Bug 443950
Field | Value
---|---
Summary | avc: denied { getattr } for comm="mdadm" path="/dev/.udev"
Product | Red Hat Enterprise Linux 5
Component | selinux-policy-targeted
Version | 5.2
Status | CLOSED ERRATA
Severity | low
Priority | low
Reporter | Milan Zázrivec <mzazrivec>
Assignee | Daniel Walsh <dwalsh>
CC | dledford, dwalsh, ebenes
Target Milestone | rc
Hardware | All
OS | Linux
Fixed In Version | RHBA-2008-0465
Doc Type | Bug Fix
Last Closed | 2008-05-21 16:43:38 UTC
Description
Milan Zázrivec
2008-04-24 09:59:06 UTC
Created attachment 303643 [details]
this is the full avc log when setenforce 0

Doug, does this avc denial have some serious impact on mdadm functionality (and therefore should be fixed in RHEL5.2) or can it be deferred for RHEL5.3? Thank you.
Well, if you are going to ask me a question in a bug, it's usually best to make sure I'm either assigned to the bug or at least cc'ed on the bug ;-) Setting the bug to needinfo from a person doesn't mean they get an email about it (at least I didn't get one). Now, that said, I don't have an answer for you. If the install succeeds, then I'm guessing it's not that important, but until I review the code to find out why it's trying to open that file I won't know what it's looking for but not getting.

I can't find any point in the mdadm code where it attempts to open or otherwise have anything to do with /dev/.udev.

The denial occurs only when mdadm is started with initscript:

    # /etc/init.d/mdmonitor start

When you run:

    # mdadm --monitor --scan -f --pid-file=/var/run/mdadm/mdadm.pid

as root, there's no avc denial whatsoever.

Do the denials happen if you log in as root and run /etc/init.d/mdmonitor stop; /etc/init.d/mdmonitor start? In other words, does this only happen when mdmonitor is started by the system init scripts at bootup or does it happen any time mdmonitor is run, including from the command line?

The denial occurs every time mdmonitor is started. That means when you log in as root and run /etc/init.d/mdmonitor stop; /etc/init.d/mdmonitor start; or when the service is started during system bootup. Same thing.

mdmonitor is running getattr on every file/directory in /dev. This is the equivalent of doing an ls /dev. SELinux does not allow mdmonitor to look at the /dev/.udev directory so it generates an AVC. This can be ignored. I will put in a dontaudit rule and if we need to update policy we can get the Fix for u2.

Actually looking at this further, the current policy is supposed to allow mdadm_t to read these files, so it should allow reading the directory.

Fixed in selinux-policy-2.4.6-136.el5

Created attachment 304105 [details]
avc log with permissive (selinux-policy-targeted-2.4.6-136.el5)

Fixed in selinux-policy-2.4.6-137.el5

An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2008-0465.html
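The triage decision in this thread (a getattr-only denial from an "ls /dev"-style scan is noise to dontaudit, while anything beyond getattr needs a real allow decision) can be automated over an audit log. The following is an added example, not code from the bug or from selinux-policy; the AVC records are constructed to resemble the denial in the summary, and the udev_tbl_t target type is assumed for /dev/.udev.

```python
import re
from collections import defaultdict

# Fields of an AVC denial record as logged by the kernel audit subsystem on RHEL 5.
# path= is optional because denials on non-file classes carry no path.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+'
    r'.*?\bcomm="(?P<comm>[^"]*)"'
    r'(?:.*?\bpath="(?P<path>[^"]*)")?'
    r'.*?\bscontext=(?P<scontext>\S+)'
    r'.*?\btcontext=(?P<tcontext>\S+)'
    r'.*?\btclass=(?P<tclass>\S+)'
)

def parse_avc(line):
    """Return the denial's fields as a dict, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["perms"] = tuple(sorted(d["perms"].split()))
    # Contexts look like user_u:system_r:mdadm_t:s0; the third field is the type.
    d["stype"] = d["scontext"].split(":")[2]
    d["ttype"] = d["tcontext"].split(":")[2]
    return d

def summarize(lines):
    """Group denials by (source type, target type, object class) -> set of permissions."""
    groups = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d:
            groups[(d["stype"], d["ttype"], d["tclass"])].update(d["perms"])
    return groups

def suggest_rules(groups):
    """One policy rule per group: getattr-only denials are silenced with dontaudit,
    any other access is emitted as an allow rule for a policy maintainer to review."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(groups.items()):
        kind = "dontaudit" if perms == {"getattr"} else "allow"
        rules.append(f"{kind} {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return rules

# Constructed sample records (not the attachment from the bug).
SAMPLE = [
    'type=AVC msg=audit(1209030000.123:45): avc:  denied  { getattr } for  pid=2345 comm="mdadm" path="/dev/.udev" dev=tmpfs ino=1234 scontext=user_u:system_r:mdadm_t:s0 tcontext=system_u:object_r:udev_tbl_t:s0 tclass=dir',
    'type=AVC msg=audit(1209030000.123:46): avc:  denied  { read } for  pid=2345 comm="mdadm" path="/dev/.udev" dev=tmpfs ino=1234 scontext=user_u:system_r:mdadm_t:s0 tcontext=system_u:object_r:udev_tbl_t:s0 tclass=dir',
    'type=SYSCALL msg=audit(1209030000.123:46): arch=c000003e syscall=4 success=no exit=-13',
]
```

Run `suggest_rules(summarize(SAMPLE))` over a real audit.log to see whether a denial is pure directory-listing noise or a read the policy actually has to grant.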