Bug 443950

Summary: avc: denied { getattr } for comm="mdadm" path="/dev/.udev"
Product: Red Hat Enterprise Linux 5
Reporter: Milan Zázrivec <mzazrivec>
Component: selinux-policy-targeted
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: 5.2
CC: dledford, dwalsh, ebenes
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: RHBA-2008-0465
Doc Type: Bug Fix
Last Closed: 2008-05-21 16:43:38 UTC

Attachments:
attachment 303643 (flags: none): this is the full avc log when setenforce 0
attachment 304105 (flags: none): avc log with permissive (selinux-policy-targeted-2.4.6-136.el5)

Description Milan Zázrivec 2008-04-24 09:59:06 UTC
Description of problem:
/etc/init.d/mdmonitor start causes avc denial on a system with RAID1

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.4.6-135.el5 / RHEL5.2-Server-20080424.nightly

How reproducible:
Always

Steps to Reproduce:
1. Install RHEL5.2 snapshot with / on RAID1
2. # dmesg |grep avc:\ *denied
3. # grep avc:\ *denied /var/log/audit/audit.log
  
Actual results:
type=AVC msg=audit(1209029426.754:10): avc:  denied  { getattr } for  pid=1678 comm="mdadm" path="/dev/.udev" dev=tmpfs ino=2021 scontext=system_u:system_r:mdadm_t:s0 tcontext=system_u:object_r:udev_tbl_t:s0 tclass=dir

Additional info:
This is what the raid1 kickstart setup looks like:
clearpart --all
part /boot --size 200
part swap --recommended
part None --fstype "PPC PReP Boot" --size 8
part raid.01 --size 2048 --grow
part raid.02 --size 2048 --grow
raid / --level 1 --device md0 raid.01 raid.02
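The AVC record quoted in "Actual results" is the kind of line a triager has to read many of; the fields that decide whether a denial matters are the source type, the target type, the object class and the permission set. The following is an added example, not code from this bug or from Red Hat: a small parser that pulls those fields out of audit.log records (it skips non-AVC records such as the SYSCALL line that follows an AVC in a real log), groups denied permissions per (source type, target type, class), and renders each group as the allow or dontaudit line that audit2allow would derive, which are the two remedies a policy maintainer chooses between. The first record is the one from this bug; the SYSCALL record and the second denial are constructed sample data.

```python
import re
from collections import defaultdict

# The AVC record quoted in "Actual results" above, rejoined into the single
# line it occupies in /var/log/audit/audit.log.
BUG_AVC = (
    'type=AVC msg=audit(1209029426.754:10): avc:  denied  { getattr } for  pid=1678 '
    'comm="mdadm" path="/dev/.udev" dev=tmpfs ino=2021 '
    'scontext=system_u:system_r:mdadm_t:s0 tcontext=system_u:object_r:udev_tbl_t:s0 '
    'tclass=dir'
)

# Constructed sample log: the record above, a made-up SYSCALL record that the
# parser must skip, and a made-up second denial for the same type pair.
SAMPLE_LOG = [
    BUG_AVC,
    'type=SYSCALL msg=audit(1209029426.754:10): arch=40000003 syscall=195 '
    'success=no exit=-13 comm="mdadm" subj=system_u:system_r:mdadm_t:s0',
    'type=AVC msg=audit(1209029426.760:13): avc:  denied  { read } for  pid=1678 '
    'comm="mdadm" name=".udev" dev=tmpfs ino=2021 '
    'scontext=system_u:system_r:mdadm_t:s0 tcontext=system_u:object_r:udev_tbl_t:s0 '
    'tclass=dir',
]

# "avc:  denied  { perm perm } for  key=value ..." ; the permission set sits in braces.
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)'
)
# key=value pairs; values may be quoted (comm="mdadm") or bare (dev=tmpfs).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def split_context(ctx):
    """Split user:role:type:level; the MLS level may itself contain ':'."""
    user, role, stype, level = ctx.split(':', 3)
    return {'user': user, 'role': role, 'type': stype, 'level': level}


def parse_avc(line):
    """Return a dict for an AVC record, or None for any other audit record."""
    if not line.startswith('type=AVC'):
        return None
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    return {
        'result': m.group('result'),
        'perms': m.group('perms').split(),
        'source': split_context(fields['scontext']),
        'target': split_context(fields['tcontext']),
        'tclass': fields['tclass'],
        'fields': fields,
    }


def summarize_denials(lines):
    """Group denied permissions by (source type, target type, object class)."""
    summary = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec and rec['result'] == 'denied':
            key = (rec['source']['type'], rec['target']['type'], rec['tclass'])
            summary[key].update(rec['perms'])
    return {k: sorted(v) for k, v in summary.items()}


def to_rule(key, perms, dontaudit=False):
    """Render a group as the policy line audit2allow would derive for it."""
    stype, ttype, tclass = key
    verb = 'dontaudit' if dontaudit else 'allow'
    return f'{verb} {stype} {ttype}:{tclass} {{ {" ".join(perms)} }};'


if __name__ == '__main__':
    for key, perms in summarize_denials(SAMPLE_LOG).items():
        print(to_rule(key, perms))
        print(to_rule(key, perms, dontaudit=True))
```

Run against the two records, the summary collapses to a single group, mdadm_t on udev_tbl_t:dir with { getattr read }, which is the whole content of this bug in one line; whether that becomes an allow rule or a dontaudit rule is a policy decision, not something the parser can make.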

Comment 1 Milan Zázrivec 2008-04-24 14:07:18 UTC
Doug, does this avc denial have some serious impact on mdadm functionality
(and therefore should be fixed in RHEL5.2) or can it be deferred for RHEL5.3?

Thank you.

Comment 2 Milan Zázrivec 2008-04-24 15:18:31 UTC
Created attachment 303643 [details]
this is the full avc log when setenforce 0

Comment 3 Doug Ledford 2008-04-24 15:39:18 UTC
Well, if you are going to ask me a question in a bug, it's usually best to make
sure I'm either assigned to the bug or at least cc'ed on the bug ;-)  Setting
the bug to needinfo from a person doesn't mean they get an email about it (at
least I didn't get one).

Now, that said, I don't have an answer for you.  If the install succeeds, then
I'm guessing it's not that important, but until I review the code to find out
why it's trying to open that file I won't know what it's looking for but not
getting.

Comment 4 Doug Ledford 2008-04-24 17:11:06 UTC
I can't find any point in the mdadm code where it attempts to open or otherwise
have anything to do with /dev/.udev.

Comment 5 Milan Zázrivec 2008-04-24 19:02:49 UTC
The denial occurs only when mdadm is started with initscript:
# /etc/init.d/mdmonitor start

When you run:
# mdadm --monitor --scan -f --pid-file=/var/run/mdadm/mdadm.pid
as root, there's no avc denial whatsoever.


Comment 6 Doug Ledford 2008-04-24 19:30:25 UTC
Do the denials happen if you log in as root and run /etc/init.d/mdmonitor stop;
/etc/init.d/mdmonitor start?  In other words, does this only happen when
mdmonitor is started by the system init scripts at bootup or does it happen any
time mdmonitor is run including from the command line?

Comment 7 Milan Zázrivec 2008-04-24 19:39:07 UTC
The denial occurs every time mdmonitor is started. That means when you
log in as root and run /etc/init.d/mdmonitor stop; /etc/init.d/mdmonitor start;
or when the service is started during system bootup. Same thing.


Comment 8 Daniel Walsh 2008-04-28 14:48:30 UTC
mdmonitor is running getattr on every file/directory in /dev.

This is the equivalent of doing an ls /dev

SELinux does not allow mdmonitor to look at the /dev/.udev directory so it
generates an AVC.  This can be ignored.  I will put in a dontaudit rule and if
we need to update policy we can get the Fix for u2.


Comment 9 Daniel Walsh 2008-04-28 14:57:33 UTC
Actually looking at this further, the current policy is supposed to allow
mdadm_t to read these files, so it should allow reading the directory.

Fixed in selinux-policy-2.4.6-136.el5 

Comment 11 Milan Zázrivec 2008-04-29 10:57:51 UTC
Created attachment 304105 [details]
avc log with permissive (selinux-policy-targeted-2.4.6-136.el5)

Comment 12 Daniel Walsh 2008-04-29 12:40:59 UTC
Fixed in selinux-policy-2.4.6-137.el5 

Comment 20 errata-xmlrpc 2008-05-21 16:43:38 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2008-0465.html