Bug 1721644 - SELinux is preventing mdadm from 'read' accesses on the file /var/lib/pcp/pmdas/linux/help.pag.
Summary: SELinux is preventing mdadm from 'read' accesses on the file /var/lib/pcp/pmd...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: pcp
Version: 29
Hardware: x86_64
OS: Unspecified
Target Milestone: ---
Assignee: Nathan Scott
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:30e07f1a1f1760b8a6db46d275a...
Duplicates: 1725137 1733677
Depends On:
Blocks:
Reported: 2019-06-18 19:26 UTC by Sidney Sedlak
Modified: 2019-09-15 14:39 UTC

Fixed In Version: pcp-4.3.4 pcp-4.3.4-1.fc30 pcp-4.3.4-1.fc29
Clone Of:
Environment:
Last Closed: 2019-08-20 01:48:48 UTC
Type: ---
Embargoed:



Description Sidney Sedlak 2019-06-18 19:26:26 UTC
Description of problem:
SELinux is preventing mdadm from 'read' accesses on the file /var/lib/pcp/pmdas/linux/help.pag.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that mdadm should be allowed read access on the help.pag file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'mdadm' --raw | audit2allow -M my-mdadm
# semodule -X 300 -i my-mdadm.pp

Additional Information:
Source Context                system_u:system_r:mdadm_t:s0
Target Context                system_u:object_r:pcp_var_lib_t:s0
Target Objects                /var/lib/pcp/pmdas/linux/help.pag [ file ]
Source                        mdadm
Source Path                   mdadm
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           pcp-4.3.2-1.fc29.x86_64
Policy RPM                    selinux-policy-3.14.2-60.fc29.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 5.1.9-200.fc29.x86_64 #1 SMP Tue
                              Jun 11 17:42:24 UTC 2019 x86_64 x86_64
Alert Count                   52
First Seen                    2019-06-18 20:58:42 CEST
Last Seen                     2019-06-18 21:23:59 CEST
Local ID                      140168a4-3477-4d33-825a-2c827edfaab7

Raw Audit Messages
type=AVC msg=audit(1560885839.260:1420): avc:  denied  { read } for  pid=12616 comm="mdadm" path="/var/lib/pcp/pmdas/linux/help.pag" dev="dm-1" ino=68745179 scontext=system_u:system_r:mdadm_t:s0 tcontext=system_u:object_r:pcp_var_lib_t:s0 tclass=file permissive=0


Hash: mdadm,mdadm_t,pcp_var_lib_t,file,read

Version-Release number of selected component:
selinux-policy-3.14.2-60.fc29.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.10.0
hashmarkername: setroubleshoot
kernel:         5.1.9-200.fc29.x86_64
type:           libreport

Comment 1 Matej Marušák 2019-07-04 09:45:05 UTC
This also happens on Fedora 30.

```
avc:  denied  { read } for  pid=7311 comm="mdadm" path="/var/lib/pcp/pmdas/linux/help.dir" dev="dm-0" ino=21025540 scontext=system_u:system_r:mdadm_t:s0 tcontext=system_u:object_r:pcp_var_lib_t:s0 tclass=file permissive=0
```

$ rpm -q selinux-policy
selinux-policy-3.14.3-39.fc30.noarch

$ rpm -q pcp
pcp-4.3.2-1.fc30.x86_64

Comment 2 cje 2019-07-24 10:37:15 UTC
Description of problem:
As far as I can tell, my method is:

(0. install fedora 29)
1. mount a software raid disk
2. install cockpit, cockpit-pcp and pcp
3. start cockpit service
4. update software

I _think_ this has only started happening since my most recent software update.

Version-Release number of selected component:
selinux-policy-3.14.2-60.fc29.noarch

Additional info:
reporter:       libreport-2.10.1
hashmarkername: setroubleshoot
kernel:         5.1.18-200.fc29.x86_64
type:           libreport

Comment 3 NanoSector 2019-07-25 13:26:03 UTC
This also occurs in Fedora 30.

Comment 4 Nathan Scott 2019-07-29 01:37:48 UTC
*** Bug 1725137 has been marked as a duplicate of this bug. ***

Comment 5 Nathan Scott 2019-07-29 01:38:07 UTC
*** Bug 1733677 has been marked as a duplicate of this bug. ***

Comment 6 Nathan Scott 2019-07-29 01:40:04 UTC
I'm testing a fix for this now ... should be in pcp-4.3.4 (scheduled for release Friday next week).

cheers.

Comment 7 Nathan Scott 2019-07-29 06:41:11 UTC
commit bd08dfd4e1b0d7130db558333fed363cb5344676
Author: Nathan Scott <nathans>
Date:   Mon Jul 29 13:53:32 2019 +1000

    libpcp_pmda: close help files after mmap'ing contents
    
    There have been a number of reports of an selinux AVC where
    mdadm (which is run from pmdalinux) is blocked from 'read'
    access on /var/lib/pcp/pmdas/linux/help.pag (local context
    is also possibly in play).  The help text files are opened
    and mapped in pmdaOpenHelp(3) but there is no reason for us
    to keep them open after that, propagating the 2 descriptors
    across fork/exec for subsequent accidental access by other
    utilities like mdadm.
    
    This resolves Fedora BZ 1721644 (and several duplicate BZs).

Comment 8 Ladar Levison 2019-08-03 15:12:15 UTC
Description of problem:
After bootup/login the alert was waiting to greet me.

Version-Release number of selected component:
selinux-policy-3.14.3-42.fc30.noarch

Additional info:
reporter:       libreport-2.10.0
hashmarkername: setroubleshoot
kernel:         5.1.20-300.fc30.x86_64
type:           libreport

Comment 9 Fedora Update System 2019-08-16 01:52:55 UTC
FEDORA-2019-97183bed56 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-97183bed56

Comment 10 Fedora Update System 2019-08-16 01:53:26 UTC
FEDORA-2019-44b383ec91 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-44b383ec91

Comment 11 Fedora Update System 2019-08-17 01:27:32 UTC
pcp-4.3.4-1.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-97183bed56

Comment 12 Fedora Update System 2019-08-17 02:23:40 UTC
pcp-4.3.4-1.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-44b383ec91

Comment 13 Fedora Update System 2019-08-20 01:48:48 UTC
pcp-4.3.4-1.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.

Comment 14 Fedora Update System 2019-08-25 03:03:12 UTC
pcp-4.3.4-1.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.

Comment 15 Doncho Gunchev 2019-09-15 14:39:17 UTC
Description of problem:
Just booted the system.

Version-Release number of selected component:
selinux-policy-3.14.3-43.fc30.noarch

Additional info:
reporter:       libreport-2.10.1
hashmarkername: setroubleshoot
kernel:         5.2.13-200.fc30.x86_64
type:           libreport
