| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | SELinux is preventing /usr/sbin/mdadm from 'ioctl' accesses on the blk_file /dev/dm-3. | | |
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Matěj Cepl <mcepl> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Milos Malik <mmalik> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 7.0 | CC: | mmalik |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | abrt_hash:d1039c9bfeb6ffa22a9b5532cf6cff9c372a4d8a226f27282b26369e421fb748 | | |
| Fixed In Version: | selinux-policy-3.12.1-85.el7 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | | |
| : | 1043963 | Environment: | |
| Last Closed: | 2014-06-13 11:13:38 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Comment #2 (Milos Malik):

/dev/dm-3 has an incorrect label. It should be labeled fixed_disk_device_t.

Reply (Matěj Cepl):

> (In reply to Milos Malik from comment #2)
> > /dev/dm-3 has an incorrect label. It should be labeled fixed_disk_device_t.
>
> And whose fault is it? I am quite certain I have never knowingly changed its label, and even restorecon agrees:

```
matej@wycliff: ~$ sudo -i
[sudo] password for matej:
wycliff:~# restorecon -v -R /dev/
restorecon: Warning no default label for /dev/mqueue
restorecon: Warning no default label for /dev/hugepages/libvirt
restorecon: Warning no default label for /dev/hugepages/libvirt/qemu
restorecon: Warning no default label for /dev/pts/6
restorecon: Warning no default label for /dev/pts/5
restorecon: Warning no default label for /dev/pts/3
restorecon: Warning no default label for /dev/pts/1
restorecon: Warning no default label for /dev/pts/4
restorecon: Warning no default label for /dev/pts/0
restorecon: Warning no default label for /dev/pts/ptmx
restorecon: Warning no default label for /dev/shm/spice.2165
wycliff:~#
```

Reply:

svirt_image_t is a customizable type. restorecon does not change it unless you run it with the -F parameter. I don't know why /dev/dm-3 is labeled svirt_image_t. Is the device used as a disk for some virtual machine?

Reply (audit2allow output against the current policy):

```
#============= mdadm_t ==============
#!!!! This avc is allowed in the current policy
allow mdadm_t svirt_image_t:blk_file ioctl;
```

This request was resolved in Red Hat Enterprise Linux 7.0. Contact your manager or support representative in case you have further questions about the request.
Description of problem:
SELinux is preventing /usr/sbin/mdadm from 'ioctl' accesses on the blk_file /dev/dm-3.

```
***** Plugin catchall (100. confidence) suggests **************************

If you believe that mdadm should be allowed ioctl access on the dm-3 blk_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep mdadm /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:mdadm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:svirt_image_t:s0:c662,c888
Target Objects                /dev/dm-3 [ blk_file ]
Source                        mdadm
Source Path                   /usr/sbin/mdadm
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           mdadm-3.2.6-21.el7.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.12.1-80.el7.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 3.10.0-26.el7.x86_64 #1 SMP Thu Sep 19 17:15:18 EDT 2013 x86_64 x86_64
Alert Count                   1
First Seen                    2013-09-24 03:11:07 CEST
Last Seen                     2013-09-24 03:11:07 CEST
Local ID                      c56a4839-1e06-4647-8e5d-a11074dca54f
```

Raw Audit Messages:

```
type=AVC msg=audit(1379985067.797:3239): avc: denied { ioctl } for pid=8764 comm="mdadm" path="/dev/dm-3" dev="devtmpfs" ino=17943 scontext=system_u:system_r:mdadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:svirt_image_t:s0:c662,c888 tclass=blk_file
type=SYSCALL msg=audit(1379985067.797:3239): arch=x86_64 syscall=ioctl success=no exit=ENOTTY a0=3 a1=800c0910 a2=7fff8d27d750 a3=0 items=0 ppid=8763 pid=8764 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=224 comm=mdadm exe=/usr/sbin/mdadm subj=system_u:system_r:mdadm_t:s0-s0:c0.c1023 key=(null)
```

Hash: mdadm,mdadm_t,svirt_image_t,blk_file,ioctl

Additional info:
reporter: libreport-2.1.7
hashmarkername: setroubleshoot
kernel: 3.10.0-26.el7.x86_64
type: libreport
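The raw AVC record above and the comment that svirt_image_t is a customizable type together explain why `restorecon -v -R /dev/` did nothing for /dev/dm-3. The script below is an added example, not code from the bug report or from selinux-policy: it parses AVC lines from an audit log, pulls out the source and target types, and flags denials whose target type is on a customizable-types list, which `restorecon` without `-F` leaves untouched. The `SAMPLE_AUDIT_LOG` (the report's AVC line plus a constructed second denial against `device_t`) and the `CUSTOMIZABLE_TYPES` set are constructed samples; on a real system the list is read from /etc/selinux/targeted/contexts/customizable_types, of which only the svirt_image_t entry is confirmed by this report.

```python
"""Classify SELinux AVC denials by whether the target type is 'customizable'.

Added example, not from the bug report. A customizable type such as
svirt_image_t is skipped by `restorecon` unless -F is given, which is why
the relabel run in the report left /dev/dm-3 alone.
"""
import re

# Constructed sample log: the first AVC is the one from the report; the
# SYSCALL record and the second AVC (target type device_t) are constructed.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1379985067.797:3239): avc: denied { ioctl } for pid=8764 comm="mdadm" path="/dev/dm-3" dev="devtmpfs" ino=17943 scontext=system_u:system_r:mdadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:svirt_image_t:s0:c662,c888 tclass=blk_file
type=SYSCALL msg=audit(1379985067.797:3239): arch=x86_64 syscall=ioctl success=no exit=ENOTTY a0=3 comm=mdadm exe=/usr/sbin/mdadm
type=AVC msg=audit(1379985100.000:3240): avc: denied { read } for pid=8800 comm="mdadm" path="/dev/sdb1" dev="devtmpfs" ino=18001 scontext=system_u:system_r:mdadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=blk_file
"""

# Constructed stand-in for /etc/selinux/targeted/contexts/customizable_types;
# only svirt_image_t is confirmed by the report, the other entries are illustrative.
CUSTOMIZABLE_TYPES = {"svirt_image_t", "svirt_home_t", "sandbox_file_t"}

AVC_RE = re.compile(
    r"type=AVC\b.*?avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def type_of(context):
    """Third field of user:role:type[:range] is the SELinux type."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None


def parse_avc(line):
    """Return the interesting fields of one AVC record, or None for other record types."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    return {
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        "path": fields.get("path"),
        "tclass": fields.get("tclass"),
        "stype": type_of(fields.get("scontext", "")),
        "ttype": type_of(fields.get("tcontext", "")),
    }


def load_customizable_types(path="/etc/selinux/targeted/contexts/customizable_types"):
    """Read the system list; fall back to the constructed sample when it is absent."""
    try:
        with open(path) as fh:
            return {ln.strip() for ln in fh if ln.strip()}
    except OSError:
        return set(CUSTOMIZABLE_TYPES)


def analyze(log_text, customizable_types):
    """Tag each AVC denial with whether a plain restorecon would relabel the target."""
    results = []
    for line in log_text.splitlines():
        avc = parse_avc(line)
        if avc is None:
            continue
        if avc["ttype"] in customizable_types:
            avc["verdict"] = "customizable"
            avc["advice"] = (
                f"{avc['ttype']} is a customizable type: 'restorecon -R' keeps it. "
                f"Check whether {avc['path']} is deliberately in use under that label "
                f"(e.g. as a VM disk) before resetting it with 'restorecon -F'."
            )
        else:
            avc["verdict"] = "default"
            avc["advice"] = (
                f"{avc['ttype']} is not customizable: 'restorecon -v {avc['path']}' "
                f"resets it to the file-context default if the label is wrong."
            )
        results.append(avc)
    return results


if __name__ == "__main__":
    for r in analyze(SAMPLE_AUDIT_LOG, load_customizable_types()):
        print(f"{r['comm']} ({r['stype']}) denied {' '.join(r['perms'])} on "
              f"{r['path']} [{r['tclass']}:{r['ttype']}] -> {r['verdict']}")
        print("  " + r["advice"])
```

Run it as `python3 avc_customizable.py` on the embedded sample, or replace `SAMPLE_AUDIT_LOG` with the contents of /var/log/audit/audit.log. The point of the split verdict is triage order: a denial against a customizable target type is usually a sign the object is already in use by something else (here a virtual machine disk), so the label itself should be examined before either `restorecon -F` or an `audit2allow` module is applied.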