Description of problem: SELinux is preventing mdadm from 'read' accesses on the blk_file md0p1. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that mdadm should be allowed read access on the md0p1 blk_file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'mdadm' --raw | audit2allow -M my-mdadm # semodule -X 300 -i my-mdadm.pp Additional Information: Source Context system_u:system_r:pcp_pmcd_t:s0 Target Context system_u:object_r:fixed_disk_device_t:s0 Target Objects md0p1 [ blk_file ] Source mdadm Source Path mdadm Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-283.28.fc27.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 4.15.10-300.fc27.x86_64 #1 SMP Thu Mar 15 17:13:04 UTC 2018 x86_64 x86_64 Alert Count 3092 First Seen 2018-03-25 21:15:03 EDT Last Seen 2018-03-26 23:00:02 EDT Local ID 1250ae42-b8b9-4a35-9c60-608b881a6c95 Raw Audit Messages type=AVC msg=audit(1522119602.163:7949): avc: denied { read } for pid=16158 comm="mdadm" name="md0p1" dev="devtmpfs" ino=25730 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=0 Hash: mdadm,pcp_pmcd_t,fixed_disk_device_t,blk_file,read Version-Release number of selected component: selinux-policy-3.13.1-283.28.fc27.noarch Additional info: component: selinux-policy reporter: libreport-2.9.3 hashmarkername: setroubleshoot kernel: 4.15.10-300.fc27.x86_64 type: libreport
# cat my-mdadm3.te module my-mdadm3 1.0; require { type fixed_disk_device_t; type mdadm_exec_t; type pcp_pmcd_t; class file map; class blk_file read; } #============= pcp_pmcd_t ============== allow pcp_pmcd_t fixed_disk_device_t:blk_file read; #!!!! This avc is allowed in the current policy allow pcp_pmcd_t mdadm_exec_t:file map; # semodule -i my-mdadm3.pp neverallow check failed at /var/lib/selinux/targeted/tmp/modules/100/base/cil:13265 (neverallow base_typeattr_15 fixed_disk_device_t (blk_file (read))) <root> allow at /var/lib/selinux/targeted/tmp/modules/400/my-mdadm3/cil:4 (allow pcp_pmcd_t fixed_disk_device_t (blk_file (read))) Failed to generate binary semodule: Failed!
selinux-policy-3.13.1-283.30.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-b3791c3118
selinux-policy-3.13.1-283.30.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-b3791c3118
selinux-policy-3.13.1-283.30.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.