(1131812561.213:5): avc:  denied  { write } for  pid=1234 comm="swapon"
name="blkid.tab" dev=dm-0 ino=1999275 scontext=system_u:system_r:fsadm_t:s0
tcontext=root:object_r:etc_t:s0 tclass=file
Adding 2096472k swap on /dev/sdb2.  Priority:-2 extents:1 across:2096472k

selinux-policy-targeted-1.27.2-19

(CCing Karel Zak and Ben Levenson so they can confirm swapon needs)

Comment 1 Karel Zak 2005-11-14 08:32:28 UTC
Yes, all commands compiled with libblkid (swapon, swapoff, mount, fsck.ext2,
...) need write access to /etc/blkid.tab. 

Comment 2 Daniel Walsh 2005-11-14 16:06:26 UTC
/etc/blkid.tab should have a security context of etc_runtime_t on it.  You can
fix this by executing

restorecon /etc/blkid.tab

The question is how did it get this bad context?  Do you know which app created
this file?  Did you boot with selinux disabled?  selinux=0?



Comment 3 Nicolas Mailhot 2005-11-14 18:10:39 UTC
I ran for ~ 15min with selinux disabled to do a yum upgrade (policy changes
broke rpm scriptlets this week). Also the lvm which contains the / was moved to a
new raid (lvm commands executed from the FC4 install disk manually), so maybe
that's the root of the problem.

Should I do a restorecon / ?

Comment 4 Daniel Walsh 2005-11-14 19:25:11 UTC
touch /.autorelabel
reboot 

is a better idea.

Comment 5 Nicolas Mailhot 2005-11-14 20:59:26 UTC
Ok, this works.
Sorry for bothering you - will be more careful next time I move an LVM
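
The triage this thread worked through (is an AVC denial a policy gap, or a file carrying the wrong label?), as an added example that is not part of the original bug report. The function names and the `EXPECTED_TYPE` map are assumptions made for illustration; the expected type for blkid.tab is the one given in Comment 2, and the sample log is constructed from two of the reported records joined onto single lines.

```python
import re
from collections import Counter

# Constructed sample: two AVC records from the report, each joined onto one line.
SAMPLE = '''\
audit(1131812561.197:2): avc:  denied  { write } for  pid=1234 comm="swapon" name="blkid.tab" dev=dm-0 ino=1999275 scontext=system_u:system_r:fsadm_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file
Adding 2096472k swap on /dev/sda2.  Priority:-1 extents:1 across:2096472k
audit(1131812561.209:4): avc:  denied  { write } for  pid=1234 comm="swapon" name="blkid.tab" dev=dm-0 ino=1999275 scontext=system_u:system_r:fsadm_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file
'''

# Assumption: expected type per file name, taken from Comment 2. On a live
# system, ask the loaded policy instead (for example with matchpathcon).
EXPECTED_TYPE = {"blkid.tab": "etc_runtime_t"}

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC denial line, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    if "scontext" not in rec or "tcontext" not in rec:
        return None
    rec["perms"] = tuple(m.group("perms").split())
    # A context is user:role:type[:level]; the type is the third field.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def triage(log_text, expected=EXPECTED_TYPE):
    """Collapse repeated denials and flag targets whose label is not the expected one."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            counts[(rec["comm"], rec.get("name"), rec["stype"], rec["ttype"],
                    rec.get("tclass"), rec["perms"])] += 1
    findings = []
    for (comm, name, stype, ttype, tclass, perms), n in counts.items():
        want = expected.get(name)
        # A wrong label calls for relabeling the file, not for a new allow rule.
        verdict = "mislabeled" if want and want != ttype else "review"
        findings.append({"comm": comm, "name": name, "stype": stype, "ttype": ttype,
                         "tclass": tclass, "perms": perms, "count": n,
                         "expected": want, "verdict": verdict})
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f)
```
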

