Bug 1970744

Summary: denied { getattr } for comm="mdadm" path="/dev/dma_heap"
Product: [Fedora] Fedora
Reporter: Martin Pitt <mpitt>
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Docs Contact:
Priority: high
Version: 34
CC: bgoncalv, canyon, ccastello, dan, dwalsh, grepl.miroslav, jp+bugzilla, lvrabec, mmalik, omosnace, prd-fedora, r3pek, rhbugs, vmojzis, zpytela
Target Milestone: ---
Keywords: Regression, Triaged
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: selinux-policy-34.12-1.fc34
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-06-30 03:15:59 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Martin Pitt 2021-06-11 05:36:55 UTC
Description of problem: Yesterday's selinux-policy update [1] caused a new regression with mdadm:

audit: type=1400 audit(1623380809.049:365): avc:  denied  { getattr } for  pid=1758 comm="mdadm" path="/dev/dma_heap" dev="devtmpfs" ino=127 scontext=system_u:system_r:mdadm_t:s0 tcontext=system_u:object_r:dma_device_dir_t:s0 tclass=dir permissive=0

This was spotted by our regular CI runs on updates-testing [2], but the update was pushed through -testing so fast (< 24 h) that there is no chance in the world to catch and report it.


That update fixed bug 1968654, which sounds very related -- it fixed the "associate" action on the very same object.

Version-Release number of selected component (if applicable):


How reproducible: Always


Additional info:

[1] https://bodhi.fedoraproject.org/updates/FEDORA-2021-d8e34dbd6e
[2] https://github.com/cockpit-project/bots/pull/2106
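
Added example, not part of the original report or of the selinux-policy or cockpit projects: a Python parser for AVC records like the one quoted above, reducing each denial to a (source type, target type, class, permissions) signature so a CI run can report only denials absent from a known baseline. The function names, the `baseline` parameter and the second and third log lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# First line is the denial quoted in this report; the other two are constructed.
SAMPLE_LOG = '''\
audit: type=1400 audit(1623380809.049:365): avc:  denied  { getattr } for  pid=1758 comm="mdadm" path="/dev/dma_heap" dev="devtmpfs" ino=127 scontext=system_u:system_r:mdadm_t:s0 tcontext=system_u:object_r:dma_device_dir_t:s0 tclass=dir permissive=0
audit: type=1400 audit(1623380811.120:371): avc:  denied  { getattr } for  pid=1801 comm="mdadm" path="/dev/dma_heap" dev="devtmpfs" ino=127 scontext=system_u:system_r:mdadm_t:s0 tcontext=system_u:object_r:dma_device_dir_t:s0 tclass=dir permissive=0
audit: type=1400 audit(1623380812.300:372): avc:  denied  { read open } for  pid=1900 comm="example" path="/tmp/example" dev="tmpfs" ino=42 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:example_file_t:s0:c0.c1023 tclass=file permissive=1
'''

AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value, value optionally double-quoted

def parse_avc(line):
    """Return the fields of one AVC record as a dict, or None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {key: value.strip('"') for key, value in KV_RE.findall(m.group("rest"))}
    rec["result"] = m.group("result")
    rec["perms"] = m.group("perms").split()
    # A context is user:role:type:level; the level may itself contain ':' (MCS/MLS),
    # so split at most three times and take the third field as the type.
    for key in ("scontext", "tcontext"):
        parts = rec.get(key, "").split(":", 3)
        rec[key + "_type"] = parts[2] if len(parts) >= 3 else None
    return rec

def signature(rec):
    """Identity of a denial, ignoring pid, inode, timestamp and audit serial."""
    return (rec["scontext_type"], rec["tcontext_type"],
            rec.get("tclass"), tuple(sorted(rec["perms"])))

def new_denials(log_text, baseline=frozenset()):
    """Count denials whose signature is not in the baseline of known ones."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["result"] == "denied" and signature(rec) not in baseline:
            counts[signature(rec)] += 1
    return dict(counts)

if __name__ == "__main__":
    known = {("example_t", "example_file_t", "file", ("open", "read"))}
    for sig, n in new_denials(SAMPLE_LOG, known).items():
        print(n, sig)
```
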

Comment 1 Zdenek Pytela 2021-06-15 20:53:18 UTC
*** Bug 1972412 has been marked as a duplicate of this bug. ***

Comment 2 Zdenek Pytela 2021-06-15 20:53:34 UTC
*** Bug 1972413 has been marked as a duplicate of this bug. ***

Comment 3 Zdenek Pytela 2021-06-18 18:04:40 UTC
*** Bug 1971517 has been marked as a duplicate of this bug. ***

Comment 4 Zdenek Pytela 2021-06-18 20:02:25 UTC
I've submitted a Fedora PR to address the issue:
https://github.com/fedora-selinux/selinux-policy/pull/787

Comment 5 Zdenek Pytela 2021-06-21 12:25:09 UTC
*** Bug 1974201 has been marked as a duplicate of this bug. ***

Comment 6 Fedora Update System 2021-06-24 15:28:27 UTC
FEDORA-2021-3df7370a94 has been submitted as an update to Fedora 34. https://bodhi.fedoraproject.org/updates/FEDORA-2021-3df7370a94

Comment 7 Fedora Update System 2021-06-24 16:55:59 UTC
FEDORA-2021-3df7370a94 has been pushed to the Fedora 34 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-3df7370a94`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-3df7370a94

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 8 Fedora Update System 2021-06-30 03:15:59 UTC
FEDORA-2021-3df7370a94 has been pushed to the Fedora 34 stable repository.
If the problem still persists, please make note of it in this bug report.