| Summary: | SELinux is preventing /bin/mkdir from 'associate' accesses on the filesystem mdadm.pid. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | James Laska <jlaska> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 15 | CC: | dwalsh, jfrieben, jturner, mgrepl, rs |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | setroubleshoot_trace_hash:e93090d4252d1de1e0d2df91346d1cd5af5276e5f0a1dcec347a135f58f88bec | ||
| Fixed In Version: | | Doc Type: | Bug Fix |
| Last Closed: | 2011-10-07 14:01:30 UTC | Type: | --- |
I'm getting the same thing on RHEL 5.6, but for rsync to a newly created LVM. Note that disk was formatted, partitions and LVM created on RHEL 6 (it's a 4k sector drive and fdisk on 5.6 doesn't align partitions properly), and then moved to RHEL 5.6 for use. Most of the rsync worked, but then it was unable to create some directories and could not complete...

```
#============= unlabeled_t ==============
allow unlabeled_t fs_t:filesystem associate;
```

This means you are trying to put a label on to a file system that the kernel does not understand. RHEL5 policy does not understand RHEL6 labels. You would need to label the partition with RHEL5 labels, which probably would work on a rhel6 box.

```
SELinux is preventing /bin/mkdir from 'associate' accesses on the filesystem mdadm.pid.

*****  Plugin filesystem_associate (99.5 confidence) suggests  ***************

If you believe mkdir should be allowed to create mdadm.pid files
Then you need to use a different command. You are not allowed to preserve the SELinux context on the target file system.
Do
use a command like "cp -p" to preserve all permissions except SELinux context.

*****  Plugin catchall (1.49 confidence) suggests  ***************************

If you believe that mkdir should be allowed associate access on the mdadm.pid filesystem by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep mkdir /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:object_r:unlabeled_t:s0
Target Context                system_u:object_r:tmpfs_t:s0
Target Objects                mdadm.pid [ filesystem ]
Source                        mkdir
Source Path                   /bin/mkdir
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           mdadm-3.1.5-1.fc15
Target RPM Packages
Policy RPM                    selinux-policy-3.9.16-6.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 2.6.38.2-8.fc15.x86_64 #1 SMP Mon Mar 28 02:14:51 UTC 2011 x86_64 x86_64
Alert Count                   3
First Seen                    Tue 29 Mar 2011 07:40:31 AM EDT
Last Seen                     Wed 30 Mar 2011 08:07:45 AM EDT
Local ID                      041aee63-5b88-4d2a-a8d7-bd7552f539b8

Raw Audit Messages
type=AVC msg=audit(1301486865.171:20): avc: denied { associate } for pid=1308 comm="mdadm" name="mdadm.pid" scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem

type=SYSCALL msg=audit(1301486865.171:20): arch=x86_64 syscall=open success=yes exit=ESRCH a0=7fff8089df68 a1=241 a2=1b6 a3=7f3d2668f9f0 items=0 ppid=1267 pid=1308 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=mdadm exe=/sbin/mdadm subj=system_u:system_r:mdadm_t:s0 key=(null)

Hash: mkdir,unlabeled_t,tmpfs_t,filesystem,associate

audit2allow

#============= unlabeled_t ==============
allow unlabeled_t tmpfs_t:filesystem associate;

audit2allow -R

#============= unlabeled_t ==============
allow unlabeled_t tmpfs_t:filesystem associate;
```
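
A triage check for the denial in this report, added here as an example (it is not part of the bug report, setroubleshoot or audit2allow): it parses AVC records and separates filesystem `associate` denials whose source type is `unlabeled_t`, meaning the object carries no label or one the loaded policy does not recognise, from denials that need ordinary policy review. The function names and the second log line are constructed for illustration.

```python
import re

# First record is the AVC line from this report; the second is constructed for contrast.
SAMPLE_LOG = '''\
type=AVC msg=audit(1301486865.171:20): avc: denied { associate } for pid=1308 comm="mdadm" name="mdadm.pid" scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem
type=AVC msg=audit(1301486900.000:21): avc: denied { read } for pid=2000 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
'''

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')

def parse_avc(line):
    """Return a dict for one AVC denial line, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {'perms': m.group('perms').split()}
    for key, value in re.findall(r'(\w+)=("[^"]*"|\S+)', m.group('fields')):
        rec[key] = value.strip('"')
    if not all(k in rec for k in ('scontext', 'tcontext', 'tclass')):
        return None
    # A context is user:role:type[:level]; the type is the third field.
    for side in ('scontext', 'tcontext'):
        rec[side + '_type'] = rec[side].split(':')[2]
    return rec

def triage(rec):
    """Return 'relabel' for the case in this report, otherwise 'review'."""
    # For filesystem/associate, scontext is the object's label and tcontext
    # is the filesystem's. unlabeled_t there points at a missing or unknown
    # label, so the fix is relabeling, not an audit2allow rule.
    if (rec['tclass'] == 'filesystem' and 'associate' in rec['perms']
            and rec['scontext_type'] == 'unlabeled_t'):
        return 'relabel'
    return 'review'

def triage_log(text):
    """Return (comm, name, verdict) for every AVC denial found in text."""
    recs = (parse_avc(line) for line in text.splitlines())
    return [(r.get('comm'), r.get('name'), triage(r)) for r in recs if r]

if __name__ == '__main__':
    for comm, name, verdict in triage_log(SAMPLE_LOG):
        print(f'{comm:8} {name:12} {verdict}')
```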