Bug 443950 - avc: denied { getattr } for comm="mdadm" path="/dev/.udev"
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy-targeted
Version: 5.2
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: rc
Assigned To: Daniel Walsh
Reported: 2008-04-24 05:59 EDT by Milan Zazrivec
Modified: 2008-05-21 12:43 EDT
Fixed In Version: RHBA-2008-0465
Doc Type: Bug Fix
Last Closed: 2008-05-21 12:43:38 EDT

Attachments
this is the full avc log when setenforce 0 (825 bytes, text/plain)
2008-04-24 11:18 EDT, Milan Zazrivec
avc log with permissive (selinux-policy-targeted-2.4.6-136.el5) (682 bytes, text/plain)
2008-04-29 06:57 EDT, Milan Zazrivec

Description Milan Zazrivec 2008-04-24 05:59:06 EDT
Description of problem:
/etc/init.d/mdmonitor start causes avc denial on a system with RAID1

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.4.6-135.el5 / RHEL5.2-Server-20080424.nightly

How reproducible:
Always

Steps to Reproduce:
1. Install RHEL5.2 snapshot with / on RAID1
2. # dmesg |grep avc:\ *denied
3. # grep avc:\ *denied /var/log/audit/audit.log
  
Actual results:
type=AVC msg=audit(1209029426.754:10): avc:  denied  { getattr } for  pid=1678
comm="mdadm" path="/dev/.udev" dev=tmpfs ino=2021
scontext=system_u:system_r:mdadm_t:s0 tcontext=system_u:object_r:udev_tbl_t:s0
tclass=dir

Additional info:
This is what the raid1 kickstart setup looks like:
clearpart --all
part /boot --size 200
part swap --recommended
part None --fstype "PPC PReP Boot" --size 8
part raid.01 --size 2048 --grow
part raid.02 --size 2048 --grow
raid / --level 1 --device md0 raid.01 raid.02
Comment 1 Milan Zazrivec 2008-04-24 10:07:18 EDT
Doug, does this avc denial have some serious impact on mdadm functionality
(and therefore should be fixed in RHEL5.2) or can it be deferred for RHEL5.3?

Thank you.
Comment 2 Milan Zazrivec 2008-04-24 11:18:31 EDT
Created attachment 303643 [details]
this is the full avc log when setenforce 0
Comment 3 Doug Ledford 2008-04-24 11:39:18 EDT
Well, if you are going to ask me a question in a bug, it's usually best to make
sure I'm either assigned to the bug or at least cc'ed on the bug ;-)  Setting
the bug to needinfo from a person doesn't mean they get an email about it (at
least I didn't get one).

Now, that said, I don't have an answer for you.  If the install succeeds, then
I'm guessing it's not that important, but until I review the code to find out
why it's trying to open that file I won't know what it's looking for but not
getting.
Comment 4 Doug Ledford 2008-04-24 13:11:06 EDT
I can't find any point in the mdadm code where it attempts to open or otherwise
have anything to do with /dev/.udev.
Comment 5 Milan Zazrivec 2008-04-24 15:02:49 EDT
The denial occurs only when mdadm is started with initscript:
# /etc/init.d/mdmonitor start

When you run:
# mdadm --monitor --scan -f --pid-file=/var/run/mdadm/mdadm.pid
as root, there's no avc denial whatsoever.
Comment 6 Doug Ledford 2008-04-24 15:30:25 EDT
Do the denials happen if you log in as root and run /etc/init.d/mdmonitor stop;
/etc/init.d/mdmonitor start?  In other words, does this only happen when
mdmonitor is started by the system init scripts at bootup or does it happen any
time mdmonitor is run including from the command line?
Comment 7 Milan Zazrivec 2008-04-24 15:39:07 EDT
The denial occurs every time mdmonitor is started. That means when you
log in as root and run /etc/init.d/mdmonitor stop; /etc/init.d/mdmonitor start;
or when the service is started during system bootup. Same thing.
Comment 8 Daniel Walsh 2008-04-28 10:48:30 EDT
mdmonitor is running getattr on every file/directory in /dev.

This is the equivalent of doing an ls /dev

SELinux does not allow mdmonitor to look at the /dev/.udev directory so it
generates an AVC.  This can be ignored.  I will put in a dontaudit rule and if
we need to update policy we can get the Fix for u2.
Comment 9 Daniel Walsh 2008-04-28 10:57:33 EDT
Actually looking at this further, the current policy is supposed to allow
mdadm_t to read these files, so it should allow reading the directory.

Fixed in selinux-policy-2.4.6-136.el5 
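Comments 8 and 9 weigh two responses to the denial: a dontaudit rule that only silences the message, or an allow rule that lets mdadm_t read the directory. As an added illustration that is not part of this bug report or of the selinux-policy package, the following Python script parses the AVC record quoted in the description and renders either kind of rule in the form audit2allow would produce; the field names are those of the record, the helper names (parse_avc, type_of, rules_for) are my own.

```python
import re

# The AVC record from this bug's "Actual results", joined onto one line.
AVC_LINE = (
    'type=AVC msg=audit(1209029426.754:10): avc:  denied  { getattr } for  pid=1678 '
    'comm="mdadm" path="/dev/.udev" dev=tmpfs ino=2021 '
    'scontext=system_u:system_r:mdadm_t:s0 tcontext=system_u:object_r:udev_tbl_t:s0 '
    'tclass=dir'
)

_AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
_FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_avc(line):
    """Return {'result', 'perms', key: value, ...} for an AVC record, else None."""
    m = _AVC_RE.search(line)
    if m is None:
        return None
    rec = {"result": m.group("result"), "perms": m.group("perms").split()}
    for key, raw, quoted in _FIELD_RE.findall(m.group("fields")):
        rec[key] = quoted if raw.startswith('"') else raw
    return rec

def type_of(context):
    """'system_u:system_r:mdadm_t:s0' -> 'mdadm_t' (the type is the third field)."""
    return context.split(":")[2]

def rules_for(lines, kind="allow"):
    """One rule per (source type, target type, class), permissions merged.
    kind='dontaudit' only silences the message (comment 8); 'allow' grants it (comment 9)."""
    if kind not in ("allow", "dontaudit"):
        raise ValueError("kind must be 'allow' or 'dontaudit'")
    merged = {}
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue  # non-AVC audit lines and granted records carry no rule
        key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
        merged.setdefault(key, set()).update(rec["perms"])
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        perms = sorted(perms)
        perm_str = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
        rules.append("%s %s %s:%s %s;" % (kind, src, tgt, cls, perm_str))
    return rules

if __name__ == "__main__":
    for kind in ("dontaudit", "allow"):
        print("\n".join(rules_for([AVC_LINE], kind)))
```

Feeding it the permissive-mode log from the attachments (setenforce 0 records every denial instead of stopping at the first) yields the full set of permissions the domain needs, which is what decides between the two rule kinds.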
Comment 11 Milan Zazrivec 2008-04-29 06:57:51 EDT
Created attachment 304105 [details]
avc log with permissive (selinux-policy-targeted-2.4.6-136.el5)
Comment 12 Daniel Walsh 2008-04-29 08:40:59 EDT
Fixed in selinux-policy-2.4.6-137.el5 
Comment 20 errata-xmlrpc 2008-05-21 12:43:38 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2008-0465.html
