Bug 244582

Summary: selinux prevents sendmail access to /proc/mdstat
Product: Fedora
Component: mdadm
Version: 7
Hardware: All
OS: Linux
Status: CLOSED ERRATA
Severity: medium
Priority: low
Reporter: Jeroen Beerstra <jeroen>
Assignee: Doug Ledford <dledford>
CC: dwalsh, jmorris
Fixed In Version: 2.6.2-4.fc7
Doc Type: Bug Fix
Last Closed: 2007-07-20 19:35:46 UTC

Description Jeroen Beerstra 2007-06-17 17:17:51 UTC
Description of problem: SELinux alert when mdadm tries to send an e-mail alert


Version-Release number of selected component (if applicable): 
selinux-policy-targeted-2.6.4-14.fc7


How reproducible:


Steps to Reproduce:
1. sudo mdadm /dev/mdX --fail /some/device
2. an e-mail is sent
3. a SELinux denial alert is logged
  
Actual results:

SELinux alert


Expected results:

No SELinux alert


Additional info:

Summary
    SELinux is preventing /usr/sbin/sendmail.sendmail (system_mail_t) "read" to
    /proc/mdstat (proc_mdstat_t).

Detailed Description
    SELinux denied access requested by /usr/sbin/sendmail.sendmail. It is not
    expected that this access is required by /usr/sbin/sendmail.sendmail and
    this access may signal an intrusion attempt. It is also possible that the
    specific version or configuration of the application is causing it to
    require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for /proc/mdstat, restorecon -v
    /proc/mdstat If this does not work, there is currently no automatic way to
    allow this access. Instead,  you can generate a local policy module to allow
    this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385
    Or you can disable SELinux protection altogether. Disabling SELinux
    protection is not recommended. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information        

Source Context                system_u:system_r:system_mail_t
Target Context                system_u:object_r:proc_mdstat_t
Target Objects                /proc/mdstat [ file ]
Affected RPM Packages         sendmail-8.14.1-2 [application]
Policy RPM                    selinux-policy-2.6.4-14.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall_file
Host Name                     neo.lokaal.net
Platform                      Linux neo.lokaal.net 2.6.21-1.3228.fc7 #1 SMP Tue
                              Jun 12 14:56:37 EDT 2007 x86_64 x86_64
Alert Count                   1
First Seen                    zo 17 jun 2007 11:48:10 CEST
Last Seen                     zo 17 jun 2007 11:48:10 CEST
Local ID                      54879a85-9e70-44d9-8eb7-96af18f42f58
Line Numbers                  

Raw Audit Messages            

avc: denied { read } for comm="sendmail" dev=proc egid=51 euid=0
exe="/usr/sbin/sendmail.sendmail" exit=0 fsgid=51 fsuid=0 gid=0 items=0
name="mdstat" path="/proc/mdstat" pid=17388
scontext=system_u:system_r:system_mail_t:s0 sgid=51
subj=system_u:system_r:system_mail_t:s0 suid=0 tclass=file
tcontext=system_u:object_r:proc_mdstat_t:s0 tty=(none) uid=0

Comment 1 Daniel Walsh 2007-06-18 14:59:12 UTC
This is a leaked file descriptor.  mdstat/mdadm is opening a file descriptor to
/proc/mdstat without setting the CLOEXEC flag on the file descriptor.  Later it
executes sendmail, which causes the kernel to check access to the open file
descriptor, generating this AVC.
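
The leak described in the comment above, as an added example that is not part of the bug report and is not mdadm's own code: a descriptor opened without the close-on-exec flag stays open across execve(), so it sits in the new program's fd table, and SELinux revalidates every inherited descriptor against the new domain (here system_mail_t) at exec time and logs an AVC for each one the new domain may not use. The example opens /dev/null as a stand-in for /proc/mdstat (an assumption; the path does not matter for the leak), then forks and execs /bin/sh and asks the shell whether the descriptor still exists. The two fixes shown are the ones that applied at the time: fcntl(F_SETFD, FD_CLOEXEC) right after open(), which works on the 2.6.21 kernel in this report, and O_CLOEXEC at open(), which needs Linux 2.6.23 or later. Which of these the actual mdadm-2.6.2 fix used is not stated on this page.

```c
/* Added example, not taken from the bug report or from mdadm: a descriptor
 * opened without close-on-exec survives execve() and appears in the new
 * program's fd table; FD_CLOEXEC (or O_CLOEXEC) stops that. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <fcntl.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Stand-in for /proc/mdstat so the example runs anywhere (assumption: only
 * the descriptor flags matter for the leak, not the path). */
#define SAMPLE_PATH "/dev/null"

/* 1 if fd carries FD_CLOEXEC, 0 if not, -1 if fd is not open. */
int has_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    return flags < 0 ? -1 : (flags & FD_CLOEXEC) != 0;
}

/* Fork, exec /bin/sh and let the new program report whether descriptor fd
 * is still open in its own table: ": <&N" succeeds only if N exists.
 * Returns 1 if the fd leaked into the exec'd program, 0 if exec closed it,
 * -1 if fork/exec/wait failed. */
int fd_survives_exec(int fd)
{
    char cmd[48];
    snprintf(cmd, sizeof cmd, ": 2>/dev/null <&%d", fd);

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);                       /* exec itself failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)
        || WEXITSTATUS(status) == 127)
        return -1;
    return WEXITSTATUS(status) == 0;
}

/* The leaky pattern from the report: plain open(), nothing else. */
int open_leaky(const char *path)
{
    return open(path, O_RDONLY);
}

/* Fix usable on kernels of the era (2.6.21 here): set FD_CLOEXEC right
 * after open(). A second thread that forks and execs between the two calls
 * can still leak the fd, which is why O_CLOEXEC was added later. */
int open_cloexec_fcntl(const char *path)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0 || fcntl(fd, F_SETFD, flags | FD_CLOEXEC) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Fix on Linux 2.6.23 and later: close-on-exec set atomically by open(). */
int open_cloexec_atomic(const char *path)
{
    return open(path, O_RDONLY | O_CLOEXEC);
}

/* Open SAMPLE_PATH with the given opener, run one probe, close the fd. */
int cloexec_set(int (*opener)(const char *))
{
    int fd = opener(SAMPLE_PATH);
    if (fd < 0)
        return -1;
    int r = has_cloexec(fd);
    close(fd);
    return r;
}

int leaks_across_exec(int (*opener)(const char *))
{
    int fd = opener(SAMPLE_PATH);
    if (fd < 0)
        return -1;
    int r = fd_survives_exec(fd);
    close(fd);
    return r;
}

int main(void)
{
    int (*openers[])(const char *) = { open_leaky, open_cloexec_fcntl,
                                       open_cloexec_atomic };
    const char *names[] = { "open() only", "fcntl(FD_CLOEXEC)", "O_CLOEXEC" };
    for (int i = 0; i < 3; i++)
        printf("%-18s cloexec=%d leaks_across_exec=%d\n", names[i],
               cloexec_set(openers[i]), leaks_across_exec(openers[i]));
    return 0;
}
```

Compiled and run, the plain open() line reports cloexec=0 and leaks_across_exec=1, the two fixed variants report cloexec=1 and leaks_across_exec=0. The same probe is a cheap regression check for any daemon that execs helpers (a mailer, a notification script) from a domain that holds descriptors the helper's domain is not allowed to touch: every fd that survives exec is one the target domain will be checked against.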

Comment 2 Doug Ledford 2007-07-02 16:28:58 UTC
Problem should be resolved in mdadm-2.6.2-2 or later.

Comment 3 Doug Ledford 2007-07-03 17:05:46 UTC
*** Bug 216241 has been marked as a duplicate of this bug. ***

Comment 4 Fedora Update System 2007-07-05 19:11:51 UTC
mdadm-2.6.2-2.fc7 has been pushed to the Fedora 7 testing repository.  If problems still persist, please make note of it in this bug report.

Comment 5 Jeroen Beerstra 2007-07-06 12:30:49 UTC
This gets me a little further, this is what I did:

I have a SoftRaid1 volume md1 containing a huge backup partition:

mdadm -D /dev/md1
/dev/md1:
        Version : 00.90.03
  Creation Time : Sun Nov 20 08:35:18 2005
     Raid Level : raid1
     Array Size : 70035264 (66.79 GiB 71.72 GB)
  Used Dev Size : 70035264 (66.79 GiB 71.72 GB)
   Raid Devices : 2
  Total Devices : 2
Preferred Minor : 1
    Persistence : Superblock is persistent

    Update Time : Fri Jul  6 14:12:45 2007
          State : clean, degraded, recovering
 Active Devices : 1
Working Devices : 2
 Failed Devices : 0
  Spare Devices : 1

 Rebuild Status : 36% complete

           UUID : e50db7ed:cda3307c:b7e4159b:55a7c65d
         Events : 0.119304

    Number   Major   Minor   RaidDevice State
       0       8        5        0      active sync   /dev/sda5
       2       8       21        1      spare rebuilding   /dev/sdb5

This is after I did a:

# mdadm /dev/md1 -f /dev/sdb5

And stopped and restarted md1 and readded /dev/sdb5

These are the results:

Fail event on /dev/md1:neo.lokaal.net
From: mdadm monitoring <root.net>
To: root.net
Date: today 13:53:38
   
This is an automatically generated mail message from mdadm
running on neo.lokaal.net

A Fail event had been detected on md device /dev/md1.

Faithfully yours, etc.

P.S. The /proc/mdstat file currently contains the following:

Personalities : [raid0] [raid1] 
md1 : active raid1 sda5[0] sdb5[2](F)
      70035264 blocks [2/1] [U_]
      
md0 : active raid0 sda2[0] sdb1[1]
      176843264 blocks 256k chunks
      
unused devices: <none>

$ rpm -q mdadm
mdadm-2.6.2-2.fc7

So I do get results from /proc/mdstat this time; however, 2 SELinux denials are
logged:

Summary
    SELinux is preventing sh (mdadm_t) "getattr" to /root (user_home_dir_t).

Detailed Description
    SELinux denied access requested by sh. It is not expected that this access
    is required by sh and this access may signal an intrusion attempt. It is
    also possible that the specific version or configuration of the application
    is causing it to require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for /root, restorecon -v /root If
    this does not work, there is currently no automatic way to allow this
    access. Instead,  you can generate a local policy module to allow this
    access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you
    can disable SELinux protection altogether. Disabling SELinux protection is
    not recommended. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information        

Source Context                user_u:system_r:mdadm_t
Target Context                root:object_r:user_home_dir_t
Target Objects                /root [ dir ]
Affected RPM Packages         filesystem-2.4.6-1.fc7 [target]
Policy RPM                    selinux-policy-2.6.4-23.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall_file
Host Name                     neo.lokaal.net
Platform                      Linux neo.lokaal.net 2.6.21-1.3228.fc7 #1 SMP Tue
                              Jun 12 14:56:37 EDT 2007 x86_64 x86_64
Alert Count                   1
First Seen                    vr 06 jul 2007 13:53:37 CEST
Last Seen                     vr 06 jul 2007 14:10:57 CEST
Local ID                      6bad4ccb-3cab-43a4-b9c5-295c30099f61
Line Numbers                  

Raw Audit Messages            

avc: denied { getattr } for comm="sh" dev=dm-13 egid=0 euid=0 exe="/bin/bash"
exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="/" path="/root" pid=14419
scontext=user_u:system_r:mdadm_t:s0 sgid=0 subj=user_u:system_r:mdadm_t:s0
suid=0 tclass=dir tcontext=root:object_r:user_home_dir_t:s0 tty=(none) uid=0

Summary
    SELinux is preventing sh (mdadm_t) "search" to / (user_home_dir_t).

Detailed Description
    SELinux denied access requested by sh. It is not expected that this access
    is required by sh and this access may signal an intrusion attempt. It is
    also possible that the specific version or configuration of the application
    is causing it to require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for /, restorecon -v / If this does
    not work, there is currently no automatic way to allow this access. Instead,
    you can generate a local policy module to allow this access - see
    http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable
    SELinux protection altogether. Disabling SELinux protection is not
    recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
    against this package.

Additional Information        

Source Context                user_u:system_r:mdadm_t
Target Context                root:object_r:user_home_dir_t
Target Objects                / [ dir ]
Affected RPM Packages         filesystem-2.4.6-1.fc7 [target]
Policy RPM                    selinux-policy-2.6.4-23.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall_file
Host Name                     neo.lokaal.net
Platform                      Linux neo.lokaal.net 2.6.21-1.3228.fc7 #1 SMP Tue
                              Jun 12 14:56:37 EDT 2007 x86_64 x86_64
Alert Count                   1
First Seen                    vr 06 jul 2007 13:53:37 CEST
Last Seen                     vr 06 jul 2007 14:10:57 CEST
Local ID                      3ac1bf0b-632d-42d0-a204-2fb0b43ae64d
Line Numbers                  

Raw Audit Messages            

avc: denied { search } for comm="sh" dev=dm-13 egid=0 euid=0 exe="/bin/bash"
exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="/" pid=14419
scontext=user_u:system_r:mdadm_t:s0 sgid=0 subj=user_u:system_r:mdadm_t:s0
suid=0 tclass=dir tcontext=root:object_r:user_home_dir_t:s0 tty=(none) uid=0

I did a restorecon the way Setroubleshoot told me to, however nothing relevant
was relabeled.

BTW, is there a quicker way to test this? Ideally I just want to mark a partition
as failed and then hot-add it right away; is this possible? This is taking
forever to test...


Comment 6 Jeroen Beerstra 2007-07-06 12:36:22 UTC
Forgot one SELinux alert:

Summary
    SELinux is preventing /usr/sbin/sendmail.sendmail (system_mail_t) "read" to
    /dev/md1 (fixed_disk_device_t).

Detailed Description
    SELinux denied access requested by /usr/sbin/sendmail.sendmail. It is not
    expected that this access is required by /usr/sbin/sendmail.sendmail and
    this access may signal an intrusion attempt. It is also possible that the
    specific version or configuration of the application is causing it to
    require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for /dev/md1, restorecon -v /dev/md1
    If this does not work, there is currently no automatic way to allow this
    access. Instead,  you can generate a local policy module to allow this
    access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you
    can disable SELinux protection altogether. Disabling SELinux protection is
    not recommended. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information        

Source Context                user_u:system_r:system_mail_t
Target Context                system_u:object_r:fixed_disk_device_t
Target Objects                /dev/md1 [ blk_file ]
Affected RPM Packages         sendmail-8.14.1-2 [application]
Policy RPM                    selinux-policy-2.6.4-23.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall_file
Host Name                     neo.lokaal.net
Platform                      Linux neo.lokaal.net 2.6.21-1.3228.fc7 #1 SMP Tue
                              Jun 12 14:56:37 EDT 2007 x86_64 x86_64
Alert Count                   1
First Seen                    vr 06 jul 2007 14:10:57 CEST
Last Seen                     vr 06 jul 2007 14:10:57 CEST
Local ID                      5f4be6bc-758f-445c-af69-53db28b4457a
Line Numbers                  

Raw Audit Messages            

avc: denied { read } for comm="sendmail" dev=tmpfs egid=51 euid=0
exe="/usr/sbin/sendmail.sendmail" exit=0 fsgid=51 fsuid=0 gid=0 items=0
name="md1" path="/dev/md1" pid=14419 scontext=user_u:system_r:system_mail_t:s0
sgid=51 subj=user_u:system_r:system_mail_t:s0 suid=0 tclass=blk_file
tcontext=system_u:object_r:fixed_disk_device_t:s0 tty=(none) uid=0

Comment 7 Daniel Walsh 2007-07-06 16:02:30 UTC
The AVC messages about access to the home_dir are caused because you started
mdadm in the user's homedir.  It is just checking access to the current
working directory and generating denials.  If you cd to / before executing this
command you should not get this denial.  The last AVC is still being caused by a
leaked file descriptor.

Comment 8 Doug Ledford 2007-07-06 16:40:54 UTC
I'm building mdadm-2.6.2-3 now, it should solve the last leaked file descriptor
issue.

Comment 9 Fedora Update System 2007-07-09 15:47:35 UTC
mdadm-2.6.2-3.fc7 has been pushed to the Fedora 7 testing repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Jeroen Beerstra 2007-07-09 19:14:26 UTC
No more AVCs.

Comment 11 Fedora Update System 2007-07-10 06:42:10 UTC
mdadm-2.6.2-4.fc7 has been pushed to the Fedora 7 testing repository.  If problems still persist, please make note of it in this bug report.

Comment 12 Fedora Update System 2007-07-20 19:35:10 UTC
mdadm-2.6.2-4.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.