Bug 1049912

Summary: SELinux is preventing /usr/sbin/mdadm from 'read' accesses on the lnk_file HelpdeskRHEL4-RHEL4.x86_64.
Product: Fedora
Reporter: David Juran <djuran>
Component: logwatch
Assignee: Jan Synacek <jsynacek>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 20
CC: djuran, dominick.grift, dwalsh, frank, jsynacek, lvrabec, mgrepl, richardfearn, varekova
Target Milestone: ---
Target Release: ---
Hardware: x86_64
OS: Unspecified
Whiteboard: abrt_hash:3a0f1a4290e821f30e5901af28df896b099e573ba68bf969d8afd34e970192d8
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-10-07 14:34:40 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description David Juran 2014-01-08 13:15:45 UTC
Description of problem:
I believe this is actually a problem with logwatch. On my laptop I have a number of logical volumes that are used for backing virtual machines. Hence libvirt (or maybe virt-manager) has set their context to system_u:object_r:virt_image_t:s0. So far so good.
But when logwatch runs, it has a script /usr/share/logwatch/scripts/services/mdadm that runs
    mdadm --examine --scan
which I believe triggers this AVC.
So how to avoid this? My immediate thought is that logwatch has no business checking any volumes that are part of virtual machines. So would it somehow be possible to filter the list of scanned volumes to exclude ones that are marked as virt_image_t?
SELinux is preventing /usr/sbin/mdadm from 'read' accesses on the lnk_file HelpdeskRHEL4-RHEL4.x86_64.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that mdadm should be allowed read access on the HelpdeskRHEL4-RHEL4.x86_64 lnk_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep mdadm /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:mdadm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:virt_image_t:s0
Target Objects                HelpdeskRHEL4-RHEL4.x86_64 [ lnk_file ]
Source                        mdadm
Source Path                   /usr/sbin/mdadm
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           mdadm-3.3-4.fc20.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-106.fc20.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.12.6-300.fc20.x86_64 #1 SMP Mon
                              Dec 23 16:44:31 UTC 2013 x86_64 x86_64
Alert Count                   113
First Seen                    2013-07-30 12:33:28 CEST
Last Seen                     2014-01-08 07:44:15 CET
Local ID                      7dab806c-da84-4b82-b99d-b3004abe3e75

Raw Audit Messages
type=AVC msg=audit(1389163455.329:1648): avc:  denied  { read } for  pid=10402 comm="mdadm" name="HelpdeskRHEL4-RHEL4.x86_64" dev="devtmpfs" ino=16686 scontext=system_u:system_r:mdadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_image_t:s0 tclass=lnk_file


type=SYSCALL msg=audit(1389163455.329:1648): arch=x86_64 syscall=stat success=no exit=EACCES a0=15c7710 a1=7fff06572290 a2=7fff06572290 a3=100 items=0 ppid=10401 pid=10402 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=109 tty=(none) comm=mdadm exe=/usr/sbin/mdadm subj=system_u:system_r:mdadm_t:s0-s0:c0.c1023 key=(null)

Hash: mdadm,mdadm_t,virt_image_t,lnk_file,read

Additional info:
reporter:       libreport-2.1.10
hashmarkername: setroubleshoot
kernel:         3.12.6-300.fc20.x86_64
type:           libreport
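The AVC and SYSCALL records quoted above are what setroubleshoot condenses into its `Hash:` line. The following is an added example, not part of this bug report and not code from logwatch, mdadm or setroubleshoot, that parses such audit records, joins each AVC to the SYSCALL record sharing its audit serial (so the failing syscall and executable are visible next to the denial), and reduces the denials to the same (comm, source type, target type, class, permission) key that the `Hash:` line uses. The sample log is constructed: the first two lines are the records from this report, the remaining two are made-up records with the same contexts so that grouping has something to count.

```python
import re
from collections import defaultdict

# Constructed sample: the two records quoted in the report plus two made-up
# denials with the same contexts (different object names / object class).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1389163455.329:1648): avc:  denied  { read } for  pid=10402 comm="mdadm" name="HelpdeskRHEL4-RHEL4.x86_64" dev="devtmpfs" ino=16686 scontext=system_u:system_r:mdadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_image_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1389163455.329:1648): arch=x86_64 syscall=stat success=no exit=EACCES a0=15c7710 a1=7fff06572290 a2=7fff06572290 a3=100 items=0 ppid=10401 pid=10402 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=109 tty=(none) comm=mdadm exe=/usr/sbin/mdadm subj=system_u:system_r:mdadm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1389163456.101:1649): avc:  denied  { read } for  pid=10402 comm="mdadm" name="vm-disk2" dev="devtmpfs" ino=16690 scontext=system_u:system_r:mdadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_image_t:s0 tclass=lnk_file
type=AVC msg=audit(1389163460.500:1650): avc:  denied  { getattr } for  pid=10777 comm="mdadm" path="/dev/dm-7" dev="devtmpfs" ino=1200 scontext=system_u:system_r:mdadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_image_t:s0 tclass=blk_file
"""

AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)$'
)
SYSCALL_RE = re.compile(
    r'^type=SYSCALL msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<rest>.*)$'
)
# key=value pairs; values are either "quoted" or a run of non-whitespace.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(rest):
    """Turn 'pid=1 comm="x" exe=/bin/y' into a dict with quotes stripped."""
    return {k: v.strip('"') for k, v in KV_RE.findall(rest)}


def type_of(context):
    """user:role:type:level -> type (the third field of an SELinux context)."""
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 else context


def parse_audit(text):
    """Return a list of AVC dicts, each joined to its SYSCALL record by serial."""
    avcs, syscalls = [], {}
    for line in text.splitlines():
        m = AVC_RE.match(line)
        if m:
            rec = parse_kv(m.group('rest'))
            rec.update(ts=m.group('ts'), serial=m.group('serial'),
                       result=m.group('result'), perms=m.group('perms').split())
            avcs.append(rec)
            continue
        m = SYSCALL_RE.match(line)
        if m:
            syscalls[m.group('serial')] = parse_kv(m.group('rest'))
    # The audit serial is the join key between an AVC and its SYSCALL record.
    for rec in avcs:
        sc = syscalls.get(rec['serial'], {})
        rec['syscall'] = sc.get('syscall')
        rec['exe'] = sc.get('exe')
    return avcs


def summarize(avcs):
    """Count denials per (comm, source type, target type, class, permission)."""
    counts = defaultdict(int)
    for rec in avcs:
        if rec['result'] != 'denied':
            continue
        for perm in rec['perms']:
            key = (rec['comm'], type_of(rec['scontext']),
                   type_of(rec['tcontext']), rec['tclass'], perm)
            counts[key] += 1
    return dict(counts)


def hash_line(key):
    """Render a summary key the way setroubleshoot's 'Hash:' line does."""
    return ','.join(key)


if __name__ == '__main__':
    records = parse_audit(SAMPLE_AUDIT_LOG)
    for key, n in sorted(summarize(records).items()):
        print(f'{n:4d}  {hash_line(key)}')
```

On a real host the same functions can be fed `ausearch -m AVC,SYSCALL --raw` output; grouping by the hash key is what makes a noisy log (113 alerts in this report) readable, and the per-key target type (`virt_image_t` here) is the piece of information a policy fix or an exclusion in the scanning script needs.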

Comment 1 Jan Synacek 2014-09-24 07:00:27 UTC
Please try https://admin.fedoraproject.org/updates/logwatch-7.4.1-1.20140924svn242.fc20 to see if it resolves the issue.

Comment 2 David Juran 2014-10-07 14:34:40 UTC
Sorry for the delay. I can confirm that with logwatch-7.4.1-2.20140924svn242.fc20.noarch I get no more AVCs.