Bug 443950 - avc: denied { getattr } for comm="mdadm" path="/dev/.udev"
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy-targeted
Version: 5.2
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: rc
Assignee: Daniel Walsh
Reported: 2008-04-24 09:59 UTC by Milan Zázrivec
Modified: 2008-05-21 16:43 UTC (History)

Fixed In Version: RHBA-2008-0465
Doc Type: Bug Fix
Last Closed: 2008-05-21 16:43:38 UTC


Attachments
this is the full avc log when setenforce 0 (825 bytes, text/plain)
2008-04-24 15:18 UTC, Milan Zázrivec
avc log with permissive (selinux-policy-targeted-2.4.6-136.el5) (682 bytes, text/plain)
2008-04-29 10:57 UTC, Milan Zázrivec


Links
Red Hat Product Errata RHBA-2008:0465 (priority normal, status SHIPPED_LIVE): selinux-policy bug fix update, last updated 2008-05-20 14:36:31 UTC

Description Milan Zázrivec 2008-04-24 09:59:06 UTC
Description of problem:
/etc/init.d/mdmonitor start causes avc denial on a system with RAID1

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.4.6-135.el5 / RHEL5.2-Server-20080424.nightly

How reproducible:
Always

Steps to Reproduce:
1. Install RHEL5.2 snapshot with / on RAID1
2. # dmesg |grep avc:\ *denied
3. # grep avc:\ *denied /var/log/audit/audit.log
  
Actual results:
type=AVC msg=audit(1209029426.754:10): avc:  denied  { getattr } for  pid=1678
comm="mdadm" path="/dev/.udev" dev=tmpfs ino=2021
scontext=system_u:system_r:mdadm_t:s0 tcontext=system_u:object_r:udev_tbl_t:s0
tclass=dir

Additional info:
This is what the raid1 kickstart setup looks like:
clearpart --all
part /boot --size 200
part swap --recommended
part None --fstype "PPC PReP Boot" --size 8
part raid.01 --size 2048 --grow
part raid.02 --size 2048 --grow
raid / --level 1 --device md0 raid.01 raid.02

Comment 1 Milan Zázrivec 2008-04-24 14:07:18 UTC
Doug, does this avc denial have some serious impact on mdadm functionality
(and therefore should be fixed in RHEL5.2) or can it be deferred for RHEL5.3?

Thank you.

Comment 2 Milan Zázrivec 2008-04-24 15:18:31 UTC
Created attachment 303643 [details]
this is the full avc log when setenforce 0

Comment 3 Doug Ledford 2008-04-24 15:39:18 UTC
Well, if you are going to ask me a question in a bug, it's usually best to make
sure I'm either assigned to the bug or at least cc'ed on the bug ;-)  Setting
the bug to needinfo from a person doesn't mean they get an email about it (at
least I didn't get one).

Now, that said, I don't have an answer for you.  If the install succeeds, then
I'm guessing it's not that important, but until I review the code to find out
why it's trying to open that file I won't know what it's looking for but not
getting.

Comment 4 Doug Ledford 2008-04-24 17:11:06 UTC
I can't find any point in the mdadm code where it attempts to open or otherwise
have anything to do with /dev/.udev.

Comment 5 Milan Zázrivec 2008-04-24 19:02:49 UTC
The denial occurs only when mdadm is started with initscript:
# /etc/init.d/mdmonitor start

When you run:
# mdadm --monitor --scan -f --pid-file=/var/run/mdadm/mdadm.pid
as root, there's no avc denial whatsoever.


Comment 6 Doug Ledford 2008-04-24 19:30:25 UTC
Do the denials happen if you log in as root and run /etc/init.d/mdmonitor stop;
/etc/init.d/mdmonitor start?  In other words, does this only happen when
mdmonitor is started by the system init scripts at bootup or does it happen any
time mdmonitor is run including from the command line?

Comment 7 Milan Zázrivec 2008-04-24 19:39:07 UTC
The denial occurs every time mdmonitor is started. That means when you
log in as root and run /etc/init.d/mdmonitor stop; /etc/init.d/mdmonitor start;
or when the service is started during system bootup. Same thing.


Comment 8 Daniel Walsh 2008-04-28 14:48:30 UTC
mdmonitor is running getattr on every file/directory in /dev.

This is the equivalent of doing an ls /dev

SELinux does not allow mdmonitor to look at the /dev/.udev directory so it
generates an AVC.  This can be ignored.  I will put in a dontaudit rule and if
we need to update policy we can get the Fix for u2.


Comment 9 Daniel Walsh 2008-04-28 14:57:33 UTC
Actually looking at this further, the current policy is supposed to allow
mdadm_t to read these files, so it should allow reading the directory.

Fixed in selinux-policy-2.4.6-136.el5 

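Added example, not code from this bug or from the selinux-policy package: a small Python script that parses AVC denial records like the one quoted in this report and renders either the dontaudit rule proposed in comment 8 or the allow rule that comment 9 implies, wrapped in a minimal .te module (the same transformation audit2allow automates). The audit log text is constructed for the example; the type names mdadm_t and udev_tbl_t come from the report.

```python
import re

# Constructed sample input: the denial quoted in this bug, in audit.log form,
# plus one unrelated SYSCALL record to show that non-AVC lines are skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1209029426.754:10): avc:  denied  { getattr } for  pid=1678 comm="mdadm" path="/dev/.udev" dev=tmpfs ino=2021 scontext=system_u:system_r:mdadm_t:s0 tcontext=system_u:object_r:udev_tbl_t:s0 tclass=dir
type=SYSCALL msg=audit(1209029426.754:10): arch=c000003e syscall=4 success=no exit=-13 comm="mdadm"
"""

# Pull out the pieces a policy rule needs: permissions, source domain, target type, class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}.*?"
    r"scontext=\w+:\w+:(?P<sdom>\w+):\S+\s+"
    r"tcontext=\w+:\w+:(?P<ttype>\w+):\S+\s+"
    r"tclass=(?P<tclass>\w+)"
)

def parse_avc(log_text):
    """Return one dict per AVC denial line found in log_text."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            denials.append({"sdom": m.group("sdom"), "ttype": m.group("ttype"),
                            "tclass": m.group("tclass"),
                            "perms": sorted(m.group("perms").split())})
    return denials

def policy_rule(d, kind="dontaudit"):
    """Render one rule; 'dontaudit' silences the AVC, 'allow' grants the access."""
    if kind not in ("allow", "dontaudit"):
        raise ValueError("kind must be 'allow' or 'dontaudit'")
    return "%s %s %s:%s { %s };" % (kind, d["sdom"], d["ttype"], d["tclass"], " ".join(d["perms"]))

def build_module(denials, name="local_mdadm", kind="dontaudit"):
    """Assemble a minimal .te source module with a require block for every type and class used."""
    types = sorted({d["sdom"] for d in denials} | {d["ttype"] for d in denials})
    perms_by_class = {}
    for d in denials:
        perms_by_class.setdefault(d["tclass"], set()).update(d["perms"])
    lines = ["policy_module(%s, 1.0)" % name, "", "require {"]
    lines += ["\ttype %s;" % t for t in types]
    lines += ["\tclass %s { %s };" % (c, " ".join(sorted(p))) for c, p in sorted(perms_by_class.items())]
    lines += ["}", ""] + [policy_rule(d, kind) for d in denials]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(build_module(parse_avc(SAMPLE_AUDIT_LOG)))
```

Pass kind="allow" to build_module to get the allow form instead; either output is a .te source that checkmodule/semodule_package can turn into a loadable module.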
Comment 11 Milan Zázrivec 2008-04-29 10:57:51 UTC
Created attachment 304105 [details]
avc log with permissive (selinux-policy-targeted-2.4.6-136.el5)

Comment 12 Daniel Walsh 2008-04-29 12:40:59 UTC
Fixed in selinux-policy-2.4.6-137.el5 

Comment 20 errata-xmlrpc 2008-05-21 16:43:38 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2008-0465.html