Description of problem:
SELinux is preventing /usr/bin/bash from 'read' accesses on the file /usr/sbin/mdadm.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that bash should be allowed read access on the mdadm file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep sh /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:logwatch_t:s0-s0:c0.c1023
Target Context                system_u:object_r:mdadm_exec_t:s0
Target Objects                /usr/sbin/mdadm [ file ]
Source                        sh
Source Path                   /usr/bin/bash
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           bash-4.2.39-2.fc17.x86_64
Target RPM Packages           mdadm-3.2.6-8.fc17.x86_64
Policy RPM                    selinux-policy-3.10.0-166.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.6.11-5.fc17.x86_64 #1 SMP Tue Jan 8 21:40:51 UTC 2013 x86_64 x86_64
Alert Count                   1
First Seen                    2013-01-20 12:11:08 NZDT
Last Seen                     2013-01-20 12:11:08 NZDT
Local ID                      6b515517-a712-421c-ae0a-9b8987b31bbd

Raw Audit Messages
type=AVC msg=audit(1358637068.766:87): avc:  denied  { read } for  pid=2110 comm="sh" name="mdadm" dev="dm-4" ino=152359 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mdadm_exec_t:s0 tclass=file

type=SYSCALL msg=audit(1358637068.766:87): arch=x86_64 syscall=access success=no exit=EACCES a0=25e77d0 a1=4 a2=7fff9ecaae70 a3=20 items=0 ppid=2109 pid=2110 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3 comm=sh exe=/usr/bin/bash subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 key=(null)

Hash: sh,logwatch_t,mdadm_exec_t,file,read

audit2allow

#============= logwatch_t ==============
allow logwatch_t mdadm_exec_t:file read;

audit2allow -R

#============= logwatch_t ==============
allow logwatch_t mdadm_exec_t:file read;
Additional info: hashmarkername: setroubleshoot kernel: 3.6.11-5.fc17.x86_64 type: libreport Potential duplicate: bug 901468
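The setroubleshoot suggestion above builds the local module from `grep sh /var/log/audit/audit.log`, which matches every audit line containing the substring "sh" (comm="sshd", "flash", "sshd_t", and so on), not just the logwatch shell. The following is an added example, not code from this bug report or from audit2allow itself: a small parser for raw AVC records that groups denials by source type, target type and object class the way audit2allow does, but lets you scope the result to the source domain actually involved (logwatch_t) and flags rules that would let a confined domain run another domain's entry point without a transition. The sample log is constructed: the first four records are the AVC/SYSCALL lines pasted in this bug, the execute_no_trans record is a constructed stand-in for the F18 denial described later in the thread (the raw line is not in the report), and the sshd_t record is a hypothetical unrelated denial that a `grep sh` filter would also sweep in.

```python
"""Added example: parse raw SELinux AVC records and emit audit2allow-style
allow rules scoped to one source domain. Not part of the bug report."""
import re
from collections import defaultdict

# Constructed sample log. Lines 1-4 are taken from the reports in this bug;
# the execute_no_trans record is a constructed stand-in for the F18 denial
# described in the thread; the sshd_t record is hypothetical and unrelated.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1358637068.766:87): avc:  denied  { read } for  pid=2110 comm="sh" name="mdadm" dev="dm-4" ino=152359 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mdadm_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1358637068.766:87): arch=x86_64 syscall=access success=no exit=EACCES a0=25e77d0 a1=4 a2=7fff9ecaae70 a3=20 items=0 ppid=2109 pid=2110 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3 comm=sh exe=/usr/bin/bash subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1359125165.231:180): avc:  denied  { execute } for  pid=3673 comm="sh" name="mdadm" dev="dm-4" ino=152359 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mdadm_exec_t:s0 tclass=file
type=AVC msg=audit(1359125165.231:181): avc:  denied  { read } for  pid=3673 comm="sh" name="mdadm" dev="dm-4" ino=152359 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mdadm_exec_t:s0 tclass=file
type=AVC msg=audit(1360000000.000:200): avc:  denied  { execute_no_trans } for  pid=5000 comm="sh" name="mdadm" dev="dm-4" ino=152359 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mdadm_exec_t:s0 tclass=file
type=AVC msg=audit(1360000001.000:201): avc:  denied  { read write } for  pid=6000 comm="sshd" name="hypothetical" dev="dm-4" ino=1 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=file
"""

# Matches the fields audit2allow needs: result, permission set, source and
# target contexts (user:role:type:level) and the object class.
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \}"
    r".*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def parse_avc(line):
    """Return a dict for an AVC record, or None for SYSCALL and other records."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return {
        "result": m.group("result"),
        "perms": set(m.group("perms").split()),
        # The SELinux type is the third field of a user:role:type:level context.
        "source_type": m.group("scontext").split(":")[2],
        "target_type": m.group("tcontext").split(":")[2],
        "tclass": m.group("tclass"),
    }


def collect_denials(log_text, source_type=None):
    """Group denied permissions by (source type, target type, class).

    source_type, when given, keeps only denials from that domain; this is the
    precise filter that `grep sh` only approximates.
    """
    rules = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        if source_type is not None and rec["source_type"] != source_type:
            continue
        rules[(rec["source_type"], rec["target_type"], rec["tclass"])] |= rec["perms"]
    return dict(rules)


def render_allow_rules(rules):
    """Render rules in the layout audit2allow prints (one header per source type)."""
    out = []
    for src in sorted({key[0] for key in rules}):
        out.append(f"#============= {src} ==============")
        for (s, t, c), perms in sorted(rules.items()):
            if s != src:
                continue
            ordered = sorted(perms)
            perm_str = ordered[0] if len(ordered) == 1 else "{ " + " ".join(ordered) + " }"
            out.append(f"allow {s} {t}:{c} {perm_str};")
    return "\n".join(out)


def flag_no_transition(rules):
    """Return (source, target) pairs granting execute_no_trans on an *_exec_t file.

    execute_no_trans lets the source domain run that binary in its own domain
    instead of transitioning into the binary's domain. A rule granting only
    `execute` will simply be followed by an execute_no_trans denial (as the
    F18 report in this thread shows) unless the policy defines a transition,
    so a local module is a stopgap and the policy package is the real fix.
    """
    return sorted(
        (s, t)
        for (s, t, c), perms in rules.items()
        if c == "file" and t.endswith("_exec_t") and "execute_no_trans" in perms
    )


if __name__ == "__main__":
    scoped = collect_denials(SAMPLE_AUDIT_LOG, source_type="logwatch_t")
    print(render_allow_rules(scoped))
    print("runs *_exec_t without transition:", flag_no_transition(scoped))
```

Run it as a script and it prints the single merged rule for logwatch_t; drop the `source_type` argument and the unrelated sshd_t denial appears in the output too, which is what the `grep sh` pipeline would have packed into mypol.pp.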
Any idea why logwatch is touching mdadm?
Recently a new mdadm script has been added to logwatch:
http://old.nabble.com/Fwd:-support-for-mdadm-on-linux-td16407756.html

An improving patch is now submitted for testing:
http://sourceforge.net/mailarchive/forum.php?thread_name=50FD969C.8050208%40cora.nwra.com&forum_name=logwatch-devel
http://koji.fedoraproject.org/koji/buildinfo?buildID=379889

This problem doesn't seem to happen on F18.
Added a fix.
Hi, I should note I am using packages from updates-testing, as this may make a small difference. I should also note, it is not just a "read" error that occurs, it also appears to have an "exec" error at the same time. I have just updated to logwatch-7.4.0-23.20130102svn127.fc17.noarch so I will see if that stops this from occurring again, or I will update the bug with more alerts.
Update on the errors:

SELinux is preventing /usr/bin/bash from read access on the file /usr/sbin/mdadm.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that bash should be allowed read access on the mdadm file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep sh /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:logwatch_t:s0-s0:c0.c1023
Target Context                system_u:object_r:mdadm_exec_t:s0
Target Objects                /usr/sbin/mdadm [ file ]
Source                        sh
Source Path                   /usr/bin/bash
Port                          <Unknown>
Host                          tighnacheo.pro.local
Source RPM Packages           bash-4.2.39-2.fc17.x86_64
Target RPM Packages           mdadm-3.2.6-8.fc17.x86_64
Policy RPM                    selinux-policy-3.10.0-166.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     tighnacheo.pro.local
Platform                      Linux tighnacheo.pro.local 3.7.3-101.fc17.x86_64 #1 SMP Fri Jan 18 17:40:57 UTC 2013 x86_64 x86_64
Alert Count                   3
First Seen                    2013-01-26 03:46:05 NZDT
Last Seen                     2013-01-26 03:46:05 NZDT
Local ID                      6820e3dc-0616-47ed-bca2-42df008ecb62

Raw Audit Messages
type=AVC msg=audit(1359125165.231:181): avc:  denied  { read } for  pid=3673 comm="sh" name="mdadm" dev="dm-4" ino=152359 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mdadm_exec_t:s0 tclass=file

type=SYSCALL msg=audit(1359125165.231:181): arch=x86_64 syscall=access success=no exit=EACCES a0=18072d0 a1=4 a2=7fff5eaf6fb0 a3=20 items=0 ppid=3672 pid=3673 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=9 tty=(none) comm=sh exe=/usr/bin/bash subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 key=(null)

Hash: sh,logwatch_t,mdadm_exec_t,file,read

audit2allow

#============= logwatch_t ==============
allow logwatch_t mdadm_exec_t:file read;

audit2allow -R

#============= logwatch_t ==============
allow logwatch_t mdadm_exec_t:file read;
SELinux is preventing /usr/bin/bash from execute access on the file /usr/sbin/mdadm.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that bash should be allowed execute access on the mdadm file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep sh /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:logwatch_t:s0-s0:c0.c1023
Target Context                system_u:object_r:mdadm_exec_t:s0
Target Objects                /usr/sbin/mdadm [ file ]
Source                        sh
Source Path                   /usr/bin/bash
Port                          <Unknown>
Host                          tighnacheo.pro.local
Source RPM Packages           bash-4.2.39-2.fc17.x86_64
Target RPM Packages           mdadm-3.2.6-8.fc17.x86_64
Policy RPM                    selinux-policy-3.10.0-166.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     tighnacheo.pro.local
Platform                      Linux tighnacheo.pro.local 3.7.3-101.fc17.x86_64 #1 SMP Fri Jan 18 17:40:57 UTC 2013 x86_64 x86_64
Alert Count                   3
First Seen                    2013-01-26 03:46:05 NZDT
Last Seen                     2013-01-26 03:46:05 NZDT
Local ID                      32c14880-07b4-4006-832b-29b09841b901

Raw Audit Messages
type=AVC msg=audit(1359125165.231:180): avc:  denied  { execute } for  pid=3673 comm="sh" name="mdadm" dev="dm-4" ino=152359 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mdadm_exec_t:s0 tclass=file

type=SYSCALL msg=audit(1359125165.231:180): arch=x86_64 syscall=access success=no exit=EACCES a0=18072d0 a1=1 a2=7fff5eaf6fb0 a3=20 items=0 ppid=3672 pid=3673 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=9 tty=(none) comm=sh exe=/usr/bin/bash subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 key=(null)

Hash: sh,logwatch_t,mdadm_exec_t,file,execute

audit2allow

#============= logwatch_t ==============
allow logwatch_t mdadm_exec_t:file execute;

audit2allow -R

#============= logwatch_t ==============
allow logwatch_t mdadm_exec_t:file execute;
These are the packages I have installed:
$ rpm -qa logwatch
logwatch-7.4.0-23.20130102svn127.fc17.noarch
$ rpm -qa selinux-*
selinux-policy-devel-3.10.0-166.fc17.noarch
selinux-policy-targeted-3.10.0-166.fc17.noarch
selinux-policy-3.10.0-166.fc17.noarch
This happens every day during script "cron_daily" execution.

Package: (null)
OS Release: Fedora release 17 (Beefy Miracle)
Fix seems to be in F18 but not in F17
It also has been added to F17 in git.
selinux-policy-3.10.0-167.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-167.fc17
Package selinux-policy-3.10.0-167.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-167.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-1971/selinux-policy-3.10.0-167.fc17
then log in and leave karma (feedback).
I am also seeing something similar for F18.

The source process: /usr/bin/bash
Attempted this access: execute_no_trans
On this file: /usr/sbin/mdadm

The solution offered is to report this as a bug and use audit2allow to allow it.

Fedora 18 x86_64
kernel 3.7.5-201.fc18.x86_64
selinux-policy-targeted-3.11.1-73.fc18.noarch
selinux-policy-3.11.1-73.fc18.noarch
Yes, please also update the policy on F18 for updates-testing repo.
*** Bug 908590 has been marked as a duplicate of this bug. ***
Package selinux-policy-3.10.0-167.fc17 fixed the problem for me.
Thank you for testing.
Just started in the last few days, so some update must be causing this?

Package: (null)
OS Release: Fedora release 17 (Beefy Miracle)
If I am not using mdadm functions (no RAID, etc), would commenting out the only active line in /usr/share/logwatch/default.conf/services/mdadm.conf make any difference? Would it damage anything to bypass that service? The line in question is:

LogFile = messages

If that stops the messages, would that help isolate where this fault is occurring?
No remarks, I don't know how the failure was produced. I'm afraid of the bash process because I don't know about this....

Package: (null)
OS Release: Fedora release 17 (Beefy Miracle)
I have installed the packages from updates-testing, and I am not seeing this alert any more:
$ rpm -qa | grep selinux
selinux-policy-3.10.0-167.fc17.noarch
selinux-policy-targeted-3.10.0-167.fc17.noarch
$ rpm -qa | grep logwatch
logwatch-7.4.0-23.20130102svn127.fc17.noarch

I think this can be pushed to stable updates.
selinux-policy-3.10.0-167.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.