Bug 224011 - SELinux AVC denied { read } for pid=2390 comm="mdadm" - accessing storage on a node
Summary: SELinux AVC denied { read } for pid=2390 comm="mdadm" - accessing storage o...
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: conga   
(Show other bugs)
Version: 5.0
Hardware: All Linux
medium
medium
Target Milestone: ---
: ---
Assignee: Jim Parsons
QA Contact: Corey Marthaler
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2007-01-23 16:29 UTC by Len DiMaggio
Modified: 2009-04-16 22:34 UTC (History)
7 users (show)

Fixed In Version: RHSA-2007-0640
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-11-07 15:36:45 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2007:0640 normal SHIPPED_LIVE Moderate: conga security, bug fix, and enhancement update 2007-11-08 14:19:24 UTC

Description Len DiMaggio 2007-01-23 16:29:22 UTC 
Description of problem:
SELinux AVC denied  { read } for  pid=2390 comm="mdadm" - accessing storage on a
node

Version-Release number of selected component (if applicable):
selinux-policy-2.4.6-28.el5
selinux-policy-targeted-2.4.6-28.el5
luci-0.8-29.el5
ricci-0.8-29.el5

How reproducible:
100%

Steps to Reproduce:
1. Access a node's storage
2. Note - no error is displayed by luci
  
Actual results:
Audit log fragment is listed below.

Expected results:
No read denied messages in audit log.

Additional info:

type=AVC msg=audit(1169568462.642:31): avc:  denied  { read } for  pid=2390
comm="mdadm" name="sg1" dev=tmpfs ino=3959 scontext=system_u:system_r:mdadm_t:s0
tcontext=system_u:object_r:scsi_generic_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1169568462.642:31): arch=40000003 syscall=5 success=no
exit=-13 a0=94a3e08 a1=0 a2=0 a3=1 items=0 ppid=2381 pid=2390 auid=4294967295
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="mdadm"
exe="/sbin/mdadm" subj=system_u:system_r:mdadm_t:s0 key=(null)
type=AVC msg=audit(1169568462.960:32): avc:  denied  { read } for  pid=2390
comm="mdadm" name="rtc" dev=tmpfs ino=629 scontext=system_u:system_r:mdadm_t:s0
tcontext=system_u:object_r:clock_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1169568462.960:32): arch=40000003 syscall=5 success=no
exit=-13 a0=94a3d58 a1=0 a2=0 a3=1 items=0 ppid=2381 pid=2390 auid=4294967295
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="mdadm"
exe="/sbin/mdadm" subj=system_u:system_r:mdadm_t:s0 key=(null)
type=AVC msg=audit(1169568464.184:33): avc:  denied  { read } for  pid=2414
comm="modinfo" name="gfs.ko" dev=dm-0 ino=2058548
scontext=system_u:system_r:ricci_modstorage_t:s0
tcontext=system_u:object_r:modules_object_t:s0 tclass=file
type=SYSCALL msg=audit(1169568464.184:33): arch=40000003 syscall=5 success=no
exit=-13 a0=9cbd090 a1=0 a2=1b6 a3=9cc3630 items=0 ppid=2381 pid=2414
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) comm="modinfo" exe="/sbin/modinfo"
subj=system_u:system_r:ricci_modstorage_t:s0 key=(null)
type=AVC msg=audit(1169568464.223:34): avc:  denied  { read } for  pid=2415
comm="modinfo" name="gfs2.ko" dev=dm-0 ino=2058052
scontext=system_u:system_r:ricci_modstorage_t:s0
tcontext=system_u:object_r:modules_object_t:s0 tclass=file
type=SYSCALL msg=audit(1169568464.223:34): arch=40000003 syscall=5 success=no
exit=-13 a0=8b24008 a1=0 a2=1b6 a3=8b2a6a8 items=0 ppid=2381 pid=2415
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) comm="modinfo" exe="/sbin/modinfo"
subj=system_u:system_r:ricci_modstorage_t:s0 key=(null)
Comment 1 Len DiMaggio 2007-01-23 17:35:26 UTC 
Note that there are also messages for modinfo in the above log fragment - for
example:

type=AVC msg=audit(1169568464.184:33): avc:  denied  { read } for  pid=2414
comm="modinfo" name="gfs.ko" dev=dm-0 ino=2058548
scontext=system_u:system_r:ricci_modstorage_t:s0
tcontext=system_u:object_r:modules_object_t:s0 tclass=file
Comment 2 Daniel Walsh 2007-01-23 20:47:03 UTC 
Fixd in selinux-policy-2.4.6-29
Comment 3 Kiersten (Kerri) Anderson 2007-04-23 17:10:22 UTC 
Fixing Product Name.  Cluster Suite was merged into Enterprise Linux for version
5.0.
Comment 7 errata-xmlrpc 2007-11-07 15:36:45 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2007-0640.html
Note You need to log in before you can comment on or make changes to this bug.