Bug 904199 - SELinux is preventing /usr/bin/bash from read, open access on the file /usr/sbin/mdadm.
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 18
Hardware: x86_64
OS: Unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:d4b57ce8b952c448f3ddfe9eb70...
Depends On:
Blocks:
Reported: 2013-01-25 18:13 UTC by Colin J Thomson
Modified: 2013-02-10 10:45 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2013-02-06 08:31:29 UTC
Type: ---
Embargoed:



Description Colin J Thomson 2013-01-25 18:13:55 UTC
Description of problem:
SELinux is preventing /usr/bin/bash from read, open access on the file /usr/sbin/mdadm.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that bash should be allowed read open access on the mdadm file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep sh /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:logwatch_t:s0-s0:c0.c1023
Target Context                system_u:object_r:mdadm_exec_t:s0
Target Objects                /usr/sbin/mdadm [ file ]
Source                        sh
Source Path                   /usr/bin/bash
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           bash-4.2.42-1.fc18.x86_64
Target RPM Packages           mdadm-3.2.6-12.fc18.x86_64
Policy RPM                    selinux-policy-3.11.1-73.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.8.0-0.rc4.git1.1.vanilla.mainline.knurd.1.fc18.x86_64 #1 SMP Tue Jan 22 07:08:50 UTC 2013 x86_64 x86_64
Alert Count                   5
First Seen                    2013-01-23 03:07:03 UTC
Last Seen                     2013-01-25 17:45:06 UTC
Local ID                      c019ad47-8f52-49c4-9514-c4b0e50114ae

Raw Audit Messages
type=AVC msg=audit(1359135906.229:361): avc:  denied  { read open } for  pid=3609 comm="sh" path="/usr/sbin/mdadm" dev="dm-1" ino=14617 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mdadm_exec_t:s0 tclass=file


type=SYSCALL msg=audit(1359135906.229:361): arch=x86_64 syscall=execve success=no exit=EACCES a0=1fc0330 a1=1fc0b20 a2=1fc0880 a3=20 items=0 ppid=3608 pid=3609 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=3 tty=(none) comm=sh exe=/usr/bin/bash subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 key=(null)

Hash: sh,logwatch_t,mdadm_exec_t,file,read,open

audit2allow

#============= logwatch_t ==============
allow logwatch_t mdadm_exec_t:file { read open };

audit2allow -R

#============= logwatch_t ==============
allow logwatch_t mdadm_exec_t:file { read open };


Additional info:
hashmarkername: setroubleshoot
kernel:         3.8.0-0.rc4.git1.1.vanilla.mainline.knurd.1.fc18.x86_64
type:           libreport

Comment 1 Daniel Walsh 2013-01-25 21:36:25 UTC
Fixed in selinux-policy-3.11.1-73.fc18

Comment 2 Colin J Thomson 2013-01-25 22:26:40 UTC
I do have selinux-policy-3.11.1-73.fc18 installed

Comment 3 Miroslav Grepl 2013-01-28 10:17:12 UTC
Added additional fixes to selinux-policy-3.11.1-74.fc18

Comment 4 Fedora Update System 2013-01-31 13:18:59 UTC
selinux-policy-3.11.1-74.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-74.fc18

Comment 5 Colin J Thomson 2013-01-31 20:29:05 UTC
Still seeing the alerts with selinux-policy-3.11.1-74.fc18, ties in with the system running system cron jobs, logwatch etc

Comment 6 Miroslav Grepl 2013-02-01 09:48:44 UTC
You are right, the appropriate interface is not called.

commit 206b0ddf97d2b1f08028e1570067a6e30907ad34
Author: Miroslav Grepl <mgrepl>
Date:   Fri Feb 1 10:47:08 2013 +0100

    Allow logwatch to domtrans to mdadm

Fixed in selinux-policy-3.11.1-75.fc18
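The raw audit messages in the description and the resolution in Comment 6 together show the trap behind the setroubleshoot suggestion: audit2allow only sees the single `{ read open }` denial and prints `allow logwatch_t mdadm_exec_t:file { read open };`, while the paired SYSCALL record shows the denial happened inside an `execve` of `/usr/sbin/mdadm`. The fix that closed the bug was a domain transition, not a raw file rule. The script below is an added example, written for this page and not part of the bug report or of selinux-policy; it parses the two audit lines quoted above (embedded here as constructed sample input), joins them by audit serial, reproduces the audit2allow rule, and flags an exec of a `*_exec_t` entrypoint as a transition case. It assumes the reference-policy conventions that `*_exec_t` marks a domain's entrypoint and that the matching interface is named `<name>_domtrans()`; both are assumptions, not something the page states.

```python
"""Correlate SELinux AVC denials with their SYSCALL records and show why the
rule audit2allow prints is not always the right fix.

Added example, not code from the bug report or from selinux-policy. It
assumes the reference-policy convention that a *_exec_t type is a domain's
entrypoint and that a <name>_domtrans() interface exists for it.
"""
import re
from collections import defaultdict

# Constructed sample input: the two raw audit messages quoted in the bug.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1359135906.229:361): avc:  denied  { read open } for  pid=3609 comm="sh" path="/usr/sbin/mdadm" dev="dm-1" ino=14617 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mdadm_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1359135906.229:361): arch=x86_64 syscall=execve success=no exit=EACCES a0=1fc0330 a1=1fc0b20 a2=1fc0880 a3=20 items=0 ppid=3608 pid=3609 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=3 tty=(none) comm=sh exe=/usr/bin/bash subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 key=(null)
"""

MSG_RE = re.compile(
    r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$")
AVC_RE = re.compile(r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Turn one audit line into a dict of its fields; None if it is not one."""
    m = MSG_RE.match(line)
    if not m:
        return None
    rec = {"type": m["type"], "ts": float(m["ts"]), "serial": int(m["serial"])}
    body = m["body"]
    if rec["type"] == "AVC":
        a = AVC_RE.search(body)
        if a:
            rec["verdict"] = a["verdict"]
            rec["perms"] = a["perms"].split()
    for key, value in KV_RE.findall(body):
        rec[key] = value.strip('"')
    return rec


def type_of(context):
    """user:role:type[:range] -> type"""
    return context.split(":")[2]


def group_events(text):
    """Records that share an audit serial describe one syscall; group them."""
    events = defaultdict(list)
    for line in text.splitlines():
        rec = parse_record(line.strip())
        if rec:
            events[rec["serial"]].append(rec)
    return dict(events)


def audit2allow_rule(avc):
    """The minimal rule audit2allow derives from one AVC record."""
    return "allow {} {}:{} {{ {} }};".format(
        type_of(avc["scontext"]), type_of(avc["tcontext"]),
        avc["tclass"], " ".join(avc["perms"]))


def analyse(event):
    """Pair the AVC with its SYSCALL record and decide which kind of fix fits."""
    avc = next((r for r in event if r["type"] == "AVC"), None)
    sc = next((r for r in event if r["type"] == "SYSCALL"), None)
    if avc is None or avc.get("verdict") != "denied":
        return None
    src, tgt = type_of(avc["scontext"]), type_of(avc["tcontext"])
    result = {
        "source": src, "target": tgt, "perms": avc["perms"],
        "syscall": sc.get("syscall") if sc else None,
        "rule": audit2allow_rule(avc),
        "exec_transition": False,
    }
    # execve() denied on a *_exec_t file means the source domain is trying to
    # run another domain's entrypoint. Allowing read/open only moves the
    # denial to the next permission the exec needs and would leave mdadm
    # running in the caller's domain; the bug was closed with a domain
    # transition instead. The interface name below is an assumption.
    if (sc and sc.get("syscall") == "execve"
            and avc["tclass"] == "file" and tgt.endswith("_exec_t")):
        result["exec_transition"] = True
        result["advice"] = (
            f"{src} executes {avc.get('path', '?')} ({tgt}); prefer "
            f"{tgt[:-len('_exec_t')]}_domtrans({src}) over the raw allow rule")
    return result


def report(text):
    """Analyse every denied event in an audit log excerpt."""
    results = []
    for _, event in sorted(group_events(text).items()):
        found = analyse(event)
        if found:
            results.append(found)
    return results


if __name__ == "__main__":
    for r in report(SAMPLE_AUDIT_LOG):
        print(r["rule"])
        if r["exec_transition"]:
            print("  ->", r["advice"])
```

Grouping by the audit serial is the key step: `ausearch`/`audit2allow` work per AVC record, so the `syscall=execve` context that distinguishes "read a file" from "run a program" lives in a separate line and is easy to overlook when copying the suggested `allow` rule into a local module.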

Comment 7 Fedora Update System 2013-02-01 16:39:37 UTC
Package selinux-policy-3.11.1-74.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-74.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-1693/selinux-policy-3.11.1-74.fc18
then log in and leave karma (feedback).

Comment 8 Sjoerd Mullender 2013-02-03 12:01:59 UTC
I guess this happens during a run of logwatch.

Package: (null)
OS Release: Fedora release 18 (Spherical Cow)

Comment 9 Colin J Thomson 2013-02-05 19:19:36 UTC
Updated to selinux-policy-3.11.1-75.fc18 and all is fine. No alerts with the system cron jobs and logwatch.

Comment 10 Miroslav Grepl 2013-02-06 08:31:29 UTC
Could you update karma? Thank you for testing.

Comment 11 Fedora Update System 2013-02-08 02:24:18 UTC
selinux-policy-3.11.1-74.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 12 Sjoerd Mullender 2013-02-08 18:20:45 UTC
selinux-policy-3.11.1-74.fc18.noarch doesn't seem to solve the problem:

SELinux is preventing /usr/bin/bash from 'read, open' accesses on the file /usr/sbin/mdadm.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that bash should be allowed read open access on the mdadm file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep sh /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:logwatch_t:s0-s0:c0.c1023
Target Context                system_u:object_r:mdadm_exec_t:s0
Target Objects                /usr/sbin/mdadm [ file ]
Source                        sh
Source Path                   /usr/bin/bash
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           bash-4.2.42-3.fc18.x86_64
Target RPM Packages           mdadm-3.2.6-12.fc18.x86_64
Policy RPM                    selinux-policy-3.11.1-74.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux gaai.mullender.nl 3.7.5-201.fc18.x86_64 #1 SMP Mon Jan 28 19:54:41 UTC 2013 x86_64 x86_64
Alert Count                   7
First Seen                    2013-02-02 18:07:02 CET
Last Seen                     2013-02-08 18:45:03 CET
Local ID                      9d0b4547-6d42-41cf-ae63-474c141b9cf6

Raw Audit Messages
type=AVC msg=audit(1360345503.580:383): avc:  denied  { read open } for  pid=2987 comm="sh" path="/usr/sbin/mdadm" dev="sdb1" ino=42794 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mdadm_exec_t:s0 tclass=file


type=SYSCALL msg=audit(1360345503.580:383): arch=x86_64 syscall=execve success=no exit=EACCES a0=1b02330 a1=1b02b20 a2=1b02880 a3=7ffff5809d00 items=0 ppid=2986 pid=2987 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=2 tty=(none) comm=sh exe=/usr/bin/bash subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 key=(null)

Hash: sh,logwatch_t,mdadm_exec_t,file,read,open

audit2allow

#============= logwatch_t ==============
allow logwatch_t mdadm_exec_t:file { read open };

audit2allow -R

#============= logwatch_t ==============
allow logwatch_t mdadm_exec_t:file { read open };

Comment 13 Miroslav Grepl 2013-02-08 18:39:40 UTC
Please use the latest policy:

# yum update selinux-policy-targeted --enablerepo=updates-testing

