Bug 244582

| Summary: | selinux prevents sendmail access to /proc/mdstat | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Jeroen Beerstra <jeroen> |
| Component: | mdadm | Assignee: | Doug Ledford <dledford> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | low | | |
| Version: | 7 | CC: | dwalsh, jmorris |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | 2.6.2-4.fc7 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2007-07-20 19:35:46 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description

Jeroen Beerstra, 2007-06-17 17:17:51 UTC

---

This is a leaked file descriptor. mdstat/mdadm is opening a file descriptor to /proc/mdstat without setting the CLOEXEC flag on the file descriptor. Later it executes sendmail, which causes the kernel to check access to the open file descriptor, generating this avc. Problem should be resolved in mdadm-2.6.2-2 or later.

---

*** Bug 216241 has been marked as a duplicate of this bug. ***

---

mdadm-2.6.2-2.fc7 has been pushed to the Fedora 7 testing repository. If problems still persist, please make note of it in this bug report.

---

This gets me a little further, this is what I did:

I have a SoftRaid1 volume md1 containing a huge backup partition:

```
# mdadm -D /dev/md1
/dev/md1:
        Version : 00.90.03
  Creation Time : Sun Nov 20 08:35:18 2005
     Raid Level : raid1
     Array Size : 70035264 (66.79 GiB 71.72 GB)
  Used Dev Size : 70035264 (66.79 GiB 71.72 GB)
   Raid Devices : 2
  Total Devices : 2
Preferred Minor : 1
    Persistence : Superblock is persistent

    Update Time : Fri Jul  6 14:12:45 2007
          State : clean, degraded, recovering
 Active Devices : 1
Working Devices : 2
 Failed Devices : 0
  Spare Devices : 1

 Rebuild Status : 36% complete

           UUID : e50db7ed:cda3307c:b7e4159b:55a7c65d
         Events : 0.119304

    Number   Major   Minor   RaidDevice State
       0       8        5        0      active sync   /dev/sda5
       2       8       21        1      spare rebuilding   /dev/sdb5
```

This is after I did a:

```
# mdadm /dev/md1 -f /dev/sdb5
```

And stopped and restarted md1 and re-added /dev/sdb5. These are the results:

```
Fail event on /dev/md1:neo.lokaal.net
From: mdadm monitoring <root.net>
To: root.net
Date: today 13:53:38

This is an automatically generated mail message from mdadm
running on neo.lokaal.net

A Fail event had been detected on md device /dev/md1.

Faithfully yours, etc.

P.S. The /proc/mdstat file currently contains the following:

Personalities : [raid0] [raid1]
md1 : active raid1 sda5[0] sdb5[2](F)
      70035264 blocks [2/1] [U_]

md0 : active raid0 sda2[0] sdb1[1]
      176843264 blocks 256k chunks

unused devices: <none>
```

```
$ rpm -q mdadm
mdadm-2.6.2-2.fc7
```

So I do get results from /proc/mdstat this time, however 2 SELinux denials are logged:

```
Summary
    SELinux is preventing sh (mdadm_t) "getattr" to /root (user_home_dir_t).

Detailed Description
    SELinux denied access requested by sh. It is not expected that this
    access is required by sh and this access may signal an intrusion
    attempt. It is also possible that the specific version or configuration
    of the application is causing it to require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials. You could try to
    restore the default system file context for /root,
    restorecon -v /root
    If this does not work, there is currently no automatic way to allow this
    access. Instead, you can generate a local policy module to allow this
    access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385
    Or you can disable SELinux protection altogether. Disabling SELinux
    protection is not recommended. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information

Source Context                user_u:system_r:mdadm_t
Target Context                root:object_r:user_home_dir_t
Target Objects                /root [ dir ]
Affected RPM Packages         filesystem-2.4.6-1.fc7 [target]
Policy RPM                    selinux-policy-2.6.4-23.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall_file
Host Name                     neo.lokaal.net
Platform                      Linux neo.lokaal.net 2.6.21-1.3228.fc7 #1 SMP Tue
                              Jun 12 14:56:37 EDT 2007 x86_64 x86_64
Alert Count                   1
First Seen                    vr 06 jul 2007 13:53:37 CEST
Last Seen                     vr 06 jul 2007 14:10:57 CEST
Local ID                      6bad4ccb-3cab-43a4-b9c5-295c30099f61
Line Numbers

Raw Audit Messages

avc: denied { getattr } for comm="sh" dev=dm-13 egid=0 euid=0 exe="/bin/bash" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="/" path="/root" pid=14419 scontext=user_u:system_r:mdadm_t:s0 sgid=0 subj=user_u:system_r:mdadm_t:s0 suid=0 tclass=dir tcontext=root:object_r:user_home_dir_t:s0 tty=(none) uid=0
```

```
Summary
    SELinux is preventing sh (mdadm_t) "search" to / (user_home_dir_t).

Detailed Description
    SELinux denied access requested by sh. It is not expected that this
    access is required by sh and this access may signal an intrusion
    attempt. It is also possible that the specific version or configuration
    of the application is causing it to require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials. You could try to
    restore the default system file context for /,
    restorecon -v /
    If this does not work, there is currently no automatic way to allow this
    access. Instead, you can generate a local policy module to allow this
    access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385
    Or you can disable SELinux protection altogether. Disabling SELinux
    protection is not recommended. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information

Source Context                user_u:system_r:mdadm_t
Target Context                root:object_r:user_home_dir_t
Target Objects                / [ dir ]
Affected RPM Packages         filesystem-2.4.6-1.fc7 [target]
Policy RPM                    selinux-policy-2.6.4-23.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall_file
Host Name                     neo.lokaal.net
Platform                      Linux neo.lokaal.net 2.6.21-1.3228.fc7 #1 SMP Tue
                              Jun 12 14:56:37 EDT 2007 x86_64 x86_64
Alert Count                   1
First Seen                    vr 06 jul 2007 13:53:37 CEST
Last Seen                     vr 06 jul 2007 14:10:57 CEST
Local ID                      3ac1bf0b-632d-42d0-a204-2fb0b43ae64d
Line Numbers

Raw Audit Messages

avc: denied { search } for comm="sh" dev=dm-13 egid=0 euid=0 exe="/bin/bash" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="/" pid=14419 scontext=user_u:system_r:mdadm_t:s0 sgid=0 subj=user_u:system_r:mdadm_t:s0 suid=0 tclass=dir tcontext=root:object_r:user_home_dir_t:s0 tty=(none) uid=0
```

I did a restorecon the way Setroubleshoot told me to, however nothing relevant was relabeled.

BTW, is there a quicker way to test this? Ideally I just want to mark a partition as failed and then hotadd it right away. Is this possible? This is taking forever to test...

---

Forgot one SELinux alert:

```
Summary
    SELinux is preventing /usr/sbin/sendmail.sendmail (system_mail_t) "read"
    to /dev/md1 (fixed_disk_device_t).

Detailed Description
    SELinux denied access requested by /usr/sbin/sendmail.sendmail. It is not
    expected that this access is required by /usr/sbin/sendmail.sendmail and
    this access may signal an intrusion attempt. It is also possible that the
    specific version or configuration of the application is causing it to
    require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials. You could try to
    restore the default system file context for /dev/md1,
    restorecon -v /dev/md1
    If this does not work, there is currently no automatic way to allow this
    access. Instead, you can generate a local policy module to allow this
    access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385
    Or you can disable SELinux protection altogether. Disabling SELinux
    protection is not recommended. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information

Source Context                user_u:system_r:system_mail_t
Target Context                system_u:object_r:fixed_disk_device_t
Target Objects                /dev/md1 [ blk_file ]
Affected RPM Packages         sendmail-8.14.1-2 [application]
Policy RPM                    selinux-policy-2.6.4-23.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall_file
Host Name                     neo.lokaal.net
Platform                      Linux neo.lokaal.net 2.6.21-1.3228.fc7 #1 SMP Tue
                              Jun 12 14:56:37 EDT 2007 x86_64 x86_64
Alert Count                   1
First Seen                    vr 06 jul 2007 14:10:57 CEST
Last Seen                     vr 06 jul 2007 14:10:57 CEST
Local ID                      5f4be6bc-758f-445c-af69-53db28b4457a
Line Numbers

Raw Audit Messages

avc: denied { read } for comm="sendmail" dev=tmpfs egid=51 euid=0 exe="/usr/sbin/sendmail.sendmail" exit=0 fsgid=51 fsuid=0 gid=0 items=0 name="md1" path="/dev/md1" pid=14419 scontext=user_u:system_r:system_mail_t:s0 sgid=51 subj=user_u:system_r:system_mail_t:s0 suid=0 tclass=blk_file tcontext=system_u:object_r:fixed_disk_device_t:s0 tty=(none) uid=0
```

---

The avc messages about access to the home_dir are caused because you started mdadm in the user's homedir. It is just checking access to the current working directory and generating denials. If you cd to / before executing this command you should not get this denial.

---

The last avc is still being caused by a leaked file descriptor. I'm building mdadm-2.6.2-3 now; it should solve the last leaked file descriptor issue.

---

mdadm-2.6.2-3.fc7 has been pushed to the Fedora 7 testing repository. If problems still persist, please make note of it in this bug report.

---

No more avc's.

---

mdadm-2.6.2-4.fc7 has been pushed to the Fedora 7 testing repository. If problems still persist, please make note of it in this bug report.

---

mdadm-2.6.2-4.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.
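The root cause the assignee describes above (a descriptor mdadm opened on /proc/mdstat, and later /dev/md1, without close-on-exec, inherited by the sendmail child it execs, so SELinux evaluates sendmail's system_mail_t domain against a file sendmail never asked for) is easy to reproduce and to guard against. The C program below is an added example written for this page; it is not mdadm's code or the Fedora fix. It uses a temporary file as a constructed stand-in for /proc/mdstat and /bin/sh as a stand-in for sendmail, and all function names (fd_is_cloexec, open_leaky, open_cloexec, set_cloexec, count_leakable_fds, make_stand_in, fd_survives_exec) are its own.

```c
// Added example for this bug page, not mdadm's code: the leaky open(2)
// pattern beside the O_CLOEXEC fix, a fcntl-based check, a /proc/self/fd
// audit to run before exec, and a fork+exec probe that shows the leak.
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* 1 if FD_CLOEXEC is set on fd, 0 if not, -1 if fd is not open. */
int fd_is_cloexec(int fd) {
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0) return -1;
    return (flags & FD_CLOEXEC) ? 1 : 0;
}

/* Leaky pattern: a plain open(2). The descriptor is inherited across
   execve(), so a child such as sendmail holds it open and the kernel checks
   the child's domain against the file's label, producing the AVC above. */
int open_leaky(const char *path) {
    return open(path, O_RDONLY);
}

/* Fixed pattern: O_CLOEXEC at open time. This is atomic; a later fcntl()
   leaves a window in which another thread's fork+exec could inherit it. */
int open_cloexec(const char *path) {
    return open(path, O_RDONLY | O_CLOEXEC);
}

/* Retrofit for a descriptor you did not open yourself. 0 on success. */
int set_cloexec(int fd) {
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0) return -1;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* Pre-exec self-check for a daemon: counts descriptors above stderr that
   would survive an exec, by walking /proc/self/fd. -1 if /proc is missing. */
int count_leakable_fds(void) {
    DIR *d = opendir("/proc/self/fd");
    if (!d) return -1;
    int own = dirfd(d), count = 0;
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        if (e->d_name[0] == '.') continue;
        int fd = atoi(e->d_name);
        if (fd <= 2 || fd == own) continue;      /* skip stdio and our DIR */
        if (fd_is_cloexec(fd) == 0) count++;
    }
    closedir(d);
    return count;
}

/* Constructed stand-in for /proc/mdstat: a temp file holding one
   mdstat-like line. Writes its path into buf; returns buf, or NULL. */
const char *make_stand_in(char *buf, size_t len) {
    static const char content[] = "Personalities : [raid1]\n";
    if (len < sizeof "/tmp/mdstat-XXXXXX") return NULL;
    strcpy(buf, "/tmp/mdstat-XXXXXX");
    int fd = mkstemp(buf);
    if (fd < 0) return NULL;
    ssize_t n = write(fd, content, sizeof content - 1);
    close(fd);
    return n == (ssize_t)(sizeof content - 1) ? buf : NULL;
}

/* Stand-in for the sendmail exec: the child sh tries to dup the inherited
   fd number. 1 if the child still saw it open (leaked), 0 if exec closed
   it, -1 if fork/wait failed. */
int fd_survives_exec(int fd) {
    char cmd[32];
    snprintf(cmd, sizeof cmd, "exec 9<&%d", fd);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status) == 0 ? 1 : 0;
}

int main(void) {
    char path[64];
    if (!make_stand_in(path, sizeof path)) return 1;
    int leaky = open_leaky(path), safe = open_cloexec(path);
    printf("plain open: cloexec=%d survives exec=%d\n",
           fd_is_cloexec(leaky), fd_survives_exec(leaky));
    printf("O_CLOEXEC:  cloexec=%d survives exec=%d\n",
           fd_is_cloexec(safe), fd_survives_exec(safe));
    printf("leakable fds before exec: %d\n", count_leakable_fds());
    close(leaky);
    close(safe);
    unlink(path);
    return 0;
}
```

The detection angle is in the raw audit message itself: comm="sendmail" running in system_mail_t with a blk_file target it has no reason to open is the signature of an inherited descriptor rather than of sendmail misbehaving, which is why relabeling with restorecon (the generic setroubleshoot advice) could not help here. A pre-exec audit such as count_leakable_fds, or simply opening everything with O_CLOEXEC, removes the class of bug at the source.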