Bug 901921
| Summary: | SELinux is preventing /usr/bin/bash from 'read' accesses on the file /usr/sbin/mdadm. | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Dagan McGregor <bugzilla.redhat> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 17 | CC: | aruodg, dominick.grift, dwalsh, frank, gigalamer, hafflys, igeorgex, jsynacek, long, mgrepl, petar.mijatovic, tpeplt, varekova |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Unspecified | | |
| Whiteboard: | abrt_hash:57b5e8a05d6280b87fd6ea32987bea5efdc67dff65484092512cdc95db7d2a83 | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2013-02-12 05:08:44 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Dagan McGregor
2013-01-19 23:39:07 UTC
Any idea why logwatch is touching mdadm?

Recently a new mdadm script has been added to logwatch:
http://old.nabble.com/Fwd:-support-for-mdadm-on-linux-td16407756.html

An improving patch is now submitted for testing:
http://sourceforge.net/mailarchive/forum.php?thread_name=50FD969C.8050208%40cora.nwra.com&forum_name=logwatch-devel
http://koji.fedoraproject.org/koji/buildinfo?buildID=379889

This problem doesn't seem to happen on F18.

Added a fix.

Hi, I should note I am using packages from updates-testing, as this may make a small difference.

I should also note, it is not just a "read" error that occurs, it also appears to have an "exec" error at the same time.

I have just updated to logwatch-7.4.0-23.20130102svn127.fc17.noarch, so I will see if that stops this from occurring again, or I will update the bug with more alerts.

Update on the errors:

```
SELinux is preventing /usr/bin/bash from read access on the file /usr/sbin/mdadm.

***** Plugin catchall (100. confidence) suggests ***************************

If you believe that bash should be allowed read access on the mdadm file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep sh /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:logwatch_t:s0-s0:c0.c1023
Target Context                system_u:object_r:mdadm_exec_t:s0
Target Objects                /usr/sbin/mdadm [ file ]
Source                        sh
Source Path                   /usr/bin/bash
Port                          <Unknown>
Host                          tighnacheo.pro.local
Source RPM Packages           bash-4.2.39-2.fc17.x86_64
Target RPM Packages           mdadm-3.2.6-8.fc17.x86_64
Policy RPM                    selinux-policy-3.10.0-166.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     tighnacheo.pro.local
Platform                      Linux tighnacheo.pro.local 3.7.3-101.fc17.x86_64 #1 SMP Fri Jan 18 17:40:57 UTC 2013 x86_64 x86_64
Alert Count                   3
First Seen                    2013-01-26 03:46:05 NZDT
Last Seen                     2013-01-26 03:46:05 NZDT
Local ID                      6820e3dc-0616-47ed-bca2-42df008ecb62

Raw Audit Messages
type=AVC msg=audit(1359125165.231:181): avc: denied { read } for pid=3673 comm="sh" name="mdadm" dev="dm-4" ino=152359 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mdadm_exec_t:s0 tclass=file

type=SYSCALL msg=audit(1359125165.231:181): arch=x86_64 syscall=access success=no exit=EACCES a0=18072d0 a1=4 a2=7fff5eaf6fb0 a3=20 items=0 ppid=3672 pid=3673 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=9 tty=(none) comm=sh exe=/usr/bin/bash subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 key=(null)

Hash: sh,logwatch_t,mdadm_exec_t,file,read

audit2allow

#============= logwatch_t ==============
allow logwatch_t mdadm_exec_t:file read;

audit2allow -R

#============= logwatch_t ==============
allow logwatch_t mdadm_exec_t:file read;
```

```
SELinux is preventing /usr/bin/bash from execute access on the file /usr/sbin/mdadm.

***** Plugin catchall (100. confidence) suggests ***************************

If you believe that bash should be allowed execute access on the mdadm file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep sh /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:logwatch_t:s0-s0:c0.c1023
Target Context                system_u:object_r:mdadm_exec_t:s0
Target Objects                /usr/sbin/mdadm [ file ]
Source                        sh
Source Path                   /usr/bin/bash
Port                          <Unknown>
Host                          tighnacheo.pro.local
Source RPM Packages           bash-4.2.39-2.fc17.x86_64
Target RPM Packages           mdadm-3.2.6-8.fc17.x86_64
Policy RPM                    selinux-policy-3.10.0-166.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     tighnacheo.pro.local
Platform                      Linux tighnacheo.pro.local 3.7.3-101.fc17.x86_64 #1 SMP Fri Jan 18 17:40:57 UTC 2013 x86_64 x86_64
Alert Count                   3
First Seen                    2013-01-26 03:46:05 NZDT
Last Seen                     2013-01-26 03:46:05 NZDT
Local ID                      32c14880-07b4-4006-832b-29b09841b901

Raw Audit Messages
type=AVC msg=audit(1359125165.231:180): avc: denied { execute } for pid=3673 comm="sh" name="mdadm" dev="dm-4" ino=152359 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mdadm_exec_t:s0 tclass=file

type=SYSCALL msg=audit(1359125165.231:180): arch=x86_64 syscall=access success=no exit=EACCES a0=18072d0 a1=1 a2=7fff5eaf6fb0 a3=20 items=0 ppid=3672 pid=3673 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=9 tty=(none) comm=sh exe=/usr/bin/bash subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 key=(null)

Hash: sh,logwatch_t,mdadm_exec_t,file,execute

audit2allow

#============= logwatch_t ==============
allow logwatch_t mdadm_exec_t:file execute;

audit2allow -R

#============= logwatch_t ==============
allow logwatch_t mdadm_exec_t:file execute;
```

These are the packages I have installed:

```
$ rpm -qa logwatch
logwatch-7.4.0-23.20130102svn127.fc17.noarch
$ rpm -qa selinux-*
selinux-policy-devel-3.10.0-166.fc17.noarch
selinux-policy-targeted-3.10.0-166.fc17.noarch
selinux-policy-3.10.0-166.fc17.noarch
```

This happens every day during script "cron_daily" execution.

Package: (null)
OS Release: Fedora release 17 (Beefy Miracle)

Fix seems to be in F18 but not in F17.

It also has been added to F17 in git.

selinux-policy-3.10.0-167.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-167.fc17

Package selinux-policy-3.10.0-167.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.

Update it with:

```
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-167.fc17'
```

as soon as you are able to. Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-1971/selinux-policy-3.10.0-167.fc17
then log in and leave karma (feedback).

I am also seeing something similar for F18.

The source process: /usr/bin/bash
Attempted this access: execute_no_trans
On this file: /usr/sbin/mdadm

The solution offered is to report this as a bug and use audit2allow to allow it.

Fedora 18 x86_64
kernel 3.7.5-201.fc18.x86_64
selinux-policy-targeted-3.11.1-73.fc18.noarch
selinux-policy-3.11.1-73.fc18.noarch

Yes, please also update the policy on F18 for updates-testing repo.

*** Bug 908590 has been marked as a duplicate of this bug. ***

Package selinux-policy-3.10.0-167.fc17 fixed the problem for me.

Thank you for testing.

Just started in the last few days, so some update must be causing this?

Package: (null)
OS Release: Fedora release 17 (Beefy Miracle)

If I am not using mdadm functions (no RAID, etc), would commenting out the only active line in /usr/share/logwatch/default.conf/services/mdadm.conf make any difference? Would it damage anything to bypass that service? The line in question is:

LogFile = messages

If that stops the messages, would that help isolate where this fault is occurring?

no remarks, I don't know how the failure was produced. I'm afraid of the bash process because I don't know about this....

Package: (null)
OS Release: Fedora release 17 (Beefy Miracle)

I have installed the packages from updates-testing, and I am not seeing this alert any more.

```
$ rpm -qa | grep selinux
selinux-policy-3.10.0-167.fc17.noarch
selinux-policy-targeted-3.10.0-167.fc17.noarch
$ rpm -qa | grep logwatch
logwatch-7.4.0-23.20130102svn127.fc17.noarch
```

I think this can be pushed to stable updates.

selinux-policy-3.10.0-167.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
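An added triage helper, not part of this bug thread or of the selinux-policy project: it parses raw AVC records like the two quoted above, merges them into the `allow` rule and the `Hash:` tuples that sealert and audit2allow print, and flags denials whose target is an `*_exec_t` entrypoint, where the durable fix is a policy update like the one that closed this bug rather than the local audit2allow module the alert suggests. The sample audit lines are constructed from the report's own denials; the `*_exec_t` heuristic is this helper's, not something the thread states.

```python
import re
from collections import defaultdict

# Constructed sample: the two AVC records quoted in this bug plus one abbreviated SYSCALL record
AUDIT_LOG = """\
type=AVC msg=audit(1359125165.231:180): avc:  denied  { execute } for  pid=3673 comm="sh" name="mdadm" dev="dm-4" ino=152359 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mdadm_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1359125165.231:180): arch=x86_64 syscall=access success=no exit=EACCES comm=sh exe=/usr/bin/bash
type=AVC msg=audit(1359125165.231:181): avc:  denied  { read } for  pid=3673 comm="sh" name="mdadm" dev="dm-4" ino=152359 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mdadm_exec_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r'type=AVC\b.*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<sctx>\S+)\s+tcontext=(?P<tctx>\S+)\s+tclass=(?P<tclass>\S+)')

def parse_avc(line):
    # One AVC denial -> its fields; any other audit record (SYSCALL, CWD, ...) -> None
    m = AVC_RE.search(line)
    if not m:
        return None
    # A context is user:role:type[:level]; a policy rule names only the type field
    return {"perms": set(m["perms"].split()), "comm": m["comm"], "tclass": m["tclass"],
            "stype": m["sctx"].split(":")[2], "ttype": m["tctx"].split(":")[2]}

def summarize(log_text):
    # Merge denied permissions per (source type, target type, object class)
    rules = defaultdict(set)
    for d in filter(None, map(parse_avc, log_text.splitlines())):
        rules[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    return dict(rules)

def allow_rules(rules):
    # Render the merged denials in audit2allow's output format
    out = []
    for (s, t, c), perms in sorted(rules.items()):
        p = " ".join(sorted(perms))
        out.append(f"allow {s} {t}:{c} {{ {p} }};" if len(perms) > 1 else f"allow {s} {t}:{c} {p};")
    return out

def sealert_hashes(log_text):
    # The 'Hash:' line sealert prints per denial: comm,stype,ttype,tclass,perm
    return [",".join([d["comm"], d["stype"], d["ttype"], d["tclass"], p])
            for d in filter(None, map(parse_avc, log_text.splitlines()))
            for p in sorted(d["perms"])]

def exec_target_denials(rules):
    # Execute/read denied on another domain's entrypoint (*_exec_t) usually means a missing
    # domain transition in policy; a local allow module would only paper over that
    return sorted((s, t) for (s, t, c), perms in rules.items()
                  if c == "file" and t.endswith("_exec_t") and perms & {"execute", "execute_no_trans", "read"})
```

Run against a real `/var/log/audit/audit.log`, `exec_target_denials` is the list to raise with the policy maintainers before anyone loads a `mypol.pp`.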