- Bug
- Resolution: Done-Errata
- Normal
- rhel-9.3.0
- selinux-policy-38.1.30-1.el9
- Moderate
- rhel-sst-security-selinux
- ssg_security
- QE ack
- Pass
- Automated
- Release Note Not Required
AVC messages are found when using mdadm (RAID) with Stratis.
Example:
Create a RAID array
mdadm --create -f /dev/md127 --raid-devices=4 --level=5 /dev/nvme0n1p2 /dev/nvme0n1p3 /dev/nvme0n1p4 /dev/nvme0n1p5
Set up the pool
stratis key set testkey --capture-key
stratis pool create --key-desc testkey p0 /dev/md127
stratis fs create p0 fs1
Add a device and grow the array (this is the step that triggers the denial)
mdadm --add /dev/md127 /dev/nvme0n1p1
mdadm --grow --raid-devices=5 /dev/md127
Logs when growing the MD device
Aug 25 11:47:28 everett-04.lab4.eng.bos.redhat.com kernel: md: reshape of RAID array md127
Aug 25 11:48:18 everett-04.lab4.eng.bos.redhat.com kernel: md: md127: reshape done.
Aug 25 11:48:18 everett-04.lab4.eng.bos.redhat.com kernel: md127: detected capacity change from 52678656 to 70238208
Aug 25 11:48:18 everett-04.lab4.eng.bos.redhat.com systemd[1]: Started dbus-:1.2-org.fedoraproject.Setroubleshootd@3.service.
Aug 25 11:48:18 everett-04.lab4.eng.bos.redhat.com stratisd[974]: [2022-08-25T15:48:18Z DEBUG stratisd::engine::strat_engine::backstore::crypt::shared] Stratis LUKS2 token: {"activation_name":"stratis-1-private-65bda21acead451eaa7929b8cb8af305-crypt","device_uuid":"65bda21a-cead-451e-aa79-29b8cb8af305","keyslots":[],"pool_uuid":"d449cbb6-ef31-4a74-9495-a47a42817451","type":"stratis"}
Aug 25 11:48:18 everett-04.lab4.eng.bos.redhat.com stratisd[974]: [2022-08-25T15:48:18Z DEBUG stratisd::engine::strat_engine::liminal::identify] Stratis block device with LUKS device description: Stratis pool UUID: "d449cbb6-ef31-4a74-9495-a47a42817451", Stratis device UUID: "65bda21a-cead-451e-aa79-29b8cb8af305", device number: "9:127", devnode: "/dev/md127", key description: "testkey", no Clevis information identified
Aug 25 11:48:18 everett-04.lab4.eng.bos.redhat.com stratisd[974]: [2022-08-25T15:48:18Z DEBUG stratisd::engine::strat_engine::backstore::crypt::shared] Stratis LUKS2 token: {"activation_name":"stratis-1-private-65bda21acead451eaa7929b8cb8af305-crypt","device_uuid":"65bda21a-cead-451e-aa79-29b8cb8af305","keyslots":[],"pool_uuid":"d449cbb6-ef31-4a74-9495-a47a42817451","type":"stratis"}
Aug 25 11:48:18 everett-04.lab4.eng.bos.redhat.com stratisd[974]: [2022-08-25T15:48:18Z DEBUG stratisd::engine::strat_engine::liminal::identify] Stratis block device with LUKS device description: Stratis pool UUID: "d449cbb6-ef31-4a74-9495-a47a42817451", Stratis device UUID: "65bda21a-cead-451e-aa79-29b8cb8af305", device number: "9:127", devnode: "/dev/md127", key description: "testkey", no Clevis information identified
Aug 25 11:48:18 everett-04.lab4.eng.bos.redhat.com setroubleshoot[3255718]: AnalyzeThread.run(): Cancel pending alarm
Aug 25 11:48:18 everett-04.lab4.eng.bos.redhat.com setroubleshoot[3255718]: failed to retrieve rpm info for /dev/stratis
Aug 25 11:48:18 everett-04.lab4.eng.bos.redhat.com systemd[1]: Started dbus-:1.2-org.fedoraproject.SetroubleshootPrivileged@3.service.
Aug 25 11:48:19 everett-04.lab4.eng.bos.redhat.com setroubleshoot[3255718]: SELinux is preventing /usr/sbin/mdadm from getattr access on the directory /dev/stratis. For complete SELinux messages run: sealert -l ce31f359-76c3-442b-8356-014344a62ded
Aug 25 11:48:19 everett-04.lab4.eng.bos.redhat.com setroubleshoot[3255718]: SELinux is preventing /usr/sbin/mdadm from getattr access on the directory /dev/stratis.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that mdadm should be allowed getattr access on the stratis directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'mdadm' --raw | audit2allow -M my-mdadm
# semodule -X 300 -i my-mdadm.pp
-------------------------------------------------------------------------------------------------------------------
Support case https://access.redhat.com/support/cases/#/case/03684928 suggests that the issue can occur just by setting up RAID and Stratis, without the extra grow steps.
Output from the support case:
- ausearch -c 'mdadm' --raw | audit2allow -M my-mdadm
- semodule -X 300 -i my-mdadm.pp
Additional Information:
Source Context system_u:system_r:mdadm_t:s0
Target Context system_u:object_r:stratisd_data_t:s0
Target Objects /dev/stratis [ dir ]
Source mdadm
Source Path /usr/sbin/mdadm
Port <Unknown>
Host d1.infa-001.lab.rdu2.dc.redhat.com
Source RPM Packages mdadm-4.2-9.el9.x86_64
Target RPM Packages
SELinux Policy RPM selinux-policy-targeted-38.1.23-1.el9.noarch
Local Policy RPM selinux-policy-targeted-38.1.23-1.el9.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name d1.infa-001.lab.rdu2.dc.redhat.com
Platform Linux d1.infa-001.lab.rdu2.dc.redhat.com 5.14.0-362.8.1.el9_3.x86_64 #1 SMP PREEMPT_DYNAMIC Tue Oct 3 11:12:36 EDT 2023 x86_64 x86_64
Alert Count 246
First Seen 2023-12-07 14:45:37 EST
Last Seen 2023-12-07 20:54:30 EST
Local ID 3334f8b8-43a7-4951-b483-445fe0feeca2
Raw Audit Messages
type=AVC msg=audit(1702000470.500:592): avc: denied { getattr } for pid=67723 comm="mdadm" path="/dev/stratis" dev="devtmpfs" ino=1431 scontext=system_u:system_r:mdadm_t:s0 tcontext=system_u:object_r:stratisd_data_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1702000470.500:592): arch=x86_64 syscall=newfstatat success=no exit=EACCES a0=7 a1=56165ab790a3 a2=7ffe9b858c20 a3=100 items=0 ppid=67722 pid=67723 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=mdadm exe=/usr/sbin/mdadm subj=system_u:system_r:mdadm_t:s0 key=(null)
Hash: mdadm,mdadm_t,stratisd_data_t,dir,getattr
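The two raw audit records above carry everything needed to judge the denial: the AVC record gives source/target type, object class and permission, and the matching SYSCALL record (same serial 592) shows the call actually failed (success=no, exit=EACCES) in enforcing mode (permissive=0). The Python below is an added example written for this note, not code from the bug report, from setroubleshoot or from audit2allow; it parses the records as copied from the report (embedded so it runs offline) and derives the same "Hash:" signature setroubleshoot printed, together with the allow rule audit2allow would generate. Checking these fields before applying a local module is the practical safeguard against allowing more than the one getattr on stratisd_data_t that the report documents.

```python
import re
from dataclasses import dataclass

# Sample input: the AVC and SYSCALL records quoted in the bug report, embedded here
# so the example runs offline. Real audit.log lines carry the same fields.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1702000470.500:592): avc: denied { getattr } for pid=67723 comm="mdadm" path="/dev/stratis" dev="devtmpfs" ino=1431 scontext=system_u:system_r:mdadm_t:s0 tcontext=system_u:object_r:stratisd_data_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1702000470.500:592): arch=x86_64 syscall=newfstatat success=no exit=EACCES a0=7 a1=56165ab790a3 a2=7ffe9b858c20 a3=100 items=0 ppid=67722 pid=67723 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=mdadm exe=/usr/sbin/mdadm subj=system_u:system_r:mdadm_t:s0 key=(null)
"""

# audit records use single spaces when reformatted and double spaces in audit.log; \s+ covers both
AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
SERIAL_RE = re.compile(r"msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\)")
# values are either "quoted", (parenthesised) like tty=(none), or a bare token
KV_RE = re.compile(r'(?P<key>[\w-]+)=(?P<val>"[^"]*"|\([^)]*\)|\S+)')


def _kv(text):
    """Split 'a=b c="d e"' into a dict, stripping surrounding quotes."""
    return {m.group("key"): m.group("val").strip('"') for m in KV_RE.finditer(text)}


def _type_of(context):
    """system_u:system_r:mdadm_t:s0 -> mdadm_t (third field is the type, also with MLS ranges)."""
    return context.split(":")[2]


@dataclass
class Denial:
    serial: str
    result: str
    perms: tuple
    comm: str
    scontext: str
    tcontext: str
    tclass: str
    path: str = ""
    permissive: bool = False
    syscall: str = ""
    exit_code: str = ""
    exe: str = ""

    @property
    def stype(self):
        return _type_of(self.scontext)

    @property
    def ttype(self):
        return _type_of(self.tcontext)

    def signature(self):
        """Same shape as setroubleshoot's 'Hash:' line: comm,stype,ttype,tclass,perms."""
        return ",".join([self.comm, self.stype, self.ttype, self.tclass, ",".join(self.perms)])

    def te_rule(self):
        """The allow rule audit2allow would emit for this single denial."""
        perms = self.perms[0] if len(self.perms) == 1 else "{ " + " ".join(self.perms) + " }"
        return f"allow {self.stype} {self.ttype}:{self.tclass} {perms};"

    def blocked(self):
        """True only if the access was really refused: enforcing mode and a failed syscall."""
        return not self.permissive and self.exit_code == "EACCES"


def parse_audit(text):
    """Parse raw audit text; pair each AVC record with the SYSCALL record of the same serial."""
    denials, syscalls = {}, {}
    for line in text.splitlines():
        line = line.strip()
        serial_m = SERIAL_RE.search(line)
        if not serial_m:
            continue
        serial = serial_m.group("serial")
        if line.startswith("type=AVC"):
            avc = AVC_RE.search(line)
            if avc is None:
                continue
            f = _kv(avc.group("fields"))
            denials.setdefault(serial, []).append(Denial(
                serial=serial, result=avc.group("result"),
                perms=tuple(avc.group("perms").split()),
                comm=f.get("comm", ""), scontext=f["scontext"], tcontext=f["tcontext"],
                tclass=f["tclass"], path=f.get("path", f.get("name", "")),
                permissive=f.get("permissive") == "1"))
        elif line.startswith("type=SYSCALL"):
            syscalls[serial] = _kv(line)
    out = []
    for serial, ds in denials.items():
        sc = syscalls.get(serial, {})
        for d in ds:
            d.syscall, d.exit_code, d.exe = sc.get("syscall", ""), sc.get("exit", ""), sc.get("exe", "")
            out.append(d)
    return out


if __name__ == "__main__":
    for d in parse_audit(SAMPLE_AUDIT):
        print(d.signature(), "| blocked:", d.blocked(), "| syscall:", d.syscall, "| rule:", d.te_rule())
```

Running it prints `mdadm,mdadm_t,stratisd_data_t,dir,getattr | blocked: True | syscall: newfstatat | rule: allow mdadm_t stratisd_data_t:dir getattr;`, which matches the Hash line and is the one rule a local module built with the ausearch/audit2allow commands in the report would contain. The permanent fix is the selinux-policy build listed for this issue; a local module is only the interim measure the report itself suggests.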
- is cloned by: RHEL-21374 AVC appears when mdadm checks the /dev/stratis location [rhel-8] (Closed)
- links to: RHBA-2023:121166 selinux-policy bug fix and enhancement update