SELinux blocks LVM access to `rhsmd`

I'm not sure if this is the intended behavior. I had a trial of RHEVM for 60 days. I never even used it, but that's beside the point. After the trial subscription expired, running

```
subscription-manager clean
subscription-manager register
```

and removing all other systems via the redhat.com customer portal, the following SELinux notifications started showing:

```
setroubleshoot[14817]: SELinux is preventing /usr/bin/python2.7 from read access on the file /etc/selinux/targeted/contexts/files/file_contexts.subs. For complete SELinux messages. run sealert -l 4f17ac6c-8357-412c-84ec-e40243512ebe
python[14817]: SELinux is preventing /usr/bin/python2.7 from read access on the file /etc/selinux/targeted/contexts/files/file_contexts.subs.

           *****  Plugin catchall (100. confidence) suggests   **************************

           If you believe that python2.7 should be allowed read access on the file_contexts.subs file by default.
           Then you should report this as a bug.
           You can generate a local policy module to allow this access.
           Do
           allow this access for now by executing:
           # grep rhsmd /var/log/audit/audit.log | audit2allow -M mypol
           # semodule -i mypol.pp

setroubleshoot[14817]: SELinux is preventing /usr/bin/python2.7 from read access on the file /etc/selinux/targeted/contexts/files/file_contexts.subs. For complete SELinux messages. run sealert -l 4f17ac6c-8357-412c-84ec-e40243512ebe
python[14817]: SELinux is preventing /usr/bin/python2.7 from read access on the file /etc/selinux/targeted/contexts/files/file_contexts.subs.

           *****  Plugin catchall (100. confidence) suggests   **************************

           If you believe that python2.7 should be allowed read access on the file_contexts.subs file by default.
           Then you should report this as a bug.
           You can generate a local policy module to allow this access.
           Do
           allow this access for now by executing:
           # grep rhsmd /var/log/audit/audit.log | audit2allow -M mypol
           # semodule -i mypol.pp

setroubleshoot[14817]: SELinux is preventing /usr/bin/python2.7 from getattr access on the file /etc/selinux/targeted/contexts/files/file_contexts.subs. For complete SELinux messages. run sealert -l f1dc7129-6d63-479f-8058-39ab5a3ad0ca
python[14817]: SELinux is preventing /usr/bin/python2.7 from getattr access on the file /etc/selinux/targeted/contexts/files/file_contexts.subs.

           *****  Plugin catchall (100. confidence) suggests   **************************

           If you believe that python2.7 should be allowed getattr access on the file_contexts.subs file by default.
           Then you should report this as a bug.
           You can generate a local policy module to allow this access.
           Do
           allow this access for now by executing:
           # grep rhsmd /var/log/audit/audit.log | audit2allow -M mypol
           # semodule -i mypol.pp

setroubleshoot[14817]: SELinux is preventing /usr/bin/python2.7 from using the setfscreate access on a process. For complete SELinux messages. run sealert -l be7995ab-75cf-4cc7-9708-7928b851043c
python[14817]: SELinux is preventing /usr/bin/python2.7 from using the setfscreate access on a process.

           *****  Plugin catchall (100. confidence) suggests   **************************

           If you believe that python2.7 should be allowed setfscreate access on processes labeled rhsmcertd_t by default.
           Then you should report this as a bug.
           You can generate a local policy module to allow this access.
           Do
           allow this access for now by executing:
           # grep rhsmd /var/log/audit/audit.log | audit2allow -M mypol
           # semodule -i mypol.pp

setroubleshoot[14817]: SELinux is preventing /usr/bin/python2.7 from 'read, write' accesses on the directory /run/lock/lvm. For complete SELinux messages. run sealert -l 6ac47b06-75ae-438b-bbbb-70081f5bf98d
python[14817]: SELinux is preventing /usr/bin/python2.7 from 'read, write' accesses on the directory /run/lock/lvm.

           *****  Plugin catchall (100. confidence) suggests   **************************

           If you believe that python2.7 should be allowed read write access on the lvm directory by default.
           Then you should report this as a bug.
           You can generate a local policy module to allow this access.
           Do
           allow this access for now by executing:
           # grep rhsmd /var/log/audit/audit.log | audit2allow -M mypol
           # semodule -i mypol.pp

```
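Added example, not part of the original post: a Python script that collapses the `setroubleshoot` lines above into one record per `sealert` ID, so each distinct access can be reviewed before building the suggested `audit2allow` module. The regular expression and the `summarize` helper are assumptions based only on the message wording shown in this post.

```python
import re
from collections import OrderedDict

# Sample input: the five setroubleshoot summary lines copied from the post above.
SAMPLE = """\
setroubleshoot[14817]: SELinux is preventing /usr/bin/python2.7 from read access on the file /etc/selinux/targeted/contexts/files/file_contexts.subs. For complete SELinux messages. run sealert -l 4f17ac6c-8357-412c-84ec-e40243512ebe
setroubleshoot[14817]: SELinux is preventing /usr/bin/python2.7 from read access on the file /etc/selinux/targeted/contexts/files/file_contexts.subs. For complete SELinux messages. run sealert -l 4f17ac6c-8357-412c-84ec-e40243512ebe
setroubleshoot[14817]: SELinux is preventing /usr/bin/python2.7 from getattr access on the file /etc/selinux/targeted/contexts/files/file_contexts.subs. For complete SELinux messages. run sealert -l f1dc7129-6d63-479f-8058-39ab5a3ad0ca
setroubleshoot[14817]: SELinux is preventing /usr/bin/python2.7 from using the setfscreate access on a process. For complete SELinux messages. run sealert -l be7995ab-75cf-4cc7-9708-7928b851043c
setroubleshoot[14817]: SELinux is preventing /usr/bin/python2.7 from 'read, write' accesses on the directory /run/lock/lvm. For complete SELinux messages. run sealert -l 6ac47b06-75ae-438b-bbbb-70081f5bf98d
"""

# Assumed message shape, derived from the lines above (not from setroubleshoot's source).
DENIAL = re.compile(
    r"setroubleshoot\[\d+\]: SELinux is preventing (?P<exe>\S+) from "
    r"(?:using the )?'?(?P<perms>[a-z_]+(?:, [a-z_]+)*)'? access(?:es)? on "
    r"(?:the |a )(?P<cls>\w+)(?: (?P<target>/\S*?))?"
    r"\. For complete SELinux messages\. run sealert -l (?P<alert>[0-9a-f-]+)"
)

def summarize(log_text):
    """Return one record per sealert ID, counting repeated messages."""
    alerts = OrderedDict()
    for m in DENIAL.finditer(log_text):
        rec = alerts.setdefault(m["alert"], {
            "exe": m["exe"],
            "perms": tuple(m["perms"].split(", ")),
            "class": m["cls"],          # wording from the message: file, directory, process
            "target": m["target"],      # None when the message names no path
            "count": 0,
        })
        rec["count"] += 1
    return alerts

if __name__ == "__main__":
    for alert_id, rec in summarize(SAMPLE).items():
        target = rec["target"] or "(self)"
        print(f"{rec['count']}x {','.join(rec['perms']):<12} {rec['class']:<9} {target}")
        print(f"   review with: sealert -l {alert_id}")
```
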
