Bug 455784 - AVC denies Conga from using storage in permissive mode
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.2
Hardware: All
OS: Linux
Target Milestone: rc
Assignee: Daniel Walsh
QA Contact:
Depends On:
Reported: 2008-07-17 18:29 UTC by Shane Bradley
Modified: 2018-10-20 03:19 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2009-01-20 21:30:18 UTC
Target Upstream Version:

Attachments
selinux module for conga (deleted)
2008-07-17 18:33 UTC, Shane Bradley

System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2009:0163 normal SHIPPED_LIVE selinux-policy bug fix and enhancement update 2009-01-20 16:05:21 UTC

Description Shane Bradley 2008-07-17 18:29:40 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9) Gecko/2008061712 Fedora/3.0-1.fc9 Firefox/3.0

Description of problem:
In the Conga web interface, clicking on the storage tab and then selecting an individual node produces the error "An error has occurred while probing storage: Host responded: clvmd failed to start". This happens whether clvmd is running or stopped. AVC denials are printed to /var/log/audit/audit.log when this happens:

   type=AVC msg=audit(1216231268.723:40): avc:  denied  { execute } for  pid=2832 comm="ricci-modstorag" name="bash" dev=dm-0 ino=356974 scontext=system_u:system_r:ricci_modstorage_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file

Turning on setroubleshootd and grabbing the details with sealert provides the specifics that I've attached. Setting SELinux to permissive works around the problem.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1) Set selinux enforcing
2) Open Conga interface, adding storage nodes if needed
3) Click storage tab at top
4) In the "Storage" navigation menu, select a node that has SELinux enforcing

Actual Results:
Error message stating: "An error has occurred while probing storage: Host responded: clvmd failed to start". Clicking OK takes you back to the previous page.

Expected Results:
Conga should be able to probe storage successfully with SELinux enforcing.

Additional info:

Comment 1 Shane Bradley 2008-07-17 18:33:27 UTC
Created attachment 312070
selinux module for conga

Comment 2 Shane Bradley 2008-07-17 18:34:04 UTC
An attempt to create a module based on denials failed as well:
I started with a fresh system and still could not get it working.  Procedure:

- Cause the Conga failure by clicking on a node in the storage tab
- Create a new policy:

  # grep AVC /var/log/audit/audit.log | audit2allow -M myricci
- Unload the old myricci (if loaded) and load the new one

After each trial there would be new denials, so I would repeat the process, which
eventually led me to the attached myricci2.te.  Every time I would compare the
old .te to the new one and eventually there were no differences showing up,
meaning there weren't any new denials.  I also tried

   # semodule -b /usr/share/selinux/targeted/enableaudit.pp

per dwalsh's recommendations but no new denials were printed.  

I am also attaching the audit.log from this test showing all the denials that


Comment 3 Daniel Walsh 2008-07-17 18:38:42 UTC
Fixed in selinux-policy-2.4.6-142

Comment 4 RHEL Product and Program Management 2008-07-17 18:41:30 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update

Comment 9 Daniel Walsh 2008-07-24 14:05:12 UTC
selinux-policy-2.4.6-142 is now available for preview testing at

Comment 15 errata-xmlrpc 2009-01-20 21:30:18 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.
