[DSE-Dev] Bug#781571: selinux-policy-default: lvcreate hangs when SELinux is set to enforcing

Andreas Florath andre at florath.net
Tue Mar 31 06:10:29 UTC 2015

Package: selinux-policy-default
Version: 2:2.20140421-9
Justification: renders package unusable
Severity: grave

Dear Maintainer,


    # lvcreate -l "100%FREE" -n 00 bak00

hangs forever when SELinux is set to enforcing.  Because the command
never returns it is unclear if the operation was successful or not;
whether or not data was written to disk (which might corrupt
the LVM data on disk).

The following AVC is logged:

type=AVC msg=audit(1427722098.297:76): avc:  denied  { associate } for  pid=1178 comm="dmsetup" key=223152149  scontext=system_u:system_r:lvm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=sem permissive=0
type=SYSCALL msg=audit(1427722098.297:76): arch=c000003e syscall=64 success=no exit=-13 a0=d4d0815 a1=1 a2=0 a3=7ffe6908a9d0 items=0 ppid=1173 pid=1178 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dmsetup" exe="/sbin/dmsetup" subj=system_u:system_r:lvm_t:s0-s0:c0.c1023 key=(null)

Exactly the same happens when executing

    # cryptsetup luksOpen /dev/mapper/bak00-00 uencbak00

Also hangs; same AVCs.

I set the severity to 'grave' because two important commands
(lvcreate / cryptsetup) do not work when SELinux is enabled
with the current default policy;
LVM is installed in more than 25% of all systems.
Also it is unclear if data is (partially) written to disk
that might corrupt the data structures on disk.

If you want I can start a root cause analysis - if you want
I can try to generate a patch: just drop me a short note.

Kind regards


P.S.: Version information
||/ Name                              Version               Architecture          Description
ii  cryptsetup-bin                    2:1.6.6-5             amd64                 disk encryption support - command line tools
ii  lvm2                              2.02.111-2.1          amd64                 Linux Logical Volume Manager

-- System Information:
Debian Release: 8.0
  APT prefers testing-updates
  APT policy: (500, 'testing-updates'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/12 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages selinux-policy-default depends on:
ii  libpam-modules   1.1.8-3.1
ii  libselinux1      2.3-2
ii  libsepol1        2.3-2
ii  policycoreutils  2.3-1
ii  python           2.7.9-1
ii  selinux-utils    2.3-2

Versions of packages selinux-policy-default recommends:
ii  checkpolicy  2.3-1
ii  setools      3.3.8-3.1

Versions of packages selinux-policy-default suggests:
pn  logcheck        <none>
pn  syslog-summary  <none>

-- Configuration Files:
/etc/selinux/default/modules/active/file_contexts.local [Errno 13] Permission denied: u'/etc/selinux/default/modules/active/file_contexts.local'

-- no debconf information
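
Added example, not part of the original report: a short Python triage of the two audit records quoted above. It joins the AVC and SYSCALL records by event id and decodes them, showing that dmsetup (domain lvm_t) was refused semget with EACCES on a System V semaphore labeled unconfined_t, and that the key in the AVC equals the syscall's a0. The function names are this example's own, and the syscall table is an assumption that covers only the x86_64 semaphore calls.

```python
import errno
import re

# The AVC and SYSCALL records quoted in the report (same audit event id).
RECORDS = [
    'type=AVC msg=audit(1427722098.297:76): avc:  denied  { associate } for  pid=1178 comm="dmsetup" key=223152149  scontext=system_u:system_r:lvm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=sem permissive=0',
    'type=SYSCALL msg=audit(1427722098.297:76): arch=c000003e syscall=64 success=no exit=-13 a0=d4d0815 a1=1 a2=0 a3=7ffe6908a9d0 items=0 ppid=1173 pid=1178 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dmsetup" exe="/sbin/dmsetup" subj=system_u:system_r:lvm_t:s0-s0:c0.c1023 key=(null)',
]
HEADER = re.compile(r'^type=(\w+) msg=audit\(([\d.]+:\d+)\):\s*(.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Assumption: only the SysV semaphore syscalls of x86_64 (arch=c000003e) are mapped.
X86_64_SYSCALLS = {64: "semget", 65: "semop", 66: "semctl"}

def parse(line):
    """Split one audit record into (type, event id, key=value fields)."""
    m = HEADER.match(line)
    if not m:
        raise ValueError("not an audit record: %r" % line[:40])
    rtype, event_id, body = m.groups()
    fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
    # Permissions sit between braces in an AVC record; empty list otherwise.
    fields["perms"] = " ".join(re.findall(r'\{([^}]*)\}', body)).split()
    return rtype, event_id, fields

def triage(lines):
    """Join AVC and SYSCALL records by event id and summarise each denial."""
    events = {}
    for line in lines:
        rtype, event_id, fields = parse(line)
        events.setdefault(event_id, {})[rtype] = fields
    findings = []
    for recs in events.values():
        avc, sc = recs.get("AVC"), recs.get("SYSCALL")
        if not avc or not sc:
            continue  # need both halves of the event to correlate
        name = X86_64_SYSCALLS.get(int(sc["syscall"])) if sc["arch"] == "c000003e" else None
        findings.append({
            "comm": avc["comm"], "tclass": avc["tclass"], "perms": avc["perms"],
            "source_type": avc["scontext"].split(":")[2],
            "target_type": avc["tcontext"].split(":")[2],
            "syscall": name or sc["syscall"],
            "errno": errno.errorcode.get(-int(sc["exit"]), sc["exit"]),
            # semget(key, ...): a0 is the key in hex, the AVC logs it in decimal.
            "key_is_a0": name == "semget" and int(sc["a0"], 16) == int(avc["key"]),
        })
    return findings

if __name__ == "__main__":
    print(triage(RECORDS))
```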
