Description of problem:
/etc/init.d/mdmonitor start causes avc denial on a system with RAID1

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.4.6-135.el5 / RHEL5.2-Server-20080424.nightly

How reproducible:
Always

Steps to Reproduce:
1. Install RHEL5.2 snapshot with / on RAID1
2. # dmesg |grep avc:\ *denied
3. # grep avc:\ *denied /var/log/audit/audit.log

Actual results:
type=AVC msg=audit(1209029426.754:10): avc: denied { getattr } for pid=1678 comm="mdadm" path="/dev/.udev" dev=tmpfs ino=2021 scontext=system_u:system_r:mdadm_t:s0 tcontext=system_u:object_r:udev_tbl_t:s0 tclass=dir

Additional info:
This is what the raid1 kickstart setup looks like:

clearpart --all
part /boot --size 200
part swap --recommended
part None --fstype "PPC PReP Boot" --size 8
part raid.01 --size 2048 --grow
part raid.02 --size 2048 --grow
raid / --level 1 --device md0 raid.01 raid.02
Doug, does this avc denial have some serious impact on mdadm functionality (and therefore should be fixed in RHEL5.2) or can it be deferred for RHEL5.3? Thank you.
Created attachment 303643: this is the full avc log when setenforce 0
Well, if you are going to ask me a question in a bug, it's usually best to make sure I'm either assigned to the bug or at least cc'ed on the bug ;-) Setting the bug to needinfo from a person doesn't mean they get an email about it (at least I didn't get one). Now, that said, I don't have an answer for you. If the install succeeds, then I'm guessing it's not that important, but until I review the code to find out why it's trying to open that file I won't know what it's looking for but not getting.
I can't find any point in the mdadm code where it attempts to open or otherwise have anything to do with /dev/.udev.
The denial occurs only when mdadm is started with the initscript:

# /etc/init.d/mdmonitor start

When you run:

# mdadm --monitor --scan -f --pid-file=/var/run/mdadm/mdadm.pid

as root, there's no avc denial whatsoever.
Do the denials happen if you log in as root and run /etc/init.d/mdmonitor stop; /etc/init.d/mdmonitor start? In other words, does this only happen when mdmonitor is started by the system init scripts at bootup or does it happen any time mdmonitor is run including from the command line?
The denial occurs every time mdmonitor is started. That means when you log in as root and run /etc/init.d/mdmonitor stop; /etc/init.d/mdmonitor start; or when the service is started during system bootup. Same thing.
mdmonitor is running getattr on every file/directory in /dev. This is the equivalent of doing an ls /dev. SELinux does not allow mdmonitor to look at the /dev/.udev directory, so it generates an AVC. This can be ignored. I will put in a dontaudit rule, and if we need to update policy we can get the fix for u2.
Actually looking at this further, the current policy is supposed to allow mdadm_t to read these files, so it should allow reading the directory. Fixed in selinux-policy-2.4.6-136.el5
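The two comments above describe the triage decision behind this bug: the denial is getattr by mdadm_t on a udev_tbl_t directory, and the choice is between a dontaudit rule (silence the log entry, access still refused) and an allow rule (grant the access, which is what the -136/-137 policy builds did). The following script is an added example, not part of this bug report and not Red Hat's selinux-policy or audit2allow code; it parses AVC records from audit.log or dmesg, filters them by source domain, and prints both candidate rules the way audit2allow would. The sample log is constructed inline from the AVC line in the report plus one unrelated, made-up denial so the domain filter has something to discard.

```python
import re

# Constructed sample input: the AVC from the bug report, a non-AVC audit
# record, and a made-up denial for an unrelated domain (example_t).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1209029426.754:10): avc: denied { getattr } for pid=1678 comm="mdadm" path="/dev/.udev" dev=tmpfs ino=2021 scontext=system_u:system_r:mdadm_t:s0 tcontext=system_u:object_r:udev_tbl_t:s0 tclass=dir
type=USER_START msg=audit(1209029427.000:11): pid=1678 uid=0 msg='constructed non-AVC record'
type=AVC msg=audit(1209029430.101:12): avc: denied { read } for pid=1700 comm="example" name="hosts" dev=sda1 ino=99 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
"""

# Matches both audit.log records ("type=AVC msg=audit(...)") and the dmesg
# form ("audit(...): avc: denied ..."), which lacks the type=/msg= prefix.
AVC_RE = re.compile(
    r'(?:type=AVC msg=)?audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): '
    r'avc: +(?P<result>denied|granted) +\{ (?P<perms>[^}]+) \} for (?P<rest>.*)$'
)
# key=value pairs after "for"; values may be quoted (path="/dev/.udev").
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Return the type field of a user:role:type[:mls] security context."""
    return ctx.split(':')[2]


def parse_avc(line):
    """Parse one AVC record into a dict, or return None for anything else."""
    m = AVC_RE.search(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    return {
        'timestamp': float(m.group('ts')),
        'serial': int(m.group('serial')),
        'result': m.group('result'),
        'perms': m.group('perms').split(),
        'comm': fields.get('comm'),
        # Directory denials carry path=; file denials often carry name= instead.
        'path': fields.get('path') or fields.get('name'),
        'sdomain': context_type(fields['scontext']),
        'ttype': context_type(fields['tcontext']),
        'tclass': fields['tclass'],
    }


def denials_for_domain(log_text, domain):
    """All denied AVC records whose source domain is `domain`."""
    out = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec['result'] == 'denied' and rec['sdomain'] == domain:
            out.append(rec)
    return out


def suggest_rule(rec, action='allow'):
    """Render the TE rule that would cover this denial.

    'allow' grants the access; 'dontaudit' only stops the AVC from being
    logged while the access stays denied, so it is only appropriate when
    the program does not actually need the access (as the policy
    maintainer first assumed here, before switching to allow)."""
    perms = ' '.join(rec['perms'])
    return f"{action} {rec['sdomain']} {rec['ttype']}:{rec['tclass']} {{ {perms} }};"


if __name__ == '__main__':
    for rec in denials_for_domain(SAMPLE_AUDIT_LOG, 'mdadm_t'):
        print(f"{rec['comm']} ({rec['sdomain']}) denied {rec['perms']} "
              f"on {rec['path']} [{rec['ttype']}:{rec['tclass']}]")
        print("  silence only:", suggest_rule(rec, 'dontaudit'))
        print("  grant access:", suggest_rule(rec, 'allow'))
```

Running it against the sample prints a single mdadm_t denial with the two candidate rules; on a real system, point it at /var/log/audit/audit.log (or the output of the dmesg command from the report) and filter on the domain of the service you are investigating. The useful check before choosing dontaudit over allow is the one the maintainer made above: decide whether the program really needs the access, because dontaudit hides the denial without changing the outcome.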
Created attachment 304105: avc log with permissive (selinux-policy-targeted-2.4.6-136.el5)
Fixed in selinux-policy-2.4.6-137.el5
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2008-0465.html