Bug 1004786 - selinux once again blocks mdmon from being launched
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: Unspecified
OS: Unspecified
unspecified
urgent
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Reported: 2013-09-05 13:34 UTC by Jes Sorensen
Modified: 2014-11-19 14:36 UTC (History)
Doc Type: Bug Fix
Last Closed: 2014-11-19 14:36:06 UTC
Type: Bug

Description Jes Sorensen 2013-09-05 13:34:00 UTC
Description of problem:
Yet another case of selinux blocking the launch of mdmon, rendering BIOS
RAID arrays unusable :(

Sep 05 15:14:57 noisybay.lan kernel: type=1400 audit(1378386897.626:4): avc:  denied  { getattr } for  pid=487 comm="mdmon" name="/" dev="dm-1" ino=2 scontext=system_u:system_r:mdadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem

Version-Release number of selected component (if applicable):
selinux-policy-3.12.1-70.fc20.noarch

How reproducible:


Steps to Reproduce:
1. Install rawhide
2. Update to rawhide as of 130905
3. Install soon to be released mdadm-3.3 rpm
4. Reboot

Actual results:
No mdmon being launched, write to BIOS RAID 1/5/10 arrays hangs

Expected results:


Additional info:

Comment 1 Daniel Walsh 2013-09-05 13:42:13 UTC
Any other AVCs in permissive mode?

Comment 2 Jes Sorensen 2013-09-05 13:53:35 UTC
I only see the single one related to mdadm/mdmon - there are a pile related
to sshd though.

Like these:

Sep 05 15:50:39 noisybay.lan setroubleshoot[1176]: AuditRecordReceiver.add_record_to_cache(): node=noisybay.lan type=AVC msg=audit(1378389038.788:49): avc:  denied  { dyntransition } for  pid=1153 comm="sshd" scontext=system_u:system_r:initrc_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process

Sep 05 15:50:39 noisybay.lan setroubleshoot[1176]: analyze_avc() avc=scontext=system_u:system_r:initrc_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 access=['dyntransition'] tclass=process tpath=

Sep 05 15:50:39 noisybay.lan python[1176]: SELinux is preventing /usr/sbin/sshd from using the dyntransition access on a process.


Jes

Comment 3 Daniel Walsh 2013-09-05 14:53:37 UTC
Looks like you have sshd running with the wrong context. This seems to be a mislabeled system.

Comment 4 Jes Sorensen 2013-09-05 15:04:57 UTC
I honestly wouldn't know how it ended up mislabelled.

I simply installed Fedora 19 and then yum updated it to rawhide in order to
be able to test on rawhide. I haven't done anything special to it - the whole
avc problem space isn't my area of expertise, I really just rely on this stuff
to work :(

Jes

Comment 5 Daniel Walsh 2013-09-05 15:13:53 UTC
That I don't know, what is the label on sshd?

ls -lZ /usr/sbin/sshd

8b46396ec11542987ceeffdfadbb9976bc09ed18 allows this getattr on filesystem

Comment 6 Miroslav Grepl 2013-09-05 20:37:51 UTC
It looks like this is an F19->rawhide upgrade issue. I believe you have mislabeled /usr/sbin.

Comment 7 Jes Sorensen 2013-09-06 12:02:12 UTC
That could very well be - I honestly have no idea on this front. fedup didn't
work because rawhide isn't assembled as a distro yet, so I had to yum upgrade.

fwiw

[root@noisybay ~]# ls -lZ /usr/sbin/sshd
-rwxr-xr-x. root root unconfined_u:object_r:bin_t:s0   /usr/sbin/sshd

Comment 8 Daniel Walsh 2013-09-07 11:36:25 UTC
Yum upgrade seems to be turning off the rpm labeling for some reason.
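
The triage done across comments 3 to 7, as an added example that is not part of the original thread or of any Fedora tool: it parses the two AVC denials quoted above and separates a denial raised from the daemon's own domain (mdmon in mdadm_t, a policy question) from one raised by a daemon still in the init-script domain (sshd in initrc_t, which points at the executable's file label). The `triage` labels, the `UNTRANSITIONED` set and the expected `sshd_exec_t` type are assumptions of this example.

```python
import re

# AVC records quoted in this bug (journal prefixes trimmed, line wraps undone).
AVC_LINES = [
    'avc:  denied  { getattr } for  pid=487 comm="mdmon" name="/" dev="dm-1" ino=2 '
    'scontext=system_u:system_r:mdadm_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:fs_t:s0 tclass=filesystem',
    'avc:  denied  { dyntransition } for  pid=1153 comm="sshd" '
    'scontext=system_u:system_r:initrc_t:s0 '
    'tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process',
]
# `ls -lZ` output from comment 7.
LS_Z_LINE = "-rwxr-xr-x. root root unconfined_u:object_r:bin_t:s0   /usr/sbin/sshd"

# Assumption: a daemon still in the init-script domain never made its transition.
UNTRANSITIONED = {"initrc_t"}
# Assumption: entrypoint type for sshd in the stock targeted policy.
EXPECTED_EXEC_TYPE = {"/usr/sbin/sshd": "sshd_exec_t"}

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for\s+.*?comm="(?P<comm>[^"]+)"'
    r'.*?scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)

def parse_avc(line):
    """Return the denial's fields as a dict, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()
    # A context is user:role:type:level; the level may itself contain ':'.
    rec["sdomain"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def triage(rec):
    """Hypothetical two-way split: label problem vs. missing policy rule."""
    return "mislabel-suspect" if rec["sdomain"] in UNTRANSITIONED else "policy-gap"

def exec_label(ls_z_line):
    """Return (path, file type, matches expected entrypoint type) for one ls -lZ line."""
    context, path = ls_z_line.split()[-2:]
    file_type = context.split(":")[2]
    return path, file_type, file_type == EXPECTED_EXEC_TYPE[path]

if __name__ == "__main__":
    for rec in map(parse_avc, AVC_LINES):
        print(rec["comm"], rec["sdomain"], rec["perms"], rec["tclass"], "->", triage(rec))
    print(exec_label(LS_Z_LINE))
```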