Description of problem:
SELinux is preventing /usr/sbin/mdadm from 'ioctl' accesses on the blk_file /dev/dm-3.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that mdadm should be allowed ioctl access on the dm-3 blk_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep mdadm /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:mdadm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:svirt_image_t:s0:c662,c888
Target Objects                /dev/dm-3 [ blk_file ]
Source                        mdadm
Source Path                   /usr/sbin/mdadm
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           mdadm-3.2.6-21.el7.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.12.1-80.el7.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 3.10.0-26.el7.x86_64 #1 SMP Thu Sep 19 17:15:18 EDT 2013 x86_64 x86_64
Alert Count                   1
First Seen                    2013-09-24 03:11:07 CEST
Last Seen                     2013-09-24 03:11:07 CEST
Local ID                      c56a4839-1e06-4647-8e5d-a11074dca54f

Raw Audit Messages
type=AVC msg=audit(1379985067.797:3239): avc: denied { ioctl } for pid=8764 comm="mdadm" path="/dev/dm-3" dev="devtmpfs" ino=17943 scontext=system_u:system_r:mdadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:svirt_image_t:s0:c662,c888 tclass=blk_file

type=SYSCALL msg=audit(1379985067.797:3239): arch=x86_64 syscall=ioctl success=no exit=ENOTTY a0=3 a1=800c0910 a2=7fff8d27d750 a3=0 items=0 ppid=8763 pid=8764 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=224 comm=mdadm exe=/usr/sbin/mdadm subj=system_u:system_r:mdadm_t:s0-s0:c0.c1023 key=(null)

Hash: mdadm,mdadm_t,svirt_image_t,blk_file,ioctl

Additional info:
reporter: libreport-2.1.7
hashmarkername: setroubleshoot
kernel: 3.10.0-26.el7.x86_64
type: libreport
/dev/dm-3 has an incorrect label. It should be labeled fixed_disk_device_t.
(In reply to Milos Malik from comment #2)
> /dev/dm-3 has an incorrect label. It should be labeled fixed_disk_device_t.

And whose fault is it? I am quite certain I have never knowingly changed its label, and even restorecon agrees:

matej@wycliff: ~$ sudo -i
[sudo] password for matej:
wycliff:~# restorecon -v -R /dev/
restorecon: Warning no default label for /dev/mqueue
restorecon: Warning no default label for /dev/hugepages/libvirt
restorecon: Warning no default label for /dev/hugepages/libvirt/qemu
restorecon: Warning no default label for /dev/pts/6
restorecon: Warning no default label for /dev/pts/5
restorecon: Warning no default label for /dev/pts/3
restorecon: Warning no default label for /dev/pts/1
restorecon: Warning no default label for /dev/pts/4
restorecon: Warning no default label for /dev/pts/0
restorecon: Warning no default label for /dev/pts/ptmx
restorecon: Warning no default label for /dev/shm/spice.2165
wycliff:~#
svirt_image_t is a customizable type. restorecon does not change it unless you run it with the -F parameter. I don't know why /dev/dm-3 is labeled svirt_image_t. Is the device used as a disk for some virtual machine?
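The label reasoning in the comment above, as an added example (not part of the original bug report or of setroubleshoot): a small parser for the AVC record quoted in the description that splits both contexts and notes why a plain restorecon leaves the target label alone. The `CUSTOMIZABLE` set, the `triage` helper and the two-category sVirt heuristic are assumptions made for illustration.

```python
import re

# The AVC record quoted in the report above, as a single line.
AVC = ('type=AVC msg=audit(1379985067.797:3239): avc: denied { ioctl } for pid=8764 '
       'comm="mdadm" path="/dev/dm-3" dev="devtmpfs" ino=17943 '
       'scontext=system_u:system_r:mdadm_t:s0-s0:c0.c1023 '
       'tcontext=system_u:object_r:svirt_image_t:s0:c662,c888 tclass=blk_file')

# Assumption: only the type this thread names as customizable. On a real host the
# full list is in /etc/selinux/targeted/contexts/customizable_types.
CUSTOMIZABLE = {"svirt_image_t"}

def split_context(ctx):
    """Split user:role:type[:level]; the level itself may contain ':'."""
    user, role, typ, *level = ctx.split(":", 3)
    return {"user": user, "role": role, "type": typ, "level": level[0] if level else ""}

def parse_avc(line):
    """Return the denied permissions and the key=value fields of one AVC record."""
    m = re.search(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)", line)
    if not m:
        raise ValueError("not an AVC denial")
    fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', m.group(2))}
    fields["perms"] = m.group(1).split()
    fields["scontext"] = split_context(fields["scontext"])
    fields["tcontext"] = split_context(fields["tcontext"])
    return fields

def triage(line, customizable=CUSTOMIZABLE):
    """Summarise one denial and note why the target label may persist."""
    f = parse_avc(line)
    t = f["tcontext"]
    notes = []
    if t["type"] in customizable:
        notes.append("customizable type: restorecon keeps it unless run with -F")
    # Categories after the sensitivity, e.g. 's0:c662,c888' -> ['c662', 'c888']
    cats = t["level"].partition(":")[2].split(",") if ":" in t["level"] else []
    if t["type"].startswith("svirt_") and len(cats) == 2:
        notes.append("MCS pair %s: consistent with sVirt dynamic labeling" % ",".join(cats))
    return {"source": f["scontext"]["type"], "target": t["type"], "path": f["path"],
            "tclass": f["tclass"], "perms": f["perms"], "notes": notes}

if __name__ == "__main__":
    for k, v in triage(AVC).items():
        print(k, "=", v)
```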
#============= mdadm_t ==============

#!!!! This avc is allowed in the current policy
allow mdadm_t svirt_image_t:blk_file ioctl;
This request was resolved in Red Hat Enterprise Linux 7.0. Contact your manager or support representative in case you have further questions about the request.