Bug 1049912 - SELinux is preventing /usr/sbin/mdadm from 'read' accesses on the lnk_file HelpdeskRHEL4-RHEL4.x86_64.
Alias: None
Product: Fedora
Classification: Fedora
Component: logwatch
Version: 20
Hardware: x86_64
OS: Unspecified
Target Milestone: ---
Assignee: Jan Synacek
QA Contact: Fedora Extras Quality Assurance
Whiteboard: abrt_hash:3a0f1a4290e821f30e5901af28d...
Depends On:
Reported: 2014-01-08 13:15 UTC by David Juran
Modified: 2014-10-07 14:34 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2014-10-07 14:34:40 UTC
Type: ---


Description David Juran 2014-01-08 13:15:45 UTC
Description of problem:
I believe this is actually a problem with logwatch. On my laptop I have a number of logical volumes that are used for backing virtual machines. Hence libvirt (or maybe virt-manager) has set their context to system_u:object_r:virt_image_t:s0. So far so good.
But when logwatch runs, it has a script /usr/share/logwatch/scripts/services/mdadm that runs
mdadm --examine --scan
which I believe triggers this AVC.
So how to avoid this? My immediate thought is that logwatch has no business checking any volumes that are part of Virtual Machines. So would it somehow be possible to filter the list of scanned volumes to exclude ones that are marked as virt_image_t?
SELinux is preventing /usr/sbin/mdadm from 'read' accesses on the lnk_file HelpdeskRHEL4-RHEL4.x86_64.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that mdadm should be allowed read access on the HelpdeskRHEL4-RHEL4.x86_64 lnk_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
allow this access for now by executing:
# grep mdadm /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:mdadm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:virt_image_t:s0
Target Objects                HelpdeskRHEL4-RHEL4.x86_64 [ lnk_file ]
Source                        mdadm
Source Path                   /usr/sbin/mdadm
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           mdadm-3.3-4.fc20.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-106.fc20.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.12.6-300.fc20.x86_64 #1 SMP Mon Dec 23 16:44:31 UTC 2013 x86_64 x86_64
Alert Count                   113
First Seen                    2013-07-30 12:33:28 CEST
Last Seen                     2014-01-08 07:44:15 CET
Local ID                      7dab806c-da84-4b82-b99d-b3004abe3e75

Raw Audit Messages
type=AVC msg=audit(1389163455.329:1648): avc:  denied  { read } for  pid=10402 comm="mdadm" name="HelpdeskRHEL4-RHEL4.x86_64" dev="devtmpfs" ino=16686 scontext=system_u:system_r:mdadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_image_t:s0 tclass=lnk_file

type=SYSCALL msg=audit(1389163455.329:1648): arch=x86_64 syscall=stat success=no exit=EACCES a0=15c7710 a1=7fff06572290 a2=7fff06572290 a3=100 items=0 ppid=10401 pid=10402 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=109 tty=(none) comm=mdadm exe=/usr/sbin/mdadm subj=system_u:system_r:mdadm_t:s0-s0:c0.c1023 key=(null)

Hash: mdadm,mdadm_t,virt_image_t,lnk_file,read

Additional info:
reporter:       libreport-2.1.10
hashmarkername: setroubleshoot
kernel:         3.12.6-300.fc20.x86_64
type:           libreport
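
As an added example (not code from the bug report, from logwatch, from mdadm or from setroubleshoot), the Python script below does the triage a practitioner would want on raw audit records like the one above before running the `grep mdadm /var/log/audit/audit.log | audit2allow -M mypol` pipeline the catchall plugin suggests: it parses each type=AVC record, ignores the SYSCALL records, groups denials by the comm, source type, target type, class and permission tuple that setroubleshoot prints on its "Hash:" line, lists the objects each group touched, and prints the allow rule such a denial translates into so its breadth can be judged before it goes into a local policy module. The sample log is constructed: it contains the AVC and SYSCALL records quoted in this report plus a second mdadm denial for another volume (the name vm-second-disk is assumed) and an unrelated httpd denial; all function names are assumptions of this example.

```python
#!/usr/bin/env python3
"""Triage SELinux AVC denials from a raw audit log.
Added example; not part of logwatch, mdadm or setroubleshoot."""
import re
import sys
from collections import Counter

# Constructed sample log: the AVC and SYSCALL records quoted in this bug
# report, plus two constructed records so that grouping and filtering have
# work to do: a second mdadm denial with the same signature for another
# volume (the name "vm-second-disk" is assumed) and an unrelated httpd denial.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1389163455.329:1648): avc:  denied  { read } for  pid=10402 comm="mdadm" name="HelpdeskRHEL4-RHEL4.x86_64" dev="devtmpfs" ino=16686 scontext=system_u:system_r:mdadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_image_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1389163455.329:1648): arch=x86_64 syscall=stat success=no exit=EACCES a0=15c7710 a1=7fff06572290 a2=7fff06572290 a3=100 items=0 ppid=10401 pid=10402 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=109 tty=(none) comm=mdadm exe=/usr/sbin/mdadm subj=system_u:system_r:mdadm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1389163455.330:1649): avc:  denied  { read } for  pid=10402 comm="mdadm" name="vm-second-disk" dev="devtmpfs" ino=16690 scontext=system_u:system_r:mdadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_image_t:s0 tclass=lnk_file
type=AVC msg=audit(1389163460.100:1650): avc:  denied  { write } for  pid=2211 comm="httpd" name="index.html" dev="dm-0" ino=9001 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
"""

# "avc:  denied  { read getattr } for ..." -> the permission list
_PERMS_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}")
# key=value pairs; values are either "quoted" or a run of non-blanks
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def selinux_type(context):
    """Type field of a user:role:type[:level] security context."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one type=AVC denial record into a dict.
    Returns None for other record types (SYSCALL, PATH, ...) and for
    granted AVCs, which carry no 'denied' permission list."""
    if not line.startswith("type=AVC "):
        return None
    perms_match = _PERMS_RE.search(line)
    if perms_match is None:
        return None
    fields = {k: v.strip('"') for k, v in _KV_RE.findall(line)}
    return {
        "perms": perms_match.group(1).split(),
        "comm": fields.get("comm", "?"),
        # the object is named by path= when the kernel has one, else by name=
        "object": fields.get("path", fields.get("name", "?")),
        "stype": selinux_type(fields["scontext"]),
        "ttype": selinux_type(fields["tcontext"]),
        "tclass": fields["tclass"],
    }


def signature(avc, perm):
    """comm,source type,target type,class,permission: the tuple that
    setroubleshoot prints on its 'Hash:' line for a denial."""
    return ",".join([avc["comm"], avc["stype"], avc["ttype"], avc["tclass"], perm])


def allow_rule(stype, ttype, tclass, perms):
    """The TE allow rule that would silence this denial (the form a local
    module built with audit2allow carries), so its breadth can be judged."""
    perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return "allow %s %s:%s %s;" % (stype, ttype, tclass, perm_str)


def summarize(log_text, comm=None):
    """Group denials by signature; return (counts, objects-per-signature).
    comm= restricts to one command, matched on the comm field rather than
    anywhere in the line as 'grep mdadm' would."""
    counts = Counter()
    objects = {}
    for line in log_text.splitlines():
        avc = parse_avc(line)
        if avc is None or (comm is not None and avc["comm"] != comm):
            continue
        for perm in avc["perms"]:
            sig = signature(avc, perm)
            counts[sig] += 1
            objects.setdefault(sig, set()).add(avc["object"])
    return counts, objects


def report(log_text, comm=None):
    """Render one block per signature: count, objects touched, allow rule."""
    counts, objects = summarize(log_text, comm)
    lines = []
    for sig, n in counts.most_common():
        _comm, stype, ttype, tclass, perm = sig.split(",")
        lines.append("%4d  %s" % (n, sig))
        lines.append("      objects: %s" % ", ".join(sorted(objects[sig])))
        lines.append("      rule:    %s" % allow_rule(stype, ttype, tclass, [perm]))
    return "\n".join(lines)


if __name__ == "__main__":
    # usage: avc_triage.py [/var/log/audit/audit.log] [comm]
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_AUDIT_LOG
    print(report(text, sys.argv[2] if len(sys.argv) > 2 else None))
```

Run it as `python3 avc_triage.py /var/log/audit/audit.log mdadm` on a real host (reading the audit log needs root). On the constructed sample every mdadm denial falls under mdadm,mdadm_t,virt_image_t,lnk_file,read and the objects listed are the VM-backing volumes, which is what the diagnosis in this report predicts. The rule a local module would carry, `allow mdadm_t virt_image_t:lnk_file read;`, grants mdadm_t read on every libvirt-labelled symlink on the host and stays in the policy after the caller is fixed, so it is worth weighing against fixing the caller, which is how this report was eventually resolved.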

Comment 1 Jan Synacek 2014-09-24 07:00:27 UTC
Please, try https://admin.fedoraproject.org/updates/logwatch-7.4.1-1.20140924svn242.fc20 if it resolves the issue.

Comment 2 David Juran 2014-10-07 14:34:40 UTC
Sorry for the delay, I can confirm that with logwatch-7.4.1-2.20140924svn242.fc20.noarch I get no more AVCs.
