Bug 224011

Summary: SELinux AVC denied { read } for pid=2390 comm="mdadm" - accessing storage on a node
Product: Red Hat Enterprise Linux 5 Reporter: Len DiMaggio <ldimaggi>
Component: congaAssignee: Jim Parsons <jparsons>
Status: CLOSED ERRATA QA Contact: Corey Marthaler <cmarthal>
Severity: medium Docs Contact:
Priority: medium    
Version: 5.0CC: cluster-maint, djansa, dwalsh, jlaska, kanderso, kupcevic, rmccabe
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: RHSA-2007-0640 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2007-11-07 15:36:45 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Len DiMaggio 2007-01-23 16:29:22 UTC 
Description of problem:
SELinux AVC denied  { read } for  pid=2390 comm="mdadm" - accessing storage on a
node

Version-Release number of selected component (if applicable):
selinux-policy-2.4.6-28.el5
selinux-policy-targeted-2.4.6-28.el5
luci-0.8-29.el5
ricci-0.8-29.el5

How reproducible:
100%

Steps to Reproduce:
1. Access a node's storage
2. Note - no error is displayed by luci
  
Actual results:
Audit log fragment is listed below.

Expected results:
No read denied messages in audit log.

Additional info:

type=AVC msg=audit(1169568462.642:31): avc:  denied  { read } for  pid=2390
comm="mdadm" name="sg1" dev=tmpfs ino=3959 scontext=system_u:system_r:mdadm_t:s0
tcontext=system_u:object_r:scsi_generic_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1169568462.642:31): arch=40000003 syscall=5 success=no
exit=-13 a0=94a3e08 a1=0 a2=0 a3=1 items=0 ppid=2381 pid=2390 auid=4294967295
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="mdadm"
exe="/sbin/mdadm" subj=system_u:system_r:mdadm_t:s0 key=(null)
type=AVC msg=audit(1169568462.960:32): avc:  denied  { read } for  pid=2390
comm="mdadm" name="rtc" dev=tmpfs ino=629 scontext=system_u:system_r:mdadm_t:s0
tcontext=system_u:object_r:clock_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1169568462.960:32): arch=40000003 syscall=5 success=no
exit=-13 a0=94a3d58 a1=0 a2=0 a3=1 items=0 ppid=2381 pid=2390 auid=4294967295
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="mdadm"
exe="/sbin/mdadm" subj=system_u:system_r:mdadm_t:s0 key=(null)
type=AVC msg=audit(1169568464.184:33): avc:  denied  { read } for  pid=2414
comm="modinfo" name="gfs.ko" dev=dm-0 ino=2058548
scontext=system_u:system_r:ricci_modstorage_t:s0
tcontext=system_u:object_r:modules_object_t:s0 tclass=file
type=SYSCALL msg=audit(1169568464.184:33): arch=40000003 syscall=5 success=no
exit=-13 a0=9cbd090 a1=0 a2=1b6 a3=9cc3630 items=0 ppid=2381 pid=2414
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) comm="modinfo" exe="/sbin/modinfo"
subj=system_u:system_r:ricci_modstorage_t:s0 key=(null)
type=AVC msg=audit(1169568464.223:34): avc:  denied  { read } for  pid=2415
comm="modinfo" name="gfs2.ko" dev=dm-0 ino=2058052
scontext=system_u:system_r:ricci_modstorage_t:s0
tcontext=system_u:object_r:modules_object_t:s0 tclass=file
type=SYSCALL msg=audit(1169568464.223:34): arch=40000003 syscall=5 success=no
exit=-13 a0=8b24008 a1=0 a2=1b6 a3=8b2a6a8 items=0 ppid=2381 pid=2415
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) comm="modinfo" exe="/sbin/modinfo"
subj=system_u:system_r:ricci_modstorage_t:s0 key=(null)
Comment 1 Len DiMaggio 2007-01-23 17:35:26 UTC 
Note that there are also messages for modinfo in the above log fragment - for
example:

type=AVC msg=audit(1169568464.184:33): avc:  denied  { read } for  pid=2414
comm="modinfo" name="gfs.ko" dev=dm-0 ino=2058548
scontext=system_u:system_r:ricci_modstorage_t:s0
tcontext=system_u:object_r:modules_object_t:s0 tclass=file
Comment 2 Daniel Walsh 2007-01-23 20:47:03 UTC 
Fixd in selinux-policy-2.4.6-29
Comment 3 Kiersten (Kerri) Anderson 2007-04-23 17:10:22 UTC 
Fixing Product Name.  Cluster Suite was merged into Enterprise Linux for version
5.0.
Comment 7 errata-xmlrpc 2007-11-07 15:36:45 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2007-0640.html