SELinux blocks LVM access to `rhsmd`
I'm not sure if this is the intended behavior. I had a trial to RHEVM

```
subscription-manager clean
subscription-manager register
```

and removing all other systems via redhat.com customer portal, the following SELinux notifications started showing:
```
setroubleshoot[14817]: SELinux is preventing /usr/bin/python2.7 from read access on the file /etc/selinux/targeted/contexts/files/file_contexts.subs. For complete SELinux messages. run sealert -l 4f17ac6c-8357-412c-84ec-e40243512ebe
python[14817]: SELinux is preventing /usr/bin/python2.7 from read access on the file /etc/selinux/targeted/contexts/files/file_contexts.subs.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that python2.7 should be allowed read access on the file_contexts.subs file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep rhsmd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

setroubleshoot[14817]: SELinux is preventing /usr/bin/python2.7 from read access on the file /etc/selinux/targeted/contexts/files/file_contexts.subs. For complete SELinux messages. run sealert -l 4f17ac6c-8357-412c-84ec-e40243512ebe
python[14817]: SELinux is preventing /usr/bin/python2.7 from read access on the file /etc/selinux/targeted/contexts/files/file_contexts.subs.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that python2.7 should be allowed read access on the file_contexts.subs file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep rhsmd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

setroubleshoot[14817]: SELinux is preventing /usr/bin/python2.7 from getattr access on the file /etc/selinux/targeted/contexts/files/file_contexts.subs. For complete SELinux messages. run sealert -l f1dc7129-6d63-479f-8058-39ab5a3ad0ca
python[14817]: SELinux is preventing /usr/bin/python2.7 from getattr access on the file /etc/selinux/targeted/contexts/files/file_contexts.subs.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that python2.7 should be allowed getattr access on the file_contexts.subs file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep rhsmd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

setroubleshoot[14817]: SELinux is preventing /usr/bin/python2.7 from using the setfscreate access on a process. For complete SELinux messages. run sealert -l be7995ab-75cf-4cc7-9708-7928b851043c
python[14817]: SELinux is preventing /usr/bin/python2.7 from using the setfscreate access on a process.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that python2.7 should be allowed setfscreate access on processes labeled rhsmcertd_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep rhsmd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

setroubleshoot[14817]: SELinux is preventing /usr/bin/python2.7 from 'read, write' accesses on the directory /run/lock/lvm. For complete SELinux messages. run sealert -l 6ac47b06-75ae-438b-bbbb-70081f5bf98d
python[14817]: SELinux is preventing /usr/bin/python2.7 from 'read, write' accesses on the directory /run/lock/lvm.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that python2.7 should be allowed read write access on the lvm directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep rhsmd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
```
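An added example, not part of the original post: a short Python script that collapses the repeated setroubleshoot and python lines above into one entry per denied object, so the distinct accesses can be reviewed before deciding whether a local policy module is appropriate. The function names and the regular expression are this example's own, and the pattern is assumed to cover only the three message shapes seen in this log.

```python
import re
from collections import defaultdict

# Summary lines taken from the log in the post above (one or two per denial kind).
SAMPLE = """\
setroubleshoot[14817]: SELinux is preventing /usr/bin/python2.7 from read access on the file /etc/selinux/targeted/contexts/files/file_contexts.subs. For complete SELinux messages. run sealert -l 4f17ac6c-8357-412c-84ec-e40243512ebe
python[14817]: SELinux is preventing /usr/bin/python2.7 from read access on the file /etc/selinux/targeted/contexts/files/file_contexts.subs.
setroubleshoot[14817]: SELinux is preventing /usr/bin/python2.7 from getattr access on the file /etc/selinux/targeted/contexts/files/file_contexts.subs. For complete SELinux messages. run sealert -l f1dc7129-6d63-479f-8058-39ab5a3ad0ca
setroubleshoot[14817]: SELinux is preventing /usr/bin/python2.7 from using the setfscreate access on a process. For complete SELinux messages. run sealert -l be7995ab-75cf-4cc7-9708-7928b851043c
python[14817]: SELinux is preventing /usr/bin/python2.7 from 'read, write' accesses on the directory /run/lock/lvm.
"""

# Assumption: covers only the three message shapes seen in this log.
DENIAL = re.compile(
    r"SELinux is preventing (?P<src>\S+) from (?:using the )?"
    r"'?(?P<perms>[\w, ]+?)'? access(?:es)? on (?:the|a) (?P<kind>\w+)"
    r"(?: (?P<target>/\S*?))?\.(?:\s|$)"
)

def summarize(text):
    """Collapse repeated setroubleshoot/python lines: one entry per denied object."""
    perms_by_object = defaultdict(set)
    for line in text.splitlines():
        m = DENIAL.search(line)
        if m:
            key = (m["src"], m["kind"], m["target"] or "")
            perms_by_object[key].update(p.strip() for p in m["perms"].split(","))
    return {key: sorted(perms) for key, perms in perms_by_object.items()}

def sealert_ids(text):
    """Unique alert IDs, in first-seen order, for follow-up with `sealert -l`."""
    return list(dict.fromkeys(re.findall(r"sealert -l ([0-9a-f-]{36})", text)))

if __name__ == "__main__":
    for (src, kind, target), perms in summarize(SAMPLE).items():
        print(f"{src} -> {kind} {target or '(no path)'}: {', '.join(perms)}")
    print("alerts:", *sealert_ids(SAMPLE))
```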
Responses