Bug 335911 - SELinux denies from mdadm on bootup
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: mdadm
Version: 5.1
Hardware: All
OS: Linux
Priority: low
Severity: medium
Assigned To: Doug Ledford
Reported: 2007-10-17 05:56 EDT by Jarkko
Modified: 2008-05-21 11:34 EDT
Fixed In Version: RHBA-2008-0410
Doc Type: Bug Fix
Last Closed: 2008-05-21 11:34:12 EDT
Description Jarkko 2007-10-17 05:56:01 EDT
Description of problem: Exim is missing from selinux-policy-targeted. Because
the sendmail command is included in the policy, sendmail command calls are
denied when /usr/sbin/sendmail.exim is set as the target for the
/etc/alternatives/mta symlink.


Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.4.6-30.el5


How reproducible: At least mdadm can't use the sendmail command. (I'm not
familiar with SELinux, so my diagnosis might be wrong. My diagnosis is that the
reason for the denies is that /usr/sbin/sendmail.exim is not included in the
policy.)


Steps to Reproduce (not really necessary, but this is what I did):
1. Create software RAID1 partitions and drop some member(s) from the mirror(s)
so that mdadm will try to send email about that
2. Do a truly minimal install by deselecting every package in anaconda (mdadm
requires smtpdaemon and yum installs exim to satisfy that)
3. After first reboot, look at /var/log/messages
4. See the denies

  
Actual results: /var/log/messages got these in my system:
Oct 17 08:35:13 www kernel: audit(1192599312.879:4): avc:  denied  { setgid } for  pid=2297 comm="sendmail" capability=6 scontext=system_u:system_r:mdadm_t:s0 tcontext=system_u:system_r:mdadm_t:s0 tclass=capability
Oct 17 08:35:13 www kernel: audit(1192599312.880:5): avc:  denied  { setuid } for  pid=2297 comm="sendmail" capability=7 scontext=system_u:system_r:mdadm_t:s0 tcontext=system_u:system_r:mdadm_t:s0 tclass=capability
Oct 17 08:35:13 www kernel: audit(1192599312.881:6): avc:  denied  { setgid } for  pid=2297 comm="sendmail" capability=6 scontext=system_u:system_r:mdadm_t:s0 tcontext=system_u:system_r:mdadm_t:s0 tclass=capability
Oct 17 08:35:13 www kernel: audit(1192599312.881:7): avc:  denied  { setgid } for  pid=2297 comm="sendmail" capability=6 scontext=system_u:system_r:mdadm_t:s0 tcontext=system_u:system_r:mdadm_t:s0 tclass=capability
Oct 17 08:35:13 www kernel: audit(1192599313.034:8): avc:  denied  { setgid } for  pid=2355 comm="sendmail" capability=6 scontext=system_u:system_r:mdadm_t:s0 tcontext=system_u:system_r:mdadm_t:s0 tclass=capability
Oct 17 08:35:13 www kernel: audit(1192599313.034:9): avc:  denied  { setuid } for  pid=2355 comm="sendmail" capability=7 scontext=system_u:system_r:mdadm_t:s0 tcontext=system_u:system_r:mdadm_t:s0 tclass=capability
Oct 17 08:35:13 www kernel: audit(1192599313.035:10): avc:  denied  { setgid } for  pid=2355 comm="sendmail" capability=6 scontext=system_u:system_r:mdadm_t:s0 tcontext=system_u:system_r:mdadm_t:s0 tclass=capability
Oct 17 08:35:13 www kernel: audit(1192599313.036:11): avc:  denied  { setgid } for  pid=2355 comm="sendmail" capability=6 scontext=system_u:system_r:mdadm_t:s0 tcontext=system_u:system_r:mdadm_t:s0 tclass=capability
Oct 17 08:35:13 www kernel: audit(1192599313.045:12): avc:  denied  { setgid } for  pid=2356 comm="sendmail" capability=6 scontext=system_u:system_r:mdadm_t:s0 tcontext=system_u:system_r:mdadm_t:s0 tclass=capability
Oct 17 08:35:13 www kernel: audit(1192599313.045:13): avc:  denied  { setuid } for  pid=2356 comm="sendmail" capability=7 scontext=system_u:system_r:mdadm_t:s0 tcontext=system_u:system_r:mdadm_t:s0 tclass=capability
Oct 17 08:35:13 www kernel: audit(1192599313.046:14): avc:  denied  { setgid } for  pid=2356 comm="sendmail" capability=6 scontext=system_u:system_r:mdadm_t:s0 tcontext=system_u:system_r:mdadm_t:s0 tclass=capability
Oct 17 08:35:13 www kernel: audit(1192599313.047:15): avc:  denied  { setgid } for  pid=2356 comm="sendmail" capability=6 scontext=system_u:system_r:mdadm_t:s0 tcontext=system_u:system_r:mdadm_t:s0 tclass=capability


Expected results: Email from mdadm to root. And generally, system being able to
use the sendmail command without denies when Exim is set as the MTA.
Comment 1 Daniel Walsh 2007-10-17 15:03:21 EDT
selinux-policy-targeted-2.4.6-107.el5
Comment 2 Jarkko 2007-10-18 05:57:14 EDT
selinux-policy-targeted-2.4.6-106.el5

Oct 18 12:52:28 www kernel: audit(1192701146.861:4): avc:  denied  { read } for  pid=2215 comm="sendmail" name="md1" dev=tmpfs ino=6963 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
Oct 18 12:52:28 www kernel: audit(1192701146.862:5): avc:  denied  { read } for  pid=2215 comm="sendmail" name="mdstat" dev=proc ino=4026532359 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:object_r:proc_mdstat_t:s0 tclass=file
Oct 18 12:52:28 www kernel: audit(1192701147.984:6): avc:  denied  { write } for  pid=2215 comm="sendmail" name="input" dev=dm-1 ino=3637262 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
Oct 18 12:52:28 www kernel: audit(1192701147.994:7): avc:  denied  { append } for  pid=2215 comm="sendmail" name="main.log" dev=dm-1 ino=1671187 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
Oct 18 12:52:28 www kernel: audit(1192701147.995:8): avc:  denied  { append } for  pid=2215 comm="sendmail" name="main.log" dev=dm-1 ino=1671187 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
Oct 18 12:52:28 www kernel: audit(1192701148.011:9): avc:  denied  { read } for  pid=2287 comm="sendmail" name="md2" dev=tmpfs ino=1247 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
Oct 18 12:52:28 www kernel: audit(1192701148.012:10): avc:  denied  { read } for  pid=2287 comm="sendmail" name="mdstat" dev=proc ino=4026532359 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:object_r:proc_mdstat_t:s0 tclass=file
Oct 18 12:52:28 www kernel: audit(1192701148.022:11): avc:  denied  { write } for  pid=2287 comm="sendmail" name="input" dev=dm-1 ino=3637262 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
Oct 18 12:52:28 www kernel: audit(1192701148.023:12): avc:  denied  { append } for  pid=2287 comm="sendmail" name="main.log" dev=dm-1 ino=1671187 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
Oct 18 12:52:28 www kernel: audit(1192701148.023:13): avc:  denied  { append } for  pid=2287 comm="sendmail" name="main.log" dev=dm-1 ino=1671187 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
Oct 18 12:52:28 www kernel: audit(1192701148.027:14): avc:  denied  { read } for  pid=2288 comm="sendmail" name="md4" dev=tmpfs ino=6925 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
Oct 18 12:52:28 www kernel: audit(1192701148.027:15): avc:  denied  { read } for  pid=2288 comm="sendmail" name="mdstat" dev=proc ino=4026532359 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:object_r:proc_mdstat_t:s0 tclass=file
Oct 18 12:52:28 www kernel: audit(1192701148.035:16): avc:  denied  { write } for  pid=2288 comm="sendmail" name="input" dev=dm-1 ino=3637262 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
Oct 18 12:52:28 www kernel: audit(1192701148.036:17): avc:  denied  { append } for  pid=2288 comm="sendmail" name="main.log" dev=dm-1 ino=1671187 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
Oct 18 12:52:28 www kernel: audit(1192701148.036:18): avc:  denied  { append } for  pid=2288 comm="sendmail" name="main.log" dev=dm-1 ino=1671187 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
Comment 3 Jarkko 2007-10-18 06:03:25 EDT
Oh, sorry!

I tested with the older version. Didn't notice that until now. :)
Comment 4 Jarkko 2007-10-19 07:18:04 EDT
As I said I'm not familiar with SELinux. My diagnosis was dead wrong. You
shouldn't try to make a diagnosis about something you don't know... :)

I realized mdadm can't send the mail with sendmail either.


Testing with the original version (selinux-policy-targeted-2.4.6-30.el5) and exim:

audit2why: Missing or disabled TE allow rule.
audit2allow: allow mdadm_t self:capability { setgid setuid };

That has nothing to do with Exim. :) At least not directly (I don't know what
would happen if this phase were allowed. Would there be other denies...)


Testing with the original version (selinux-policy-targeted-2.4.6-30.el5) and
sendmail:

audit2allow:
allow system_mail_t fixed_disk_device_t:blk_file read;
allow system_mail_t proc_mdstat_t:file read;

I'm not sure why we get different denies (perhaps because things are happening
in different order with different MTAs), but I'm changing the summary to reflect
the actual problem: "SELinux prevents mdadm to send mail".


Here are the raw log messages when using selinux-policy-targeted-2.4.6-30.el5
and sendmail:

Oct 19 13:52:05 www kernel: audit(1192791124.570:4): avc:  denied  { read } for  pid=2203 comm="sendmail" name="md1" dev=tmpfs ino=6659 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
Oct 19 13:52:05 www kernel: audit(1192791124.571:5): avc:  denied  { read } for  pid=2203 comm="sendmail" name="mdstat" dev=proc ino=4026532359 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:object_r:proc_mdstat_t:s0 tclass=file
Oct 19 13:52:05 www kernel: audit(1192791125.413:6): avc:  denied  { read } for  pid=2274 comm="sendmail" name="md2" dev=tmpfs ino=1247 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
Oct 19 13:52:05 www kernel: audit(1192791125.414:7): avc:  denied  { read } for  pid=2274 comm="sendmail" name="mdstat" dev=proc ino=4026532359 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:object_r:proc_mdstat_t:s0 tclass=file
Oct 19 13:52:05 www kernel: audit(1192791125.648:8): avc:  denied  { read } for  pid=2276 comm="sendmail" name="md4" dev=tmpfs ino=6979 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
Oct 19 13:52:05 www kernel: audit(1192791125.649:9): avc:  denied  { read } for  pid=2276 comm="sendmail" name="mdstat" dev=proc ino=4026532359 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:object_r:proc_mdstat_t:s0 tclass=file
Comment 5 Daniel Walsh 2007-10-19 10:36:48 EDT
Most of the AVCs above are caused by a leaked file descriptor in the raid tools.

There is no reason for sendmail to be reading fixedisk or proc_mdstat.  When an
application execs a program it is responsible for cleaning up its file descriptors:

fcntl(fd, F_SETFD, FD_CLOEXEC)
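To make the point in comment 5 concrete, here is an added demonstration (not code from mdadm or from this bug) of a descriptor surviving a popen-style fork/exec unless FD_CLOEXEC is set, plus a retrofit that seals a range of already-open descriptors. It assumes Linux or another POSIX system with /bin/sh, goes through system() because only the child's exit status matters, and uses /dev/null as a constructed stand-in for the /dev/md* node mdadm held open.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/wait.h>

/* Open a file, optionally mark it close-on-exec, then run "sh -c ..." the way
 * popen(3) does and ask the child shell to dup the descriptor.  "exec 9<&N"
 * only succeeds if descriptor N is still open in the child, so the result is
 * 1 when the descriptor leaked into the child, 0 when exec closed it, and -1
 * on error.  /dev/null is a constructed stand-in for the /dev/md* node that
 * mdadm held open; it is not a value taken from the bug. */
int fd_survives_exec(int set_cloexec)
{
    char cmd[64];
    int status, fd = open("/dev/null", O_RDONLY);

    if (fd < 0)
        return -1;
    /* The one-line fix from comment 5: the flag is per descriptor and only
     * takes effect at execve(), so the parent keeps using fd as before. */
    if (set_cloexec && fcntl(fd, F_SETFD, FD_CLOEXEC) < 0) {
        close(fd);
        return -1;
    }
    snprintf(cmd, sizeof cmd, "exec 2>/dev/null 9<&%d", fd);
    status = system(cmd);               /* fork + exec of /bin/sh, like popen */
    close(fd);
    if (status == -1 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status) == 0;
}

/* Retrofit for code that opened its files long before the exec site: mark
 * every open descriptor in [first, last] close-on-exec.  Returns how many
 * descriptors were marked; numbers that are not open are skipped. */
int mark_cloexec_range(int first, int last)
{
    int fd, n = 0;

    for (fd = first; fd <= last; fd++) {
        int flags = fcntl(fd, F_GETFD);
        if (flags < 0)
            continue;                   /* EBADF: nothing open here */
        if (fcntl(fd, F_SETFD, flags | FD_CLOEXEC) == 0)
            n++;
    }
    return n;
}

/* Opens a descriptor without the flag, seals it with mark_cloexec_range() and
 * reports whether the flag is now set (1) or not (0); -1 on error. */
int seal_demo(void)
{
    int ok, fd = open("/dev/null", O_RDONLY);

    if (fd < 0)
        return -1;
    mark_cloexec_range(fd, fd);
    ok = (fcntl(fd, F_GETFD) & FD_CLOEXEC) != 0;
    close(fd);
    return ok;
}

int main(void)
{
    printf("child inherits fd without FD_CLOEXEC: %d\n", fd_survives_exec(0));
    printf("child inherits fd with FD_CLOEXEC:    %d\n", fd_survives_exec(1));
    printf("retrofitted descriptor is sealed:     %d\n", seal_demo());
    return 0;
}
```

The leaked descriptor is exactly what made sendmail, running as system_mail_t, appear to read fixed_disk_device_t and proc_mdstat_t objects in the records above.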
Comment 6 Mike McLean 2007-10-19 12:01:23 EDT
I'm not sure why it was assigned to me; dledford owns raidtools.
Comment 7 Mike McLean 2007-10-19 12:03:37 EDT
Apparently bugzilla thought I owned it. Odd.  Well, fixed now, I hope.
Comment 8 Daniel Walsh 2007-10-19 12:32:08 EDT
I guess this should be assigned to mdadm?
Comment 9 RHEL Product and Program Management 2007-10-19 12:35:06 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 10 Doug Ledford 2007-10-19 12:43:41 EDT
The leaked file descriptor issue has been fixed in the Fedora mdadm for a while
now (there were also about 5 other somewhat important fixes in the fedora mdadm
update).  There were also several important bug fixes from upstream via updating
to mdadm >= 2.6.2.  I would suggest we rev the RHEL5 mdadm from the 2.5 version
it is now to the current 2.6 version (which is in Fedora) on the next update
cycle as it resolves this issue, the initscript issue, and a slew of other
issues that Fedora had bugs for but which aren't filed against RHEL.
Comment 11 Jarkko 2007-10-19 15:49:44 EDT
selinux-policy-targeted-2.4.6-30.el5 + exim-4.63-3.el5 + mdadm-2.6.2-4.fc7
--------------------------------------------------------------------------

Oct 19 22:44:02 www kernel: audit(1192823040.599:4): avc:  denied  { getattr }
for  pid=2221 comm="sh" name="root" dev=md2 ino=272737
scontext=system_u:system_r:mdadm_t:s0 tcontext=root:object_r:user_home_dir_t:s0
tclass=dir
Oct 19 22:44:02 www kernel: audit(1192823040.600:5): avc:  denied  { search }
for  pid=2221 comm="sh" name="root" dev=md2 ino=272737
scontext=system_u:system_r:mdadm_t:s0 tcontext=root:object_r:user_home_dir_t:s0
tclass=dir
Oct 19 22:44:02 www kernel: audit(1192823041.682:6): avc:  denied  { setgid }
for  pid=2221 comm="sendmail" capability=6 scontext=system_u:system_r:mdadm_t:s0
tcontext=system_u:system_r:mdadm_t:s0 tclass=capability
Oct 19 22:44:02 www kernel: audit(1192823041.683:7): avc:  denied  { setuid }
for  pid=2221 comm="sendmail" capability=7 scontext=system_u:system_r:mdadm_t:s0
tcontext=system_u:system_r:mdadm_t:s0 tclass=capability
Oct 19 22:44:02 www kernel: audit(1192823041.683:8): avc:  denied  { setgid }
for  pid=2221 comm="sendmail" capability=6 scontext=system_u:system_r:mdadm_t:s0
tcontext=system_u:system_r:mdadm_t:s0 tclass=capability
Oct 19 22:44:02 www kernel: audit(1192823041.684:9): avc:  denied  { setgid }
for  pid=2221 comm="sendmail" capability=6 scontext=system_u:system_r:mdadm_t:s0
tcontext=system_u:system_r:mdadm_t:s0 tclass=capability
Oct 19 22:44:02 www kernel: audit(1192823041.713:10): avc:  denied  { getattr }
for  pid=2280 comm="sh" name="root" dev=md2 ino=272737
scontext=system_u:system_r:mdadm_t:s0 tcontext=root:object_r:user_home_dir_t:s0
tclass=dir
Oct 19 22:44:02 www kernel: audit(1192823041.714:11): avc:  denied  { search }
for  pid=2280 comm="sh" name="root" dev=md2 ino=272737
scontext=system_u:system_r:mdadm_t:s0 tcontext=root:object_r:user_home_dir_t:s0
tclass=dir
Oct 19 22:44:02 www kernel: audit(1192823041.720:12): avc:  denied  { setgid }
for  pid=2280 comm="sendmail" capability=6 scontext=system_u:system_r:mdadm_t:s0
tcontext=system_u:system_r:mdadm_t:s0 tclass=capability
Oct 19 22:44:02 www kernel: audit(1192823041.721:13): avc:  denied  { setuid }
for  pid=2280 comm="sendmail" capability=7 scontext=system_u:system_r:mdadm_t:s0
tcontext=system_u:system_r:mdadm_t:s0 tclass=capability
Oct 19 22:44:02 www kernel: audit(1192823041.721:14): avc:  denied  { setgid }
for  pid=2280 comm="sendmail" capability=6 scontext=system_u:system_r:mdadm_t:s0
tcontext=system_u:system_r:mdadm_t:s0 tclass=capability
Oct 19 22:44:02 www kernel: audit(1192823041.722:15): avc:  denied  { setgid }
for  pid=2280 comm="sendmail" capability=6 scontext=system_u:system_r:mdadm_t:s0
tcontext=system_u:system_r:mdadm_t:s0 tclass=capability
Oct 19 22:44:02 www kernel: audit(1192823041.838:16): avc:  denied  { getattr }
for  pid=2281 comm="sh" name="root" dev=md2 ino=272737
scontext=system_u:system_r:mdadm_t:s0 tcontext=root:object_r:user_home_dir_t:s0
tclass=dir
Oct 19 22:44:02 www kernel: audit(1192823041.839:17): avc:  denied  { search }
for  pid=2281 comm="sh" name="root" dev=md2 ino=272737
scontext=system_u:system_r:mdadm_t:s0 tcontext=root:object_r:user_home_dir_t:s0
tclass=dir
Oct 19 22:44:02 www kernel: audit(1192823041.847:18): avc:  denied  { setgid }
for  pid=2281 comm="sendmail" capability=6 scontext=system_u:system_r:mdadm_t:s0
tcontext=system_u:system_r:mdadm_t:s0 tclass=capability
Oct 19 22:44:02 www kernel: audit(1192823041.847:19): avc:  denied  { setuid }
for  pid=2281 comm="sendmail" capability=7 scontext=system_u:system_r:mdadm_t:s0
tcontext=system_u:system_r:mdadm_t:s0 tclass=capability
Oct 19 22:44:02 www kernel: audit(1192823041.848:20): avc:  denied  { setgid }
for  pid=2281 comm="sendmail" capability=6 scontext=system_u:system_r:mdadm_t:s0
tcontext=system_u:system_r:mdadm_t:s0 tclass=capability
Oct 19 22:44:02 www kernel: audit(1192823041.849:21): avc:  denied  { setgid }
for  pid=2281 comm="sendmail" capability=6 scontext=system_u:system_r:mdadm_t:s0
tcontext=system_u:system_r:mdadm_t:s0 tclass=capability

allow mdadm_t self:capability { setgid setuid };
allow mdadm_t user_home_dir_t:dir { getattr search };
Comment 12 Jarkko 2007-10-19 15:59:08 EDT
selinux-policy-targeted-2.4.6-30.el5 + sendmail-8.13.8-2.el5 + mdadm-2.6.2-4.fc7
--------------------------------------------------------------------------------

Oct 19 22:56:07 www kernel: audit(1192823765.734:4): avc:  denied  { getattr }
for  pid=2230 comm="sh" name="root" dev=md2 ino=272737
scontext=system_u:system_r:mdadm_t:s0 tcontext=root:object_r:user_home_dir_t:s0
tclass=dir
Oct 19 22:56:07 www kernel: audit(1192823765.735:5): avc:  denied  { search }
for  pid=2230 comm="sh" name="root" dev=md2 ino=272737
scontext=system_u:system_r:mdadm_t:s0 tcontext=root:object_r:user_home_dir_t:s0
tclass=dir
Oct 19 22:56:07 www kernel: audit(1192823766.658:6): avc:  denied  { getattr }
for  pid=2302 comm="sh" name="root" dev=md2 ino=272737
scontext=system_u:system_r:mdadm_t:s0 tcontext=root:object_r:user_home_dir_t:s0
tclass=dir
Oct 19 22:56:07 www kernel: audit(1192823766.658:7): avc:  denied  { search }
for  pid=2302 comm="sh" name="root" dev=md2 ino=272737
scontext=system_u:system_r:mdadm_t:s0 tcontext=root:object_r:user_home_dir_t:s0
tclass=dir
Oct 19 22:56:07 www kernel: audit(1192823766.713:8): avc:  denied  { getattr }
for  pid=2304 comm="sh" name="root" dev=md2 ino=272737
scontext=system_u:system_r:mdadm_t:s0 tcontext=root:object_r:user_home_dir_t:s0
tclass=dir
Oct 19 22:56:07 www kernel: audit(1192823766.714:9): avc:  denied  { search }
for  pid=2304 comm="sh" name="root" dev=md2 ino=272737
scontext=system_u:system_r:mdadm_t:s0 tcontext=root:object_r:user_home_dir_t:s0
tclass=dir

allow mdadm_t user_home_dir_t:dir { getattr search };
Comment 13 Daniel Walsh 2007-10-19 16:12:16 EDT
Now update to selinux-policy-targeted-2.4.6-106.el5
Comment 14 Jarkko 2007-10-19 16:23:04 EDT
selinux-policy-targeted-2.4.6-106.el5 + sendmail-8.13.8-2.el5 + mdadm-2.6.2-4.fc7
---------------------------------------------------------------------------------

Oct 19 23:21:13 www kernel: audit(1192825271.601:4): avc:  denied  { getattr }
for  pid=2228 comm="sh" name="root" dev=md2 ino=272737
scontext=system_u:system_r:mdadm_t:s0 tcontext=root:object_r:user_home_dir_t:s0
tclass=dir
Oct 19 23:21:13 www kernel: audit(1192825271.602:5): avc:  denied  { search }
for  pid=2228 comm="sh" name="root" dev=md2 ino=272737
scontext=system_u:system_r:mdadm_t:s0 tcontext=root:object_r:user_home_dir_t:s0
tclass=dir
Oct 19 23:21:13 www kernel: audit(1192825272.672:6): avc:  denied  { getattr }
for  pid=2300 comm="sh" name="root" dev=md2 ino=272737
scontext=system_u:system_r:mdadm_t:s0 tcontext=root:object_r:user_home_dir_t:s0
tclass=dir
Oct 19 23:21:13 www kernel: audit(1192825272.672:7): avc:  denied  { search }
for  pid=2300 comm="sh" name="root" dev=md2 ino=272737
scontext=system_u:system_r:mdadm_t:s0 tcontext=root:object_r:user_home_dir_t:s0
tclass=dir
Oct 19 23:21:13 www kernel: audit(1192825272.731:8): avc:  denied  { getattr }
for  pid=2302 comm="sh" name="root" dev=md2 ino=272737
scontext=system_u:system_r:mdadm_t:s0 tcontext=root:object_r:user_home_dir_t:s0
tclass=dir
Oct 19 23:21:13 www kernel: audit(1192825272.732:9): avc:  denied  { search }
for  pid=2302 comm="sh" name="root" dev=md2 ino=272737
scontext=system_u:system_r:mdadm_t:s0 tcontext=root:object_r:user_home_dir_t:s0
tclass=dir

allow mdadm_t user_home_dir_t:dir { getattr search };
Comment 15 Jarkko 2007-10-19 16:31:45 EDT
selinux-policy-targeted-2.4.6-106.el5 + exim-4.63-3.el5 + mdadm-2.6.2-4.fc7
---------------------------------------------------------------------------

Oct 19 23:29:01 www kernel: audit(1192825740.135:4): avc:  denied  { getattr }
for  pid=2221 comm="sh" name="root" dev=md2 ino=272737
scontext=system_u:system_r:mdadm_t:s0 tcontext=root:object_r:user_home_dir_t:s0
tclass=dir
Oct 19 23:29:01 www kernel: audit(1192825740.136:5): avc:  denied  { search }
for  pid=2221 comm="sh" name="root" dev=md2 ino=272737
scontext=system_u:system_r:mdadm_t:s0 tcontext=root:object_r:user_home_dir_t:s0
tclass=dir
Oct 19 23:29:01 www kernel: audit(1192825741.455:6): avc:  denied  { write } for
 pid=2221 comm="sendmail" name="input" dev=dm-1 ino=3637257
scontext=system_u:system_r:system_mail_t:s0
tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
Oct 19 23:29:01 www kernel: audit(1192825741.464:7): avc:  denied  { append }
for  pid=2221 comm="sendmail" name="main.log" dev=dm-1 ino=1671187
scontext=system_u:system_r:system_mail_t:s0
tcontext=system_u:object_r:var_log_t:s0 tclass=file
Oct 19 23:29:01 www kernel: audit(1192825741.465:8): avc:  denied  { append }
for  pid=2221 comm="sendmail" name="main.log" dev=dm-1 ino=1671187
scontext=system_u:system_r:system_mail_t:s0
tcontext=system_u:object_r:var_log_t:s0 tclass=file
Oct 19 23:29:01 www kernel: audit(1192825741.492:9): avc:  denied  { append }
for  pid=2221 comm="sendmail" name="panic.log" dev=dm-1 ino=1671188
scontext=system_u:system_r:system_mail_t:s0
tcontext=system_u:object_r:var_log_t:s0 tclass=file
Oct 19 23:29:01 www kernel: audit(1192825741.493:10): avc:  denied  { append }
for  pid=2221 comm="sendmail" name="panic.log" dev=dm-1 ino=1671188
scontext=system_u:system_r:system_mail_t:s0
tcontext=system_u:object_r:var_log_t:s0 tclass=file
Oct 19 23:29:01 www kernel: audit(1192825741.680:11): avc:  denied  { getattr }
for  pid=2293 comm="sh" name="root" dev=md2 ino=272737
scontext=system_u:system_r:mdadm_t:s0 tcontext=root:object_r:user_home_dir_t:s0
tclass=dir
Oct 19 23:29:01 www kernel: audit(1192825741.681:12): avc:  denied  { search }
for  pid=2293 comm="sh" name="root" dev=md2 ino=272737
scontext=system_u:system_r:mdadm_t:s0 tcontext=root:object_r:user_home_dir_t:s0
tclass=dir
Oct 19 23:29:01 www kernel: audit(1192825741.708:13): avc:  denied  { write }
for  pid=2293 comm="sendmail" name="input" dev=dm-1 ino=3637257
scontext=system_u:system_r:system_mail_t:s0
tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
Oct 19 23:29:01 www kernel: audit(1192825741.709:14): avc:  denied  { append }
for  pid=2293 comm="sendmail" name="main.log" dev=dm-1 ino=1671187
scontext=system_u:system_r:system_mail_t:s0
tcontext=system_u:object_r:var_log_t:s0 tclass=file
Oct 19 23:29:01 www kernel: audit(1192825741.710:15): avc:  denied  { append }
for  pid=2293 comm="sendmail" name="main.log" dev=dm-1 ino=1671187
scontext=system_u:system_r:system_mail_t:s0
tcontext=system_u:object_r:var_log_t:s0 tclass=file
Oct 19 23:29:01 www kernel: audit(1192825741.711:16): avc:  denied  { append }
for  pid=2293 comm="sendmail" name="panic.log" dev=dm-1 ino=1671188
scontext=system_u:system_r:system_mail_t:s0
tcontext=system_u:object_r:var_log_t:s0 tclass=file
Oct 19 23:29:01 www kernel: audit(1192825741.712:17): avc:  denied  { append }
for  pid=2293 comm="sendmail" name="panic.log" dev=dm-1 ino=1671188
scontext=system_u:system_r:system_mail_t:s0
tcontext=system_u:object_r:var_log_t:s0 tclass=file
Oct 19 23:29:01 www kernel: audit(1192825741.718:18): avc:  denied  { getattr }
for  pid=2302 comm="sh" name="root" dev=md2 ino=272737
scontext=system_u:system_r:mdadm_t:s0 tcontext=root:object_r:user_home_dir_t:s0
tclass=dir
Oct 19 23:29:01 www kernel: audit(1192825741.719:19): avc:  denied  { search }
for  pid=2302 comm="sh" name="root" dev=md2 ino=272737
scontext=system_u:system_r:mdadm_t:s0 tcontext=root:object_r:user_home_dir_t:s0
tclass=dir
Oct 19 23:29:01 www kernel: audit(1192825741.732:20): avc:  denied  { write }
for  pid=2302 comm="sendmail" name="input" dev=dm-1 ino=3637257
scontext=system_u:system_r:system_mail_t:s0
tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
Oct 19 23:29:01 www kernel: audit(1192825741.733:21): avc:  denied  { append }
for  pid=2302 comm="sendmail" name="main.log" dev=dm-1 ino=1671187
scontext=system_u:system_r:system_mail_t:s0
tcontext=system_u:object_r:var_log_t:s0 tclass=file
Oct 19 23:29:01 www kernel: audit(1192825741.734:22): avc:  denied  { append }
for  pid=2302 comm="sendmail" name="main.log" dev=dm-1 ino=1671187
scontext=system_u:system_r:system_mail_t:s0
tcontext=system_u:object_r:var_log_t:s0 tclass=file
Oct 19 23:29:01 www kernel: audit(1192825741.735:23): avc:  denied  { append }
for  pid=2302 comm="sendmail" name="panic.log" dev=dm-1 ino=1671188
scontext=system_u:system_r:system_mail_t:s0
tcontext=system_u:object_r:var_log_t:s0 tclass=file
Oct 19 23:29:01 www kernel: audit(1192825741.736:24): avc:  denied  { append }
for  pid=2302 comm="sendmail" name="panic.log" dev=dm-1 ino=1671188
scontext=system_u:system_r:system_mail_t:s0
tcontext=system_u:object_r:var_log_t:s0 tclass=file

allow mdadm_t user_home_dir_t:dir { getattr search };
allow system_mail_t var_log_t:file append;
allow system_mail_t var_spool_t:dir write;
Comment 16 Jarkko 2007-10-24 06:13:37 EDT
> allow mdadm_t user_home_dir_t:dir { getattr search };

Either mdadm tries to do something silly or the policy should allow it.


> allow system_mail_t var_log_t:file append;
> allow system_mail_t var_spool_t:dir write;

The policy should allow exim to do those things I guess. They seem like normal
exim operations (adding a log entry + writing the message under /var/spool for
delivery).
Comment 17 Daniel Walsh 2007-10-24 09:18:01 EDT
Yes, the problem here is we don't have an exim policy.  So until we add one to
RHEL5 (U2), this is going to be a problem.

You can modify your SELinux environment to allow these rules using audit2allow:

# grep mail /var/log/audit/audit.log | audit2allow -M mymail
# semodule -i mymail.pp
Comment 18 Jarkko 2007-10-24 11:34:58 EDT
Thanks.

What about that "mdadm_t user_home_dir_t:dir { getattr search }"? Is mdadm doing
silly things there or is that a policy issue?
Comment 19 Doug Ledford 2007-10-24 12:28:53 EDT
You manually restarted mdadm when you were in a directory other than /.  Mdadm
doesn't cd to / on startup, and when it calls popen("/usr/sbin/sendmail"); to
send you the mail about the degraded array, popen() spawns a shell to start
sendmail, and that particular denial is the shell's normal startup trying to
check what directory it is in.  If mdadm is started by the init scripts on
bootup, its current directory is / and it has permission to search that
directory so selinux doesn't complain.  It's noisy, but harmless.
Comment 20 Jarkko 2007-10-24 13:20:00 EDT
This deny does happen on bootup. And because of this, I get no email from mdadm
about degraded arrays I have at the moment. I didn't restart mdadm manually. I
rebooted the computer.
Comment 21 Jarkko 2007-10-24 13:26:10 EDT
See comment #12 and comment #14 about what happens on bootup.
Comment 22 Jarkko 2007-10-24 13:46:20 EDT
Sorry! Forgot to run "newaliases"...
Comment 23 Daniel Walsh 2007-10-24 13:48:23 EDT
Doug's definition is good, but this looks like the directory is /root or it is
doing a getattr on $HOME.  Anyways this is not causing the problem and can be
denied or dontaudited.

If you want to fix this totally, I would boot in permissive mode.  "enforcing=0"

Then once you are up, you should get the email.

Now 

grep sendmail /var/log/audit/audit.log | audit2allow -M mymail
semodule -i mymail.pp

After this it should add all the rules to make this happen.

You can setenforce 1 and mdadm should be able to send mail over exim.
Comment 24 Jarkko 2007-10-24 14:29:22 EDT
My hosts/aliases configuration was bad and therefore sendmail didn't send me
email. Exim is a much easier MTA to use. :)

I do get emails now from mdadm with sendmail when booting the computer up. There
are those denies though (comment #21), but I do get the emails. So it's a bit
messy, but it works (a little harmless bug in mdadm or initscripts).
Comment 25 Jarkko 2007-10-24 15:40:57 EDT
If I understood comment #19 correctly, the popen() call in mdadm spawns a shell,
and when a shell is spawned, a getattr/search on $HOME is always executed.

The mdmonitor service runs as root and is initially started by init. So I guess
$PWD sure is "/" but $HOME is "/root" (not "/").

That would mean the { getattr search } is normal behaviour and there is no bug
in mdadm or initscripts.

If that is the case, then either

1) the policy should allow those operations to happen

or

2) $HOME should be set to "/" somehow (there are multiple solutions) while
starting mdadm.
Comment 26 Jarkko 2007-10-24 17:06:58 EDT
I just learned from the docs what you meant with dontaudit. :) To have the mdadm
issue totally fixed, the policy should contain:

dontaudit mdadm_t user_home_dir_t:dir { getattr search };
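The audit2allow runs in comments 17 and 23 and the dontaudit choice in comment 26 both come down to the same mapping from AVC records to type-enforcement rules. The following is an added example, not part of this bug and not audit2allow's own code, of that mapping in C: it pulls the source type, target type, object class and permission out of each record, merges permissions per (source, target, class), writes `self` where the two types coincide, and renders either an allow or a dontaudit statement. The sample records are transcribed from comments 0 and 2 above; all function and constant names are this example's own.

```c
#include <stdio.h>
#include <string.h>

#define MAX_RULES 32
#define MAX_PERMS 8
#define NAME_LEN 64

struct rule { char src[NAME_LEN], tgt[NAME_LEN], cls[NAME_LEN], perms[MAX_PERMS][NAME_LEN]; int nperms; };
static struct rule rules[MAX_RULES];
static int nrules;
int rule_count(void) { return nrules; }

/* Copy from p up to the first char in stops; 0 if empty or too long for out. */
static int cut(const char *p, const char *stops, char *out, size_t outlen)
{
    size_t n = strcspn(p, stops);
    if (n == 0 || n >= outlen) return 0;
    memcpy(out, p, n), out[n] = '\0';
    return 1;
}
/* Value after "key" in an AVC record, e.g. key "tclass=" yields "capability". */
static int field(const char *rec, const char *key, char *out, size_t outlen)
{
    const char *p = strstr(rec, key);
    return p ? cut(p + strlen(key), " \t\r\n", out, outlen) : 0;
}
/* The type is the third colon-separated part of user:role:type:level. */
static int type_of(const char *ctx, char *out, size_t outlen)
{
    int i;
    for (i = 0; i < 2; i++, ctx++)
        if (!(ctx = strchr(ctx, ':'))) return 0;
    return cut(ctx, ":", out, outlen);
}
/* Find the rule for (src, tgt, cls), creating it if needed; NULL when full. */
static struct rule *lookup(const char *src, const char *tgt, const char *cls)
{
    struct rule *r = rules;
    for (; r < rules + nrules; r++)
        if (!strcmp(r->src, src) && !strcmp(r->tgt, tgt) && !strcmp(r->cls, cls)) return r;
    if (nrules == MAX_RULES) return NULL;
    memset(r, 0, sizeof *r);
    nrules++;
    strcpy(r->src, src), strcpy(r->tgt, tgt), strcpy(r->cls, cls);  /* cut() bounded all three */
    return r;
}
/* Merge one "avc:  denied  { perms } ... scontext= tcontext= tclass=" record into
 * the table.  Returns 1 on success, 0 if rec is not a denial record. */
int add_avc(const char *rec)
{
    char sctx[128], tctx[128], src[NAME_LEN], tgt[NAME_LEN], cls[NAME_LEN], perms[128], *p;
    const char *lb = strchr(rec, '{'), *rb = lb ? strchr(lb, '}') : NULL;
    struct rule *r;
    if (!strstr(rec, "avc:") || !strstr(rec, "denied") || !rb || rb < lb + 2 ||
        (size_t)(rb - lb) > sizeof perms) return 0;
    memcpy(perms, lb + 1, rb - lb - 1);
    perms[rb - lb - 1] = '\0';
    if (!field(rec, "scontext=", sctx, sizeof sctx) || !type_of(sctx, src, sizeof src) ||
        !field(rec, "tcontext=", tctx, sizeof tctx) || !type_of(tctx, tgt, sizeof tgt) ||
        !field(rec, "tclass=", cls, sizeof cls)) return 0;
    /* Policy language writes a rule whose two types coincide as "self". */
    if (!(r = lookup(src, strcmp(src, tgt) ? tgt : "self", cls))) return 0;
    for (p = strtok(perms, " "); p; p = strtok(NULL, " ")) {
        int i = 0;
        while (i < r->nperms && strcmp(r->perms[i], p)) i++;
        if (i < r->nperms) continue;                    /* already recorded */
        if (r->nperms == MAX_PERMS || strlen(p) >= NAME_LEN) return 0;
        strcpy(r->perms[r->nperms++], p);
    }
    return 1;
}
/* Render rule i as "allow ..." or "dontaudit ..."; NULL for a bad index. */
const char *format_rule(int i, const char *kind)
{
    static char buf[512];
    const struct rule *r;
    int j, n, many;
    if (i < 0 || i >= nrules) return NULL;
    r = &rules[i];
    many = r->nperms > 1;          /* "{ a b }" for several perms, bare name for one */
    n = snprintf(buf, sizeof buf, "%s %s %s:%s %s", kind, r->src, r->tgt, r->cls, many ? "{" : "");
    for (j = 0; j < r->nperms; j++)
        n += snprintf(buf + n, sizeof buf - n, "%s%s", j || many ? " " : "", r->perms[j]);
    snprintf(buf + n, sizeof buf - n, "%s", many ? " };" : ";");
    return buf;
}
/* Sample input: three records transcribed from comments 0 and 2 of this bug. */
static const char *const SAMPLE_AVC[] = {
    "Oct 17 08:35:13 www kernel: audit(1192599312.879:4): avc:  denied  { setgid } for  pid=2297 comm=\"sendmail\" capability=6 scontext=system_u:system_r:mdadm_t:s0 tcontext=system_u:system_r:mdadm_t:s0 tclass=capability",
    "Oct 17 08:35:13 www kernel: audit(1192599312.880:5): avc:  denied  { setuid } for  pid=2297 comm=\"sendmail\" capability=7 scontext=system_u:system_r:mdadm_t:s0 tcontext=system_u:system_r:mdadm_t:s0 tclass=capability",
    "Oct 18 12:52:28 www kernel: audit(1192701146.861:4): avc:  denied  { read } for  pid=2215 comm=\"sendmail\" name=\"md1\" dev=tmpfs ino=6963 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file",
};
/* Parse the samples into a fresh table; returns how many records parsed. */
int load_samples(void)
{
    size_t i; int ok = 0;
    for (nrules = 0, i = 0; i < sizeof SAMPLE_AVC / sizeof *SAMPLE_AVC; i++) ok += add_avc(SAMPLE_AVC[i]);
    return ok;
}
```

Whether a generated rule belongs in policy is a separate decision: in this bug the capability denials were a symptom of mdadm leaking descriptors (comment 5), and the $HOME denials were judged harmless and better dontaudited (comment 26).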
Comment 27 Daniel Walsh 2007-10-25 10:06:53 EDT
OK, I will back-port this policy for RHEL5.2.  But we still need the leaked file
descriptor fixed.  5.2 should have exim policy also.
Comment 31 Daniel Walsh 2008-02-21 11:13:03 EST
This bug was mistakenly moved off of on_qa
Comment 32 Petr Šplíchal 2008-03-10 06:08:50 EDT
Mails still cannot be sent from mdmonitor using exim.
Tested with mdadm-2.6.4-1.el5 and selinux-policy-2.4.6-125.el5.

I get this error in /var/log/exim/main.log:
R=userforward defer (-1): failed to open /home/testuser/.forward: Permission
denied (euid=500 egid=500)

I've created a test case for it (available in CVS & RHTS).
mdadm/regression/bz335911-mdmonitor-mail-denial/
Comment 33 Doug Ledford 2008-03-10 14:35:53 EDT
I'm relatively certain that the specific denials you are getting with exim are
*not* the fault of mdadm.  We need an SELinux expert and/or an exim expert to
look over this situation.
Comment 34 Daniel Walsh 2008-03-10 15:37:04 EDT
Yes, I agree this is not an mdadm bug but SELinux.  What is happening here is the
mail client is trying to read the .forward file in the homedir.  I think if you
remove this, it will work.
 
Comment 35 Doug Ledford 2008-03-10 15:57:34 EDT
If we are going to change the component of this bug then I need to remove it
from the current mdadm errata.  This bug was referenced in the current mdadm
errata because there were changes to mdadm in order to silence the audit
problems when using mdmonitor with sendmail.  The operation of mdmonitor and
sendmail now works properly (it isn't reflected here in the bug comments, but in
the QE request for the errata the initial testing was done with exim and it
failed, I then requested that QE test sendmail and it passed instead of having
the audit denies that are listed in the much earlier comments of this bug) and
so we should have something referencing the reason for those changes to mdadm
attached to the errata.

The problem with mdadm and the exim mailer is new, and likely doesn't really
involve mdadm at all since we've pretty much done everything in mdadm possible
(all open files are flagged with close on exec so we don't leak descriptors, and
we do a very simple popen of sendmail, followed by the write, then a close, so
there isn't much of anything else we can do to cause sendmail/exim to function
properly).  I would suggest we put this bug back as mdadm/assigned to me/ON_QA,
limit its scope to the mdadm/sendmail interactions, and clone just the last few
selinux denial comments as a new bug related to exim/selinux.
Comment 36 Daniel Walsh 2008-03-10 16:07:52 EDT
Ok, Petr, open a new bugzilla if you want, since exim is not allowed to read
files in the users' homedirs.

I reassigned this bugzilla back to mdadm and put it in on_qa.
Comment 37 Doug Ledford 2008-03-10 17:32:48 EDT
Thanks.
Comment 38 Petr Šplíchal 2008-03-11 08:53:11 EDT
Yes, as it is clearly an exim-selinux issue, I suggest going on with solving this
as bug #429843 ([exim] denials when sending from cronjobs); it seems to me
that it's the same problem (or at least very close to it):

https://bugzilla.redhat.com/show_bug.cgi?id=429843
Comment 39 Thomas Woerner 2008-03-14 10:39:08 EDT
Using exim as a normal user, exim is delivering mail even with the command used
by mdadm. There are no errors or warnings related to the recipients home
directory or .forward file.

Therefore this is not an exim problem. It seems to be a problem related to selinux.
Comment 40 Daniel Walsh 2008-04-08 11:41:46 EDT
Yes this is an SELinux problem/or a configuration problem.  Not mdadm or exim. 
The question is, do we want to allow mail to read users homedirs when started
from system accounts.  I say no, or at least force the user to modify policy.
Comment 42 Jarkko 2008-04-29 04:42:51 EDT
I'm not sure if you're talking about what I think you are, but here is my thought:

It's very common that exim is configured to read ~/.forward when delivering mail
to the user. Denying this might not be a good idea. Exim doesn't have to read any
other files from the user's home directory though - .forward will do.
Comment 43 Jarkko 2008-04-29 04:57:51 EDT
Although... Exim should not read .forward when it's used as a mail sending
command (e.g. if I use "echo test | mail user").

Exim should read .forward only when it receives an email as a server and is then
delivering it to the user. That behavior should naturally be allowed. (This
might already work though, because isn't that part of the delivery executed as
the receiving user... I'm not sure now though.)

But it sounds like the sending command tries to read .forward, and that is
strange, if that is happening. Then it sounds like an exim bug to me.

Apparently the discussion about this should happen in bug #429843. Sorry for
commenting here. I just wanted to correct my previous comment. :)
Comment 44 errata-xmlrpc 2008-05-21 11:34:12 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2008-0410.html
