Loading...

XML

Word

Printable

Type: Bug
Resolution: Done-Errata
Priority: Normal
Fix Version/s: rhel-8.10
Affects Version/s: rhel-8.10
Component/s: selinux-policy
Labels:
- AutoVerified

Fixed in Build:
selinux-policy-3.14.3-134.el8
Regression:
None
Severity:
Medium

Pool Team:

sst_security_selinux
Sub-System Group:

ssg_security

Internal Target Milestone:
21
Story Points:
None
ACKs Check:

QE ack
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Product Documentation Required:
No
Sprint:
None

Acceptance Criteria:

Hide

Processes running under mdadm_t do not trigger any SELinux denials when the /dev/stratis directory exists.

Show
Processes running under mdadm_t do not trigger any SELinux denials when the /dev/stratis directory exists.
Preliminary Testing:
Pass
Errata Link:
https://errata.engineering.redhat.com/advisory/121335
Test Coverage:

Automated

Release Note Type:
Release Note Not Required

Experience:

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Planning:
None

SELinux denials appear when mdadm is used on machines where stratis filesystems are configured.

NVRs:
mdadm-4.2-13.el8.x86_64
selinux-policy-3.14.3-133.el8.noarch
selinux-policy-devel-3.14.3-133.el8.noarch
selinux-policy-targeted-3.14.3-133.el8.noarch
stratis-cli-2.4.2-1.el8.noarch
stratisd-2.4.2-2.el8.x86_64

Expected results:

no SELinux denials

Actual results (enforcing mode):

----
type=PROCTITLE msg=audit(01/11/2024 12:25:01.019:358) : proctitle=/usr/sbin/mdadm --detail --no-devices --export /dev/md0 
type=PATH msg=audit(01/11/2024 12:25:01.019:358) : item=0 name=stratis inode=42187 dev=00:06 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:stratisd_data_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(01/11/2024 12:25:01.019:358) : cwd=/ 
type=SYSCALL msg=audit(01/11/2024 12:25:01.019:358) : arch=x86_64 syscall=newfstatat success=no exit=EACCES(Permission denied) a0=0x4 a1=0x5561b650010b a2=0x7ffe6a9557e0 a3=0x100 items=1 ppid=32403 pid=32409 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=mdadm exe=/usr/sbin/mdadm subj=system_u:system_r:mdadm_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(01/11/2024 12:25:01.019:358) : avc:  denied  { getattr } for  pid=32409 comm=mdadm path=/dev/stratis dev="devtmpfs" ino=42187 scontext=system_u:system_r:mdadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:stratisd_data_t:s0 tclass=dir permissive=0 
----

clones

RHEL-19276 AVC appears when mdadm checks the /dev/stratis location [rhel-9]

Closed

links to

RHBA-2023:121335 selinux-policy bug fix and enhancement update

TCMS Test Case 281928

mentioned on

Merge request - * Fri Jan 12 2024 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-134

Assignee:: Zdenek Pytela

Reporter:: Dennis Keefe

Developer:: Zdenek Pytela

QA Contact:: Milos Malik

Votes:: 0 Vote for this issue

Watchers:: 6 Start watching this issue

Created:: 2024/01/11 5:38 PM

Updated:: 2024/09/06 12:27 PM

Resolved:: 2024/05/22 9:54 AM

Target end:: 2024/01/22

Release Date:: 2024/05/22

Details

Description

Attachments

Issue Links

Activity

People

Dates